When managing a cyber incident, one pressing issue to consider is "who needs to be notified?" Clients are often prepared to discuss whether or not regulators and customers should be informed, but can be less certain when discussing whether to notify the National Cyber Security Centre ("NCSC"). A concern we sometimes hear is "if we tell the NCSC, will it tell the ICO?" The clear answer from both organisations, in a new MOU published on 12 September, is "no".
The MOU reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO without first having sought that organisation's consent. It explicitly states that, while the NCSC will remind organisations to be mindful of their regulatory obligations, it will not opine on whether a particular organisation is under a regulatory duty to notify, and will not notify the ICO itself. The organisation's own duty to assess and, where required, report to the ICO is therefore unchanged.
Unlike the ICO, the NCSC is not a regulator. As part of GCHQ, it is the UK’s technical authority for tackling cyber threats and its focus is therefore on defending the UK from cyber risks. It provides guidance and assistance in this area and can help organisations increase their cyber resilience, including when managing an incident. The ICO has therefore agreed to encourage organisations to engage with the NCSC, for example by:
- ensuring that the ICO's incident response phase allows organisations to prioritise engagement with the NCSC (and their incident response providers) in the immediate aftermath of an incident, so that they can focus on mitigating harm, identifying the root cause and taking appropriate steps to prevent the incident recurring; and
- exploring how it can demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties. It has agreed, for example, to publish on its website (and in its guidance and press releases) that it will look favourably on victims of nationally significant cyber incidents who report to, and engage with, the NCSC. The ICO will also consider whether it can be more specific on how such engagement might factor into its calculation of regulatory fines.
Other points mentioned in the MOU include the two organisations agreeing to work together to enhance the cyber security guidance that is available and to encourage its adoption. They also agree to "deconflict" when both are involved in the same incident, and to share information on a number of fronts. For example, the ICO will share information with the NCSC to support its visibility of UK cyber attacks, both on an anonymised/aggregated basis and by sharing incident-specific details where the matter is of national significance.