Organisations could be fined up to £17m, or 4% of their global turnover, for having poor cyber security under proposed new laws.
As part of plans to improve the UK's cyber security, operators of essential services that rely on IT systems, including NHS trusts, utilities, gas and oil companies, road authorities and train operators, could be fined if they fail to assess their cyber risk and put appropriate protections in place.
Under the proposal these operators will also have to report any incidents that affect the security or integrity of their digital infrastructure within 72 hours.
The proposals are part of a consultation around a new Network and Information Systems (NIS) Directive to protect the UK’s digital economic and social infrastructure and form part of the government’s £1.9bn National Cyber Security Strategy.
The proposed regulations are also designed to bring UK law in line with the EU NIS Directive, which member states must transpose into national law by May 2018.
Major attacks, including the recent WannaCry ransomware that locked computers belonging to the NHS and FedEx among others, as well as the growing threat of state-sponsored attacks, have pushed cyber security up the business agenda.
Matt Hancock, minister for digital, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack.”
The consultation document suggests organisations would need to demonstrate they have taken appropriate steps to identify their cyber risk, show they understand and can manage the threats in their supply chains, and show they have appropriate governance structures in place to react quickly to any incident.
Ministers said any company that “takes cyber security seriously should already have such measures in place”.
Any fines would be a last resort and would not be levied on companies attacked despite having done the correct due diligence, engaged with authorities and implemented the right security.
The National Cyber Security Centre, the centralised cyber security authority launched earlier this year, will be responsible for issuing more detailed guidance to companies after further consultation.
The proposal puts the onus on organisations to identify which of their networks and infrastructure systems fall under the requirements and to demonstrate to the relevant authorities that the appropriate measures are being taken.
A second tier of companies, digital service providers such as search engines, online marketplaces and cloud services, which are considered important but not essential, will face a less strict set of regulations.
The consultation is currently accepting submissions and is open until 20 September. The government has until 9 May 2018 to transpose the EU NIS Directive into UK law.