It has been reported that nine cyber-attacks affecting the British transport sector were missed by the UK’s mandatory reporting laws and were only disclosed to the government on a voluntary basis, Sky News has learned. A law introduced three years ago was intended to boost Britain’s ability to defend itself from the foreign states and criminal hackers by obliging critical infrastructure organisations to report incidents.
<p>The inherent loophole in mandatory breach disclosure is the subjective measure of what constitutes a “substantial breach” upon which you must notify. The added complication is the requirement to notify within 72 hours of the breach being discovered when you may not have an understanding of the extent of the breach in this timeframe or when the full substance of the breach may not be understood. The subjective measure of substantiality may also be an incentive not to divulge the extent of the breach to avoid paying fines that form part of the NIS legislation. NIS2, an update to the current NIS legislation, introduces penalties for non compliance with best practises, and so it will incentivise organisations to adopt defensive in-depth practises or face similar fines, taking the emphasis away from divulging breaches and pushing towards cyber resilience.</p>