On 10 September 2024, the UK Information Commissioner’s Office (ICO) announced the signing of a new memorandum of understanding (MoU) with the National Crime Agency (NCA), aimed at strengthening collaboration on cybersecurity. This agreement lays out the framework for information sharing between the two organisations and encourages a joint effort to enhance the cyber resilience of regulated organisations.
The MoU outlines several areas where the ICO and NCA will work together, including:
- Improving Cybersecurity: The agreement encourages both organisations to promote positive cyber security cultures and engagement through the reporting of cyber crimes as well as other relevant good practice.
- Information Sharing: The NCA will share cyber threat assessments with the ICO, while the ICO may provide anonymised or organisation-specific information about cyber incidents to aid the NCA in tackling serious organised crime.
- Incident Management Coordination: When both organisations are involved in the same cyber incident, they will coordinate their efforts to minimise disruption. If the NCA believes an incident should be reported to the ICO, it will remind the organisation of its legal obligations without intervening or notifying the ICO on the organisation’s behalf.
- Handling Data Subject Rights Requests: Both organisations agree to consult each other before responding to any requests that involve information shared between them.
- Learning and Guidance: Both organisations will work together to promote learning, provide consistent guidance and improve standards on cyber-related matters.
The ICO states the MoU reaffirms its commitment to providing relevant, up to date information sharing on cyber security matters, to support improved cyber security and to provide guidance on how change can be implemented. Specifically, it is working more closely with the NCA to ensure organisations are signposted to relevant bodies, such as the National Cyber Security Centre (NCSC), and are empowered to report cyber crime at the earliest opportunity.
In the context of an ever-evolving threat landscape, the MoU also includes provisions for regular reviews, with the ICO and NCA set to monitor its operation and review it every two years.
This partnership builds upon the ICO's earlier MoU with the National Cyber Security Centre (NCSC) which was signed on 12 September 2023, (see our article here) reaffirming the commitment of both organisations to support learning, guidance, and improved standards in line with the UK's National Cyber Strategy.
Organisations can take comfort from the MoU’s assurance that the NCA will not pass information obtained during a cyber incident to the ICO without their consent, providing greater transparency and trust between these organisations and those they regulate/engage with.
It is encouraging to see the ICO and NCA agreeing to collaborate in this vital area with the ultimate aim of ensuring that UK organisations can better protect themselves from cyber criminals in an increasingly digitised world and boost our national cyber resilience.
“Unfortunately we’ve seen cyber crime costing UK firms billions over the past years. That’s why it’s crucial that relevant bodies work together to boost the UK’s cyber resilience. This new memorandum of understanding builds on our existing relationship with the NCA and will help improve cyber security standards across the board, while respecting each other’s remits.” Stephen Bonner, ICO Deputy Commissioner, Regulatory Supervision