Key takeaways

• Building on the UK Government’s recently issued cybersecurity strategy, the UK Department for Culture, Media & Sport has published its Cyber Security Regulation and Incentives Review.
• While the Government has decided not to implement prescriptive cybersecurity regulations, businesses should not forget the demands of pre-existing and future data protection obligations, most notably the GDPR, on their cybersecurity programmes.
• Going forward, businesses which fail to implement appropriate cybersecurity systems and controls may face significant penalties from both data protection authorities and financial regulators.