NCSC and ICO sign MoU to forge deeper collaborative links

The scope of the MoU signed by the NCSC and the ICO includes collaboration on new cyber regulations and guidance, and how to support cyber attack victims appropriately and minimise regulatory penalties

Alex Scroxton,
Security Editor

Published: 13 Sep 2023 11:30

National Cyber Security Centre (NCSC) chief executive Lindy Cameron and information commissioner John Edwards have signed a joint memorandum of understanding (MoU) to establish deeper and more effective collaboration between the two organisations, recognising that while both have distinct niches, there are some areas where they could align their work, and “deconflict” on others.

Potential areas of collaboration include the development of new cyber security standards and guidance, and influencing improvements in the security postures of organisations in sectors regulated by the Information Commissioner’s Office (ICO).

The MoU also reaffirms that the NCSC will never pass to the ICO information that has been shared with it in confidence by an organisation – whether a victim of a cyber incident or not – without first seeking and obtaining consent to do so.

“This new MoU with the ICO builds on our existing relationship and will boost the UK’s digital security,” said Cameron. “It provides us with a platform and mechanism to improve cyber security standards across the board while respecting each other’s remits.”

Edwards added: “We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure. This Memorandum of Understanding reaffirms our commitment to improve the UK’s cyber resilience so people’s information is kept safe online from cyber attacks.”

Some of the other key provisions in the MoU include a commitment on the ICO’s part to encourage organisations to engage with the NCSC on cyber security matters such as incident response, and incentivise them to do so, possibly by reducing potential regulatory penalties.

The ICO will also support the NCSC’s visibility into attacks and other incidents through a new anonymised and aggregated data sharing agreement, although it may provide specific details if the matter is “of national significance”. This is in support of the oft-trumpeted government goal of “making the UK the safest place to live and work online”, and will supposedly help the NCSC ensure it can provide fit for purpose advice and guidance, and evolve its services in line with emerging trends.

It also establishes that in a situation where both bodies are engaged on the same cyber incident, they will both do more to avoid coming into conflict in such a way that they disrupt the victim’s efforts to contain and mitigate it. The ICO said it would seek to enable organisations to prioritise engagement with the NCSC and incident response partners in the immediate aftermath of a cyber attack, where doing so will prioritise mitigative work.

Finally, both the NCSC and the ICO committed to sharing ongoing feedback with a view to continuous improvement of their collaborative efforts, and will work together to enhance existing security guidance, and encourage end-users to adopt it.

“The MoU makes a lot of sense, and it will do a lot of good,” said Andy Kays, CEO of Socura, a Cardiff-based supplier of managed detection and response services.

“The memorandum ensures that businesses that work with regulators, rather than fight them, will face lesser sanctions. It may have always been the case that the ICO would take a tougher stance on businesses that try to hide a breach. However, it is useful for the ICO and NCSC to formalise their position on the matter.

“Everyone in cyber security agrees that organisations need to be more open and honest about breaches. We know that they happen, but when an organisation hides a breach, it always results in worse outcomes for them, their partners, and their customers. Being transparent is the best way for everyone to learn about and learn from major incidents,” he added.

Achi Lewis, EMEA area vice-president at Absolute Software, voiced similar sentiments: “Resiliency must be the UK’s top priority when it comes to digital infrastructure, with a shift from just detection and prevention measures to adding in protection and recovery protocols.

“It’s encouraging to see greater collaboration between the NCSC and the ICO to emphasise the vital importance of digital resiliency but, as we’ve seen with numerous high-profile attacks that have led to fatal downtime, there’s still a lot more to be done.

“Industry regulators must work with organisations to ensure that resiliency is a top business priority as cyber attacks are no longer a case of if, they are a case of when. Without a resilient cyber posture that affords IT teams with visibility across their entire network and includes self-healing technology to repair and restore devices and applications, businesses are leaving themselves vulnerable to a host of threats.”

Changing attitudes

Kays suggested that the adoption of the MoU reflects how attitudes to security issues and data breaches have – and continue to – change. Victims that used to cover up incidents because they were scared of the possible reputational damage are now less-inclined to do so, while others are becoming less judgmental. The only “unforgivable” sins these days in the public’s eyes, said Kays, are when organisations lie about the extent of an incident or fail to invest in security.

“It’s a bonus that this move is coming from the regulators. By actively taking steps to reduce the financial penalties owed to them, they are making it clear that they are on the side of businesses. They are not looking to profit at their expense,” he noted.

Read more on Regulatory compliance and standard requirements

University of Manchester hit by cyber attack