Expert Insights on the UK’s New Cyber Security and Resilience Bill: What You Need to Know

The incoming British government has initiated efforts to enhance the nation’s cyber-resilience with a new bill mentioned in the King’s Speech last week.

Key Takeaways:

  • The UK government is taking steps to enhance the nation’s cyber resilience with a new Cyber Security and Resilience Bill
  • The bill aims to tighten reporting times for security incidents and strengthen the power of regulators
  • This initiative addresses the risk of disruption and data leaks from outdated and insecure IT systems used in UK public services

What is The Bill?

In response to the growing risk of cyber attacks, the new Labour Government announced plans to introduce the Cyber Security and Resilience Bill. This legislation will empower regulators to enforce more robust cyber security measures across more firms. According to background notes published last week, the bill aims to “strengthen our defences and ensure that more essential digital services than ever before are protected.”

The Cyber Security and Resilience Bill seeks to expand on the Network and Information Systems (NIS) Regulations 2018, which originated from an EU directive. Efforts to update these regulations had stalled, but the new bill aims to address this by including more types of digital service providers and emphasising supply chain cyber management.

Steve Burden, Head of Cyber Security at Daisy, highlights, “The bill emphasises comprehensive cyber security protections, especially for critical national infrastructure, impacting organisations of all sizes and industries. It increases the consequences of failing to meet a minimum-security posture or reporting a breach, including adding personal liability for senior management and board directors. This step is crucial for strengthening organisations’ protection against the growing cyber threat.”

The bill will also expand the scope of regulators to cover supply chains and address the increasing prevalence of supply-side attacks, where malicious actors infiltrate networks through third-party suppliers. It also aims to create a stronger regulatory environment to ensure that cyber security measures are effectively implemented.

Key Focuses of The Bill Will Include:

  1. Critical Infrastructure Protection: Extending the scope of the NIS regime to cover more digital services and supply chains
  2. Regulatory Powers: Granting new powers to regulators and updating existing regulations
  3. Mandatory Ransomware Reporting: Improving authorities’ understanding of threats and expanding the types of incidents that must be reported

Paul McLatchie, Security Strategy Consultant at Daisy, adds: “Key regulations such as the Digital Operational Resilience Act (DORA) in the EU and PS21/3 in the UK, focused on financial services operational resilience requirements, have foreshadowed a broader industry shift towards an ‘assume breach’ mindset. Organisations are increasingly recognising the need to balance investments in protective security controls with the development of robust cyber resiliency capabilities. In this context, the recently announced bill is a welcome initiative, providing organisations with the framework to garner support and investment in enhancing their cyber resiliency. It is also encouraging that the bill addresses supply chain security, a critical yet often overlooked aspect of an organisation’s extended security posture.”

Fabien Bourdaire, Cyber Incident Response Service Director at Daisy, shares field insights: “Ten years after Cyber Essentials and six years post-UK GDPR, most businesses and public services are still inadequately protected against cyber-attacks, though ransomware attacks are often preventable. Mandatory ransomware reporting will enforce transparency, enhance problem visibility and reveal failure points. Authorities should already be informed, as ransomware groups often steal PII data before deploying attacks and publish a ‘shame’ list of victims. This mandate could precede a ban on ransomware payments, disrupting the ransomware economy. Regardless of new laws, businesses must boost their cyber-resiliency. For example, are your backup systems secure and immutable?”

The bill responds to heightened cyber threats, citing recent attacks on the NHS and the Ministry of Defence and warnings about China and Russia’s cyber capabilities. The announcement follows a significant ransomware attack on an NHS supplier, highlighting the urgency of the measures.

Martin Lewis, Cyber and Operational Resilience Sales Manager at Daisy, welcomes the proposal to expand the previous scope to include digital resilience and highlights the importance of managing the digital supply chain. He notes, “Cyber resilience is a recurring topic in our conversations with customers who are increasingly concerned about the rising tide of cyber incidents. Safeguarding the UK’s critical national infrastructure, supply chain, and cloud computing services is vital for both economic growth and social well-being across the country. This bill aims to refocus attention on strengthening cyber security and resilience measures, which is a crucial step forward.”

A Comprehensive Approach to Cyber Security

This approach aims not only to mitigate immediate cyber threats but also to reinforce the UK’s long-term cyber security posture, ensuring that both public services and private enterprises are better protected against cyber threats. By integrating stronger regulatory oversight with enhanced incident reporting and supply chain management, the government is positioning the UK as a leader in cyber resilience and security.

Conclusion

The Cyber Security and Resilience Bill represents a significant step forward in protecting the UK’s digital landscape. By expanding regulatory powers, mandating improved incident reporting, and focusing on supply chain security, the bill aims to enhance the nation’s overall cyber resilience. Experts in the field, such as Steve Burden, Martin Lewis, Paul McLatchie and Fabien Bourdaire underscore the importance of these measures in safeguarding critical infrastructure and ensuring economic and social stability. As the bill progresses, it will be crucial for organisations to stay informed and proactive in meeting these new regulatory requirements.
