With 2018 headlines dominated by the introduction of the General Data Protection Regulation (GDPR), Lynsey Mallon, Corporate and Commercial Partner at leading law firm Arthur Cox, explains why the introduction of the lesser-known EU Directive on the security of networks and information could have just as serious implications for the non-compliant.
When hackers unleashed the now notorious WannaCry ransomware cyber attack in 2017, it caused widespread disruption at major companies and public bodies across the world, including the National Health Service in the UK.
Around a third of health trusts in England were affected with thousands of computers disabled by the attackers, who demanded payments to bring services back online. The incident resulted in around 6,900 NHS appointments being cancelled.
In a bid to minimise the impact of such attacks and to ensure the continuity of essential public services, the Network Information Systems Regulations 2018 came into force in the UK on 10 May 2018 (the “NIS Regulations”). The NIS Regulations implemented much of the EU directive on the security of Networks and Information Systems.
Implemented in the same month as the widely publicised GDPR, the Regulations focus on protecting services which, if disrupted, could cause significant damage to the economy or to the welfare of society or individuals.
They place new obligations on Operators of Essential Services (OESs), such as energy providers, transport services, healthcare, water supply and distribution, and digital infrastructure.
OESs must register with their relevant competent authority ahead of the UK government’s 9 November deadline to have identified all those affected.
Relevant digital service providers (RDSPs), such as search engines, online marketplaces and cloud computing services, are also required to comply and have until 1 November to register with the Information Commissioner’s Office.
The WannaCry attack illustrated how public infrastructure could be impacted by a cyber attack, but it was not an isolated incident.
In 2016, a major part of the electricity grid in the Ukrainian capital Kiev was disabled when it was targeted by the Industroyer malware attack.
Earlier this year, meanwhile, the US sustained what was considered one of the most disruptive cyber attacks ever to strike American public services when hackers used the SamSam ransomware to disable computers.
The NIS Regulations aim to reduce the vulnerability of UK infrastructure by requiring those organisations that are subject to the rules to take appropriate and proportionate measures to ensure the security of network and information systems.
There is also a duty to report any security breaches to the relevant authorities within 72 hours of becoming aware that the incident has occurred.
For those bodies that do not comply with the rules, the financial penalties can be considerable. At the low end of the scale, any contravention which does not actually result in an ‘NIS incident’ could still lead to a fine of up to £1 million.
For the most severe breaches of the rules – those deemed to have caused, or considered likely to cause, a threat to life or a “significant adverse impact on the United Kingdom economy” – penalties of up to £17 million are applicable.
Although the NIS Regulations relate to loss of services rather than loss of data, where a breach also results in the loss of sensitive information it is likely to contravene the GDPR as well, meaning fines could escalate yet further.
It is crucial, therefore, that OESs and RDSPs consider not only their own requirements under the NIS Regulations but also the third-party contracts to which they are party, in order to ensure that those contracts contain appropriate provisions enabling them to meet their NIS obligations. Where those contracts also involve the processing of personal data, OESs and RDSPs need to ensure that the agreements comply with both the NIS Regulations and the GDPR.
Seeking professional guidance will assist in the process and ensure those that provide essential public services are less vulnerable, not just to cyber attack, but to penalties for not complying with the NIS Directive.
The Corporate and Commercial team at Arthur Cox is well positioned to advise on the emerging information law trends in Northern Ireland and throughout the UK. Please call +44 28 9023 0007 for further information from Lynsey or your regular Arthur Cox contact.