Cybersecurity

Cybersecurity

Cyber risk, like any other risk to your business, needs to be managed properly and considered a high priority risk for the internal compliance or legal team—not just the IT department. It is a business risk that must be managed within an overall information risk-management and crime prevention framework.

The guidance and tools referenced reflect information security and breach notification requirements in the UK General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679 and Data Protection Act 2018, but are not intended to cover specialist sector-specific requirements in the:

•
Network and Information Systems Regulations 2018 (NIS Regulations), SI 2018/506
•
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426 (as amended), or
•
Financial Services and Markets Act 2000 (FSMA 2000) and the Financial Conduct Authority (FCA) Handbook

What is cybercrime?

Cybercrime is simply a crime that has some kind of computer or cyber aspect to it. It takes shape in a variety of different forms.

•
one-off—involves theft or manipulation of data or services which appears, from the victim’s perspective, to be a single event, eg malware or phishing
•
ongoing—a

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

Practice Compliance weekly highlights—5 March 2026

This week's edition of Practice Compliance weekly highlights includes OFSI’s publication of its framework for prioritising licence applications, OPBAS’ latest supervisory findings identifying continuing weaknesses in enforcement among professional body supervisors and HM Treasury’s guidance on the use of certified digital identities under the MLRs 2017. We also have analysis of the Court of Appeal’s ruling in DSG v ICO on the scope of controllers’ security obligations, new international guidance on foreign bribery risk indicators and the Court of Appeal hearing in the Mazur case.

DBT and FCDO publish guidance on Belarus sanctions licensing considerations and exceptions

The Department for Business and Trade (DBT) and the Foreign, Commonwealth & Development Office (FCDO) have published two new guidance documents under the UK’s Belarus sanctions regime, addressing licensing considerations and exceptions. The DBT guidance provides a look-up guide listing considerations for granting trade sanctions licences across 12 categories, including military interception and monitoring equipment and machinery- related goods and technology. It outlines the conditions under which licences may be granted, including for humanitarian purposes, safety and maintenance needs, and medical or pharmaceutical uses. The FCDO guidance on automatic exceptions sets out defined circumstances in which activities subject to sanctions may be carried out without a licence, including those relating to personal effects and personal use, as well as activities connected to diplomatic missions, emergency situations and consumer communication devices for civilian use. Both documents form part of the statutory guidance issued under the Republic of Belarus sanctions regime.

OPBAS report identifies enforcement weaknesses in AML supervision

The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) has published a report on its 2024/25 supervisory work assessing the effectiveness of professional body supervisors (PBSs) in the legal and accountancy sectors. Following reviews of six PBSs against the Money Laundering Regulations 2017, OPBAS found that overall standards have improved, with most PBSs rated effective or largely effective in governance, risk-based approaches, staff competence and record keeping. However, it identified continuing weaknesses in supervision and enforcement, noting that some PBSs rely excessively on an ‘assisted compliance’ approach, apply insufficiently dissuasive disciplinary measures and allow extended remediation periods. Enforcement outcomes differ between sectors, with lower average fines in the accountancy sector and concerns about the recovery of penalties, potentially weakening deterrence.

Data by any other name—Court of Appeal reverses Upper Tribunal’s ruling on the protection of ‘personal data’ (DSG v ICO)

Information Law analysis: In this case, the Court of Appeal unanimously allowed the appeal brought by the Information Commissioner’s Office (ICO), holding that it is sufficient that data which has been subjected to unauthorised or unlawful processing by a third party still constitutes personal data from the perspective of the data controller, even if it is pseudonymised ‘in the hands of’ the data controller and therefore anonymised ‘in the hands of’ the attacker. Accordingly, the court held, the data controller is required to take ‘appropriate technical and organisational measures’ (ATOMs) to protect that personal data against such hackers, even where those third parties cannot themselves identify the individuals to whom the data relates. Even though this judgment is under the Data Protection Act 1998 (DPA 1998), this decision is significant as it confirms, in terms equally applicable to the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), that the scope of the security obligation is not diminished merely because stolen or exfiltrated data would be anonymised in the hands of the third party with unlawful access. This development expands and makes more pressing the obligation on controllers to assess and guard against a broader range of threats—including ransomware, data destruction, and bulk exfiltration, regardless of the attacker's capacity to re-identify data subjects. Written by Adelaide Lopez, senior associate at Wiggin LLP.

View Practice Compliance by content type :

News