Organisations which provide critical national infrastructure services including electricity, water, energy, transport and healthcare could face fines of £17m or four percent of their global turnover if they fail to protect themselves from cyber attacks.
The plan is being considered by the UK government as it examines how to implement the European Union’s Network and Information Systems (NIS) Directive from May 2018. The directive represents the first piece of EU-wide legislation on cyber security and provides legal measures in an effort to protect member states and their essential services from cyber attacks.
This consultation on protecting essential services comes a few months after parts of the National Health Service were crippled – in some cases for over a week – by the global WannaCry ransomware outbreak.
According to the Department for Digital, Culture, Media and Sport, the fines would be a last resort – and they won’t apply to organisations which have put proper cyber security protections in place and still suffered a system outage as a result of a cyber attack. At this stage, the government isn’t clear about exactly what constitutes properly taking precautions.
NIS is separate from the EU’s General Data Protection Regulation – due to be in force by May 2018 – which is designed to protect against loss of data, rather than loss of service.
Under the cyber security standards, infrastructure providers will be required to develop a strategy to understand and manage risks and implement measures to prevent attacks and system failures, including raising staff awareness with training. Companies will also be obliged to report incidents as soon as they happen and ensure they can restore systems as quickly as possible in the event of an attack.
The government is set to host workshops with critical national infrastructure operators in order to pick their brains before any proposals for fines are introduced.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said Minister for Digital Matt Hancock.
“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim,” he added.
The National Cyber Security Centre – the arm of GCHQ responsible for helping to protect the UK from cyber attacks – has also encouraged organisations to take part in discussions with government.
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security,” said NCSC CEO Ciaran Martin.
The public consultation will cover the essential services the directive needs to cover, the proposed penalties, proposed security measures, timelines for incident reporting and how this affects digital service providers.
Those interested in responding have until 11:45pm on 30 September 2017 to fill out the online form.
The proposals for fining essential service providers for having poor cyber security come after the government also issued a set of cyber security guidelines for connected and autonomous vehicles in order to better protect them from hackers and cyber attacks.