UK: Cyber Security Regulation and Incentives Review


On 21 December 2016, the UK Government published “the Cyber Security Regulation and Incentives Review”. The review was conducted as part of the Government’s £1.9bn five-year plan, the National Cyber Security Strategy, to “mak[e] the UK the safest place in the world to live and do business online”. It follows an extensive consultation with a wide range of commercial and non-commercial stakeholders and presents the Government’s position on cyber risk regulation and management in the private sector (excluding those companies operating in sectors critical to the national economy and falling under the forthcoming European Directive on Security of Network and Information Systems).

The key points to note from the Review are as follows:

- there is a strong public interest case to ensure that businesses protect personal data. At least initially, the existing regime under the Data Protection Act 1998 will be replaced by the implementation of the much broader EU General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018;

- although the current plan does not include implementing any additional regulation beyond the data protection requirements set out in the GDPR, the Government is clear that the fast-evolving nature of cyber threats requires a proactive risk management approach at board level and reiterates that “all businesses have a responsibility to consider their own cyber security and act in their business interests to protect themselves from cyber attack”;

- neither cyber security “health checks” nor any specific cyber controls or practices will be made mandatory. However, the Government considers that businesses would benefit from an impartial review of their cyber risk management;

- due to the nascent nature of the risk and the lack of sufficient data to enable insurers to price policies, there will be no legal requirement for cyber risk insurance. Nonetheless, the Government supports businesses buying appropriate insurance coverage;

- the Review also concluded that responsibility for cyber risk management should rest collectively across a number of roles and not just with an identified board member or staff member. The Government will therefore not be seeking to create offences against individual directors.

The Government is clearly attempting to create a safe cyber space without imposing burdensome obligations on the private sector. This pragmatic approach, encouraging self-initiative, will be welcomed by many executives, but both they and their D&O insurers would do well to take note of what is expected of them. Businesses should also keep in mind that extensive new data protection and cyber security obligations under both the GDPR and the NIS Directive will take full effect in the UK in less than 14 months and will likely continue to affect UK businesses even after the UK has officially left the EU. There is no indication that the UK will repeal the European legislation relating to cyber security after Brexit and, indeed, the UK Government looks set to continue to invest heavily in projects to enhance the UK’s cyber security.
