Simmons & Simmons | Lawrence Brown and Robert Allen

United Kingdom

Best practice

Recommended additional protections

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Enhanced cybersecurity protections, beyond those mandated by law, are recommended by numerous authorities, with guidance notes and advice widely available.

The National Cyber Security Centre is an organisation within the UK government that provides advice and support for the public and private sectors to promote cybersecurity. The central pillar of its advice is ‘Cyber Aware’, which provides a set of guidelines built around six key actions. In addition, it also maintains ‘10 Steps to Cyber Security’, guidance aimed at medium-sized to large organisations that employ cybersecurity professionals, and a ‘Small Business Guide: Cyber Security’. On top of this, the Centre publishes various focused guides on passwords, ransomware, phishing, devices, personal data, malware, operational security and the cloud.

Other authorities also recommend enhanced protections. The Global Cyber Alliance, Action Fraud, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) are among other authorities that also recommend protections beyond those strictly mandated by law.

While industry and regulatory codes or guidance do not constitute protections mandated by law, failure to follow such codes may still give rise to adverse consequences. For example, the ICO states, in its Regulatory Action Policy, that failure to follow an approved or statutory code of conduct is an aggravating factor when it considers sanctions. On 9 December 2022, the UK government published a Code of Practice for app developers and app store operators, which sets out practical steps designed to protect users. Parts of the Code were developed in conjunction with the ICO, and certain principles contained therein are mandated through existing legislation.

Government incentives

How does the government incentivise organisations to improve their cybersecurity?

On 19 January 2022, the government published the policy paper titled “2022 Cyber Security Incentives and Regulation Review”. In it, the government noted that it was for the market to incentivise better security practices for organisations, but recognised that those incentives (eg, consumer pressure and competitive advantage) had not yet formed effectively. To mitigate this, the government planned to take a more interventionist approach through guidance, further market participation and strengthening of UK cyber legislation. In June 2023, the government published a research paper titled ‘Cybersecurity in the UK’, which in part supplements the 2022 policy paper.

At the CyberUK 2024 conference, the UK government unveiled initiatives as part of its £2.6 billion National Cyber Strategy to enhance artificial intelligence (AI) model security, aiming to set a global benchmark against hacking and sabotage. These efforts, emphasising the secure development and operation of AI, were supported by research and a public consultation on AI cybersecurity from May to July 2024, highlighting the government’s commitment to leading in cyber technology and ensuring AI’s safe utilisation.

The UK government continues to incentivise organisations to improve cybersecurity through commercial drivers, financial support, and practical resources.

  • Commercial incentives: mandatory Cyber Essentials certification for government contracts and requirements from major private-sector suppliers encourage compliance with baseline security standards.
  • Financial support and grants: programmes such as Cyber Local, CyberASAP funding for academic startups, and expert security reviews for small and medium-sized enterprises (SMEs) help protect intellectual property and strengthen resilience.
  • Direct resources: services from the National Cyber Security Centre, such as Active Cyber Defence, the Cyber Advisor scheme, and tools like Exercise in a Box and the Cyber Essentials Readiness Tool, allow organisations to test and improve their cyber defences.

The Cyber Security and Resilience (Network and Information Systems) Bill will expand regulatory obligations for Managed Service Providers and critical suppliers, including stricter incident reporting and potential fines. While regulatory in nature, these developments effectively incentivise investment in cybersecurity by linking compliance with legal accountability.

Industry standards and codes of practice

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

The National Cyber Security Centre publishes guidance dealing with issues such as cyber defence, threats and ransomware. The Centre’s “10 Steps to Cyber Security” sets out a number of key areas for medium-sized to large organisations to ensure that technology, systems and information are protected against cyberattacks. In doing so, the guide emphasises the need to take a risk-based and proactive approach to cybersecurity.

Organisations operating within the regulated financial services sector are also guided by a range of materials produced by the FCA in order to achieve compliance with its Principles, and the standards set out in the “Senior Management Arrangements, Systems and Controls” section of the FCA Handbook. One such example is the FCA’s publication on “Good Cyber Security – The Foundations”, which demonstrates the FCA’s approach to working with other organisations (namely the National Cyber Security Centre) in order to achieve effective levels of cybersecurity within the sector.

Responding to breaches

Are there generally recommended best practices and procedures for responding to breaches?

The best way to mitigate the impact of a data breach is to ensure you are properly prepared. A number of public organisations have published guidance for responding to data breaches (including the ICO and the National Cyber Security Centre). You should already have a detailed cybersecurity policy and within that should be a data breach response plan. Such a plan should be accessible to all employees and form part of standard onboarding training.

The first recommended step is to identify the extent of the breach and preserve relevant evidence. Although it may seem basic, it is important to document how the breach was identified and keep a careful note of the steps taken. Such steps might include ensuring the correct internal stakeholders have been contacted (eg, HR, security), determining whether the breach contained personal data, and identifying which jurisdictions may have been affected. Answering these questions will inform the scope of external bodies that need to be involved in the crisis response team (eg, forensic experts to track the extent of the breach).

Where the target of the attack has cyber insurance cover in place (specifically, breach response cover), it should notify its provider promptly and ensure that no steps are taken without the relevant insurer’s consent. Taking steps without that consent may put the insured entity in breach of the terms of its policy, which in turn may jeopardise its entitlement to cover.

Next, your focus should shift to analysis – that is, understanding the “how”. For example, how did the breach occur and is it ongoing? If so, what steps need to be taken to fix (or patch) the breach? At this stage, you should consider whether stopping the breach might tip off the attacker and lead to the destruction of evidence; this should be balanced against your data protection duties. You should also consider any external and internal communications. For example, you might want to consider a formal press release or an internal notice reminding employees of the sensitivities of publicly discussing the breach with the media.

Again, consideration should be given here to any cyber insurance and relevant claims conditions that may apply.

You should then consider the remedies and next steps available to you. Depending on the circumstances of the breach, this can range from initiating legal action to instigating a PR strategy.

Last, you should consider your long-term response. If the breach identified any holes in your security system or staff training, these should be addressed as a matter of urgency. You should also reflect on whether you need to strengthen the relationships with necessary third parties; you may want, for example, to have forensic experts or legal counsel on retainer for data breaches.

Certain regulated entities, including operators of essential services (OESs), relevant digital service providers (RDSPs) and managed service providers (MSPs), will have enhanced reporting obligations under the Cyber Security and Resilience (Network and Information Systems) Bill, which may impose penalties for failure to notify significant incidents in a timely manner.

Voluntary information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

It is considered best practice to share information on cybersecurity threats, although this usually occurs after the threat has been properly resolved. You can share this information informally, for example through social media, or more formally on a voluntary basis with Action Fraud or the National Cyber Security Centre.

Public-private cooperation

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The UK government’s National Cyber Strategy 2022-2030 sets out an aim for the United Kingdom to establish itself as a global cyber power, which includes strengthening the UK cyber ecosystem between government, academia and industry. The Strategy intends to build on the existing relationships between the National Cyber Security Centre and industry stakeholders, most notably the regional cyber clusters formalised by the UK Cyber Cluster Collaboration.

Industry experts have also organised to help direct the UK technology sector. In particular, techUK (the United Kingdom’s technology trade association) brings together organisations to enhance government collaboration and accelerate innovation. techUK has over 800 members across the United Kingdom, from sector leaders, such as Amazon and DeepMind, to law firms and emerging start-ups.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance obtainable for most organisations? How common is it?

Insurance for cybersecurity breaches is available in the jurisdiction and has become more prevalent and available in the past six years. The cyber insurance market remains in a “hard” state, with higher premiums, strict underwriting, and more limited coverage, largely due to the increasing frequency and sophistication of ransomware and other cyberattacks. Previously, insureds that suffered cyberattacks or were involved in cyber incidents would try to claim under their existing commercial insurance policies (eg, those relating to property or commercial risks). While some of these “silent” cyber risks could attach, many would not fall within cover. This state of affairs helped drive the “affirmative” cyber insurance marketplace forward. However, given the ever-increasing frequency of ransomware attacks, the likelihood that insurers will eventually cease to provide cover for this particular type of risk is greater than ever. Overall, cyber insurance is becoming increasingly common, as threat actors and the attacks they deploy are more sophisticated now than ever before.

This article first appeared on Lexology.