The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have clarified their roles in relation to breaches of cyber security. The NCSC manages cyber incidents at a national level to prevent harm to both victims and the UK as a whole. It helps manage the response at a governmental level and seeks to ensure that lessons are learned to help deter future attacks. The ICO is the independent regulator that enforces and monitors data protection legislation, and the competent authority for Digital Service Providers under the Network and Information Systems (NIS) Directive. The ICO is the first port of call for organisations that have suffered a breach of cyber security.
Speaking at a CYBERUK event in April, representatives from both organisations gave greater clarity on the separate roles and responsibilities each organisation has after a cyber attack, making it simpler for a victim to deal with the right authority at the right time.
The NCSC will:
- engage directly with victims to understand the nature of the incident, and provide free and confidential advice to help mitigate the impact in the immediate aftermath;
- encourage impacted organisations to meet their requirements under data protection law, while at the same time reassuring organisations that the NCSC will not share information reported to them with the ICO without first seeking the consent of the organisation concerned; and
- help the ICO expand their GDPR guidance as it relates to cyber incidents.
The ICO will:
- focus the early stages of its engagement on helping to ensure that impacted organisations mitigate risks to individuals and conduct effective investigations; and
- establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk, and in circumstances of high risk to individuals, that organisations have properly met their legal responsibilities.
Both organisations will:
- share anonymised/aggregated information with each other to assist with their respective understanding of the risk; and
- commit to amplifying each other’s messages to promote consistent, high-quality advice in order to ensure the UK is secure and resilient to cyber attacks.
NCSC Chief Executive Ciaran Martin said:
“This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.”