Businesses in the UK could face up to £122 billion in fines for cybersecurity breaches in 2018, according to new findings from the Payment Card Industry Security Standards Council (PCI).
The increase in fines would come as part of new EU legislation, which will set regulatory penalties for security breaches at 4% of global turnover, to a maximum of £18 million.
A cybersecurity breach is an incident that results in the unauthorised access of a company’s data or its networks.
While the UK will most likely have left the EU by 2019, Prime Minister Theresa May intends to sign all current European law into UK law and repeal it gradually. That means that the new rules would still apply after Brexit.
Cybersecurity is a big problem for UK businesses. In 2015, 90% of large organisations and 74% of smaller businesses reported a breach, according to PCI.
If breaches remain at 2015 levels, PCI says fines due would increase from £1.4 billion last year to £122 billion. Large organisations would face £70 billion of those fines — an average of £11 million per organisation. Fines for smaller businesses would rise to £52 billion, averaging £13,000 for each business.
Jeremy King, director at PCI, said in an emailed statement: “The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.”
“Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand,” he added.
There have been several high-profile cybersecurity incidents recently. In 2015, broadband firm TalkTalk’s servers were hacked, leading to the theft of 15,000 customers’ bank details. In September 2016, US technology firm Yahoo was hacked, leading to the theft of 8 million email users’ data.
PCI is a council formed from employees of major credit card companies, including American Express and Visa, and works to keep data security and payment technology standards up to date.