The UK Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have signed a joint Memorandum of Understanding (MoU) setting out how both organisations will cooperate in the aftermath of major cyber incidents. Announced yesterday by the ICO, the agreement contains a commitment from the NCSC that it will never pass on to the commissioner’s office information that a third party shared with it in confidence, unless it has that organisation’s permission to do so.
Under the new MoU, the ICO will also incentivise proactive engagement by businesses with the NCSC on all things cybersecurity. This will include exploring how the commissioner’s office can “transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties” for breached businesses. The ICO has also committed to sharing information with the NCSC about cyberattacks “on an anonymised and aggregate basis”, though it added that this will extend to incident-specific details when “the matter is of national significance”.
“We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cybersecurity and stay secure,” said ICO commissioner John Edwards in a statement. “This Memorandum of Understanding reaffirms our commitment to improve the UK’s cyber resilience so people’s information is kept safe online from cyberattacks.”
From a business perspective, the new agreement between the ICO and NCSC will help businesses to work together with regulators rather than fight them, said Andy Kays, CEO of Secura, a UK-based threat detection and response business.
“Everyone in cybersecurity agrees that organisations need to be more open and honest about breaches,” said Kays, in a statement. “We know that they happen, but when an organisation hides a breach, it always results in worse outcomes for them, their partners, and their customers. Being transparent is the best way for everyone to learn about, and learn from, major incidents.”