UK businesses could escape data breach fines if they engage with NCSC over cyber incidents

British organizations that suffer a data breach may face lower fines if — instead of attempting to conceal the incident — they proactively report and engage with the country’s cybersecurity agency, according to a new agreement between the agency and the data protection regulator.

The chief executives of the United Kingdom’s National Cyber Security Centre (NCSC) — a part of GCHQ — and the Information Commissioner’s Office (ICO) signed the memorandum of understanding (MOU) on Tuesday.

Among the MOU’s provisions is a commitment from the ICO to explore “how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties.”

It sets out how the two parties will work together in an attempt to improve cybersecurity standards and prevent data breaches across the country, without compromising the confidentiality of reports given to either party.

The MOU stresses that reporting to either agency does not allow them to share information about incidents to the other, with the NCSC noting that this would be illegal under the Intelligence Services Act 1994.

The MOU sets out the areas where the agencies will share information, for instance regarding cyber threat assessments affecting critical digital service providers — which, as Recorded Future News reported on Monday, experienced a record number of disruptive cyberattacks this year.

Although neither agency will identify victims of cyber incidents to the other, the MOU sets out how the ICO will share information with the NCSC “about cyber incidents, on an anonymised and aggregate basis, as well as incident specific details where the matter is of national significance.”

Both agencies are seeking to avoid provoking a lack of trust among the organizations reporting to them, as discouraging those reports could undermine their visibility into the true scale of cyberattacks affecting the country.

Earlier this year, the NCSC and the ICO published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and from regulators.

Alongside their work to share information with each other, the ICO has agreed to promote NCSC’s guidance on cybersecurity to help organizations avoid suffering data breaches as a result of cyber threat activity.

The NCSC’s chief executive Lindy Cameron said the MOU will provide both agencies “with a platform and mechanism to improve cyber security standards across the board while respecting each other’s remits.”

John Edwards, the Information Commissioner, said: “We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure.

“This Memorandum of Understanding reaffirms our commitment to improve the UK’s cyber resilience so people's information is kept safe online from cyber attacks.”