The data protection regulator, the ICO, has signed a Memorandum of Understanding (MoU) with the National Crime Agency (NCA). The ICO says it is working more closely with the NCA to ensure that organisations are signposted to the relevant bodies, such as the UK's official National Cyber Security Centre (NCSC).
What they say
Stephen Bonner, Deputy Commissioner – Regulatory Supervision at the ICO, said: “Unfortunately we’ve seen cyber-crime costing UK firms billions over the past years. That’s why it’s crucial that relevant bodies work together to boost the UK’s cyber resilience. This new memorandum of understanding builds on our existing relationship with the NCA and will help improve cyber security standards across the board, while respecting each other’s remits.”
NCA Deputy Director Paul Foster, Head of the National Cyber Crime Unit, said: “The NCA leads a whole-system response to cyber crime, disrupting cyber criminals and putting them before the courts wherever possible. Organisations who are vulnerable to imminent attack or find themselves a victim also need support and guidance, and we work closely with our partners to provide this. We are pleased to be making this commitment with the Information Commissioner’s Office; this agreement signifies our common goal of establishing and maintaining a secure and resilient cyber ecosystem for all.”
As for industry fears that reporting a cyber attack to the police could land an organisation in further trouble with, or even punishment from, the ICO on data privacy grounds, the NCA and NCSC say that they encourage organisations to be mindful of their regulatory obligations, but will never pass confidential information to the ICO without the victim's permission.
The ICO and NCA state that the memorandum, signed on September 5, reaffirms the following commitments:
We will encourage organisations to engage appropriately with the NCA on cyber security matters, including the response to cyber crime.
The NCA will never pass information shared with it in confidence by an organisation to us without having first sought the consent of that organisation.
We will support the NCA’s visibility of UK cyber attacks by sharing information about cyber incidents with the NCA on an anonymised, systemic and aggregated basis, and on an organisation specific basis where appropriate, to assist the NCA in protecting the public from serious and organised crime.
Where we are both engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm.
We will work together to promote learning, provide consistent guidance and improve standards on cyber-related matters.
Comment
AJ Thompson, CCO at the IT services firm Northdoor plc, pictured, said: “With Gartner predicting that 45 per cent of global organisations will suffer an attack by 2025, this collaboration is a crucial step towards enhancing cybersecurity and protecting organisations from the rising threat of cybercrime.
“Both bodies focus on cyber-resilience across the UK, stressing the importance of implementing proactive measures to safeguard businesses and how a strong partnership between the ICO and NCA will make a positive impact on combating cybercrime. Another crucial point in the MoU is information sharing and transparency. This ensures that the victim organisations will get the support they need to recover quickly.
“The commitment to confidentiality, unless explicit consent is given, is another key point. This assurance builds trust and will encourage organisations to seek guidance without fearing further repercussions. The alignment across both bodies is vital for a cohesive response to cybercrime ensuring that all businesses, regardless of the size, can have access to advice.
“Another important point is the commitment to minimise disruption for organisations affected by breaches. A co-ordinated approach during an incident response will help mitigate damage and allow organisations to focus on recovery.
“Third-party IT consultants can help organisations align with the recommendations outlined in the MoU and ensure that their cybersecurity frameworks are robust. In 2024 and beyond, organisations will need to look to third-party IT consultants to help them to implement cybersecurity solutions that enable broad visibility and work seamlessly with existing technology stacks.
“Managed Detection and Response (MDR), Managed Risk, Managed Cloud Monitoring, and Managed Security Awareness are examples of the type of solutions that can be implemented and backed by third-party IT support. Third-party IT consultants can provide 24×7 tactical coverage and ongoing strategic security recommendations, acting as an extension of an organisation’s internal team to improve its security posture.
“Long-term cybersecurity solutions require a comprehensive approach that cultivates a culture of security awareness. Turning to AI-powered solutions that give organisations a 360-degree view of where potential vulnerabilities might lie, and allow them to check on potential partners to ensure that their defences are up to speed, will be crucial. It means organisations are able to address weaknesses in partners’ systems before they are exploited by cybercriminals, protecting data, reputation and regulatory integrity.”