Organisations agree to clarify roles dealing with cyber attacks

The CYBERUK conference is taking place for a second day in Glasgow Credit: Andrew Milligan/PA

Two organisations have announced steps to make it easier for people and organisations to know which authority to deal with if they are the victim of a cyber attack.

The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have agreed a new understanding aimed at clarifying their distinct roles in such events.

NCSC chief executive Ciaran Martin and ICO deputy commissioner James Dipple-Johnstone outlined the new agreement as they prepared to take part in the second day of the annual CYBERUK conference in Glasgow.

The NCSC manages cyber incidents of national importance, helping with the response and learning lessons to help deter future attacks.

The ICO is the independent regulator for the enforcement of data protection rules and is the authority to be notified when organisations suffer cyber attacks.

Under the commitment, the NCSC has agreed to engage directly with victims and to provide free and confidential advice.

It will also encourage impacted organisations to meet their requirements under the General Data Protection Regulation (GDPR).

Meanwhile, part of the ICO’s role will be to establish circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk.

Both organisations will share anonymised information with each other.

Mr Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.”

Mr Dipple-Johnstone added: “The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.”