New EU rules could cost UK firms £122bn in cybersecurity fines - PCI SSC


Businesses in the UK could face up to £122 billion in regulatory penalties for cybersecurity breaches when new EU legislation comes into effect in 2018, says the PCI Security Standards Council (PCI SSC).

In two years, new EU legislation will set regulatory fines at four per cent of global turnover, up to EUR20 million, up from the current £500,000.

Government figures show that 90% of large organisations and 74% of SMEs in the UK reported suffering a security breach last year, leading to an estimated total of £1.4 billion in regulatory fines.

If breaches continue at the same level when the new rules come in, the fines paid to the European regulator could see a near 90-fold increase, to £122 billion. For large organisations, this could mean regulatory fines for cybersecurity breaches soaring to £70 billion, equating to an average of £11 million per organisation. Regulatory fines for SMEs could see a 60-fold increase, rising to £52 billion, averaging £13,000.

Jeremy King, international director, PCI Security Standards Council, says: "The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.

"Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand."

Comments: (4)

A Finextra member, 17 October, 2016, 09:39

I get the impression larger companies (the big brands) are not having as much pressure from acquiring banks regards PCI DSS compliance, these companies calling the shots because of the power they have over their suppliers. That has to change.

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv, 17 October, 2016, 17:39

1. Doesn't Brexit affect this?

2. Cybersecurity and PCI are related but not synonymous.

Edith Rigler - Payments Advisory Group - Amsterdam, 18 October, 2016, 12:37

The UK will remain a member of the EU until at least March 2019 (assuming that the UK does indeed invoke Article 50 by March 2017, as indicated recently by the prime minister). Thus it must comply with EU regulations, directives and laws until March 2019. This means that both the EU General Data Protection Regulation and the 4AMLD will have to be complied with. If and how the UK will adopt, amend or abolish EU regulation after March 2019 depends on the outcome of the "Great Repeal Act", which was also recently announced by the prime minister. However, no details have been provided yet.

A Finextra member, 20 October, 2016, 10:29

Brexit or not, the EU GDPR applies to any organisation collecting and processing private information from EU citizens. A UK organisation with EU customers will be subject to this regulation (and fines) even after March 2019.

Then, the fines are €20 million or 4% of the worldwide annual turnover, whichever is the greater. There is no "up to" limit.

But more importantly, a breach does not mean the organisation will be fined. A fine will be the result of non-compliance with the regulation, including failure to notify, violation of record-keeping obligations - 2% or €10 million, whichever is the greater, for these - or violation of data subject rights (like consent and opt-out of processing for marketing purposes) or violation of cross-border data transfer requirements - 4% or €20 million, whichever...

Like with other regulations - such as PCI - we know a compliant organisation can still be breached. These fines - and the requirements associated - need to be much better understood.