UK infrastructure firms to face £17m fine if their cybersecurity sucks

Oh boy, measures will also cover IT outages

By Kat Hall

Infrastructure firms could face fines of up to £17m if they do not have adequate cybersecurity measures in place, the UK government has announced today.

The plans follow proposals earlier this year from the Department for Digital, Culture, Media and Sport intended to comply with the EU Network and Information Systems (NIS) Directive, which comes into effect next May.

The government intends to use those powers on grounds of national security; a potential threat to public safety; or the possibility of significant adverse social or economic impact resulting from a disruptive incident.

The powers will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards. Critical infrastructure firms will also be required to show they have a strategy to cover such incidents.

The maximum penalty will be applied if firms are deemed to have not cooperated with the competent authority, failed to report an incident, not complied with the regulator's instruction, or failed to implement appropriate and proportionate security measures.

Under the measures, recent cyber breaches such as WannaCry would be covered by the NIS Directive.

Threats against Blighty's national infrastructure appear to be increasing. In November, Ciaran Martin, chief exec of the National Cyber Security Centre (NCSC), revealed that hackers acting on behalf of Russia had targeted the UK's telecommunications, media and energy sectors.

Margot James, Minister for Digital and the Creative Industries, said: "Today we are setting out new and robust cybersecurity measures to help ensure the UK is the safest place in the world to live and be online.

"We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services."

Incidents will have to be reported to the regulator, which will assess whether appropriate security measures were in place. The regulator will have the power to issue legally binding instructions to improve security, and – if appropriate – impose financial penalties.

The measures will dramatically increase the limit regulators can impose on companies.

In October 2016, TalkTalk was hit with a record £400,000 fine by the Information Commissioner's Office for not taking adequate steps to prevent the personal data of 156,959 customers – including names, addresses, dates of birth, phone numbers and email addresses – from being accessed by hackers.

The NCSC has today published guidance on the security measures to help organisations comply. Martin said: "Our new guidance will give clear advice on what organisations need to do to implement essential cybersecurity measures.

"Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible." ®
