A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 24 junio 2021
In May’s edition of the Data and Cyber Bulletin we explored the key considerations for an organisation following a data breach. We noted the importance of notifying the ICO within 72 hours of an organisation becoming aware of a personal data breach. However, the ICO is not the only body to which an organisation can be obligated to notify following a data breach. Consequently, this month we will focus on the other organisations you may need to notify following a data breach, although we note this is not an exhaustive list.
Principle 11 of the FCA Handbook states that firms must disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice. It is established that material cyber incidents meet this threshold. A cyber incident is likely to be material if:
Payment service providers should additionally note their obligations to make a notification following major operational or security incidents under the Payment Services Regulations 2017.
The Bank of England regulates and supervises financial firms through the PRA. The PRA has eight Fundamental Rules which are similar to the FCA’s Principles for Businesses. Of particular note is Fundamental Rule 7 which mirrors Principle 11 of the FCA Handbook and obligates firms to be open and cooperative and disclose to the PRA matters of which the PRA would reasonably expect notice. As was considered above, if your firm is regulated by the PRA and has suffered from a cyber incident, assess whether the severity of incident is material enough that the PRA should be notified.
If your organisation is the victim of a cyber incident perpetuated by a criminal, you should also consider reporting the breach to Action Fraud. Action Fraud is the UK’s national centre for reporting fraud and cybercrime. All reports are passed on for assessment by the National Fraud Intelligence Bureau who may then send them to police forces for investigation. Others may be sent to Action Fraud’s Prevention and Disruption Team where the fraud enabler i.e. a telephone number or website address, can be blocked to prevent other organisations from falling victims to the same cyber attack.
If you are in Scotland then reports should be made to Police Scotland.
Cyber incidents may also need to be notified to the NCSC. The NCSC provides advice, guidance and support on cyber security and the management of cyber security incidents. The NCSC seeks to reduce the harm caused to victims of cyber attacks and uses the knowledge gained through notifications to update its guidance to help deter future attacks. It traditionally assists organisations with cyber incidents of national importance.
However, where there is a severe cyber incident, the NCSC may be able to:
If your organisation is an Operator of Essential Services, as defined under the NIS Regulations, then you should also consider whether you need to inform your Competent Authority of the cyber incident.
Overall, notifying organisations of a cyber incident is important for not only your organisation but also for the public and national authorities. It allows for the collection of data to understand cybersecurity trends, identify common weaknesses, common modes of attack and provide guidance to prevent similar attacks from occurring in the future.
Charlotte Halford, Holly Eastwood
Patrick Hill, Hans Allnutt, Eleanor Ludlam, Jade Kowalski, Charlotte Halford, Christopher Air
Eleanor Ludlam, Tom Evans
Eleanor Ludlam, Nicola Geary
Eleanor Ludlam, Charlotte Halford, Patrick Hill
Rebecca Morgan, Johanna Lipponen
Charlotte Halford, Christopher Air, Holly Eastwood
Eleanor Ludlam, Pavan Trivedi
Patrick Hill, Hans Allnutt, Eleanor Ludlam
Jade Kowalski, Charlotte Halford, Christopher Air, Sophie Devlin, Eleanor Ludlam, Rebecca Morgan
Patrick Hill, Sonali Malhotra
Hans Allnutt, Pavan Trivedi
Sophie Devlin, Shanaka Wijetunge