Cyber_Bytes - Issue 62

Published on 03 April 2024

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

ICO publishes new fining guidance

The Information Commissioner’s Office has published new data protection fining guidance setting out how it intends to issue penalties and calculate fines. This provides greater transparency for organisations on the ICO's likely approach to fines.

Amongst other things, the guidance covers:

  • The legal framework that gives the ICO the power to impose fines - making it easier to navigate the complexity of the legislation;
  • The methodology the ICO will use to calculate the appropriate amount of the fine.
  • The new guidance replaces the sections about penalty notices in the ICO Regulatory Action Policy published in November 2018 (access this here at pages 24 and 27).

Click here to read the guidance and here to read the associated press release.

NCSC Head considers banning ransom payments

Ciaran Martin, Chief Executive of the UK's National Cyber Security Centre (NCSC), has reignited discussions about the feasibility of implementing a legal prohibition on ransom payments in ransomware cases. Martin has highlighted the escalating threat of ransomware, labelling it as the most detrimental cyber menace to businesses presently. He emphasised the urgency of finding effective measures to enforce a ban on ransom payments.

Banning ransomware payments has been a contentious issue, with proponents advocating for its implementation to curtail cybercriminal activities. However, those who have seen businesses who would be forced into failure without payment can sometimes take a different view.

A recent report by Emsisoft emphasised the necessity of disrupting the financial incentives that drive ransomware attacks through a comprehensive ban on payments. The report concludes that "the only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work… For as long as ransomware payments remain lawful, cyber criminals will do whatever it takes to collect them." By preventing victims from bowing to the demands of cyber-attackers, the profitability of ransomware schemes will decrease.

To read the Computer Weekly article, please click here. To read the Emsisoft report, please click here.

EDPB publishes opinion on the notion of a main establishment of a controller in the European Union

The European Data Protection Board (EDPB) recently published an opinion addressing a query from the French Supervisory Authority regarding the interpretation of certain aspects of the General Data Protection Regulation (GDPR). The focus was on defining the "main establishment" of a data controller under Article 4(16)(a) GDPR and the criteria for applying the one-stop-shop mechanism, particularly concerning the controller’s "place of central administration" within the Union.

The EDPB clarified that for an establishment to qualify as the main establishment under Article 4(16)(a) GDPR, it must make decisions regarding the processing of personal data and possess the authority to implement these decisions. Furthermore, the one-stop-shop mechanism is applicable only if such decision-making authority is within an establishment in the Union.

The Board emphasised that controllers bear the burden of proving where processing decisions are made and where the power to implement them lies. It stressed the importance of cooperation with supervisory authorities in this regard. Supervisory authorities retain the right to challenge a controller's claim based on an objective assessment of the facts.

While identifying a central management place in the Union aids in pinpointing decision-making authority, further assessment is necessary to qualify an establishment as the main one. Supervisory authorities must ascertain where processing decisions are made and the power to implement them before determining a main establishment. This clarification aims to ensure consistent application of GDPR principles across the Union.

To read the EDPB's opinion in full, please click here.

Increase in cyber security incidents involving electric vehicles and chargers

From 2019 to 2023, disclosable cyber security incidents in the automotive and mobility sector increased by more than 50%, according to Israel-based firm Upstream.  In 2023, there were 295 incidents with bad actors accounting for 64% of these attacks and 65% originating from dark web cyber activities.

For electric vehicles (EVs), the connected charging network is a target.  Recently, the Office for Product Safety and Standards told Wallbox that its Internet-connected Copper SB EV home charger was not properly secured against hackers and couldn’t be sold.  Updated Copper SB EV chargers can still be sold until June 30, but the company has stopped marketing the device.

To read Autoweek's full article on the issue, please click here.

Warning by UK Minister for Artificial Intelligence on cyber defences

The UK Minister for Artificial Intelligence has urged British businesses to bolster their cyber defences following new government data revealing that three-quarters of medium and large-sized businesses experienced cyber incidents in the past year. Additionally, nearly 80% of high-income charities faced security breaches, highlighting the growing threat posed by bad actors utilising AI to steal sensitive information and facilitate ransom schemes.

According to the insurer Hiscox, cyber-attacks on businesses have risen for 4 consecutive years. The government, in close collaboration with industry experts, is implementing measures such as the Cyber Governance Code of Practice to strengthen cyber protections.

To read the full City AM article, please click here.

Stay connected and subscribe to our latest insights and views 

Subscribe Here