Welcome to HSF’s March wrap up which features our top picks for cyber-related news in the UK, EMEA and US.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.
Information Commissioner's Office publishes new fining guidance
Information Commissioner's Office – 18 March 2024
On 18 March 2024, the Information Commissioner’s Office (the “ICO“), issued updated guidance (the “Guidance“) on issuing fines under the UK General Data Protection Regulation (the “UK GDPR“) and the Data Protection Act 2018 (the “DPA 2018“). The guidance replaces the sections about penalty notices in the ICO’s Regulatory Action Policy which was published in November 2018. The Guidance also provides further insight into how the ICO will approach key questions, such as identifying the wider ‘undertaking’ or economic entity of which the controller or processor forms part and the methodology the ICO will use to calculate the appropriate amount of the fine. Just how the ICO puts the Guidance into action remains to be seen, as does whether the proposed changes to UK data protection legislation (under the Data Protection and Digital Information Bill, if passed) will necessitate amendments, which may make this Guidance short-lived. Our colleagues have published a long-form analysis of the same here.
European Commission adopts network code on cybersecurity for EU electricity sector
European Commission – 11 March 2024
On 11 March 2024, the EU Commission ) adopted the first-ever EU network code on cybersecurity for the electricity sector (C/2024/1383, the "Network Code"). This is separate to (albeit aligned with) Directive (EU) 2022/2555 (a.k.a the NIS2 Directive). the Network Code focusses on cross-border electricity flows, yet we may see the very thorough approach taken therein being replicated across the wider energy and infrastructure sector. In an era of increased interconnectedness and attacks on infrastructure, the Network Code represents a significant heightening of requirements: everything has to be better mapped out, monitored, remedied, reassessed, demonstrated, communicated; senior management have to be bought in, resourcing has to be appropriate, and risk analysis has to take place according to recognised and prescribed standards etc.
Recorded Future News – 11 March 2024
The Office of Financial Sanctions Implementation (OFSI) has confirmed that it has never detected a breach of the United Kingdom's counter-ransomware sanctions regime. This is despite the list being updated regularly, with three new entries being added to the sanctions list under the Cyber regime towards the end of March alone.
On the one hand, this raises questions over whether sanctions are actually capable of stopping all victims from making extortion payments as well as the ethical conundrum of making victim organisations into criminal ones themselves in a situation that can often be very nuanced (given that OFSI guidance states that "Ransomware payments are unlikely to be considered appropriate for an OFSI licence" which would otherwise offer a route forward). Even if sanctions were capable of stopping ransomware payments, it can still be difficult or indeed impossible for victims to conclusively link attacks to sanctioned organisations/persons; particularly as threat actors are just as able to monitor sanctions lists as anyone else and to change their name and operations in an attempt to circumvent limitations (eg specific crypto wallet addresses.).
On the other hand, sanctions can and, according to the NCA, do, have a deterrent effect by their mere existence: they make operations more difficult, sow discord among the increasingly interconnected ransomware ecosystem actors as well as lulling suspects into a false sense of security to travel abroad if an arrest is planned.
Banning ransomware payments back on the agenda
ComputerWeekly.com – 05 March 2024
Ciaran Martin, leading cyber security expert and inaugural chief executive of the UK’s National Cyber Security Centre (NCSC) has once again raised the issue of whether or not it would be appropriate to enact a legal ban on making or facilitating a ransomware payment. The topic is already a popular one in the cybersecurity community with many stakeholders believing that a ban on ransom payments is the only way to disrupt the crime in the long term even in light of the challenges such a decision poses including the fact that banning ransom payments would leave many businesses unable to recover their systems. It is a timely point raised in light of the British Library's response to its October 2023 cyber-attack stating they have not made "any payment to the criminal actors responsible for the attack, nor engaged with them in any way". The Royal United Services Institute, is holding an online debate on the same with an expert panel, including Mr Martin, on 17 April 2024 (here).
Cybersecurity: European Parliament adopts Cyber Resilience Act at first reading
European Parliament – 12 March 2024
On 12 March 2024, the European Parliament formally adopted its first reading position on the proposal for a regulation on horizontal cybersecurity requirements for products with digital elements; the first ever EU-wide legislation of its kind
The CRA aims to ensure that products with digital features (including "smart" doorbells, baby monitors and Wi-Fi routers) are secure to use, resilient against cyber threats and provide enough information about their security properties. Products should also have security updates installed automatically and separately from functionality updates. Those products deemed to pose a higher cybersecurity risk will be examined more stringently by a notified body.
Important and critical products will be put into different lists based on their criticality and the level of cybersecurity risk they pose.
The Council of the EU is expected to adopt the text without amendment at an upcoming meeting.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Key contacts
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.