January 30, 2018 | By Holly Dragoo
The United Kingdom will begin to impose fines if adequate efforts are not taken to secure critical infrastructure industries (such as electricity, transportation, water, energy, medical and telecommunications) against cyberattack. Compliance will be monitored by the U.K.'s National Cyber Security Centre (NCSC) and enforced through a self-reporting system with audits that address sector-specific security needs. Fines can reach up to £17 million if organizations fail to enact appropriate preventative measures, but they will not be imposed on organizations that made measurable preventative efforts and worked with law enforcement and regulators, yet sustained attacks anyway.
IISP Analyst Holly Dragoo: "The driving forces behind this new fine structure are clearly related to the events surrounding the widespread WannaCry attacks last year. Effectiveness of the policy change is unclear though, especially as holding industries accountable for the losses they sustain beyond the cost of damage to their business is not going to slow down the number of breaches per year or deter attackers at all. Perhaps it is an attempt to pro-actively defray costs as the government will likely be tapped to help critical infrastructure out in the event of a major breach. At a minimum, however, it will force businesses that are behind the curve in cybersecurity to finally re-prioritize and start treating security as a chief concern vice afterthought."
For further reading
- Engadget: https://www.engadget.com/2018/01/29/uk-fine-cybersecurity-operators-essential-services/
- U.K. official announcement: https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack