UK firms will be fined up to £17m for poor cyber security

The Department for Culture Media and Sports (DCMS) is consulting on new laws that will charge fines as high as £17 million for essential service providers that fail to protect themselves against cyber attacks.

In the main these rules will apply to major top level domain name registries, internet exchange point operators and DNS providers, though the aim is to protect essential public services such as water, energy, transport and health systems against hacking attempts.

Firms will also be required to show that they have a strategy to combat power failures and environmental disasters.

Digital Minister Matt Hancock described the fines – of up to £17 million or 4 per cent of global turnover – were a “last resort” and would not apply to firms who suffered an attack despite being adequately prepared.

They will also not apply to companies with less than 50 employees or a turnover of under £10 million.

What exactly constitutes “adequate” preparation will be determined as part of the consultation, which is open to responses until 30 September 2017.

The consultation is aimed at determining how the Network and Information Systems (NIS) directive, which comes into law across the EU next May, will be implemented.

The public consultation document points out that digital operators covered by the NIS directive include search engines, online marketplaces and cloud service providers, which in turn encompass IaaS, PaaS and SaaS providers.

It is also another indication that the UK government is taking security matters very seriously, and hopes to use consultations similar to this as a way of sharing information across industries.

These new rules are separate from the scope of the EU’s other impending legislation, the General Data Protection Regulations (GDPR), which focus on data over services.

The GDPR will replace the UK’s Data Protection Act 1998 from May 2018, with the UK’s decision to leave the EU having no effect on its implementation.