Regulation of cyber security in the UK – is it appropriate?
March 2023 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
Cyber security is now regulated in a number of ways in the UK – including by way of data protection laws, specific cyber security regulations and sector-specific requirements. Often, organisations are required to ensure that their cyber security – within broader concepts such as technical and organisational measures (TOMs) – is ‘appropriate’ with a view to keeping data safe or ensuring continuity of service.
Recent enforcement action in the UK has emphasised the importance placed upon this requirement by regulators such as the Information Commissioner’s Office (ICO).
The challenge faced by organisations is often working out what ‘appropriate’ cyber security looks like in practice – and what regulators consider meets the required standard. This article considers this issue from the perspective of a recent decision of the ICO and looks forward to how ‘appropriate’ might be construed in the context of new cyber security regulations coming into force in the UK, most notably the refreshed UK Network & Information Systems (NIS) Regulations.
Data protection – the ICO
In its capacity as the UK’s data protection authority, the ICO assesses the appropriateness of TOMs in the context of the risks posed to the rights and freedoms of individuals, based on the nature of personal data processed by an organisation, as well as the scale of the organisation and the nature of its business.
Although guidance relating to article 32 of the UK General Data Protection Regulation (UK GDPR) provides a number of general examples as to what could constitute ‘appropriate’ TOMs, including encrypting data, implementing firewalls and providing appropriate employee training, no detailed instruction has been produced by the ICO to clarify its interpretation of article 32.
In the absence of guidance, context can be drawn from monetary penalty notices (MPNs) in order to determine what is considered ‘appropriate’ from the perspective of the ICO. To this end, examination of a recent MPN issued against Interserve Group Limited in 2022 sets out some areas of particular concern in practice.
On 24 October 2022, the ICO issued a fine of £4.4m to Interserve, on the basis that between 18 March 2019 and 1 December 2020 the company failed to process personal data using appropriate TOMs. The ICO investigated Interserve following a security incident affecting the personal data of up to 113,000 individuals.
In reaching its decision, the ICO highlighted a number of areas in which it considered Interserve had failed to implement appropriate technical and organisational measures as per article 32, including: (i) the use of outdated operating systems and outdated protocols; (ii) ineffective endpoint security; (iii) failing to ensure employees had undertaken phishing training; and (iv) failing to restore data in a timely manner.
Taken together, these failings led the ICO to conclude that Interserve “did not have an information security programme consistent with the requirements of the [UK] GDPR” and that controls addressing the failings outlined above could have “very significantly reduced the likelihood of personal data being compromised”.
As the most recent significant decision of this type from the ICO, Interserve provides a lens through which we can assess the ICO’s current interpretation of article 32. The ICO places notable emphasis on organisations adopting a holistic approach, in which technical and organisational measures are considered in conjunction with one another: it is apparent that an organisation being strong in a certain area (e.g., policies, procedures and training) will not excuse deficiencies in another (such as the unnecessary use of unsupported legacy products). Technical and organisational measures must therefore be viewed as a collective when an organisation considers its security programme – the ICO’s decision suggests that an organisation would be better served by investing across a variety of areas, rather than focusing on achieving maturity in one specific field.
This decision also provides insight into the overarching focus of the ICO regarding ‘appropriate’ TOMs: their presence must reduce the likelihood of personal data being affected by an incident. This overarching objective provides a framework through which organisations can assess their own TOMs – an organisation must be able to sufficiently reduce the likelihood of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data occurring (as per article 4 of the UK GDPR).
In practice, an organisation will be required to assess its TOMs based on the nature of the data it holds and the organisation’s size, complexity and budget. For example, ‘appropriate’ TOMs for an organisation which holds a significant amount of health data may differ significantly from what would be considered ‘appropriate’ for an organisation that holds a limited amount of business contact information. What is considered ‘appropriate’ is therefore subjective to some degree, requiring companies to carefully consider what data they control or process in order to determine what TOMs may need to be implemented.
Other areas of note identified within the Interserve MPN include the ICO’s focus on ensuring availability of personal data – with the failure to restore data in a timely manner identified as a factor in the ICO’s overall decision. This may highlight an increased focus by the ICO on ensuring organisations have sufficient backup and business continuity and disaster recovery (BCDR) procedures in place in an era in which ransomware attacks have become widespread.
Although helpful in providing clarity to organisations, interpreting the ICO’s intentions entirely within the context of an MPN brings its own challenges. An MPN focuses on one organisation’s failures and so only draws attention to the deficiencies within that particular business. As no specific advisory guidance has been published by the ICO on ‘appropriate’ TOMs in practice, it is possible (and indeed probable) that certain areas of concern for the ICO have not yet been publicly highlighted, simply because they have not featured within a specific MPN.
Although this allows the ICO a degree of flexibility when conducting enforcement action, it also creates uncertainty for organisations subject to the ICO’s jurisdiction. At present, monitoring of MPNs serves as the most effective method for determining the developing expectations of the ICO – but this does not, in itself, provide comprehensive guidance.
Continuity of service – the UK NIS Regulations
The NIS Regulations apply to operators of essential services and relevant digital service providers, with the overarching objective of mandating a baseline level of security for both types of organisation, which includes “appropriate and proportionate” TOMs.
Guidance has been provided on areas which must be considered by organisations subject to NIS. At a high level, organisations must consider the following areas: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards (for example, ISO/IEC 27001 and ISO/IEC 22301).
Additionally, the European Union Agency for Cybersecurity (ENISA) has provided guidance on the specific technical security measures an organisation may take to ensure they are ‘appropriate’ under the NIS Regulations. Further illustrative guidance is available from the ICO.
That said, given the broad range of sectors that are within the scope of the NIS Regulations and the varying cyber security challenges within these sectors, high-level guidance cannot give a comprehensive answer as to what will be ‘appropriate’ for a particular organisation.
It is important to note that the NIS Regulations do not necessarily mandate an organisation to implement all of the above, and an organisation is permitted to address these areas with an awareness of the security measures practically available to it. However, an organisation cannot justify failing to implement “appropriate and proportionate” TOMs on the basis of cost alone.
Industry-specific regulations
Generally, regulators within a specific sector, such as financial services, do not impose specific obligations or provide specific guidance in regard to TOMs and what would be considered ‘appropriate’ in practice. Rather, such regulators are typically guided by principles-based requirements.
In the case of the Financial Conduct Authority (FCA), for example, an organisation is required to take appropriate measures to protect customer data and ensure its confidentiality and security, and to put effective controls in place to manage risk. Although these principles encompass cyber security, they do not explicitly refer to it and will cover any relevant area – for example, ensuring appropriate physical security to prevent data being physically stolen.
Determining what would be considered ‘appropriate’ by a sector-specific regulator will likely vary based on its particular areas of focus and any industry-specific concerns. However, it can generally be expected that sector-specific regulators will increasingly align with the guidance published under both NIS and the UK GDPR when interpreting ‘appropriate’ measures.
The challenges faced by organisations in determining what would constitute ‘appropriate’ cyber security are significant. There is a lack of available guidance from the ICO on its interpretation of article 32, necessitating a review of recent MPNs, which may not cover every area the ICO considers relevant. The NIS Regulations provide further description, and a prudent organisation may choose to comply with the standards set out in the NIS Regulations – even if it is not itself strictly subject to them.
Notwithstanding the above, an organisation should be cognisant of any industry-specific requirements it may be required to comply with – although such requirements are often generalised and principles-based, they may include specific provisions which necessitate action.
Steven Hadwin is a senior associate and Nick Jackson is a paralegal at Norton Rose Fulbright LLP. Mr Hadwin can be contacted on +44 (0)20 7444 2290 or by email: steven.hadwin@nortonrosefulbright.com. Mr Jackson can be contacted on +44 (0)20 7444 3956 or by email: nick.jackson@nortonrosefulbright.com.
© Financier Worldwide