Friday 26 Apr 2019 @ 09:15
National Cyber Security Centre
Printable version

Data breach roles outlined at cyber conference

Victims of cyber incidents will benefit from an improved approach to breaches between the UK’s technical authority for cyber threats and its independent authority for data protection.

Provided Image

  • NCSC and ICO clarify roles during session at security conference CYBERUK
  • Agree to improve victim support and commitment to enhance cyber guidance
  • Organisations’ heads believe greater clarity of roles will better align response to attacks

Speaking at the second day of the National Cyber Security Centre (NCSC) annual conference CYBERUK, Chief Executive Ciaran Martin and Information Commission Office (ICO) Deputy Commissioner James Dipple-Johnstone outlined the understanding between the organisations.

The NCSC manages cyber incidents of national importance to reduce harm caused to victims and to the UK, help with managing the response and learn lessons to help deter future attacks.

The ICO is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR) and the competent authority for Digital Service Providers under the NIS Directive, meaning breached organisations should notify them of incidents, cooperate and take remedial action.

Amongst the commitments outlined were a greater clarity of the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right authority / organisation at the right time.

The NCSC will;

  • engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath.
  • encourage impacted organisations to meet their requirements under GDPR and the NIS Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned
  • help the ICO expand their GDPR guidance as it relates to cyber incidents.

Meanwhile, the ICO will;

  • focus its early stage engagement to the vital steps required to help ensure impacted organisations mitigate risks to individuals and stand up an effective investigation.
  • establish circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and in circumstances of high risk to individuals organisations have properly met their legal responsibilities.

Both organisations will;

  • share anonymised and aggregated information with each other to assist with their respective understanding of the risk.
  • commit to amplify each other’s messages to promote consistent, high quality advice to ensure the UK is secure and resilient to cyber threats.

NCSC Chief Executive Ciaran Martin yesterday said:

“This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.

“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues.

“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

ICO Deputy Commissioner – Operations, James Dipple-Johnstone, yesterday said:

“It’s important organisations understand what to expect if they suffer a cyber security breach.

“The NCSC has an important role to play in keeping UK organisation safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.

“Organisations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

The NCSC will seek to forge similar enhanced clarity on its working relationship with law enforcement colleagues who are at the core of the response to malicious data breach incidents.

Notes to editors

  • The NCSC’s annual conference CYBERUK takes place on 24 and 25 April 2019. The two days will be packed with expert speakers, debates, challenging workshops, the interactive Cyber Games and Cyber Den, as well as extensive opportunities for networking. Delegates will be able to hear first-hand how the UK cyber security strategy is evolving, learn about the current threat landscape, and contribute their own ideas and thinking. 
  • CYBERUK 2019 will bring together both the cyber security professional community and the decision makers and strategists from business, the public sector, the third sector and academia into one two-day event.
  • More than 2,500 delegates are expected to attend CYBERUK 2019.
  • Plenary sessions will be delivered from the Clyde Auditorium in the Armadillo. BSL interpreters will be present during each plenary session.
  • Further information can be found at www.ncsc.gov.uk and for media queries you can call the NCSC on 07468 838893.

 

Channel website: https://www.ncsc.gov.uk/

Original article link: https://www.ncsc.gov.uk/news/data-breach-roles-outlined-at-cyber-conference

Share this article

Latest News from
National Cyber Security Centre

NCSC enters new partnership for PDNS delivery

17/04/2024 13:05:00

The National Cyber Security Centre announces new partnership to deliver the Protective Domain Name System (PDNS) service.

UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity

26/03/2024 10:31:00

UK calls out pattern of malicious cyber activity by Chinese state-affiliated organisations and individuals targeting democratic institutions and parliamentarians.

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

08/02/2024 11:05:00

GCHQ’s National Cyber Security Centre and partners share details of how threat actors are using built-in tools to camouflage themselves on victims’ systems.

Business leaders urged to toughen up cyber attack protections

24/01/2024 13:12:00

New guidelines to help directors and business leaders boost their resilience against cyber threats.

Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure

15/01/2024 10:15:00

Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.

UK exposes attempted Russian cyber interference in politics and democratic processes

08/12/2023 10:29:00

The UK condemns Russia’s sustained attempts at political interference in the UK and globally.

UK and allies expose Russian intelligence services for cyber campaign of attempted political interference

07/12/2023 14:25:00

The UK and allies call out the Russian Intelligence Services for a campaign of malicious cyber activity attempting to interfere in UK politics and democratic processes

NCSC launches Cyber Incident Exercising scheme

06/12/2023 15:25:00

New CIE assured providers give organisations support to create structured table-top or live-play cyber incident exercises.

UK and Republic of Korea issue warning about DPRK state-linked cyber actors attacking software supply chains

23/11/2023 16:05:00

Joint advisory observes cyber actors leveraging zero-day vulnerabilities and exploits in third-party software.