News: Culture committee wants CEOs’ pay linked to effective cyber security.
A report by the Culture, Media and Sport Committee has recommended fines for companies that fail to guard against cyber attacks, and further recommended that CEOs’ salaries be linked to effective cyber security.
The report, the result of an inquiry triggered by the high-profile TalkTalk data breach, also stressed the need for companies to have robust strategies and processes in place, stating that it is ‘not enough for companies to say they weren’t aware’ following disclosure of a data breach.
It also recommended that victims of a data breach should be able to access compensation easily, and that the Information Commissioner’s Office (ICO) should have a system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.
The Committee used the massive TalkTalk hack as a case study for lessons to be learnt. Jesse Norman MP, Chair of the Committee, said:
"Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
"As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds."
However, the report did not focus only on companies: those stealing and selling data were also in the committee’s firing line. The report recommended a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data.
The Snoopers’ Charter, or Investigatory Powers Bill, also appeared in the list of recommendations, with the MPs’ committee urgently calling on the government to address vulnerabilities in the massive new data pools created by the IP Bill.
Welcoming the report, Talal Rajab, head of cyber and national security, techUK, said: "Today’s report by the Culture, Media and Sport Committee highlights the importance of good cyber-security practices for businesses of all sizes that have an online presence or service.
"The report rightly recommends that CEOs put cyber-security at the top of their agenda and assign full day to day responsibility of cyber-security to a dedicated professional. Under proposals in the upcoming Investigatory Powers Bill, companies may be required to store large pools of data that are vulnerable to attack. To maintain user confidence in digital services, and the growth of the UK’s digital economy, companies must have appropriate cyber-security policies and processes in place".