UK businesses express concerns about mandatory reporting of cyber security incidents
From: Out-Law.com
UK businesses have expressed “significant concern” about draft new EU rules which would force them to report some cyber security incidents they experience.
According to a summary of the responses (50-page / 312KB PDF) the Government received to a ‘call for evidence’ it put out following the publication of a new draft Network and Information Security (NIS) Directive earlier this year, UK businesses are worried about how the proposals would interact with similar reporting obligations already in place in many industries as well as how the planned framework would sit alongside new EU data protection laws that are currently under negotiation.
“Significant concern was raised on the mandatory reporting requirements of the NIS Directive,” the summary of responses said. “Many participants indicated that they were not in favour of these proposals and that there were issues in the practicalities of implementing them. Participants in regulated sectors said that in many cases they had an existing obligation to report breaches to their regulators and felt that this would add an additional reporting layer for a similar task. There were also concerns on how the NIS Directive would resolve itself with Data Protection regulation, and other existing requirements both at EU and national levels.”
UK businesses also believe that the NIS Directive proposals could penalise those with good cyber security and that compliance with the rules, rather than the proactive tackling of security risks, could become the focus for organisations, according to the document published by the Department for Business, Innovation and Skills (BIS).
“There was a fear that compliance teams could be set up in place of more proactive cyber security teams to ensure a bottom line because it was mandated – cyber security would become a ‘stats game’,” the report said. “Genuine information sharing requires trust and mandatory reporting was unlikely to generate genuinely valuable data, simply compliance.”
“Mandatory reporting potentially penalised those with better cyber security and reporting procedures in place as they would be required to disclose information that organisations operating at the minimum compliance level may not have detected,” it said. “There was significant concern on the capability for disclosures to remain safe and confidential the further information went up the reporting chain … Questions were also raised about what the Commission would do with the information reported to it, and how well protected it would be.”
Businesses said that non-mandatory information sharing and reporting could be “potentially useful”.
“Participants agreed they would benefit as long as the mechanism to report was easy to utilise, had appropriate levels of anonymity and that information only had to be reported once,” according to the summary of responses document. “In addition, many participants expressed the view that more should be done to improve capability proactively rather than focussing on reporting, which would do little to address the root cause of the problem and is like ‘shutting the door after the horse has bolted.’”
The Government said it has shared similar concerns with the Commission as those raised in its call for evidence.
“We also have serious concerns regarding the unintended consequences of breach reporting, and how this might act as a perverse incentive for businesses to improve their overall risk management practices,” it said.
The European Commission laid out its plans for a draft NIS Directive in February. Under those plans, public administrators and ‘market operators’, such as banks and energy companies, would be required to notify designated regulators of “significant” cyber security incidents that they experience. The companies, under certain circumstances, would also be obliged to report those incidents to the public.
The Government said it has asked for the European Commission to provide more specific information about the cost and impact of the regime to businesses, to clarify which businesses should be subject to the Directive and to justify why the rules should apply in some sectors, among other things.
“The UK shares the Commission’s desire to improve levels of network and information security across the EU,” BIS said. “We want to ensure that the internal market is a vibrant and safe place to do business and that Member States know who to contact in the case of a cyber incident and can effectively work together to reduce the threat and impact of cyber incidents. The UK Government will negotiate at EU level for an instrument that does not overburden business, the public sector or other organisations; that encourages economic growth and innovation; and that fosters positive and sustainable behaviour change.”
Print article |