
England and Wales

Survey Answer:

Yes – while there is no cross-industry IT-security standard in UK law, organisations in certain sectors are subject to legal measures requiring them to meet particular IT-security standards. Examples of such sectors are set out in the subsections below.
In addition, authorities and regulators in a number of sectors provide guidance establishing expectations as to IT security, in some cases referencing established standards – e.g. financial institutions should "have regard to established security standards such as ISO17799 (Information Security Management)"; see paragraph 1.3 below.
In other cases, compliance with sector guidance is assured through mechanisms such as contractual enforcement. Examples of general best practice Cyber Compliance Frameworks that are widely adopted on a contractual or voluntary basis are set out at paragraph 1.6 below.
General security requirements for network providers and service providers are as set out in sections 105A and 105B of the Communications Act 2003 ("CA"), with further guidance on the implementation of these regulations provided in the Ofcom Guidance on Security Requirements published on 18 December 2017.
Regulation 5 of the Privacy and Electronic Communications Regulations 2003 ("PECR") sets out requirements for the security of public electronic communications services.
• Network and service providers must take appropriate measures to manage risks to security, in particular to prevent or minimise the impact on end users and interconnected networks.
• Network providers must take all appropriate steps to protect, so far as possible, network availability.
• Network and service providers must report to Ofcom breaches of security or reductions in availability which have a significant impact on the network or service.
• Service providers must take appropriate technical and organisational measures to safeguard the security of their service and must inform customers of any significant security risks.
• Network providers must comply with any reasonable security requests made by the service provider.
For both the CA and PECR, please refer to Q 1.3 above.
1.1 Healthcare
The UK government published guidance (the "2017/2018 Data Security and Protection Requirements") in January 2018 for providers of health and social care within the public sector, requiring compliance with the Data Security and Protection Toolkit ("DSP Toolkit"). From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.
Healthcare providers and health care settings such as hospitals and private clinics may also fall within the definition of an Operator of Essential Services, and if so would be subject to the incoming Networks and Information Systems regime – see para 1.5 below.
The DSP Toolkit requires providers of health and social care to comply with a set of 10 data security standards focussing on:
• the ability of individual members of staff to handle, store and transmit data securely;
• policies and process to prevent data breaches and suitable responses and continuity plans where a breach does occur; and
• keeping technology secure and up to date.
The UK Department of Health & Social Care is responsible for enforcing compliance with the DSP Toolkit – and does so by inserting contractual provisions into contracts for the provision of health and social care, requiring compliance to avoid a breach of contract.
Relevant organisations are obliged to confirm to the Department their compliance, which is tested through inspections carried out by the Care Quality Commission, an independent regulator for the health and social care sector in England.
1.2 Payments
1.2.1 Measures
Payment Service Providers ("PSPs") – i.e. entities carrying out payment services such as depositing, withdrawing and transferring cash or executing payments – must comply with IT security standards as set out in the Payment Services Regulations 2017 ("PSR").
Payment Card Industry ("PCI") members (i.e. entities directly storing, processing, or transmitting cardholder data) are required to comply with the Data Security Standard ("PCI DSS"), which was most recently updated to version 3.2 in April 2016.
See also the response to Q7 below.
PSPs are obliged by the PSR to:
• establish a framework to manage operational and security risks. This includes establishing and maintaining incident management procedures to detect and classify major security incidents, and reporting annually to the FCA on the security risks the PSP faces and its measures implemented in response; and
• notify the FCA without undue delay of any major operational or security incident.
Some examples of the standards which PCI DSS-compliant service providers must meet are as follows:
• Build and maintain a secure network and systems – this includes installing and maintaining an appropriate firewall configuration and not using vendor-supplied defaults for system passwords and other security parameters;
• Protect cardholder data – this includes storing and transmitting data in a secure manner employing methods such as encryption and hashing;
• Maintain a vulnerability management program – this entails protecting against malware by regularly updating anti-virus software and the like, and patching software as appropriate;
• Implement access control measures, such as employing a 'need to know' policy and assigning unique identifications to authorised persons;
• Monitor and test networks – this includes monitoring all access to network resources and cardholder data and regularly testing security systems and processes; and
• Maintain an information security policy.
Compliance with the Payment Services Regulations 2017 is enforced by the Financial Conduct Authority ("FCA"), which may impose a penalty of "such amount as it considers appropriate" on any PSP who fails to comply.
The PCI DSS are issued by the PCI Security Standards Council (PCI SSC), which consists of the five major payment brands: Visa, MasterCard, American Express, Discover, and JCB. Though the PCI SSC does not manage compliance programmes or impose any penalties for non-compliance, these individual payment brands have their own compliance initiatives, including financial or operational (e.g. contract termination) penalties for businesses that are not compliant.
1.3 Financial Institutions
1.3.1 Measures
The FCA imposes Senior Management Arrangements, Systems and Controls (“SYSC”) on regulated entities.
Banks may also fall within the definition of an Operator of Essential Services, and if so would be subject to the incoming Networks & Information Systems regime – see para 1.5 below.
SYSC 13.7.6: A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
(2) the extent to which technology requirements are addressed in its business strategy;
(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
(4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).
SYSC 13.7.7: Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 13.7.8: A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).
The FCA retains a number of enforcement powers for breaches of its rules (including SYSC requirements) such as extensive fines or censure – as to the latter: the FCA publishes information about fines imposed during each calendar year.
1.4 Utilities (Energy/Water)
No specific current legal measures are identified, although this position will change with the implementation of the NIS in May 2018 – see 1.5 below.
1.5 Critical Sectors: Forthcoming Obligations and Enforcement under the NIS
The headline objectives of the Networks and Information Systems Directive ("NIS") are to: manage security risk; protect against cyber attack; detect cyber security events; and minimise the impact of cyber security incidents.
At the time of writing the final text for the incorporation of NIS has yet to be settled by UK Parliament. However, the Government's National Cyber Security Centre has published a suite of guidance documents to help affected organisations to implement the Directive.
The NIS will operate in relation to 'critical sectors'. It adopts two separate regimes: one for "Operators of Essential Services" (OES – e.g. in sectors such as energy, transport, banking, and health); and another for "Digital Service Providers" (DSPs – e.g. operators of online marketplaces, search engines, or cloud computing services).
OES must take appropriate measures to avoid and minimise the impact of cyber security incidents, to ensure continuity of the services they provide. Member States will also encourage them to adhere to European or internationally accepted IT security frameworks, such as those set out at para 1.6 below.
OES will be required to notify the competent authority without undue delay of incidents having a significant impact on their service continuity (the NIS makes clear that notification will not expose them to increased liability), and include enough information to allow the authority to determine any cross-border impact and inform other affected Member States. In determining such significance, regard shall be had in particular to (i) the number of users affected by the disruption; (ii) the duration of the incident; and (iii) the geographical spread of the affected area. Following consultation with the OES, the competent authority may also inform the public as deemed necessary to prevent or deal with the incident.
In the event of an incident, Member States will assess the security of an OES's networks and information systems, requiring evidence of effective implementation of their security policies. Following such assessment they may issue binding remedial instructions. Where an incident has occurred involving personal data, they will work closely with the data protection authorities.
While the NIS requirements for DSPs are similar to the OES requirements, they are less onerous – particularly with regard to incident notification and enforcement.
Penalties for breach of national laws implementing the NIS must be "effective, proportionate and dissuasive". According to the Department for Digital, Culture, Media & Sport, fines of up to £17m are envisaged for the settled implementation of NIS.
1.6 Cyber Compliance Frameworks
Additionally, companies can adhere to one or more general cyber compliance frameworks, which specify the requirements for establishing, implementing, maintaining, monitoring, reviewing and/or continually improving their information security management systems. Companies may choose to do so on a voluntary basis to strengthen their defences against data breaches, cybercrime, and fraud, or they may be required/recommended to do so (e.g. under contractual arrangements, or industry standards).
Some examples of common best practice frameworks are as follows:
ISO/IEC 27000-series
The ISO/IEC 27000 family of over a dozen standards helps organisations keep information assets secure.
ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action – requiring cooperation among all sections of an organisation.
NIST Cybersecurity Framework
The U.S. National Institute of Standards and Technology (NIST)'s Cybersecurity Framework, created through collaboration between the US government and private sector, looks to "address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses."
The flexible Framework enables organisations – regardless of size, cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.
An updated version 1.1 of the Framework is currently in draft and due to be made available in Spring 2018.
CIS Controls
The Center for Internet Security's CIS Controls provide businesses with a recommended set of actions for cyber defence that provide specific and actionable ways to stop dangerous cyber attacks.
They prioritise and focus on a smaller number of actions with high pay-off results. The first 5 Controls are said to eliminate the vast majority of an organisation's vulnerabilities:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
The full set of 20 Controls is said to secure organisations against today's most pervasive threats. The Controls are derived from the most common attack patterns highlighted in the leading threat reports, and vetted across a very broad community of U.S. government and industry practitioners. CIS Controls version 7 is due to be released on 19 March 2018.

Provided By:
David McIlwaine: Pinsent Masons LLP