The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have sought to clarify the roles each organisation plays in assisting with data breaches and ensuring that businesses understand what support is on offer.
Speaking at the second day of the NCSC's annual CYBERUK conference, NCSC chief executive Ciaran Martin and ICO deputy commissioner James Dipple-Johnstone clarified the relationship between the two bodies.
They outlined their commitment to greater clarity of the separate roles and responsibilities both organisations have after a cyber incident, which should make it easier for a victim to deal with the right authority at the right time.
It was highlighted that the NCSC's role will be to engage directly with victims to determine the nature of the incident and offer free and confidential advice to help mitigate its impact in the immediate aftermath.
Meanwhile, the ICO will take the lead on ensuring affected companies mitigate the risks to individuals and conduct an effective investigation to establish the circumstances of the breach.
Mr Martin added: "This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities."
Both bodies will share anonymised data to help boost their understanding of risk. However, Mr Martin stressed the NCSC "will never pass specific information to a regulator without first seeking the consent of the victim". This should therefore give firms reassurance they will be able to seek advice without fear of regulatory action.
This pledge was welcomed by some in the industry, with Joseph Carson, chief security scientist at Thycotic, telling ITPro: "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical, knowing it is the business's responsibility to report the incident to the ICO."
Mr Dipple-Johnstone also said it is essential organisations are clear on what to expect if they suffer a data breach, including what legal requirements they have to report the incident to the ICO, and what the potential implications will be if these rules are not followed.