#Infosec2025: Government Catching up in Regulation and Legislation Creation

Businesses encouraged to tell legislators what they need from regulations.


The EU has spent years restricting data sharing and now wants to open the floodgates, which puts businesses in a really difficult place.

According to Jonathan Kewley, co-chair of the global tech group at Clifford Chance, the complexity of cyber security regulation, combined with the lack of security thinking in other regulation, puts businesses in an unprecedented and highly exposed position.

Catching Up

Speaking in a fireside chat at Infosecurity Europe in London last week, Kat Sommer, group head of Government Affairs at NCC Group, said that the overlap of regulations, legislation and policy initiatives is very real, and “that is a result of government catching up.”

She said: “If you think back to about a decade ago, I think there was still that belief in government that the market would take care of it, that the demand from customers would solve the cyber challenges, would make businesses resilient. That obviously hasn't happened, as we've seen, so government then decided to step in and at the beginning took a very ‘we need to solve this for you, so we're going to force you to do the right thing’ approach.

“I think what's changed in the last maybe 18 months or so is a very clear desire from government to engage with industry. We hear a lot about the whole of society approach, we hear a lot about a multi-disciplinary approach to cyber. Regulation and legislation is a key part of government's toolbox, but they are now actively trying to reach into industry and organisations and say, ‘let's do this together.’

Outreach

Sommer praised the UK government for actively reaching out to the cyber community to make regulations better.

Asked by Kewley whether the UK government's action is misplaced, given that the laws of blocs like the EU apply anyway, Sommer said yes and no: yes in the sense that the vast majority of businesses that will be regulated operate cross-border, and will have to comply with UK legislation as well as with US and European regulations.

“Adding a separate UK law, maybe not so well received,” she said. “Just to add another layer to it, but a UK voice I think in cyber in particular is very well respected around the world, so the fact that the UK is taking that leading voice and trying to chart a path in terms of finding good solutions to the cyber challenges through policy initiatives through legislation, I think, should not be underestimated.”

Operations

Asked which regulation a company should follow, Sommer said it depends on where your operations are, and where the hub of your operations is.

“The probably slightly more sophisticated or advanced approach is to look at the overarching trends we're seeing in all these regulations. Find the common denominators, and if you're setting out your Global Security Program, build it on that basis; which means you only need to do it once.”

Stating that if the Cybersecurity and Resilience Bill had been law the M&S attack probably still would have happened, Sommer said that regulation, and the threat of fines, is a catalyst for a lot of organisations.

“It is a catalyst,” she said. “It is empowering CISOs and the people looking after security to go to their board and go ‘hey, you've ignored us for the past five years! Guess what, you can't do that anymore!’”

Kewley said some of this legislation is just not very well thought through, and asked, if you're a business dealing with this, “should we all sit back passively and like bring it on?”

Unintended Consequences

Sommer encouraged delegates to engage with those writing policy, as policymakers can only ever know so much: “so if you don't go in and tell them what the potential unintended consequences are, what the real world is looking like, how potentially technology has evolved, how threat actors have evolved, how are they going to know?”

She said that if she were in government, the comment she would make back to industry is to tell them how to do this better, “and I do think that the trend we have seen is a genuine willingness to co-create, and I think that is a real shift in my view.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
