New GCHQ unit: Psst, breached biz bods. We won’t rat you out to the ICO
The new National Cyber Security Centre is pitching itself to CEOs as a friendly government organisation which won’t get the regulators involved after data breaches.
Those gathered this morning on the 18th floor of 125 London Wall heard one of the NCSC’s deputy directors address CEOs on how they should lead their businesses’ recovery from cyber attacks—and it was primarily by contacting NCSC, a part of GCHQ.
Peter Yapp, the deputy director for the incident management directorate, explained how his role worked: “If something [regarding a cyber incident and your company] breaks in the press, I’ll get a call from someone in government,” he said, and he would be expected to explain what the incident meant.
“If you haven’t phoned me and told me about it, I will phone you,” stated Yapp.
“It is worth telling me about the most serious incidents,” he told his audience, acknowledging that these were difficult to define, before comforting them: “We do not tell the ICO what you tell us.”
This closeness with industry is the explicit purpose of the NCSC, which will be based in Cheltenham, Gloucester, and at a new building in Victoria in London. Although a part of GCHQ, the NCSC is intended to be “much more open and out-facing,” said Yapp, and when the building in Victoria opens for NCSC’s staff it will be open for industry to visit.
Ciaran Martin, who was formerly the head of cyber security at GCHQ, will operate as the CEO of the NCSC, which, pending ministerial sign-off, will have five directorates, including Incident Management, Research, and Engagement, with 15 sub-directorates including a cryptographic research team.
An ICO spokesperson said: “Reporting breaches to the ICO is a matter for the data controller. We expect organisations to follow the detailed guidance we provide about breach reporting. We are already engaged with government on cyber security regulation and have plans to work together with the newly created NCSC.” ®