Who: National Cyber Security Centre (NCSC)
Where: United Kingdom
When: 6 November 2024
Law stated as at: 10 January 2025
What happened:
The NCSC released guidance in November 2024 for brands and their advertising partners, in order to help make it more difficult for cyber criminals to deliver malicious advertising, otherwise known as “malvertising”. The NCSC advice aims to reduce the risk of cyber-facilitated fraud and increase trust in the digital advertising industry.
The guidance contains details of eight different actions, laid out in the form of principles, which it says brands should expect their digital advertising partners to follow. Each action is transparent in itself and, when the actions are used collectively, each adds a further layer of security. Digital advertising companies may publish their responses to the guidance so that potential customers can more easily evaluate their service by how they have adopted the principles.
The principles lay out the actions expected from digital advertising partners. These are:
- Put in place strong know-your-customer checks, in order to identify unexplained activity “spikes”, activity in regions known for money laundering, and any controlling parties appearing on sanctions or adverse-media lists.
- Enforce strong cybersecurity processes, with partners being able to demonstrate how they design, build, manage and maintain their whole digital-advertising operations infrastructure so as to prevent and manage the risk of a cyber-attack throughout their supply chain.
- Only use reputable sources of data and ensure the processing of any data, especially special categories, is in accordance with the UK General Data Protection Regulation. The Information Commissioner’s Office has also written guidance on planning data law compliant online marketing campaigns.
- Implement industry standards, such as ads.txt (which allows publishers and distributors to state who can sell their inventory), buyers.json and DemandChain Object, which provide transparency around entities involved in bid responses and help trace the source of malicious ads in order to stop them. Other industry-recognised certifications, such as those offered by TAG or IAB UK, should also be considered.
- Demonstrate how they detect malvertising and remove it, such as how they deal with any attacks and how they scan for suspicious activity.
- Share threat intelligence with advertisers, publishers and advert networks in order to respond faster to new attacks and to proactively prevent an attack detected on one platform from appearing on others.
- Have reliable reporting mechanisms, including different channels depending on whether the report is coming from an advertiser, a publisher or a consumer.
- Be transparent as to how they reduce harm, and commit to protecting end users and advertisers’ advertising spend.
Why this matters:
NCSC has issued its guidance as it looks to crack down on malvertising in the industry. It gives clear, in-depth measures that advertisers should ensure their partners are following, in order to reduce the presence of malvertising and, therefore, the harm to the end user. In due course, we may see advertisers publishing their own responses to the guidance to give their users full transparency.