UK NCSC, ICO sign cybersecurity Memorandum of Understanding

The UK National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have signed a joint Memorandum of Understanding (MoU) that sets out how both organisations will cooperate on cybersecurity and digital resilience. This includes cooperation on the development of cybersecurity standards and guidance as well as influencing improvements in the cybersecurity of organisations regulated by the ICO. It also covers information sharing, deconfliction between the NCSC and the Commissioner in relation to incident management, and how the NCSC will support the ICO's own cybersecurity.

The MoU was signed by NCSC chief executive, Lindy Cameron, and the Information Commissioner, John Edwards. "This new MoU with the Information Commissioner builds on our existing relationship and will boost the UK's digital security," said Cameron. "It provides us with a platform and mechanism to improve cybersecurity standards across the board while respecting each other's remits."

The ICO already works closely with the NCSC to offer the right tools, advice, and support to businesses and organisations on how to improve their cybersecurity and stay secure. The MoU reaffirms commitments to improve the UK's cyber resilience, so people's information is kept safe online from cyberattacks, added Edwards.

Development of cybersecurity standards and guidance

An important component of the NCSC's standards and guidance is the Cyber Assessment Framework (CAF). "Should the Commissioner wish to use the CAF, NCSC will provide advice on how the CAF is intended to be used and technical support about its application. The Commissioner will provide feedback on its experience of using the CAF to inform its future development," read the MoU. Where appropriate and practicable, the NCSC will consult with the Commissioner about possible changes to the CAF, provide advance notice of new versions of the CAF to the Commissioner, and discuss in advance public NCSC communications on CAF changes, it added.

The NCSC and ICO will also work together to enhance international cybersecurity guidance and encourage its adoption, the MoU stated. "The NCSC seeks to influence the development of international standards and guidance on cybersecurity in a manner that supports its work with regulators in the UK. Similarly, the Commissioner contributes to international standards and guidance through working with a range of regulatory partners across jurisdictions with the purpose of further international cooperation, including in relation to cybersecurity," the document read. The Commissioner and the NCSC will inform each other about international developments and opportunities that would support their respective abilities to achieve these outcomes.

Encouraging good cybersecurity practice, continuous improvement in organisations

The Commissioner will encourage good practice and continuous improvement in cybersecurity amongst the organisations it regulates, promoting the application and use of the NCSC's technical standards and guidance, NCSC accredited training courses, and assurance providers to mitigate cyber risks within organisations, the MoU said. "The Commissioner will continue to take into account how proactive an organisation is on cybersecurity matters and will recognise and encourage appropriate engagement with the NCSC on cybersecurity matters, including the response to cyber incidents."

The NCSC will also invite the Commissioner to participate in the Cyber Security Regulators Forum hosted by the NCSC, as well as other relevant initiatives, while the Commissioner will aim to support the NCSC in such initiatives and encourage organisations to engage with the NCSC in relevant forums and working groups.

Secure information sharing about cyber incidents

The ICO will support the NCSC's visibility of UK cyberattacks by sharing information with NCSC about cyber incidents, on an anonymised and aggregate basis, as well as incident specific details where the matter is of national significance, the MoU stated. "For the avoidance of doubt, the NCSC will not share information from an organisation it is engaged with due to a cyber incident with the Commissioner unless it has the consent of the organisation to do so." Disclosure of such information to the Commissioner, without consent, may be a breach of the duty of the director of GCHQ, according to the MoU.

The NCSC and the Commissioner will also share information to the extent permitted by law, and as appropriate and relevant to their respective missions, statutory functions, and objectives, the document added. "Information that is directly or indirectly supplied to the Commissioner by, or that relates to the NCSC is exempt from Freedom of Information requests received by the Commissioner." Appropriate security measures shall be agreed to protect information transfers in accordance with the sensitivity of the information and any classification that is applied by the sender.

Where the NCSC and ICO are both engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation's efforts to contain and mitigate harm, according to the MoU. In doing so, the Commissioner will seek to enable organisations to prioritise engagement with the NCSC and their partners in the immediate aftermath where that will prioritise mitigative work, it added.

"The NCSC and the Commissioner recognise that the priority for an organisation suffering an incident should be the incident's remediation and the mitigation of harm to the organisation, its customers, and the UK and its citizens more generally," the document stated. "Both parties will seek to ensure that their interventions align with this priority and will provide each other with feedback where they view the other's approach to intervention may have worked against it."

Where cross government coordination in response to an incident is required, the NCSC will lead coordination in its role as national technical authority. Should the Commissioner intend to issue public communications concerning an incident, it will share with the NCSC such communications in advance. "In respect of a NIS incident that affects a relevant digital service provider (as defined in the NIS Regulations), the NCSC and the Commissioner will consult each other before issuing public communications about an incident."

NCSC to support ICO's own cybersecurity

The NCSC will support the ICO's own cybersecurity through the provision of technical tools and guidance. In some cases, the NCSC may be able to provide consultancy advice to the Commissioner, for example where significant changes are planned that may have implications for cybersecurity. "The Commissioner can expect to receive NCSC support in the event it experiences a serious cybersecurity incident," the MoU said.