A new partnership framework between the NCSC and the ICO will better serve UK organizations that have fallen victim to a cyber incident

Victims of cyber breaches in the UK have been urged to turn to both the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) for help in the event of online calamity.

During a session at the NCSC’s annual CyberUK conference on Thursday (April 25), the two organizations outlined plans to “better align response to attacks”.

The NCSC is the UK’s technical authority for cyber threats, handling incident response for “incidents of national importance”, while the ICO acts as a data protection regulator.

Breached organizations are obliged to notify the ICO about incidents.

NIS and easy

As well as attempting to nip problems in the bud, the NCSC’s role also involves analyzing attacks and developing improved mitigation strategies and best practice guidelines, subsequently shared with other firms in the same sector.

The ICO’s role involves the monitoring and enforcement of the General Data Protection Regulation (GDPR) and the NIS Directive.

Businesses and local authorities would be forgiven for thinking the duties of the NCSC and the ICO overlap. In response to this, the two organizations are attempting to make it easier for a victim to “deal with the right authority or organization at the right time”.

The NCSC is offering to provide “free and confidential advice” to help mitigate the impact of a cyber-attack and assist in the early stages of an investigation.

This includes encouraging affected organizations to fulfill their legal requirement for reporting breaches under GDPR and the NIS Directive.

However, the NCSC has promised that it “will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organization concerned”.

Cyber spies won’t act as “snitches” for the ICO because to do so would act as a disincentive for victims of cyber breaches to be open with the GCHQ division about suspected hacking attacks or data breaches, among other reasons.

Share and enjoy

At CyberUK today, representatives from the ICO and NCSC told delegates that they will share anonymized and aggregated information with each other to help in risk assessment, as well as working together to promote “consistent and high quality” cybersecurity advice.

NCSC chief executive Ciaran Martin said: “This framework will enable both organizations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.”

“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim,” he added.

ICO deputy commissioner of operations, James Dipple-Johnstone, said: “It’s important organizations understand what to expect if they suffer a cyber security breach.”

“The NCSC has an important role to play in keeping UK organizations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised,” he added.

Victims of breaches are not freed from their legal requirement to report problems to the ICO – even in cases where they’ve put up the ‘Bat Sign’ and brought in the NCSC for advice.

Dipple-Johnstone warned: “Organizations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Confidentiality about reported data will be respected nonetheless.

Dipple-Johnstone said: “We wouldn’t want anybody reporting to us to fear any information getting out. There are checks and balances in place.”

The framework for how the NCSC and ICO’s working relationship does not directly affect how police are brought in to malicious data breach incidents.

Dipple-Johnstone concluded: “It’s important to report. We encourage organizations who would benefit from a law enforcement or NCSC response to report to those organizations.”


RELATED Successful UK cyber defense strategy should be extended to private sector, say academics