New EU rules could cost UK firms £122bn in cybersecurity fines - PCI SSC

17 October 2016  |  21842 views  |  4 comments

Businesses in the UK could face up to £122 billion in regulatory penalties for cybersecurity breaches when new EU legislation comes into effect in 2018, says the PCI Security Standards Council (PCI SSC).

In two years new EU legislation will set regulatory fines at four per cent of global turnover, up to EUR20 million, up from the current £500,000.

Government figures show that 90% of large organisations and 74% of SMEs in the UK reported suffering a security breach last year, leading to an estimated total of £1.4 billion in regulatory fines.

If breaches continue at the same level when the new rules come in, the fines paid to the European regulator could see a near 90-fold increase, to £122 billion. For large organisations, this could mean regulatory fines for cybersecurity breaches soaring to £70 billion, an average of £11 million per organisation. Regulatory fines for SMEs could see a 60-fold increase, rising to £52 billion, an average of £13,000 per organisation.

Jeremy King, international director, PCI Security Standards Council, says: "The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.

"Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand."

Comments: (4)

A Finextra member | 17 October, 2016, 09:39

I get the impression larger companies (the big brands) are not having as much pressure from acquiring banks regarding PCI DSS compliance; these companies call the shots because of the power they have over their suppliers. That has to change.

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 17 October, 2016, 17:39

1. Doesn't Brexit affect this?

2. Cybersecurity and PCI are related but not synonymous.

Edith Rigler - Payments Advisory Group - Amsterdam | 18 October, 2016, 12:37

The UK will remain a member of the EU until at least March 2019 (assuming that the UK does indeed invoke Article 50 by March 2017, as indicated recently by the prime minister). Thus it must comply with EU regulations, directives and laws until March 2019. This means that both the EU General Data Protection Regulation and the 4AMLD will have to be complied with. If and how the UK will adopt, amend or abolish EU regulation after March 2019 depends on the outcome of the "Great Repeal Act", which was also recently announced by the prime minister. However, no details have been provided yet.

A Finextra member | 20 October, 2016, 10:29

Brexit or not, the EU GDPR applies to any organisation collecting and processing private information from EU citizens. A UK organisation with EU customers will be subject to this regulation (and fines) even after March 2019.

Then, the fines are €20 million or 4% of the worldwide annual turnover, whichever is the greatest. There is no "up to" limit.

But more importantly, a breach does not mean the organisation will be fined. A fine will be the result of non-compliance with the regulation, including failure to notify or violation of record-keeping obligations (2% or €10 million, whichever is the greatest, for these), or violation of data subject rights (like consent and opt-out of processing for marketing purposes) or violation of cross-border data transfer requirements (4% or €20 million, whichever...

As with other regulations, such as PCI, we know a compliant organisation can still be breached. These fines, and the requirements associated with them, need to be much better understood.
