‘Smart' and autonomous vehicle cyber guidance: Board level accountability

On 6 August 2017, in advance of proposed legislation, the UK government published 8 ‘Key Principles' regarding the cyber security of connected and autonomous vehicles. This is the third of a series of 4 blogs regarding those principles.

As well as requiring security by design, ongoing monitoring and collaboration between the various auto-industry organisations (see blogs 1 and 2 in this series), the government expects organisational security to be “owned, governed and promoted at board level” (Key Principle 1).  The requirement is not just that vehicles should be secure, but that the processes and practices of manufacturers, sub-contractors and suppliers should be equally rigorous.

Organisations are expected to “embed a ‘culture of security'” (Key Principle 1.3) via awareness and training, and (under Key Principle 1.2) organisations are expected to be able to identify one or more directors with “personal accountability” for product and system security.  Oddly, Key Principle 1.2 also suggests, wrongly, that accountability is delegable: it is thought that the guidelines are instead intended to refer to delegation of responsibilities.  Clarification from the Department for Transport would be welcome.

Although the 8 Key Principles are non-binding guidelines, the outcomes they seek are closely aligned with the responsibilities and requirements of an organisation under the General Data Protection Regulation (GDPR).  It is likely appropriate for a director charged with implementing and monitoring compliance with data protection law to also have “accountability” for organisational security under these guidelines.  It is important to remember, however, that the information security expectations under this guidance are broader than under the GDPR and its predecessor.  Data protection will be considered further in the next blog.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.