The United Kingdom has a bill pending that could fine British organizations and companies that fail to secure their networks against internet attacks up to 4 percent of their total global revenue.
This mainly concerns organizations where the paralysis of their systems by, for example, ransomware would result in a serious disruption of transport and health services or of the electricity networks. The British newspaper The Guardian writes that fines would be used only as a last resort. No fine will be imposed if companies can demonstrate that they have adequately assessed the risks.
The plans to issue fines are not limited to protecting computer systems against internet attacks; they also target failing systems. That was the case at the end of May with the systems of the airline British Airways, when more than a thousand flights were canceled and some 75,000 passengers could not fly. Under the new plans, companies must demonstrate what they have done to mitigate risks.
The proposed fines are part of a government consultation on the implementation of the European Network and Information Systems Directive. This directive has already been adopted in the EU and obliges member states to implement its rules in national legislation within 21 months. The power to impose fines is not part of the directive itself and is partly a response to the WannaCry attack that severely disrupted the UK healthcare system, the NHS, in May. Many systems in hospitals and general practices were affected.