
British organizations that fail to take appropriate measures to protect against a cyber attack that disrupts critical services could face fines of up to £17 million (more than $20 million) under a new proposal being considered by the British government.

The fines would not be levied against every company that suffers a security breach or cyber attack. The government describes them as a "last resort," reserved for organizations that fail to put in place proper precautions to defend against, and recover from, an incident.


The proposed fines are part of a government consultation on how the UK will implement the EU's Network and Information Systems (NIS) Directive, which member states must transpose into national law by May 2018. The suggested penalties could range as high as £17 million (about $22 million) or four percent of global turnover, and would primarily apply to operators of essential services in sectors where a network failure could cause large-scale disruption, such as transport, health, and utilities including energy and water.

The potential penalty mirrors the maximum the European Union has threatened to impose on organizations that fail to comply with the new General Data Protection Regulation (GDPR), which sets rules for how personal data must be protected. The GDPR also takes effect in May 2018, making that month an especially important deadline for organizations preparing their networks.

“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards,” Matt Hancock, the UK’s digital and culture minister, said.

The Department for Digital, Culture, Media and Sport also said it wants organizations to take a more proactive approach to detecting threats, including developing security monitoring systems and investing in programs that raise staff awareness of cyber threats.


The NIS Directive, once implemented next year, will form a significant part of the UK government's five-year, £1.9 billion ($2.2 billion) National Cyber Security Strategy. The program is designed to push operators of essential services to take the precautions needed to protect their IT systems.

Ciaran Martin, the CEO of the National Cyber Security Centre (NCSC), said his organization welcomed the consultation, which raised the possibility of fines, and agreed that many organizations need to do more to improve their security practices.

“The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone,” Martin said. “Everyone has a part to play and that’s why since our launch we have been offering organisations expert advice on our website and the Government’s Cyber Essentials Scheme.”

The new requirements come just months after several organizations in the United Kingdom, including more than 30 National Health Service hospitals, fell victim to global cyberattacks: the WannaCry ransomware campaign, which held hundreds of thousands of computer systems hostage in more than 150 countries, and the Petya (NotPetya) wiper attack, which destroyed files on machines in more than 60 countries.