Cyber Security Compliance: expert explains the regulatory requirements for businesses and how to protect against cyber threats

With an increasing reliance on technology, the protection of sensitive data and digital assets has become paramount for businesses of all sizes. The UK Government’s Cyber Security Breaches Survey 2023 estimates there were 2.39 million instances of cybercrime affecting UK businesses in the prior 12 months – and for small businesses, navigating the complex landscape of cyber threats can be daunting and confusing. It’s never been more important for business owners to understand the laws and regulations and how to mitigate against potential risks.

Rob Rees, Divisional Director at Markel Direct, explains the regulatory requirements for businesses when it comes to cyber security and how to navigate them to keep both your business and your customers safe.

What cyber security laws and regulations do UK businesses need to be aware of?

There are currently four main laws and regulations that businesses need to be aware of when it comes to cyber security. These are:

The Data Protection Act 2018: The Data Protection Act 2018 (DPA) governs the processing of personal data in the UK, ensuring that organisations handle personal data lawfully and protect individuals’ privacy rights.
UK GDPR and EU GDPR: The UK GDPR and EU GDPR are comprehensive data protection regulations that set out rules and principles for the processing of personal data, aiming to safeguard individuals’ rights and freedoms across the United Kingdom and the European Union. Prior to Brexit in 2020, the UK followed the EU GDPR regulations, but a UK version has since been created. Businesses that serve EU customers, however, will still need to comply with both.
Network and Information Systems Regulations 2018: The Network and Information Systems (NIS) Regulations require operators of essential services and digital service providers to ensure the security of their network and information systems, reducing the risks of cyber threats and disruptions to critical services.
Computer Misuse Act 1990: The Computer Misuse Act 1990 is legislation in the United Kingdom that criminalises unauthorised access to computer systems, unauthorised access with intent to commit further offences, and unauthorised modification of computer material.

5 ways businesses protect themselves against cyber threats

Larger businesses may have the assistance of an information security or legal team to help them navigate these regulations and put appropriate measures in place to mitigate risk. Smaller businesses have the same responsibility but are less likely to have the resources available, leaving it to themselves to handle.

To help, here are five ways to help small businesses protect against cyber threats and prepare themselves should the worst happen.

1. Conduct a risk assessment

Before implementing any cyber security measures, business owners should conduct a thorough risk assessment to identify any potential vulnerabilities and threats to the security of their digital assets and data.

As a specialist insurer of small businesses, we have created a simple cyber risk assessment that considers IT systems, data storage practices, employee behaviors and potential points of entry for cyber-attacks and provides guidance on how to mitigate these risks.

Markel Direct has created a cyber risk assessment tool that businesses can use to assess how likely they are to face a cyber threat.

2. Create a cybersecurity policy

A cyber security policy outlines guidelines that employees within a business must follow to protect the company’s digital infrastructure, information and client data.

While the specifics of the policy will vary for different businesses, depending on various factors, there are some basics which should be included in all cyber security policies. These include:

Guidelines for employees: Every comprehensive cyber security policy should incorporate an employee-friendly guide covering secure password practices, email usage protocols, phishing detection, social media guidelines, risk mitigation strategies and specific instructions for remote workers, including network access protocols.

Compliance with wider regulations: Adhering to standard GDPR regulations is also essential. Key policy components include obtaining data transfer consent, the process for notifying the Information Commissioner’s Office of a breach within 72 hours, granting users data deletion and access rights, offering comprehensive explanations of user rights, and, where relevant, outlining procedures to protect children’s data .

Systems and infrastructure: Provide details on software/programs used to safeguard data, such as how they work, what they do to protect information and tips on how employees should use these programs, if necessary. You should also include how your business trains IT workers to keep digital systems safe from threats and vulnerabilities. Outline fully their role in both preventing a cyber-attack and what should happen if one does occur, ensuring they’re fully aware of their responsibilities.

Cyber attack response: It’s important to also outline the company’s response in the event of a cyber-attack. This should be included in the policy by outlining responsibilities for investigation, timely client communication, incident reporting, reviewing insurance coverage, and ongoing employee training, ensuring compliance and responsible action in the event of a breach.

3. Invest in employee training
Employees are often the weakest link in the cyber security chain. In fact, according to Information Commissioner’s Office (ICO) data, about 90 per cent of attacks occur because of human error. This is why ensuring that all employees are properly educated and trained should be a priority when it comes to keeping the data safe.

Training sessions should educate employees on best practices for cyber security, such as how to identify phishing emails, recognise suspicious behaviour and secure data handling procedures.

4. Implement cyber security measures
Businesses of all sizes should invest in robust cyber security measures to protect their IT infrastructure and data assets from unauthorised access and potential cyber-attacks. This could include deploying firewalls, installing antivirus software, implementing intrusion detection systems, and using encryption tools to safeguard sensitive information and prevent data breaches.

5. Ensure you are protected should the worst happen

Not all business insurance policies cover against cyber-attacks, so it is important that you check what your current policy actually covers and assess whether additional insurance is needed.

Cyber insurance is a specific form of coverage that can help protect your business in the event of a malicious attack on your computer systems and data. This type of policy can help minimise disruption to your business, covering the financial costs involved in handling and recovering from a cyber-attack or hacking threat. Examples of some of the events it can cover include; informing clients of a data breach, the costs of restoring data and equipment and meeting ransom demands.

If you are unsure whether or not cyber-attacks are covered by your current policy, review your documentation and speak to your insurer or broker to make sure you are not caught out should the worst happen.

While navigating the cyber security landscape may seem daunting, implementing these strategies can help safeguard against potential threats and keep businesses safe.