The Colonial Pipeline episode in the US has shown in stark terms what can happen if a critical element of national infrastructure gets taken out by a cyber-attack.


At a stroke, it justifies the adoption by the European Union in 2018 of the Network & Information Systems Regulations (NIS Regulations) — the less visible twin of the General Data Protection Regulation (GDPR), also adopted in 2018, that forms the core of the UK’s Data Protection Act.

The NIS Regulations require companies that own or operate strategic or essential parts of the critical national infrastructure to take steps to protect their IT systems against cyber-attack, and to ensure that if they cannot withstand an attack, they are able to recover swiftly and have alternative means of delivering their services while they recover.

Should they fail, the relevant government department, in concert with the National Cyber Security Centre (NCSC), can fine a UK company up to £17m ($24m), depending on the scale and egregiousness of the breach.

To a small or medium-size business, £17m is a hefty sum and might well be the final straw. But it can almost be dismissed by larger companies as part of the cost of doing business. It may well be cheaper for big companies to pay the fine after the event than to upgrade their technology systems beforehand.

Empty petrol tankers parked near fuel storage tanks connected to the Colonial Pipeline system in Baltimore, Maryland, this month. Photo: Bloomberg

The difference between GDPR and NIS Regulations is that under GDPR a badly handled breach can incur a much more draconian fine — up to 4% of a company’s turnover. The regulator, the Information Commissioner’s Office (ICO), has not been slow in dishing out some meaty fines to companies that have played fast and loose with personal data.

In this regard, GDPR has worked: companies worry about personal data — and pay attention to the rules, since neither a fine nor the glare of negative publicity that surrounds breach notices is comfortable for a board.

The NIS Regulations’ problem is that they have no ICO to enforce the letter of the law. Each industry has its own regulator, which is already dancing the quickstep with its regulated industries over pricing, profitability and licensing.

There is not enough indigenous cyber experience in government outside the NCSC to keep a watchful eye over all the companies designated as operators of essential services.

And there is little incentive for companies to invest in their cyber security: most regard it as a cost that cannot be justified (because they work on the basis of the likelihood of an attack succeeding, rather than assuming one will happen in the near term).

Governments around the world need to realise that episodes like the Colonial Pipeline hack will continue to occur unless they change their behaviour prior to an event and plan properly for the worst case.

If a government is serious about making companies act differently before an event, it needs to engage meaningfully with the operators of essential services and articulate what it expects them to do before a breach occurs — and hold them to it.

If they fail to perform, or suffer a major breach, the fines should be higher, and be capable of escalation, such as the threat of licence revocation in the event of serial misconduct. Post facto fines do not help voters queuing for petrol or waiting for the lights to go back on.

Like the UK’s Data Protection Act, the NIS Regulations is a good law, but a government needs to act like it means it.

Robert Dorey is chief executive of Astaara, an insurance services and risk-management advisory business focused on cyber security
