Jun 182014

UK Government launches new Cyber Essentials measures

Sidley Data Matters Contributors
, , , , , ,

In an era where cyber risk is almost daily news, governments have been working to develop tools to help businesses protect themselves against those who want to steal or misuse data.

The UK Government has launched a set of basic measures that any organization can use to reduce cyber risk, following a review of cyber attacks by the Government Communications Headquarters (GCHQ). Termed the “Cyber Essentials Scheme1”, this initiative is voluntary, rather than a legal requirement. However, the aim is that involvement in it should become mandatory for certain Government procurement contracts, especially those for information technology and communications. Given the size of the UK Government’s IT spend, this is likely to be a strong incentive for adoption and over time the measures may be adopted as a form of industry standard.

Cyber Essentials aims to encourage businesses to build at least a basic level of cyber security into their operations, on the premise that relatively simple steps might help to prevent some 80% of attacks to which they would otherwise be vulnerable. The measures:

  • lay out a procedure for creating resistance to cyber risk;
  • provide a mechanism for that resistance to be certified; and
  • enable organizations to display their level of cyber security through certification.

External certification is designed to allow customers, suppliers and perhaps insurers to know whether an organization meets a measurable minimum standard. Companies that demonstrate compliance with Cyber Essentials may enjoy a competitive advantage over those that do not. The certification process is evolving and we will write a further update on this aspect shortly.

From a compliance and risk management point of view, the Cyber Essentials measures should set a benchmark against which management may be held accountable: cyber risk management is, of course, a corporate governance issue. Standards like these may also be used in the determination of negligence; losses that could have been prevented by the adoption of the Cyber Essentials may turn out to be uninsured and may be more easily shown to be the responsibility of the organization that failed to prevent them. Cyber Essentials could also play a role as a benchmark for compliance with general data protection requirements on information security, which is becoming an ever bigger issue, with fines of up to 5% of annual worldwide turnover being proposed under the EU Data Protection Regulation.

Most businesses are likely to focus on the “10 Steps to Cyber Security” launched by the UK Government in 2012 and certification under the new Cyber Essentials. As part of the recent focus on cyber risk, lawyers and risk managers will need to consider liability and how to address it, and the extent to which contracts with suppliers should contain provisions governing cyber and information security. There is likely to be a call for suppliers to show Cyber Essentials certification, and for buyers to rely on and refer to that certification.

Alongside the work of any business in reducing exposure to cyber risk, cyber insurance is a critical consideration. Risk managers and IT specialists should be reviewing the kinds of insurance cover their business has; what cyber risks are excluded and what insurance cover best meets their needs and addresses perceived threats?

Insurers are working to exclude cyber risks from standard insurance policies and many are providing separate cover for them. It is too soon to know how insurers will react to a Cyber Essentials certification; it may become a prerequisite for buying cyber insurance; certainly it could affect premiums. Insurers are already in dialogue with the Department of Business, Innovation and Skills about how Cyber Essentials will work and to what extent they will support and recognize it.

For those businesses that have not already done so, carrying out a cyber risk assessment and due diligence of potentially vulnerable business activities and their contractual position should be a priority. An audit and review of the terms on which third party services are provided should focus on areas of the business where information technology underpins critical business activity and review IT services agreements, cloud computing, remote data processing, as well as communications services agreements and the associated insurance cover.

Companies should consider setting up a cyber Risk Register linked to their corporate governance risk systems and a centralized register of the contracts that seek to address such risks. This way it is possible to monitor, manage and insure the risks which they carry and understand which vendors exclude liability. Legal and financial advisers, risk managers, IT functions and data protection officers will need to work together to understand how exposure and risks arise, assess liability, quantify it, and determine whether and how contractual mitigation may be formulated. From a management point of view, it may be important to be able to show shareholders, customers and suppliers that there is a governance program in place which regularly evaluates the cyber risks that could affect the business and deals with data protection.

If you have any questions regarding this update, please contact:

Tim Cowen
Partner
+44.20.7360.3604
tcowen@sidley.com

 

William Long
Partner
+44.20.7360.2061
wlong@sidley.com

 

1 https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000. 

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.