UK organisations could face huge fines for cyber security failures

Government proposes penalties as ‘last resort’ for those failing to adequately assess risks and prevent damage

British organisations could face fines of up to £17m, or 4% of global turnover, if they fail to take measures to prevent cyber-attacks that could result in major disruption to services such as transport, health or electricity networks.

But the proposals, which are being considered as part of a government consultation launched on Tuesday, say that financial penalties will be used as a “last resort” and not applied if organisations facing an attack can prove they assessed the risks adequately.

The move comes after the NHS became the highest-profile victim of a global ransomware attack, which resulted in operations being cancelled, ambulances being diverted and patient records being made unavailable.

The coordinated attack that infected a large number of computers across the health service was linked to WannaCry malicious software.

The issue came to the fore again after a major IT failure at British Airways left 75,000 passengers stranded and cost the airline £80m – although the company blamed a power supply issue rather than a cyber-attack.

The consultation will also focus on system failures, with requirements for companies to show what action they are taking to reduce the risks.