Brexit May Heighten U.K. Corporate Cybersecurity Risks

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

Nov. 3 — Brexit may significantly increase U.K. companies' exposure to cybercrime, cybersecurity practitioners tell Bloomberg BNA.

British companies must keep their focus on their own cybersecurity defense strategies and not be distracted by the hubbub surrounding the country's pending departure from the European Union, they say.

Cybersecurity impacts of Brexit

“Many businesses are distracted by the activities resulting from the Brexit,” Dwayne Melancon, vice president of products for Portland, Ore.-based software provider Tripwire Inc, said. “Attackers often strike while organizations are distracted,” he said.

There have already been “some creative phishing and spear phishing campaigns capitalizing on the interest and fears resulting from the Brexit,” Melancon said. There may also be lingering resentment about Brexit from the countries remaining in the EU and it may lead to “a retaliatory hack,” he said.

Brexit also raises questions about how the U.K. will address cybercrime, cybersecurity and terrorism if ties are broken with the European Union's law enforcement agency Europol. In addition, cybersecurity concerns would increase if companies aren't bound by the new the new cybersecurity framework mapped out under the Network and Information Security Directive (NISD) or the forthcoming reworked EU privacy regime, the General Data Protection Regulation (GDPR), the practitioners said.

Brexit also may have more obscure consequences, such as ending easy hiring of cybersecurity pros across European borders, they said.

Information Sharing at Risk?

“Rapid information-sharing is a very important part of the fight against cybercrime,” Paul Glass, a partner in the Disputes and Investigations group at Taylor Wessing LLP in London, told Bloomberg BNA. “If the terms of Brexit mean that the U.K. will lose access to the full scope of the current information-sharing system, then there is a real risk that U.K. businesses are exposed,” Glass, who specializes in privacy and cybersecurity issues, said.

David Evans, director of policy & community at BCS, the U.K.’s Chartered Institute for Information Technology, said that although “exit from the EU will not prevent future cooperation” with EU countries, there are “risks that it could make such cooperation more difficult.”

A related but not so obvious consequence of more difficult cooperation may involve employing cybersecurity specialists. “Being able to employ highly skilled information security professionals is very necessary,” Evans told Bloomberg BNA. “Exit from the EU may, depending on how negotiations go forward, make hiring from across Europe more difficult.”

U.K.-Europol Cooperation

One of the British government's main security priorities post-Brexit will be to ensure that the U.K. has “continued access to and contribution to information sharing” to help combat terrorism and extremism, a Home Office parliamentary committee said in a report issued after the Brexit vote.

As the EU's primary law enforcement agency, Europol plays a central role in combatting cybercrime and terrorism.

The U.S. “has a high status in Europol, despite being outside the EU,” the committee said in its report, urging that the “U.K. should aim to emulate this position on leaving the EU.”

According to Glass, Europol appears to agree with this analysis. He cited recent efforts by Philipp Amann, senior strategic analyst and team leader for strategy and development at Europol's European Cybercrime Centre, to put “in place operational agreements to allow the U.K. to continue to participate in Europol in some form or another.”

BREXIT TIME LINE

  •  1973—Great Britain joins the European Community
  •  June 23, 2016—U.K. votes in referendum to leave the European Union
  •  Oct. 2, 2016—Prime Minister Theresa May promises to formally invoke separation process before the end of March 2017
  •  Nov. 3, 2016—U.K. High Court rules Parliament must approve move to invoke separation from the EU

But Glass said that the “question is what form those agreements take.” The fact that Europol is subject to oversight and control by EU countries means that even if the U.K. “had full information access, it would probably be in a weaker position to guide Europol than it is now,” he said.

But, “many take the view that the U.K. leads the rest of Europe in intelligence gathering, so arguably the rest of the EU stands to lose out more than the U.K. – failure to share information hurts both sides,” he said.

The chances of the U.K. achieving a special status in Europol is “plausible” because “anything is negotiable,” Melancon said. But, “whether these renegotiated security agreements provide the same protection as the ones under the EU remain to be seen,” he said.

Cybersecurity Directive Implications?

The future of U.K.’s cybersecurity abilities may rest of whether the U.K. adopts the recently approved NISD cybersecurity law.

The directive was approved in August and gives EU countries until May 9, 2018 to transpose the rules into national law. The U.K. hasn't made its official request to exit the EU and two years of negotiations over the details of the departure would follow, so the due date for transposing the directive will come before Brexit is finalized.

The directive requires EU countries “to appoint a competent authority responsible for monitoring its application” and a designated contact to act as a liaison with the other EU countries “to ensure effective cross-border cooperation on cybersecurity matters,” Glass said.

Under the NISD, critical infrastructure operators, such as electricity companies, oil and gas suppliers, airlines and railways, internet service providers, financial services and health-care companies, will be required to report all cybersecurity incidents, he said.

Unless the U.K. sets up specific arrangements with the remaining 27 EU countries, it “will not be part of that group, again limiting the information made available to the U.K.,” Glass said.

According to Evans, the British government “should be looking to exceed” the requirements in the directive regardless of how the U.K. deals with NISD implementation post-Brexit. At a minimum, the U.K. should meet the baseline requirements of the NSID so that the country may be able to host data from the EU, he said.

The New EU Privacy Regime

The EU's new GDPR privacy regime will take effect in May 2018. That means the GDPR will take effect before the official Brexit date.

The GDPR doesn't make significant changes to the basic data security requirements already in place under the EU Data Protection Directive (95/46/EC). The GDPR affirms the principle that companies must ensure appropriate security for personal data they collect. It will, however, make companies responsible for ensuring that data shared with others will also be secured by the third-parties downstream.

In any event, “the U.K. government has to either pass equivalent legislation to the GDPR or incorporate it into English law after Brexit,” Glass said. “It isn't an option not to do this,” he said. If the U.K. wasn't considered by the EU to adequately protect privacy, “it would be very difficult for personal data to be transferred from the rest of the EU to the U.K.,” Glass said.

Investing More in Cybersecurity

Even before Brexit, U.K. businesses faced major cybersecurity challenges with one in four firms reporting cyberattacks aimed at their finances, intellectual property or customer data in the 12 months up to September 2016, according to the U.K. Department for Culture, Media and Sport.

Melancon said that the average time in the U.K. to detect a data breach is well over a year, a period which is “much higher than the rest of the world.” U.K. businesses and the government “must invest more in foundational controls including an accurate inventory of what systems organizations are running, keeping current on assessing and patching vulnerabilities, and most importantly, monitoring the integrity of all computing systems to ensure that unauthorized or malicious tampering with systems and data can be detected and contained quickly,” he said.

Evans agreed that “the public and private sectors in the U.K. need to be investing in workforce capability for information security, and seeing the opportunity to take a leading role in the development of how we use personal data.”

Glass said that “while the government in general does a good job of working with business on cybersecurity and supporting the U.K. cybersecurity industry, more can always be done, so increased funding in both of those areas is very important.“

The U.K. government Nov. 1 announced its next five-year National Cyber Security Strategy, including an investment of 1.9 billion pounds ($2.3 billion). The new plan includes building international partnerships to fight cybercrime—something that will be even more important when the U.K. is no longer included in automatic law enforcement information-sharing under the EU's umbrella of European countries.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.