[co-author: Aleksander Aleksiev]
On 5 September 2024, the UK’s data privacy regulator, the Information Commissioner’s Office (ICO), and the UK National Crime Agency (NCA) signed a Memorandum of Understanding (MoU) outlining how they will further collaborate on cybersecurity matters to advance their stated aim to ensure UK organizations can better protect themselves from ransomware attackers.
The MoU reaffirms the following joint commitments between the ICO and NCA:
- The two agencies will encourage organizations to “engage appropriately” with the NCA on cybersecurity matters, including in response to cybercrime.
- The NCA will never pass information shared with it in confidence by an organization to the ICO without first seeking the consent of that organization.
- The ICO will enhance the NCA’s visibility of UK cyberattacks by sharing information on an anonymized, systemic and aggregated basis, and on an organization-specific basis where appropriate.
- Where both the ICO and NCA are engaged on a cyber incident, they will endeavor to work together to minimize disruption to an organization’s efforts to contain and mitigate harm.
- The ICO and NCA will work together to promote learning about, provide consistent guidance on and improve standards for cybersecurity-related matters.
In advising clients on various incidents, Skadden has increasingly observed the NCA proactively contacting UK organizations affected by cyber incidents. The MoU further demonstrates the NCA’s intention to obtain more frequent and detailed information about the nature of the cybercrime affecting organizations in the UK.
Organizations are likely to take comfort from the NCA’s confirmation that the agency will not send organization-specific data to the ICO without first obtaining their consent. This may encourage a more candid line of communication been victim organizations and the NCA.
[View source.]
