UK to fine companies up to £17 million for cybersecurity lapses

It's to ensure companies in 'critical industries' are ready for the next WannaCry.


The UK government will fine companies in "critical industries" up to £17 million if they have woefully inadequate cybersecurity defences. The penalty system is a response to an EU directive, passed in August 2016, that was drawn up to ensure its member states are prepared for modern cyber attacks. Known as the NIS directive, it will be transplanted into UK law to protect health, energy, transport and digital infrastructure. The fines will be a "last resort," however, and take into account how co-operative the company has been with their relevant regulator, the actions taken to remedy the situation, and any other law that might have been breached.

The UK government consulted on its plans to introduce the fine system in August and September last year. It will apply to "operators of essential services," a term that varies depending on the industry. In the transport sector, for instance, it includes airport operators and harbour authorities with more than 10 million annual passengers. The category can also apply to mainline railway operators, large passenger and freight water transport companies, and international rail services. In the "digital" realm, it covers Top Level Domain (TLD) name registries, Domain Name System (DNS) service providers and Internet Exchange Point (IXP) operators.

Operators of essential services (OES) will need to report cybersecurity incidents above a yet-to-be-determined threshold to their relevant Competent Authority (CA). These government-appointed regulators vary by industry: Ofcom will handle digital infrastructure, for instance, while the Secretary of State for Environment, Food and Rural Affairs (Defra), supported by the Drinking Water Inspectorate, will deal with water supply and distribution. "Digital Service Providers," which include search engines, online marketplaces and cloud computing services, will need to report similar incidents to the Information Commissioner's Office (ICO). It's not clear, however, whether they fall under the same fine system as OES.

"The Government can reassure Digital Service Providers that both it, and the Competent Authority will approach implementation of the NIS Directive in a reasonable fashion," the government said in a consultation document last weekend. "Companies will be given time to implement the requirements of the Directive." Guidance on the NIS Directive has been released by the National Cyber Security Centre. The rules come into effect on May 10th and will, the government hopes, minimise the next WannaCry and persuade companies to keep up with best cybersecurity practices.