Managing cyber security and data protection – a meeting of minds?
We live in an increasingly data-driven world and have seen cyber-attacks of all kinds become increasingly commonplace. With this, the issues of data protection and cyber security have become more intertwined than ever before.
Data protection and cyber security can no longer be dealt with by organisations in isolation; both should be viewed as matters that require a whole-organisation approach to compliance and risk management.
This has been echoed in the recent news from the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). Following on from their joint letter of July 2022 to warn against the payment of ransomware demands, the ICO and NCSC have again joined forces to promote a more co-ordinated approach to their work. The two authorities have this week published a Memorandum of Understanding (MoU) setting out a framework for cooperation and information sharing between them.
So how are they planning to work together to deal with common issues?
Cyber Assessment Framework – the NCSC's Cyber Assessment Framework (CAF) is a key tool to assess how cyber risks are being managed by organisations. The NCSC will now provide advice and technical assistance to allow the ICO to use the CAF as part of its regulatory functions and to understand the cyber risk profile of organisations with which it is engaged. If the ICO develops its own assessment framework, it will work with the NCSC to understand how any divergence between the two frameworks can be minimised.
Technical standards – NCSC technical standards will be promoted by the ICO when encouraging good practice and 'continuing improvement' in the cyber security of those it regulates. The NCSC may also provide technical cyber security advice to the ICO to support it in making its regulatory decisions.
Information Sharing – the ICO may share a range of information with the NCSC about the cyber security incidents it is dealing with. This may include information on an aggregated or anonymised basis, or on an organisation-by-organisation basis, as needed to assist the NCSC with its work. Conversely, the NCSC is not permitted to share with the ICO the names of those who have reported cyber security incidents to the NCSC without consent from the organisation in question: as the NCSC is part of GCHQ, to do so might breach parts of the Intelligence Services Act 1994.
Reporting – where the NCSC is engaged in a cyber security incident and considers that the incident should also be reported to the ICO, the NCSC will remind organisations of their regulatory obligations but will not give a view on whether the incident should be reported. However, in the reverse situation, the ICO will recommend and encourage organisations to notify the NCSC where there has been a 'nationally significant' cyber incident.
Co-ordination – where both the ICO and the NCSC have been notified of a cyber security incident, the organisations will try to co-ordinate their work to minimise any disruption to those affected. This may also mean the ICO trying to ensure that organisations can prioritise engagement with the NCSC in order to "prioritise the mitigation of harm, identify the root cause of the incident, and take appropriate steps to prevent the incident reoccurring" in the immediate aftermath of an incident.
Enforcement action – the ICO will consider how proactive organisations have been on cyber security matters and will 'recognise and encourage' engagement with the NCSC on cyber security issues. In particular, the ICO will 'look favourably' on victims of nationally significant cyber incidents who do report to and engage with the NCSC. Interestingly, we can expect that this position will be publicised widely by the ICO, alongside clarity on how reporting to and engaging with the NCSC will be taken into account in the ICO's calculation of fines.
This announcement makes very clear the increasing importance of the role of cyber security in the work that is undertaken by the ICO, and the need for the NCSC to have a clear picture of the developing cyber threat landscape. Those who fall victim to cyber-attacks will welcome a more joined-up approach, particularly the acknowledgement that responding to a cyber incident, and dealing with investigations by both the NCSC and the ICO, can use up valuable resources: containing and managing the incident must remain key. And, as a reward for those who are proactive and engage with the ICO and the NCSC following a cyber breach, the ICO may well look to reduce its fines accordingly.