UK Companies Fear Reporting Cyber Incidents, Parliament ToldFirms Fear That Involving Police in Response Will Have Regulatory Consequences
Swathes of the British private sector are reluctant to report cybersecurity incidents to law enforcement for fear of regulatory fallout, U.K. lawmakers heard during a parliamentary hearing on ransomware.
Businesses that experience a breach of personal data and online service providers undergoing a substantial cyberattack must report incidents to the Information Commissioner's Office within 72 hours.
The possibility of regulatory consequences to disclosing incidents drives a wedge between businesses and law enforcement, said Jayan Perera, head of cyber response at London-based Control Risks while testifying Monday before Parliament's Joint Committee on National Security Strategy.
"The fear may not be that law enforcement will come and slap the handcuffs on them," Perera told the committee. Rather, they fear that calling police during a cyber incident "will then lead to, you know, some other broader fallout in terms of the regulatory environment."
Reporting that allowed businesses to anonymously disclose incidents would result in more data, he suggested. If "it wasn't sort of handing themselves in to say that we've made a mistake, that perhaps there would be more sharing there."
Perera wasn't the only one during the hearing to suggest that companies are punished for disclosure.
"The comment is also made … that the Americans tend to support their businesses, whereas the other comment also made is that the U.K. tends to find fault when someone gets into trouble," said Lilian Pauline Neville-Jones, a Conservative member of the House of Lords.
"I think there's a dimension of British culture here," responded Ollie Whitehouse, chief technical officer, NCC Group, a Manchester-based cybersecurity consulting firm. But he contested Neville-Jones' characterization. "Things get mobilized, and support is provided," he said.
Monday's hearing was the first evidence session for the committee's inquiry into ransomware, which is currently accepting inputs from industry stakeholders on matters ranging from the scope and extent of ransomware attacks to developing a U.K.- wide response.
The committee is expected to hold more hearings in the coming months.
A recent report by the National Cyber Security Agency revealed that ransomware remains the biggest cybersecurity threat. This year alone, 18 attacks in the United Kingdom required national-level coordination to mitigate the malware in its critical infrastructure systems (see: Ransomware Attacks Pose Biggest Threat to UK Organizations).