UK businesses face huge fines over failure to take adequate measures against cyberattacks

08 Aug 2017

UK organisations could attract fines of up to 4 per cent of their global turnover if they failed to take measures to prevent cyber-attacks that could result in major disruption to services such as banking, transportation, health or electricity.

Under the proposals, which are being considered as part of a government consultation that launched yesterday, financial penalties would be used as a "last resort" and would not apply if organisations facing an attack could prove they had assessed the risks adequately.

The move comes after the NHS became the most high-profile victim of a global ransomware attack, which resulted in cancellation of operations, diversion of ambulances and patient records rendered unavailable.

The coordinated attack, which used the WannaCry malicious software, hit a large number of computers across the health service.

The issue was in the news again following a major IT failure at British Airways that left 75,000 passengers stranded and cost the airline £80 million. The company had, however, blamed a power supply issue rather than a cyber-attack.

The consultation will also focus on system failures, and companies will be required to show what action they were taking to cut the risks.

The digital and culture minister, Matt Hancock, said, "We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards."

The Department for Digital, Culture, Media and Sport (DCMS) said firms that took cyber-security seriously needed to have measures in place to prevent attacks or systems failures.

It added that the consultation was aimed at determining how to implement the Network and Information Systems (NIS) directive, which is set to become law in the EU next May.

The directive is separate from the General Data Protection Regulations (GDPR), which are aimed at the protection of data rather than services.