
Rail network cyber attacks may have triggered notification threshold under new network and information security laws, says expert


According to a report by the Telegraph, cybersecurity company Darktrace said that the UK rail network was the subject of at least four cyber attacks in the past 12 months.

Cybersecurity specialist Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that if the EU’s recently finalised Network and Information Security (NIS) Directive was already implemented and in force in the UK then the cyber attacks may have needed to have been flagged by the organisation running the systems under attack.

Hon said, though, that in light of the UK’s vote to leave the EU it is not yet clear whether the UK will implement the NIS Directive into national law.

“Assuming the UK implemented the NIS Directive, if the railway company concerned was designated by the UK as an operator of essential services, or falls within any criteria issued by the UK for that purpose, it would have to notify incidents having a significant impact on the continuity of the essential services they provide,” Hon said. “Rail is certainly one of the sectors envisaged under the Directive as having ‘critical infrastructure’ in need of protection.”

“Under the Directive ‘incident’ means any event having an actual adverse effect on the security of network and information systems. So the incident first has to have had an actual adverse effect on the ability of the company’s network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored/transmitted/processed data or related services on those systems, before the notification requirement is triggered,” she said.

Hon said it is important for companies to have “systems that will track and log accesses and operations on data, to work out if there was an impact on confidentiality or integrity” of data, as well as for monitoring network intrusions and maintaining availability against, for example, distributed denial of service attacks.

“If there was no significant impact on the continuity of an essential service – the Directive spells out certain minimum factors to help decide when an incident should be considered ‘significant’ – then notification is not necessary, although some organisations may wish to do so anyway,” she said.

Hon said that even if notification requirements are not triggered under the NIS regime, operators of essential services may still face penalties for a breach of their security obligations under the Directive.

As well as determining which organisations in their jurisdiction are ‘operators of essential services’ and subject to the NIS Directive rules, EU countries must set their own “effective, proportionate and dissuasive” penalties for infringement.

The NIS Directive requires operators of essential services to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.

Those operators will also need to “take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services”, for instance encryption and resilience and business continuity measures.

Technology law expert Luke Scanlon of Pinsent Masons assessed which businesses can expect to be subject to the new NIS Directive earlier this year.


© 2017 Lawyers Society. Theme by Anders Norén.