Swathes of the British private sector are reluctant to report cybersecurity incidents to law enforcement for fear of regulatory fallout, U.K. lawmakers heard during a parliamentary hearing on ransomware.
Businesses that experience a breach of personal data and online service providers undergoing a substantial cyberattack must report incidents to the Information Commissioner’s Office within 72 hours.
The possibility of regulatory consequences from disclosing incidents drives a wedge between businesses and law enforcement, said Jayan Perera, head of cyber response at London-based Control Risks, speaking Monday before Parliament’s Joint Committee on National Security Strategy.
“The fear may not be that law enforcement will come and slap the handcuffs on them,” Perera told the committee. Rather, they fear that calling police during a cyber incident “will then lead to, you know, some other broader fallout in terms of the regulatory environment.”
A reporting channel that allowed businesses to disclose incidents anonymously would yield more data, he suggested. If “it wasn’t sort of handing themselves in to say that we’ve made a mistake, that perhaps there would be more sharing there.”
Perera wasn’t the only one during the hearing to suggest that companies are punished for disclosure.
“The comment is also made … that the Americans tend to support their businesses, whereas the other comment also made is that the U.K. tends to find fault when someone gets into trouble,” said Pauline Neville-Jones, a Conservative member of the House of Lords.
“I think there’s a dimension of British culture here,” responded Ollie Whitehouse, chief technical officer of NCC Group, a Manchester-based cybersecurity consulting firm. But he contested Neville-Jones’s characterization. “Things get mobilized, and support is provided,” he said.
Monday’s hearing was the first evidence session of the committee’s inquiry into ransomware, which is currently accepting input from industry stakeholders on matters ranging from the scope and extent of ransomware attacks to the development of a U.K.-wide response.
The committee is expected to hold more hearings in the coming months.
A recent report by the National Cyber Security Centre found that ransomware remains the biggest cybersecurity threat to the U.K., with 18 attacks this year alone requiring national-level coordination to mitigate their impact on critical infrastructure systems.