Reporting Cyber Incidents in the UK

On 2nd March 2023 the UK retailer WH Smith submitted a 10-line report of a data breach to the London Stock Exchange.   The sketchy details are far from a full disclosure but do indicate that the breach involved employee rather than customer or trading data.  WH Smith was required to make this announcement because they are listed on the London Stock Exchange and they are required to inform investors in a timely manner with information that may affect them.

The statement mentions that relevant authorities had been informed.  These were not specified but could include the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).  If a body is involved in financial services of some kind they would be authorised or regulated by the Financial Conduct Authority (FCA) and would also need to notify them.  Although usually thought of as a high street retailer W H Smith is regulated by the FCA (reference 569452) because it is authorised to introduce clients to the financial body MGAMutual. Finally if the incident is due to a deliberate cyber-attack it will need to be reported to the police.  In England, Wales and Northern Ireland any suspected fraud or cyber crime also needs to be reported to Action Fraud.  In Scotland the police report will be sufficient.

It is possible that these bodies will all co-ordinate each other’s records but they too will be constrained by data sharing and privacy regulations so it is best to contact all possible related bodies individually.  There is also the matter of how much information to release to the public. Some data such as that published on the London Stock Exchange will immediately become public.  Other disclosures are only likely to be publicised some time later as summary trends.  On the other side of the fence the perpetrator of any offence is under no such restriction and could threaten any information release (true or false) as grounds for blackmail.

Submissions to Parliament’s Joint Committee on National Security Strategy in November 2022 indicate that some UK firms are reluctant to divulge information on incidents.  This may be because reporting could expose further regulatory breaches that the victim may or may not have been aware of. These would lead to more investigations and possibly penalties.

The whole field of what to report to whom is complex and there is no text book answer for every case.   Larger organisations will have dedicated staff on hand, possibly including a legal team.  It is harder for smaller businesses to ensure that they are meeting their reporting and investigative obligations.

The broad plan is to have an incident response playbook in place and run through it at regular intervals to ensure that it is fit for purpose. Responses will differ depending on the organisation affected and Kindus can help with drawing up and validating the playbook. This will need to include details of how the victim will react to and investigate any breach internally but must also include prompt reporting to the relevant regulatory authorities. Reporting will not only facilitate independent investigation of the incident but avoid any penalties resulting from non-disclosure.

More from Disaster Recovery


Energy Costs Of Data Processing

Energy Costs Of Data Processing The rapid increase in energy costs will impact on those relying on data storage and processing Data Processing is …

Read post


Virgin Media – An Important Lesson

Kindus explains how you can mitigate the effects of an Internet outage Yet again we have seen another major technology meltdown. This time it …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus