NotBeingPetya: UK critical infrastructure firms face huge fines for lax security

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place.

The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under the EU Network and Information Systems (NIS) Directive, which comes into effect next May. Critical infrastructure firms will also be required to show they have a strategy to cover power failures and environmental disasters.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR). The UK proposals would set the maximum fine for the most severe outages at critical infrastructure organisations at the same level as the highest fines available under GDPR.

Organisations that provide water, energy, transport and health services – whose vulnerabilities were exposed by the recent WannaCry(pt) and NotPetya ransomware attacks – are in the government’s line of sight. “Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack,” a government statement explains.

DCMS launched a consultation on its plans on Tuesday.

James Chappell, CTO and co-founder of threat intel firm Digital Shadows, said that the UK government's proposals go further than what will be required to achieve NIS Directive compliance.

“When the UK made its decision to leave the EU, one of the concerns within the cyber security industry was that it would choose not to enact the regulatory commitments the country really needs to toughen up its cyber defences,” Chappell explained.


Source: The Register