The UK Government has published a review of cyber security regulation and incentives, which considered “whether there is a need for additional regulation or incentives to boost cyber risk management in the wider economy.”
The Review concludes that “significant improvements in cyber risk management can be achieved through the implementation of the forthcoming General Data Protection Regulations (GDPR),” citing two features of the GDPR as likely to be effective in encouraging better cyber security behaviours: the new requirement to report significant personal data breaches to the Information Commissioner’s Office (ICO), and the substantial financial sanctions available for non-compliance. In addition, the Review states that the GDPR “will be supplemented by a number of measures to more clearly link data protection with cyber security, including through closer working of the ICO and the National Cyber Security Centre (NCSC).”
Government does not intend to create any additional regulation beyond the GDPR, concluding that further regulation would have limited effect and would be unlikely to deliver benefits sufficient to outweigh the burden on business. Instead, it will pursue several new non-regulatory interventions to incentivise better cyber risk management, most of which will be delivered through the NCSC.
Government will, however, regularly review “the need for regulation and further activity in this area”, a review which “will take account of a range of factors including data from the Cyber Security Breaches Survey, evidence gathered from the application of the GDPR and the NCSC’s assessment of the security threat.”
For more information, see the Cyber Security Regulation and Incentives Review.