Interesting article by the team at White & Case looking at the different laws that interface with cyber in the UK, including GDPR and the Network and Information Security Regulations 2018 ("NIS").
It is interesting to see how the different legal measures interact with each other and the different requirements that they place on businesses. Not only that, but they have teeth - people generally think of the GDPR fines which are up to the greater of €20 million or 4 percent of annual global turnover, but they should also not forget that a failure to meet the requirements of the NIS Regulations can result in fines up to a maximum of £17 million.
The team also lists twenty practical steps that organisations can take to help comply with the various requirements. It is important that businesses do not simply employ a tick-box approach to this, but thoroughly and independently assess where they stand in terms of cyber readiness. This is highlighted in step twelve: "Conduct regular security audits and reviews." It is important that this is performed independently and looks at security holistically - it is not something that can be done piecemeal. True, different elements of the defences can be individually tested, but to get a true view of preparedness, businesses have to review their cyber controls in a holistic manner.
Implementing a cybersecurity programme that adequately protects against would-be attackers and ensures compliance with applicable laws is one of the key challenges faced by businesses operating in the UK. This is made more complex because there is no single overarching "cybersecurity law" in the UK.