UK Gov: Firms could face £17M fine if cyber security is not up to scratch

The UK government has today warned that businesses that fail to protect themselves adequately from cyber attacks could face a £17 million fine or 4% global turnover.

This government pledge is mainly aimed at ensuring critical infrastructure, such as energy, water, transport and health are protected from increasingly successful hacking attempts, as was seen in Ukraine.

It was also announced that firms will be required to produce a strategy on how they expect to recover from power failures and environmental disasters. This perhaps stems from the increasingly disruptive outages effecting organisations, most recently seen with British Airways.

>See also: UK’s new data protection laws aim to give more control

However, Digital Minister Matt Hancock said any fines would be a last resort. And fines would not apply to firms who had put the adequate safeguards in place, but still suffered a cyber attack.

This announcement follows the Government’s cyber security guideline plan for driverless cars and its announcement of more details concerning the UK’s Data Protection Bill. It Hancock’s ambition, seemingly, to make the UK the “safest place in the world”.

He said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack.”

Commenting on this latest government announcement, Sarah Armstrong-Smith, ‎head continuity and resilience at Fujitsu UK & Ireland, said this latest warning from the The Department for Digital, Culture, Media & Sport “demonstrates the reality we now all live in, where cyber attacks and data breaches are always going to be a threat. The worrying reality is that security is often an afterthought and security fundamentals are still not being followed such as changing default passwords. Hopefully the news of such fines will wake organisations up to the seriousness of the consequences from a financial stand point, never mind a reputational one.”

“In security we talk about when not if a security breach will occur, but that does not mean organisations should not be taking all the necessary precautions to limit the potential impact of a breach. In fact, the fast approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems. Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.”

>See also: UK Government issues cyber security guidelines for driverless cars

“Now is the time for organisations to stop being hunted and instead become the hunter when it comes to cyber security. Ensuring a compliant business environment, that will help protect the services that we depend on as a nation.”

Cyber security measures should already be in place, but lack of education and lack of security innovation has meant that nearly half (46%) of British businesses discovered at least one cyber security breach or attack in the past year, according to a government survey. This proportion rose to two-thirds among medium and large companies.

Gordon Morrison, director of Government Relations at McAfee confirms that“Recent global cyber events have highlighted the need to protect essential services from cyberattack. It is not surprising that the government is introducing greater responsibilities to organisations providing essential services and penalties to firms that suffer cyberattacks without adequate security measures being in place. This new regulation will potentially prove crucial in ensuring that a minimum standard of cybersecurity is maintained and help avoid unnecessary disruption to these essential public services.”


The UK’s largest conference for tech leadershipTech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here



Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...