Businesses found to have breached UK data protection laws when falling victim to cyber attacks could receive lower fines in respect of those infringements if they engage appropriately with the UK’s National Cyber Security Centre, under a new agreement between the NCSC and the Information Commissioner’s Office.
The memorandum of understanding signed between the two organisations commits the ICO to increasingly “recognise and incentivise appropriate engagement with the NCSC on cyber security matters in its approach to regulation”.
It said: “Specifically, the commissioner will publicise (on its website, in guidance, and in relevant press releases) that it looks favourably on victims of nationally significant cyber incidents who report to and engage with the NCSC and will consider whether it can be more specific on how such engagement might factor into its calculation of regulatory fines.”
Cyber risk experts Laura Gillespie and Stuart Davey of Pinsent Masons suggest that businesses should factor the MoU into their cyber incident response plans. Gillespie said: “The MOU builds on the working relationships already in place. The NCSC provides a range of tools to organisations in seeking to protect and prevent cyber incidents, which includes the cyber assessment framework. What organisations will be keen to understand is how the use of the CAF may be viewed and followed by the ICO.
“With the ICO to continue to recognise and incentivise appropriate engagement with the NCSC, organisations hit by cyber incidents will clearly need to consider appropriate engagement with law enforcement as part of their incident response plans.”
Davey said the MoU was noteworthy in other respects too, including because it explicitly records that the NCSC will not share with the ICO information from an organisation it is engaged with due to a cyber incident unless it has the consent of that organisation to do so. He added: “Organisations dealing with a live cyber incident may take some comfort that they can rely upon the NCSC’s expertise without any disclosure being shared with the regulator.”