On 6 August 2017, in advance of proposed legislation, the UK government published 8 ‘Key Principles’ regarding the cyber security of connected and autonomous vehicles. This is the third of a series of 4 blogs regarding those principles.
As well as requiring security by design, ongoing monitoring and collaboration between the various auto-industry organisations (see blogs 1 and 2 in this series), the government expects organisational security to be “owned, governed and promoted at board level” (Key Principle 1). The requirement is not just that vehicles should be secure, but that the processes and practices of manufacturers, sub-contractors and suppliers should be equally rigorous.
Organisations are expected to “embed a ‘culture of security’” (Key Principle 1.3) via awareness and training, and (under Key Principle 1.2) organisations are expected to be able to identify one or more directors with “personal accountability” for product and system security. Oddly, Key Principle 1.2 also suggests, wrongly, that accountability is delegable: it is thought that the guidelines are instead intended to refer to delegation of responsibilities. Clarification from the Department for Transport would be welcome.
Although the 8 Key Principles are non-binding guidelines, the outcomes they seek are closely aligned with the responsibilities and requirements of an organisation under the General Data Protection Regulation (GDPR). It is likely appropriate for a director charged with implementing and monitoring compliance with data protection law to also have “accountability” for organisational security under these guidelines. It is important to remember, however, that the information security expectations under this guidance are broader than under the GDPR and its predecessor. Data protection will be considered further in the next blog.