I expected (naively, some may think) that by now, with a withdrawal deal secured by the UK and the EU, I would be able to update my earlier report on Brexit published last summer. Sadly, it was not to be, as it appears that, like Blackadder’s famous character Baldrick, the UK government thinks it has a cunning plan to overcome the historic House of Commons defeat suffered on January 15, 2019. We will see in the coming weeks and months whether the plan turns out to be credible.
While we have no way of knowing whether a deal will be struck that will allow the orderly withdrawal of the UK from the EU, we do know that there are five key concerns that CISOs should be thinking about:
- International data flows between the UK and EU. Whatever form Brexit takes, the continued legal basis for data flows will depend on the UK’s data protection regime being judged equivalent to the EU’s. This adequacy decision, as it is known, would only begin to be worked on after the UK leaves the EU. While the two regimes are very similar as they stand today, there is no way of guaranteeing whether the decision will be made, or on what timescale. We recommend that CISOs and DPOs start looking now at alternative means of securing the legal basis for their international data flows between the UK and EU, for example model clauses (standard contractual clauses) or a binding corporate rules program, both of which are already widely used for transfers outside the EU. Note that binding corporate rules require regulator approval and typically take many months to put in place, whereas model clauses can be executed with each counterparty far more quickly, so the choice should be driven by how much lead time you have.
- Staffing issues. Thankfully, both sides have agreed that, whether a deal is agreed or not, they will work hard to provide some certainty to EU and British citizens working outside their home countries. For CISOs, this means that your staff will need reassurance and support if they need help with the application procedures or, in some cases, the costs of applying. The area that is going to be most problematic is recruitment. A challenge that is already difficult enough given the cyberskills shortage will require you to think more carefully about where you deploy your staff and security services. Restrictions on the number of EU citizens entering the UK, and vice versa, are generally expected, so review your operating model carefully to mitigate the impact that restrictions on freedom of movement could have on your security organization structure and headcount deployment.
- Threat intelligence cooperation and the level of computer emergency response team (CERT) support for breach response. Most bilateral threat intelligence sharing will continue regardless of Brexit. What is more certain to cause disruption is that UK cooperation and participation in Europol and EC3 at an operational level is going to be reduced. This means that in the case of Europewide security incidents affecting several countries across Europe and the UK (e.g., WannaCry and NotPetya in 2017), the two sides will no longer necessarily support each other operationally unless explicitly asked to. The impact of this will vary, but many large organizations in scope of the NIS directive will have built response plans that assume some level of support and cooperation from the authorities. CISOs should expect that their local-country CERT may not be working with the same quality of threat intelligence, nor have the same level of capability to call on, as it has under current arrangements. How much this disrupts security organizations remains to be seen, but it is certain to be a change from what is in place today, so playbooks that name a specific agency or contact path as a dependency should be checked and given a fallback.
- Regulatory relationships and breach notification reporting requirements. GDPR, the NIS directive, and PSD2 are all examples of EU rules that apply to the UK and the EU today (some affect only certain verticals, whereas GDPR applies universally). The UK’s continued participation in the European-level structures set up under these directives and regulations looks certain to end (timing being the key factor). Mandatory breach reporting will also become more complicated, with a requirement to report to multiple sets of regulatory bodies if your organization has operations in both the EU and the UK (as many do). CISOs should review their incident response plans in detail and refresh them on the assumption that they will no longer be able to make a single breach notification to a lead supervisory authority, as GDPR’s one-stop-shop mechanism provides for today. It is likely that the UK authorities will need to be notified if a breach affects services or citizens of the UK, and the lead EU supervisory authority for your principal EU establishment will need to be notified separately for EU services and citizens. This is a fiddly detail, but an important one given the stringent reporting deadlines (72 hours from awareness of a personal data breach under GDPR) in several pieces of EU legislation that also apply in the UK; a second regulator to notify does not extend the clock.
- Supply chain issues where hardware-based security devices pass through previously frictionless borders. This will only affect organizations geographically close to the UK or those whose supply chains run through the UK. Some shipments of hardware-based security products (e.g., next-generation firewalls or other hardware-based security appliances) will go through extra customs controls and point-of-origin checks that do not exist today within the single market. CISOs should review their key suppliers and supply chains to determine whether this is likely to affect them and any in-flight projects, and should also check whether any of those devices (HSMs and other cryptographic hardware in particular) carry dual-use export-control classifications, since crossing an external EU border can then mean licensing rather than just customs paperwork. Additional time should be built into your security program plans to account for some delay in deliveries. This is not expected to be a large bump, but it may push back some delivery deadlines if supply chains start to jam up. In the case of a no-deal Brexit, however, there is considerable potential for disruption, and more extended delays should be expected while new customs procedures are being implemented.
Not every item on this list will affect every organization, but CISOs should review their exposure to these five points and adapt their security program plans for 2019 accordingly. CIOs may find the blog post here of use for their wider no-deal Brexit planning. While we cannot know the precise turn of events during these difficult times, we can at least understand some of the potential issues and start to plan for them.