- NCSC and ICO clarify roles during session at security conference CYBERUK
- Agree to improve victim support and commitment to enhance cyber guidance
- Organisations’ heads believe greater clarity of roles will better align response to attacks
Victims of cyber incidents will benefit from an improved approach
to breaches between the UK’s technical authority for cyber
threats and its independent authority for data protection.
Speaking on the second day of the National Cyber Security Centre
(NCSC) annual conference CYBERUK, Chief Executive Ciaran Martin
and Information Commissioner's Office (ICO) Deputy Commissioner James
Dipple-Johnstone outlined the understanding between the
organisations.
The NCSC manages cyber incidents of national importance to reduce
harm caused to victims and to the UK, help with managing the
response and learn lessons to help deter future attacks.
The ICO is the independent regulator for the monitoring and
enforcement of the General Data Protection Regulation (GDPR) and
the competent authority for Digital Service Providers under the
NIS Directive, meaning breached organisations should notify them
of incidents, cooperate and take remedial action.
Amongst the commitments outlined were a greater clarity of the
separate roles and responsibilities each organisation has after a
cyber incident, making it easier for a victim to deal with the
right authority / organisation at the right time.
The NCSC will:
- freely engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath.
- encourage impacted organisations to meet their requirements under GDPR and the NIS Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned.
- help the ICO expand their GDPR guidance as it relates to cyber incidents.
Meanwhile, the ICO will:
- focus its early stage engagement on the vital steps required to help ensure impacted organisations mitigate risks to individuals and stand up an effective investigation.
- establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and, in circumstances of high risk to individuals, that organisations have properly met their legal responsibilities.
Both organisations will:
- share anonymised and aggregated information with each other to assist with their respective understanding of the risk.
- commit to amplify each other’s messages to promote consistent, high quality advice to ensure the UK is secure and resilient to cyber threats.
NCSC Chief Executive Ciaran Martin said:
“This framework will enable both organisations to best serve the
UK during data breaches, while respecting each other’s remits and
responsibilities.
“The development of this understanding is as a result of a
constructive working relationship between our organisations, and
we remain committed to an open dialogue on strategic issues.
“While it’s right that we work closely together, the NCSC will
never pass specific information to a regulator without first
seeking the consent of the victim.”
ICO Deputy Commissioner – Operations, James
Dipple-Johnstone, said:
“It’s important organisations understand what to expect if they
suffer a cyber security breach.
“The NCSC has an important role to play in keeping UK
organisations safe online, while our role reflects the impact
cyber incidents have on the people whose personal data is lost,
stolen or compromised.
“Organisations need to be clear on the legal requirements when to
report these breaches to the ICO, and the potential implications,
including sizeable fines, if these requirements aren’t followed.”
The NCSC will seek to forge similar enhanced clarity on its
working relationship with law enforcement colleagues who are at
the core of the response to malicious data breach incidents.
Notes to editors
- The NCSC’s annual conference CYBERUK takes place on 24 and 25 April 2019. The two days will be packed with expert speakers, debates, challenging workshops, the interactive Cyber Games and Cyber Den, as well as extensive opportunities for networking. Delegates will be able to hear first-hand how the UK cyber security strategy is evolving, learn about the current threat landscape, and contribute their own ideas and thinking.
- CYBERUK 2019 will bring together both the cyber security professional community and the decision makers and strategists from business, the public sector, the third sector and academia into one two-day event.
- More than 2,500 delegates are expected to attend CYBERUK 2019.
- Plenary sessions will be delivered from the Clyde Auditorium in the Armadillo. BSL interpreters will be present during each plenary session.