Government proposes penalties as ‘last resort’ for those failing to adequately assess risks and prevent damage
British organisations could face fines of up to £17m, or 4% of global turnover, if they fail to take measures to prevent cyber-attacks that could result in major disruption to services such as transport, health or electricity networks.
But the proposals, which are being considered as part of a government consultation launched on Tuesday, say that financial penalties will be used as a “last resort” and not applied if organisations facing an attack can prove they assessed the risks adequately.
The move comes after the NHS became the highest-profile victim of a global ransomware attack, which resulted in operations being cancelled, ambulances being diverted and patient records being made unavailable.
The coordinated attack that infected a large number of computers across the health service was linked to WannaCry malicious software.
The issue came to the fore again after a major IT failure at British Airways left 75,000 passengers stranded and cost the airline £80m – although the company blamed a power supply issue rather than a cyber-attack.
The consultation will also focus on system failures, with requirements for companies to show what action they are taking to reduce the risks.