The UK government has opened a consultation on the Network and Information Systems (NIS) Directive from the European Commission, which aims to increase the security of network and information systems within the European Union. The directive relates to loss of service and will run alongside the GDPR, which focuses on data protection and loss of data, so the two should be complementary.
Whilst the directive will mainly affect UK operators in transport, electricity, water, energy, health and digital infrastructure, it could be extended to cover all industries and non-compliance could incur huge fines.
The NIS Directive will help make sure UK operators are prepared to deal with the increasing numbers of cyber threats and will also cover other threats affecting IT – such as power failures, hardware failures, and environmental hazards.
It is not known yet who the regulator will be, but the directive is likely to require the oversight of a number of competent national authorities. It further demonstrates the move towards tighter scrutiny of cybersecurity policies and procedures as the risk of attack increases and cyber criminals become ever more inventive.
Just as the rapid digital revolution has given rise to new financial services products like peer-to-peer lending, crowdfunding and digital currencies, it has also generated huge amounts of new market data from all manner of sources, including social media, which can be used to price, target and market products and services and help firms identify new customer segments. Workflows and processes have been automated, and some firms employ automated, data-driven decision-making tools and online, customer-managed investments. All these digital services have generated massive amounts of sensitive data, which must be managed and secured properly. Just as business operations are often global, cyber threats can come from anywhere, and when most of your business depends on digital services and the data they generate, a robust cybersecurity policy becomes as inherent and important as staffing, finance and management.
Threats can come from the inside or the outside and via any mechanism: network attacks, employee weak spots, malicious links, DDoS attacks, phishing, whaling; the list goes on. As cyber criminals become increasingly stealthy and resourceful, firms need to ensure their security is robust enough to hold off attack. And with cybersecurity and data protection under immense scrutiny from the regulators, it becomes more important to be able to prove that your firm has taken all the necessary precautions, and that policies and procedures are in place, implemented, adhered to and documented.