14 December 2017

New EU rules could cost UK firms £122bn in cybersecurity fines - PCI SSC

17 October 2016  |  22914 views  |  4 comments

Businesses in the UK could face up to £122 billion in regulatory penalties for cybersecurity breaches when new EU legislation comes into effect in 2018, says the PCI Security Standards Council (PCI SSC).

In two years, new EU legislation will set regulatory fines at four per cent of global turnover, up to EUR20 million, up from the current £500,000.

Government figures show that 90% of large organisations and 74% of SMEs in the UK reported suffering a security breach last year, leading to an estimated total of £1.4 billion in regulatory fines.

If breaches continue at the same level when the new rules come in, the fines paid to the European regulator could see a near 90-fold increase, to £122 billion. For large organisations, this could mean regulatory fines for cybersecurity breaches soaring to £70 billion, equating to an average of £11 million per organisation. Regulatory fines for SMEs could see a 60-fold increase, rising to £52 billion, averaging £13,000.

Jeremy King, international director, PCI Security Standards Council, says: "The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.

"Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand."

Comments: (4)

A Finextra member | 17 October, 2016, 09:39

I get the impression larger companies (the big brands) are not having as much pressure from acquiring banks regards PCI DSS compliance, these companies calling the shots because of the power they have over their suppliers. That has to change.

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 17 October, 2016, 17:39

1. Doesn't Brexit affect this?

2. Cybersecurity and PCI are related but not synonymous. 



Edith Rigler - Payments Advisory Group - Amsterdam | 18 October, 2016, 12:37

The UK will remain a member of the EU until at least March 2019 (assuming that the UK does indeed invoke Article 50 by March 2017, as indicated recently by the prime minister). Thus it must comply with EU regulations, directives and laws until March 2019. This means that both the EU General Data Protection Regulation and the 4AMLD will have to be complied with. If and how the UK will adopt, amend or abolish EU regulation after March 2019, depends on the outcome of the "Great Repeal Act" which was also recently announced by the prime minister. However, no details have been provided yet.

A Finextra member | 20 October, 2016, 10:29

Brexit or not, the EU-GDPR applies to any organisation collecting and processing private information from EU citizens. A UK organisation with EU customers will be subject to this regulation (and fines) even after March 2019.

Then, the fines are €20 million or 4% of the worldwide annual turnover, whichever is the greatest. There is no "up to" limit.

But more importantly, a breach does not mean the organisation will be fined. A fine will be the result of a non-compliance with the regulation, including failure to notify, violation of keeping records - 2% or €10million whichever is the greatest for these - or violation of data subject rights (like consent and opt-out of processing for marketing purpose) or violation of cross-border data transfer requirements - 4% or €20million whichever...

Like with other regulations - such as PCI - we know a compliant organisation can still be breached. These fines - and the requirements associated - need to be much better understood. 
