1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

There is no statutory definition of 'cybersecurity', 'cybercrime' or 'data protection' in the United Kingdom.

The UK government's National Cyber Security Strategy offers the clearest definition of 'cybercrime'. It states that 'cybercrime' consists of two interrelated forms of criminal activity:

  • cyber-dependent crimes, which can only be committed through the use of information and communications technology (ICT); and
  • cyber-enabled crimes, which are traditional crimes that are 'scaled up' by the use of ICT.

The National Cyber Security Centre (NCSC) defines a 'cybersecurity incident' as a breach of a system's security policy affecting its integrity or availability, and the unauthorised access or attempted access to a system. This means that 'cybersecurity' refers to the protection of information systems.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

The United Kingdom does not have a single cybersecurity law; rather, there is a range of key statutory and regulatory provisions.

The main pieces of legislation are:

  • the Data Protection Act 2018 (which is the United Kingdom's implementation of the EU General Data Protection Regulation (GDPR));
  • the Communications Act 2003;
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003;
  • the Computer Misuse Act 1990, as amended by the Serious Crime Act 2015;
  • the Official Secrets Act 1989;
  • the Investigatory Powers Act 2016;
  • the Regulation of Investigatory Powers Act 2000; and
  • the Network and Information Systems Regulations 2018 (SI 2018/506), as derived from the EU Network and Information Security Directive ((EU) 2016/1148).

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

The NIS Regulations 2018 transpose the requirements of the Network and Information Security Directive into UK law. These regulations impose cyber-related regulations on two classes of organisations:

  • relevant digital service providers; and
  • operators of essential services (OESs) that operate in specific sectors and meet threshold operating requirements.

Schedule 2 of the NIS Regulations applies to OESs – which include operators of essential services in the key sectors of energy, transport, health, drinking water supply and distribution, and digital infrastructure – where the operator relies on network and information systems.

Financial services are subject to security and governance obligations under the Financial Conduct Authority (FCA). The FCA Handbook contains provisions that regulate financial services for all matters. Financial services providers are obliged to report cyber-related incidents to the FCA (Principle 11 of the FCA Handbook).

The FCA advises financial institutions to use the resources available from the NCSC for general cybersecurity guidance in connection with protecting information and systems.

In the United Kingdom, the Office of Communications – the UK communications regulator – has been working with EU and international regulators to share lessons and, where possible, to harmonise approaches. Another example of regulatory collaboration in the United Kingdom is the creation of a formal body known as the Digital Regulation Cooperation Forum. Members include:

  • the Information Commissioner's Office, which leads on data protection;
  • the FCA, which deals with financial services; and
  • the Competition and Markets Authority, which deals with competition matters.

The aim of the Digital Regulation Cooperation Forum is clear, consistent and coordinated regulation. Building a collective view of important industry trends and innovations and responding to changes in the market is important. Collaboration and cooperation across governments, industry, academia and other stakeholders are at the heart of this effort.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The processing of personal data is regulated by the UK GDPR and the Data Protection Act 2018. Particularly sensitive personal data ('special category data') is subject to more stringent processing requirements than personal data. Special category data includes:

  • data revealing an individual's political opinions, race or ethnic origin, sexual orientation, sex life, religion or philosophical beliefs;
  • biometric data;
  • trade union membership data; and
  • health or genetics data (Article 9 of the UK GDPR).

Personal data relating to criminal convictions and offences is not considered special category data; however, appropriate safeguards must be in place when processing this type of personal data. These are dealt with in Sections 10 and 11 and Schedule 1 of the Data Protection Act 2018.

Classified information is regulated by the Official Secrets Act 1989 and Part 4 and Schedule 11 of the Data Protection Act 2018.

Criminal offence data is regulated by Part 3 of the Data Protection Act 2018.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

Businesses that are not incorporated or resident in the United Kingdom but that provide goods or services to UK consumers or businesses may be subject to certain UK laws which impose cybersecurity obligations. For example, the NIS Regulations impose obligations on OESs that provide services in the United Kingdom regardless of where the organisation is based. Specific advice should be sought in each case.

The Online Safety Bill – which is currently at the committee stage in the House of Lords and is expected to receive royal assent later this year – aims to deliver the government's manifesto commitment to make the United Kingdom the safest place in the world to be online while defending free expression. The key points of the Online Safety Bill include the following:

  • New rules and tailored duties for firms will be introduced, focused on minimising the presentation of harmful search results to users;
  • Platforms that fail to protect their users will have to face the regulator and could face fines or being blocked;
  • Platforms within the scope of the bill will have to remove illegal material online;
  • Platforms will be subject to a duty to protect young people using their services from legal but harmful material; and
  • The largest platforms will need to put in place proportionate systems and processes to prevent the publication of fraudulent ads. This will tackle harmful scam ads, which can have a devastating effect on their victims.

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

The United Kingdom is a party to the Budapest Convention on Cybercrime, which was signed on 21 November 2001 and came into force on 1 July 2004. The Budapest Convention is the first international treaty aimed at addressing cybercrime by:

  • harmonising national laws;
  • improving investigative techniques; and
  • increasing cooperation among nation states.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

Hacking is an offence under Section 1 of the Computer Misuse Act 1990, pursuant to which a person is guilty of an offence if he or she gains unauthorised access to a computer and proceeds to cause it to perform any function with the intent of securing access to data in the computer. Enabling this to occur also constitutes an offence.

Offences under the Data Protection Act 2018 include the intent to secure unauthorised access to personal data. Under the Investigatory Powers Act 2016, offences include intentionally diverting information without legal authority.

The penalty for hacking is imprisonment for up to 12 months or a fine not exceeding the statutory minimum, or both. Convictions on indictment carry a term of imprisonment of up to two years.

Phishing is an example of fraud by false representation. Under the Fraud Act 2006, it is an offence to commit fraud by false representation if the representation:

  • was intended to make a gain, cause a loss or expose another to a risk of loss; and
  • was dishonest.

Common examples of cyber phishing include fraudulent text messages or emails purporting to be from official organisations.

Electronic theft, such as breach of confidence or criminal copyright infringement, is an offence under the Computer Misuse Act 1990. Depending on the actions taken during the offence, the Fraud Act 2006, the Theft Act 1990 and the Copyright, Designs and Patents Act 1988 may also be engaged. In May 2022, a HSBC bank employee was sentenced to five years and eight months' imprisonment after being convicted under the act for transferring £900,000 from three customer accounts.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

The National Cyber Force – which is part of the Ministry of Defence, the Defence Science and Technology Laboratory, the Secret Intelligence Service and the Government Communications Headquarters – is responsible for operating in and through cyberspace to counter, disrupt, degrade and contest those that intend to harm the United Kingdom or its allies. The National Cyber Force's operations are conducted in line with a well-established legal framework which includes the Intelligence Services Act 1994 and the Investigatory Powers Act 2016. The work of the National Cyber Force falls into three categories:

  • countering threats from terrorists, criminals and states using the Internet to operate across borders in order to harm the United Kingdom and other democratic societies;
  • countering threats which disrupt the confidentiality, integrity and availability of data and services in cyberspace; and
  • contributing to UK defence operations and helping to deliver the United Kingdom's foreign policy agenda – for example, intervening in a humanitarian crisis to protect civilians.

The Information Commissioner's Office (ICO) is responsible for enforcing cyber statutes and regulations. Professional regulators such as the Financial Conduct Authority and the Solicitors Regulation Authority oversee cybersecurity enforcement in specific sectors.

The ICO has the following enforcement powers:

  • to impose information notices;
  • to impose assessment notices;
  • to impose enforcement notices, which can require the organisation to take or not take certain actions; and
  • powers of entry and inspection.

The sanctions that the ICO can impose may be either administrative or criminal. Administrative sanctions can take the form of fines of up to the greater of £17.5 million or 4% of the undertaking's total annual worldwide turnover in the preceding financial year. Criminal offences are set out in the Data Protection Act 2018. Individual company directors can face criminal liability and unlimited fines for breach of the Data Protection Act 2018 in addition to the organisation itself.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Where breaches of the Data Protection Act 2018 involve a private party's personal data, the data subject may lodge a complaint with the ICO. The ICO cannot award compensation. However, a finding of a regulatory breach may be used in subsequent civil or criminal proceedings brought by the data subject. A finding by the ICO that there has been a breach is not a prerequisite for a civil claim or criminal prosecution. A data subject can bring proceedings against a data controller or processor for material or non-material damage (including distress).

Employers are directly responsible for employees who process data on behalf of the employer as a data controller. The only exception to this is where an employee 'goes rogue' and acts in a way that is outside the employer's control (Various Claimants v Morrisons [2020] UKSC 12).

2.3 What defences are available to companies in response to governmental or private enforcement?

Section 2(3) of the Official Secrets Act 1989 provides as follows:

It is a defence for a person charged with an offence under this section to prove that at the time of the alleged offence he did not know, and had no reasonable cause to believe, that the information, document or article in question related to defence or that its disclosure would be damaging within the meaning of subsection (1)

Section 170 of the Data Protection Act 2018 provides as follows:

(1) It is an offence for a person knowingly or recklessly—

(a) to obtain or disclose personal data without the consent of the controller,

(b) to procure the disclosure of personal data to another person without the consent of the controller, or

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

Therefore, it is a defence for a person to prove that a regulatory breach was:

  • necessary for the purposes of preventing crime;
  • required or authorised by enactment by a rule of law or court order; or
  • justified in the public interest.

Further defences include where the person acted in the reasonable belief that:

  • it had a legal right to obtain the data; or
  • it had the consent of the controller.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

In comparison to the 'mega' fines imposed in the European Union and the United States, the Information Commissioner's Office (ICO) maintains a risk-based approach to enforcement action. The former commissioner of the ICO, Commissioner Denham, stated that the ICO must reserve the most serious sanctions for those that mishandle or misuse data. The monetary penalty notices published by the ICO in 2022 focused on:

  • large-scale organisations that handle and process large quantities of data, where there is an expectation of a substantial General Data Protection Regulation implementation strategy; and
  • organisations that should be aware of the higher risks inherent in processing sensitive data.

In February 2022, the UK Supreme Court dismissed an appeal by Bloomberg and ruled that a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation. The data subject brought a claim against Bloomberg for misuse of private information.

The decision means that reporters will be prevented from reporting on potential wrongdoing by some of the United Kingdom's most influential individuals. The Society of Editors raised concerns that the ruling goes against open justice and there is a risk that the bar is now so high for privacy cases that legitimate public interest journalism will cease to be reported.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

  • On 4 April 2023, the ICO fined Chinese-owned company TikTok £12.7 million for multiple breaches of data protection law, including using the personal data of children under the age of 13 without parental consent. The ICO estimates that up to 1.4 million UK children are using TikTok without parental consent.
  • In October 2020, the ICO fined British Airways £20 million after it ruled that the airline had failed to protect customers' personal data. It was found that personal data was being processed without adequate security measures in place.
  • In 2019, Marriott Hotels was fined £18.4 million by the ICO for failure to protect customer data. It is believed that up to 7 million exposed guest records belonged to UK-based customers.
  • In 2022, Lloyd's of London experienced a significant cyber breach.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

In 2012, the government published 10 Steps to Cyber Security (now complemented by Common Cyber Attacks: Reducing the Impact), which provides general best practice advice. Sector-specific standards and best practice guidelines are increasingly relevant. The National Cyber Security Centre, part of the Government Communications Headquarters, provides guidance on the reporting of cyber incidents.

Useful guidance on industry standard development is set out in:

  • the United Kingdom's government-backed, industry-supported Cyber Essentials and Cyber Essentials Plus Schemes, with their cyber liability insurance; and
  • guidelines issued by the National Cyber Security Council and by the Information Assurance for Small and Medium Enterprises consortium.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

The United Kingdom implemented the Cyber Essentials Scheme to support voluntary assessment and cybersecurity programme certification.

The UK National Cyber Strategy 2022–2030 envisages the United Kingdom as a leading democratic cyber-power that can protect and promote its interests in and through cyberspace in support of national goals. It sets out five pillars:

  • Pillar 1: Strengthening the UK cyber ecosystem;
  • Pillar 2: Building a resilient and prosperous digital United Kingdom;
  • Pillar 3: Taking the lead in the technologies vital to cyber power;
  • Pillar 4: Advancing the United Kingdom's global leadership and influence for a more secure, prosperous and open international order; and
  • Pillar 5: Detecting, disrupting and deterring adversaries to enhance UK security in and through cyberspace.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

There are no specific legal duties for proactive cyber compliance for directors. However, cyber resilience is increasingly seen as part of an organisation's environmental, social and governance framework. Corporate officers – particularly directors – are under a duty to act in the best interests of the company they serve. Failure to ensure proactive cyber compliance and effective cyber resilience could result in a breach of the traditional duties of corporate officers and directors.

Responsibility standards for financial services company directors and senior management officials are set out in the Senior Management Arrangements, Systems and Controls Sourcebook.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Publicly listed companies are subject to additional governance obligations. Any information that they publish must comply with applicable regulations to prevent pricing inaccuracies or market distortion and protect consumers. These rules impose obligations that indirectly require businesses to secure their IT systems or disclose details of security vulnerabilities. Examples of such regulations include:

  • the Financial Conduct Authority Listing Principles;
  • the UK Corporate Governance Code (especially Provisions 28 and 29);
  • the Disclosure and Transparency Rules;
  • Section 90 of the Financial Services and Markets Act 2000; and
  • the Companies Act 2006.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

The Cybersecurity Information Sharing Platform is a tool for companies to exchange cyber threat information. It was established as a joint venture between government and industry by the UK National Cyber Security Centre.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

The National Cyber Security Centre defines a 'cybersecurity incident' as a breach of a system's security policy that is carried out to affect the system's integrity or availability and the unauthorised access or attempted access to a system. A 'personal data breach' is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In the event of a personal data breach which risks serious harm to the data subjects, there is a mandatory legal duty to report this to the Information Commissioner's Office (ICO) within 72 hours of the controller becoming aware of the breach.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

Organisations must notify the ICO of a personal data breach by filling in a personal data breach notification form as stipulated by the UK General Data Protection Regulation (GDPR). Where notification is required, the UK GDPR requires data controllers to communicate personal data breaches to the data subjects without delay. The notification should detail:

  • the nature of the personal data breach; and
  • recommendations to mitigate potential adverse effects.

In order to reduce the risk of damage to a data subject, it is crucial that data controllers communicate with the data subject promptly. Organisations must provide the following information to the ICO following a breach:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of individuals concerned;
  • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if applicable) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, actions taken to mitigate any possible adverse effects (Article 33(3) of the GDPR and Section 67(4) of the Data Protection Act 2018).

Action Fraud is the national fraud and cybercrime reporting centre in the United Kingdom. Serious and complex cases are referred to the National Crime Agency's Cyber Unit.

5.3 What steps are companies legally required to take in response to cyber incidents?

Cyber-incidents must be reported to the ICO. The ICO has published a self-assessment form for data controllers and a data security breach reporting form. There are also sector-specific requirements.

Companies should also share their incident on the cybersecurity information sharing platforms. Financial firms must report cyber-incidents to the Financial Conduct Authority (FCA) (Principle 11 of the FCA Handbook). If an incident may have a detrimental impact on a company's reputation there is a duty to report the incident under Supervision Manual Provision 15.3.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

The legal duties of corporate officers and directors with respect to cyber-incident responses depend on the nature of the breach and the sector concerned. Specific advice should be sought in each case.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

In the United Kingdom, organisations are permitted to take out insurance against cyber-incidents. Cyber insurance is a slightly double-edged sword, in that hackers are often capable of identifying cyber insureds and target them precisely because they have cyber insurance. Cyber insurance is becoming increasingly difficult to price, leading to a protection gap which needs to be addressed as a societal issue as well as a commercial one.

There is disagreement as to whether regulatory fines are generally insurable. A person cannot insure against liability for committing a crime. Consequently, under the Data Protection Act 2018, fines for criminal offences are not insurable. In Patel v Mirza [2016] UKSC 42, it was held that administrative fines will not be insurable for reasons of public policy. FCA-administered fines are not insurable.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

In a consultation paper published on 7 February 2023, the Home Office proposed three main changes to the Computer Misuse Act 1990. The first change will enable law enforcement agencies to take control of domains and IP addresses that are being used by criminals for illegal activity. It also includes provisions to allow public authorities to take down such domains and prevent the creation of further domains for criminal use. The second proposal is to increase the severity of penalties for taking or copying data. The current penalty under the act is a fine and a maximum of two years' imprisonment. Arguably, this does not reflect the seriousness of the threat and the difficulty in taking action. The third proposal gives law enforcement agencies the power to require those in control of data to preserve that data in an unaltered state for use in investigations.

One of the difficulties with the proposed reforms is likely to be extraterritorial enforcement. Although the victims may be in the United Kingdom, cybercrimes may involve actors outside the United Kingdom. Consequently, jurisdictions will have to cooperate.

Artificial intelligence-enabled programmes, such as ChatGPT, are some of the fastest-growing consumer applications disrupting traditional ways of doing things. Since its release in November 2022, ChatGPT has been embraced by a number of sectors and consumers. Potential threats posed by chatbots, including the accuracy of the information provided, will need to be closely monitored.

At the time of writing, there appear to be close to 100 'deep fake' software versions in existence. These enable the creation of a 'double' of a person in a manner which credibly sounds like the person in question. These developments should be closely monitored and every effort made to verify identity in all dealings at all times.

The Financial Services and Markets Bill is currently at the report stage in the House of Lords. Part 6, Section 65 deals with crypto-assets in the context of regulated activities and financial promotion. Cyber resilience is an integral part of any digital asset.

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

  • The human factor: No cybersecurity system is free from human behavioural risk. The best way to address this is through education and training across the organisation – top down and bottom up.
  • The rise of artificial intelligence (AI) processes in organisations: The best way to address this is to deploy AI wisely and monitor its usefulness within the organisation on a dynamic basis.
  • Communication within the organisation: Silos often create unnecessary cyber and other risks. The best way to address this is through education and training.

Cyber resilience should be seen as a board-level issue which is looked at in a dynamic, proportionate, risk-based manner, instead of merely being an IT issue addressed annually or at other lengthy intervals. Cyber resilience is the responsibility of everyone within an organisation, including those within the supply chain, from basic service providers to the chief executive.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.