UK: Cyber Security Regulation and Incentives Review
On 21 December 2016, the UK Government published “the Cyber Security Regulation and Incentives Review”. The review was conducted as part of the Government’s £1.9bn five-year plan, the National Cyber Security Strategy, to “mak[e] the UK the safest place in the world to live and do business online”. It follows an extensive consultation with a wide range of commercial and non-commercial stakeholders and presents the Government’s position on cyber risk regulation and management in the private sector (excluding those companies operating in sectors critical to the national economy and falling under the forthcoming European Directive on Security of Network and Information Systems).
The key points to note from the Review are as follows:
> there is a strong public interest case to ensure that businesses protect personal data. At least initially, the existing regime under the Data Protection Act 1998 will be replaced by the implementation of the much broader EU’s General Data Protection Regulation (“GDPR”) which will come into force on 25 May 2018;
> although the current plan does not include implementing any additional regulation beyond the data protection requirements set out in the GDPR, the Government is clear that the fast-evolving nature of cyber threats requires a proactive risk management approach at board level and reiterates that “all businesses have a responsibility to consider their own cyber security and act in their business interests to protect themselves from cyber attack”;
> neither cyber security “health checks” nor any specific cyber controls or practices will be made mandatory. However, the Government considers that businesses would benefit from an impartial review of their cyber risk management;
> due to the nascent nature of the risk and lack of sufficient data to enable insurers to price policies, there will be no legal requirement for cyber risk insurance. Nonetheless, the Government supports businesses buying appropriate insurance coverage;
> the Review also concluded that responsibility for cyber risk management should rest collectively across a number of roles and not just with an identified board member or staff member. The Government will therefore not be seeking to create offences against individual directors.
The Government is clearly attempting to create a safe cyber space without imposing burdensome obligations on the private sector. This pragmatic approach, which encourages self-initiative, will be welcomed by many executives, but both they and their D&O insurers would do well to take note of what is expected of them. Businesses should also keep in mind that extensive new data protection and cyber security obligations under both the GDPR and the NIS Directive will take full effect in the UK in less than 14 months and will likely continue to affect UK businesses even after the UK has officially left the EU. There is no indication that the UK will repeal the European legislation relating to cyber security after Brexit, and indeed the UK government looks set to continue to invest heavily in projects to enhance the UK’s cyber security.