Changes to UK cybersecurity regulation: necessary or overkill?
On 8 August 2017 the UK Government published a consultation on the implementation of the Network and Information Systems (‘NIS’) Directive into UK law. The NIS Directive does not apply to communications providers (‘CPs’), to the extent that CPs do not provide digital services; however, as CPs have security obligations under the Communications Act 2003, Ofcom has over the summer launched a consultation on its plans to update its guidance on the security requirements in the Communications Act. Emma Wright and Chris Benn of Kemp Little LLP review both consultations and ask to what extent these changes are necessary.
Cyber security is high on the agenda as arguably one of the most serious threats to the UK. The NIS Directive will apply from 10 May 2018 (sooner than the General Data Protection Regulation (‘GDPR’)). Despite the NIS Directive being a directive (which requires implementation by Member States), the UK Government supports the overall aim of the NIS Directive and confirmed it will continue to apply it in the UK post-Brexit. Considering the multi-jurisdictional nature of securing and policing the internet this is not a surprise.
The UK Government has recently issued its public consultation on ‘Security of Network and Information Systems,’ focusing on implementation. The NIS Directive applies to operators of essential services (‘OESs’) and digital service providers (‘DSPs’); interestingly it does not apply to CPs, to the extent that CPs do not provide DSP services. CPs have existing security obligations under the Communications Act 2003, and in June 2017 Ofcom launched a consultation on updating its guidance on the security requirements in sections 105A to D of the Communications Act. Both consultations focus on the security of the networks themselves, rather than the personal data being generated, transmitted and stored on them, and on the incident reporting that will apply.
The NIS Directive
The NIS Directive is concerned with the security of ‘network and information systems,’ which means: (i) electronic communications networks; (ii) any device, or grouping of interconnected or related devices, which automatically processes digital data; and (iii) digital data stored, processed, retrieved or transmitted by (i) or (ii), to enable the operation, use, protection and maintenance of (i) and (ii). For the first time, operators of ‘essential services’ will have mandatory breach notification requirements in the event of a cyber attack.
Which organisations are caught by the NIS Directive?
OESs and DSPs are within scope. However, the NIS Directive leaves it to Member States to identify the organisations that will meet the definition of an OES or DSP, hence the UK Government’s consultation.
An OES is a public or private organisation providing a service, which is essential for the maintenance of critical societal and/or economic activities, where the provision of such service depends on network and information systems, and where an incident would have ‘significant disruptive effects’ on the provision of that service. It affects only those organisations that operate within the electricity, oil, gas, air transport, rail transport, water transport, road transport, banking, financial market infrastructure, healthcare, supply and distribution of drinking water, or digital infrastructure sectors.
The UK Government’s public consultation provides further clarity to organisations likely to be considered an OES. Those that may be caught should consider the criteria set by the UK Government, which include ‘identification thresholds’; such criteria are intended to capture the most important operators in each sector, where incidents would cause ‘significant disruptive effects.’ Compliance with the NIS Directive will require changes to some organisations’ infrastructure, which may not be easily implemented given the narrowing timeline until implementation.
However, those operators that do not meet the ‘identification thresholds’ may still be required to comply with the NIS Directive. The UK Government has reserved power to designate specific operators as an OES where it has valid grounds to do so, for example, where it is in the interest of national security.
A DSP is an organisation providing an online marketplace, an online search engine, or a cloud computing service, and again, the UK Government’s consultation seeks to clarify the organisations that will need to comply with the NIS Directive. It proposes an automatic exclusion for DSPs that employ fewer than 50 persons and have an annual turnover and/or balance sheet total that does not exceed €10 million and provides definitions of each of the three services that fall within the definition of a DSP.
Some important exclusions are:
• An online marketplace does not include a service provider redirecting a user to other services to make a final transaction (i.e. not facilitating the final sale) nor does it include sites that only sell directly to consumers.
• For online search engines, those sites offering search facilities powered by another search engine are not in scope, since the underlying search engine must comply with the NIS Directive.
• Cloud computing includes infrastructure as a service, platform as a service and business to business software as a service (‘SaaS’), however SaaS offerings for entertainment only purposes are not caught.
While CPs will fall outside of the scope of OESs, depending on the services provided by the CP, they may be a DSP under the NIS Directive.
The two main obligations are to take:
• appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems; and
• appropriate measures to prevent and minimise the impact of incidents affecting the network and information systems with a view to ensuring the continuity of the services they provide.
The UK Government proposes a ‘guidance and principles based approach’ in respect of these measures, which will be set by the National Cyber Security Centre (‘NCSC’) in cooperation with Government departments and UK regulators. The consultation issued by the UK Government asserts that the onus is on UK organisations to demonstrate compliance with the security measures required under the NIS Directive. At present, such organisations have the proposed ‘high level principles’ as a nod to what organisations should do, but further guidance will not be issued until early 2018, with some guidance not likely to come until November 2018, long after 10 May 2018: the date the Directive should be implemented in the UK. However, a grace period has been offered to OESs: compliance will only be required in respect of guidance that exists and is published, and OESs should be given enough time to incorporate new guidance into their risk management and security measures.
The UK Government points to the security requirements and list of factors DSPs should take into account when assessing the appropriateness of the level of their security stated in the NIS Directive. DSPs will have to “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use to provide [their] services,” and again the level of security must be “appropriate to the risk posed,” and ultimately to prevent incidents (similarly to the obligation imposed on OESs).
OESs have a mandatory obligation to notify (without undue delay) the relevant regulator or a CSIRT (a computer security incident response team, as discussed further below) of incidents having a ‘significant impact’ on the continuity of the essential services they provide. Under the NIS Directive, an ‘incident’ is any event having an actual adverse effect on the security of network and information systems, and ‘significant impact’ should be assessed taking into account several factors. The consultation provides guidance on what a significant impact to the ‘continuity’ of essential services is, i.e. a loss, reduction or impairment of an essential service. In respect of ‘significant impact,’ which currently under the NIS Directive leaves much to be determined, the UK Government proposes that a consultation (to be commenced following the end of the current consultation) between the NCA, OESs and the NCSC should take place to establish thresholds specific to each sector.
Where an OES relies on the services of a DSP, the OES must notify the relevant regulator if there is a ‘significant impact’ to its essential service because of a disruption to the underlying digital service that it relies on.
The consultation provides further clarity on OESs’ reporting requirements, noting that incidents are not limited to cyber security incidents, but also physical incidents, such as power failures, environmental hazards and hardware failures, thus the reporting requirements have the potential to be particularly onerous on OESs. This is acknowledged by the UK Government. Consequently, OESs will welcome the UK Government’s proposal to align the reporting requirements under the NIS Directive with current practices, acknowledging that some industries already have mandatory or voluntary reporting frameworks in place and NIS is only intended to reinforce these frameworks through legislation. All OESs will be required to notify incidents to the NCSC, rather than to industry specific regulators, which will relieve some of the burden on OESs.
In respect of the timing of such incident reporting, the UK Government is proposing that “without undue delay” should mean “without undue delay and as soon as possible, at a maximum no later than 72 hours after becoming aware of an incident” to align with other reporting requirements established by similar legislation, e.g. the GDPR. Note that any existing timeframes shorter than those proposed in the NIS Directive, such as the timeframes proposed by Ofcom under s.105 of the Communications Act, will remain in place.
DSPs also have a mandatory obligation to notify of ‘substantial incidents’ in relation to digital services, however such requirement is only triggered when the DSP has access to the information it requires to assess the impact of the incident. The NIS Directive sets out a list of factors that should be considered when assessing if an incident is a ‘substantial incident.’
The European Commission is working with Member States to establish the framework for DSPs’ reporting requirements to give further clarity to the list of factors. This framework will be published as legally binding guidance under the Implementing Act, which was expected in August 2017. The UK Government acknowledges that the reporting requirements for DSPs currently lack clarity and is proposing a targeted consultation in due course (those interested must opt-in by providing their details).
DSPs will be subject to the same timing requirement as OESs: ‘without undue delay and as soon as possible, at a maximum no later than 72 hours after becoming aware of it.’
Competent authorities and enforcement
The NIS Directive gives flexibility to Member States to designate one or more national competent authorities (‘NCAs’) to oversee compliance by OESs and DSPs with the NIS Directive. Currently the Information Commissioner’s Office (‘ICO’) takes the lead on personal data breach notifications, and industry specific organisations have additional obligations to report to other regulators in the event of security breaches. The UK Government intends for multiple regulators and public authorities to take responsibility in order that sufficient expertise is available to understand the challenges affecting the organisations in the industries that fall within the scope of the NIS Directive. This raises the question of consistency in enforcement. Technical support will be offered from the NCSC, designated as the Single Point of Contact (acting as a liaison with Europe) and the UK’s CSIRT (computer security incident response team, which is a role that includes monitoring and responding to incidents at a national level). The NCSC’s involvement may go some way to ensuring consistency in the guidance published for organisations and approach to responding to incidents.
OESs and DSPs will need to bear in mind their dual responsibilities of personal data breach reporting and security incident reporting. Helpfully, the UK Government is proposing that the timing of reporting incidents under the NIS Directive aligns with other legislative requirements although the regulator may be different. Given the potential severity of the loss of an essential service, the UK Government is proposing to adopt similar fines to those set out in the GDPR.
Ofcom security guidance consultation
CPs are already subject to statutory obligations of security and incident reporting under sections 105A and 105B of the Communications Act 2003, and to audit and enforcement provisions under sections 105C and 105D. Ofcom’s guidance on these provisions (‘the Guidelines’) originally came into force in May 2011, following new obligations introduced under the European Framework on Electronic Communications (originally published in 2002 and later revised in 2009). Ofcom published the current version of the Guidelines in August 2014.
However, Ofcom’s use of these provisions to date appears extremely limited and Ofcom has consulted on revised guidance in these areas. The consultation period closed on 7 September 2017. Ofcom has reflected on the rise in cyber security breaches, which is the rationale for the proposed changes to the Guidelines, focusing on areas of cyber security, risk management and governance, incident reporting and maintaining network availability.
Of course, where an OES outsources its network then many of the obligations will be flowed down to the underlying network provider to the greatest degree possible. CPs that choose to provide cloud computing services will also be required to comply with the NIS Directive in their role as a DSP.
Section 105A – security and availability
Cyber security guidance and schemes
Ofcom has already produced guidance to cover cyber security in respect of Section 105A, and intends its proposal to add to and enhance the existing framework. Ofcom will be looking to the NCSC for guidance on the cyber-specific measures CPs should be taking. It is ‘encouraging’ CPs to be aware of the guidance from the NCSC (including the ‘10 Steps to Cyber Security’ and Cyber Essentials) and ENISA’s Technical Guideline on Security Measures. CPs should also obtain Cyber Essentials Plus, which is likely to prove difficult as the scheme is designed for smaller organisations.
CPs have previously argued certification ND1643 (a standard designed to assist with preventing or minimising the impact of security incidents on network interconnection) “may be of little value in improving security.” However, Ofcom is keen for the standard to continue to lead compliance, but in an alternative form of a best practice document, which Ofcom can use as a baseline for security compliance. Ofcom encourages the NICC (the company responsible for setting the ND1643 certification) to issue a new document, which is fit for purpose, following consultation with members and other stakeholders.
Ofcom’s focus on cyber security means that CPs will be required to consider cyber security threats alongside the risks associated with protecting personal data, with cyber security risk management being “an essential part of compliance with section 105A.”
Risk management and governance
Ofcom is expecting CPs to carry out vulnerability testing of their cyber security measures, and is currently working with DCMS and the NCSC to develop a vulnerability testing framework, similar to that which the Bank of England operates for financial institutions.
Despite data protection and cyber security having risen up the board agenda following the increase in breaches and the approaching GDPR, Ofcom does not consider that cyber security receives sufficient attention at a senior level within CPs. This reflects the findings of the DCMS Select Committee issued just over 12 months ago.
To this end, Ofcom has built on those recommendations: CPs should look to document senior management decisions in the event of a security incident (or more broadly a breach of the Ofcom guidelines) and the processes that were followed, since Ofcom will look to these records as evidence of compliance with its Guidelines. CPs should designate owners at all levels in the organisation, including at Board level. Ofcom recognises that security certifications can “form a powerful mechanism” to demonstrate compliance, however CPs should not see this as a tick box exercise, since Ofcom is not making such certifications a requirement for CPs to obtain.
Maintaining network availability
To comply with CPs’ obligation to take measures to maintain network availability appropriate to the needs of their direct customers, Ofcom has suggested:
• avoiding single points of failure in a network will go some way to evidencing ‘appropriate steps,’ however Ofcom notes that there are circumstances when this is impractical;
• investing in additional and temporary flood resilience defences, where appropriate; and
• mitigating power failures – one of the root causes of security incidents.
Ofcom intends to investigate significant availability incidents involving power loss and flooding. In respect of third parties, which many CPs engage to support the delivery of their network, Ofcom considers that CPs remain responsible for the actions of their subcontractors and must have sufficient levels of control over subcontractors, to ensure that such subcontracting does not breach the CPs’ statutory obligations.
Section 105B – incident reporting
Despite considering that the current reporting regime is working well and remains appropriate, Ofcom is proposing changes.
Mobile network operators
Ofcom is seeking to address the difference in the number of incident reports it receives from mobile network operators, which is significantly fewer than from fixed network operators, despite the decline in fixed telephony and rise in mobile telephony. Ofcom has previously set different reporting thresholds for the four main mobile network operators; however, the new proposed thresholds are set depending on density of coverage, i.e. urban vs rural areas, rather than by mobile network operator. Ofcom is proposing to tighten the reporting thresholds for mobile network operators to ensure it receives “a significant and sustained increase in reporting” from such operators.
Cyber security incidents
Ofcom expects CPs to notify incidents which have a “significant impact on the operation” of a network or service, which in light of recent cyber attacks, Ofcom considers includes a major breach of data confidentiality or integrity.
The latest proposal is to capture any incidents involving cyber security breaches, which significantly increases the reporting burden on CPs. Ofcom feels it should be aware of all incidents that could be considered to have a “significant impact” to enable further investigation where Ofcom feels it is necessary to do so, encouraging over, rather than under, reporting from CPs.
CPs are likely to be nervous about Ofcom’s proposal to introduce new reporting timelines for ‘urgent incidents,’ which would be required to be notified within three hours of the CP becoming aware. This will not give CPs much time to assess the impact of the incident in order to be able to conclude that such an incident is in fact an ‘urgent incident.’
All other incidents are to be reported in line with the requirements under the GDPR, i.e. within 72 hours of the CP becoming aware, or even later for ‘non-major’ incidents.
Ofcom sets out the criteria for ‘urgent incidents,’ which includes:
• incidents affecting services to 10 million end users;
• incidents affecting services to 250,000 end users and expected to last 12 hours or more;
• incidents attracting national mainstream media coverage; and
• incidents affecting critical Government or public sector services.
These new requirements will demand significant investment from CPs if they are to meet such tight reporting deadlines.
Sections 105C & D – audit and enforcement
Ofcom is intending to replace the current guidance around audit and enforcement. Ofcom is proposing to increase its power to conduct audits more frequently, which will include information gathering and direct engagement with CPs. CPs will still be liable for the costs of such audits.
Considering the huge rise in cyber attacks, the NIS Directive is a welcome piece of legislation for consumers. However, for those organisations caught by it, it creates the additional burden of mandatory reporting requirements and increases the level of security measures. Whilst the focus is currently on compliance with the GDPR, organisations should not miss this opportunity to ensure updated reporting procedures also capture any additional obligations imposed by the NIS Directive.
CPs must take note of the proposed new guidelines from Ofcom, now that it intends to conduct more audits. CPs are faced with a plethora of new requirements and this is before the status of the draft ePrivacy Regulation is confirmed.
First published in Cyber Security Practitioner, September 2017.