NCSC and ICO sign MoU to forge deeper collaborative links

National Cyber Security Centre (NCSC) chief government Lindy Cameron and data commissioner John Edwards have signed a joint memorandum of understanding (MoU) to set up deeper and more practical collaboration between the 2 organisations, recognising that whereas each have distinct niches, there are some areas the place they may align their work, and “deconflict” on others.

Potential areas of collaboration embrace the event of recent cyber safety requirements and steering, and influencing enhancements within the safety postures of organisations in sectors regulated by the Information Commissioner’s Office (ICO).

The MoU additionally reaffirms that the NCSC won’t ever go to the ICO data that has been shared with it in confidence by an organisation – whether or not a sufferer of a cyber incident or not – with out first looking for and acquiring consent to accomplish that.

“This new MoU with the ICO builds on our existing relationship and will boost the UK’s digital security,” mentioned Cameron. “It provides us with a platform and mechanism to improve cyber security standards across the board while respecting each other’s remits.”

Edwards added: “We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure. This Memorandum of Understanding reaffirms our commitment to improve the UK’s cyber resilience so people’s information is kept safe online from cyber attacks.”

Some of the opposite key provisions within the MoU embrace a dedication on the ICO’s half to encourage organisations to have interaction with the NCSC on cyber safety issues corresponding to incident response, and incentivise them to accomplish that, presumably by decreasing potential regulatory penalties.

The ICO may also assist the NCSC’s visibility into assaults and different incidents by a brand new anonymised and aggregated information sharing settlement, though it could present particular particulars if the matter is “of national significance”. This is in assist of the oft-trumpeted authorities objective of “making the UK the safest place to live and work online”, and will supposedly assist the NCSC guarantee it could possibly present match for objective recommendation and steering, and evolve its providers in step with rising developments.

It additionally establishes that in a state of affairs the place each our bodies are engaged on the identical cyber incident, they’ll each do extra to keep away from coming into battle in such a approach that they disrupt the sufferer’s efforts to include and mitigate it. The ICO mentioned it will search to allow organisations to prioritise engagement with the NCSC and incident response companions within the rapid aftermath of a cyber assault, the place doing so will prioritise mitigative work.

Finally, each the NCSC and the ICO dedicated to sharing ongoing suggestions with a view to steady enchancment of their collaborative efforts, and will work collectively to improve present safety steering, and encourage end-users to undertake it.

“The MoU makes a lot of sense, and it will do a lot of good,” mentioned Andy Kays, CEO of Socura, a Cardiff-based provider of managed detection and response providers.

“The memorandum ensures that companies that work with regulators, reasonably than combat them, will face lesser sanctions. It could have all the time been the case that the ICO would take a harder stance on companies that attempt to disguise a breach. However, it’s helpful for the ICO and NCSC to formalise their place on the matter.   

“Everyone in cyber security agrees that organisations need to be more open and honest about breaches. We know that they happen, but when an organisation hides a breach, it always results in worse outcomes for them, their partners, and their customers. Being transparent is the best way for everyone to learn about and learn from major incidents,” he added.

Achi Lewis, EMEA space vice-president at Absolute Software, voiced comparable sentiments: “Resiliency have to be the UK’s high precedence when it comes to digital infrastructure, with a shift from simply detection and prevention measures to including in safety and restoration protocols.

“It’s encouraging to see higher collaboration between the NCSC and the ICO to emphasise the important significance of digital resiliency however, as we’ve seen with quite a few high-profile assaults which have led to deadly downtime, there’s nonetheless much more to be carried out.

“Industry regulators must work with organisations to ensure that resiliency is a top business priority as cyber attacks are no longer a case of if, they are a case of when. Without a resilient cyber posture that affords IT teams with visibility across their entire network and includes self-healing technology to repair and restore devices and applications, businesses are leaving themselves vulnerable to a host of threats.”

Read extra on Regulatory compliance and customary necessities

• University of Manchester hit by cyber assault

  

  By: Alex Scroxton

• Downstream breaches of Capita prospects spreading

  

  By: Alex Scroxton

• Let’s put an finish to secrecy and cover-ups in ransomware assaults

  

  By: Alex Scroxton

• UK spent £6.4m on secret cyber bundle for Ukraine

  

  By: Alex Scroxton