The UK's data protection authority, the ICO, has a number of Memorandums of Understanding (MoUs) which outline responsibilities and agreements it has with other national and international authorities1. A MoU is a statement of intent and does not give rise to legally binding obligations.
On 12 September 2023, the ICO, and the UK's National Cyber Security Centre ("NCSC") signed a MoU2 which sets out the broad principles of collaboration between the organisations and formalises a framework governing the sharing of information and intelligence between them.
The MoU reaffirms and strengthens the existing relationship already demonstrated between the ICO and NCSC. For example, in June 2022 the ICO and NCSC wrote a joint letter to the Law Society and Bar Council asking it to remind its solicitor and barrister members that they should not advise their clients to pay ransomware demands should they fall victim to a cyber-attack3. The joint letter highlighted the risks of breaching financial sanctions by paying a ransom demand and emphasised that payment is not seen as a step which mitigates any potential harm to data subjects, and will not help the organisation avoid regulatory repercussions.
So what does the MoU mean in practice for organisations who experience a cyber incident? We highlight below three points of particular interest:
1. Reporting incentives
Whilst organisations are under a legal obligation to report personal data breaches to the ICO within 72 hours (unless the breach is unlikely to pose a risk to individuals' right and freedoms), there is no equivalent reporting obligation to the NCSC. The MoU however commits the Commissioner to incentivise and "encourage appropriate engagement with the NCSC on cyber security matters, including the response to cyber incidents".
Such incentives include the ICO's commitment to explore reducing regulatory fines for organisations that demonstrate meaningful engagement with the NCSC and to publicise this approach:
"Specifically, the Commissioner will publicise (on its website, in guidance, and in relevant press releases) that it looks favourably on victims of nationally significant cyber incidents who report to and engage with the NCSC and will consider whether it can be more specific on how such engagement might factor into its calculation of regulatory fines."
Whilst we recommend to our clients who are have suffered a cyber-attack to engage with law enforcement, not least in an effort to assist with their intelligence gathering for wider public benefit, the MoU re-enforces the need for organisations to incorporate reporting to the NCSC as part of their breach response plans; what is new is the incentive that such co-operation might result in a reduction to a regulatory sanction later down the line.
2. The benchmark for "appropriate" cyber security
The ICO will continue to assess what cybersecurity measures are 'appropriate', and will do so by reference to the NCSC's technical standards and guidance, such as the Cyber Assessment Framework ("CAF"), and an organisation's use of the NCSC's accredited training courses and assurance providers.
Where the ICO makes an assessment based on CAF, but diverges from it in a material way, it will discuss the reasons for divergence with the NCSC in an effort to resolve any differences in approach. The MoU states that the Commissioner will promote the NCSC's technical guidance and standards as well as encouraging organisations to engage with the NCSC in relevant cyber security forums and working groups.
3. Information Sharing
Under the MoU, the NCSC will share relevant cyber threat intelligence with the ICO and in turn, the ICO will share information about cyber security incidents with the NCSC (both on an anonymised, systemic and aggregated basis, and on an organisation specific basis, where appropriate), to assist the NCSC's role in helping to reduce harm from cyber security incidents, and under the Network and Information Systems (NIS) Regulations. Notably, any information that is directly or indirectly provided to the ICO by, or that relates to the NCSC, is exempt from freedom of information requests under FOIA4.
Historically, there has been a reluctance by organisations to consult with the NCSC in relation to cyber incidents, due to concerns that the details will be disclosed to the ICO. However, the NCSC is not a regulatory body and importantly the MoU confirms that the NCSC "will not share information from an organisation it is engaged with due to a cyber incident with the Commissioner unless it has the consent of the organisation to do so."
Organisations can therefore seek guidance from the NCSC and benefit from its expertise in the midst of and in the aftermath of a cyber-attack, with the comfort that specific information regarding the incident will not be shared with the regulator. The MoU also confirms the position that the NCSC and ICO will consult each other before making any public communications about a specific incident.
Time will tell how effective the MoU is in contributing to combatting cybercrime, change cyber security cultures and improving the UK's cyber resilience. However, we see it as a welcome step that the two bodies are working together to share information designed to raise security standards, combat cybercrime, and offer a potential incentive to those who cooperate.
