The U.K. government is poised to introduce the Cyber Security and Resilience Bill into Parliament in the coming months, as confirmed by the government’s legislative agenda outlined in King Charles’ speech this week. The move is expected to ‘strengthen the U.K.’s cyber defenses, ensure that critical infrastructure and the digital services that companies rely on are secure.’
“Our essential services are vulnerable to hostile actors and recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe,” according to a document titled ‘The King’s Speech 2024.’ “We need to take swift action to address vulnerabilities and protect our digital economy to deliver growth.’
The Bill will expand ‘the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.’ The existing U.K. regulations reflect laws inherited from the EU and are the U.K.’s only cross-sector cyber security legislation. They have now been superseded in the EU and require an urgent update in the U.K. to ensure that the nation’s infrastructure and economy is ‘not comparably more vulnerable.’
The introduction of the U.K. legislation comes as EU policymakers and lawmakers have moved to update the original NIS regime – ‘NIS2’ is due to be implemented in the EU member states by Oct. 17, 2024.
The Bill will make crucial updates to the legacy regulatory framework by expanding the remit of the regulation to protect more digital services and supply chains. These are an increasingly attractive threat vector for attackers. The Bill will fill an immediate gap in the nation’s defenses and prevent similar attacks experienced by critical public services in the U.K., such as the recent ransomware attack impacting London hospitals.
The legislation will also put regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and provide powers to proactively investigate potential vulnerabilities.
The Cyber Security and Resilience Bill will also mandate increased incident reporting to give the government better data on cyberattacks, including where a company has been held to ransom – this will improve understanding of the threats and alert to potential attacks by expanding the type and nature of incidents that regulated entities must report.
The current cybersecurity regulations play an essential role in safeguarding the U.K.’s critical national infrastructure by placing security duties on the industry involved in the delivery of essential services. The regulations cover five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Also, twelve regulators (competent authorities) are responsible for implementing the regulations.
Subject to the specific contents of the Cyber Security and Resilience Bill, there will likely be a need for businesses, technology companies, and those operating in critical national infrastructure services, to adhere to, and likely invest in, stricter cybersecurity standards. There will inevitably be a requirement for all businesses to consider who they may interact with in their supply chains to determine whether they fall within the scope, even indirectly, of the new stricter cyber security requirements.
Furthermore, whilst the anticipated information sharing will likely increase collective resilience to cyber-attacks, enhanced reporting obligations may well increase the administrative burden on businesses and bring with it additional costs arising from cyber incidents.
The government recognizes these issues and so anticipates providing resources, especially to small businesses, for improving cybersecurity practices and understanding the new requirements, most likely through the National Cyber Security Centre (NCSC).
The document identified that hostile cyber actors are increasingly targeting the U.K.’s critical sectors and supply chains. Recent serious high-profile attacks impacting London hospitals, and the Ministry of Defence as well as ransom attacks on the British Library and Royal Mail, have highlighted that the nation’s services and institutions are vulnerable to attack.
The NCSC has also assessed that the increased threat from hostile states and state-sponsored actors continues to ramp up. Also, two post-implementation reviews found the original regulations are having a positive impact, but that progress has not been fast enough.
Commenting on the move cyber risk expert Stuart Davey of Pinsent Masons highlighted how some of the work towards reforming the U.K. NIS regime has already been done by the previous U.K. government, which carried out its review of the NIS Regulations 2018 and then consulted on potential reforms.
“The proposed reforms were focussed on expanding the scope of NIS to other types of digital service providers and emphasizing the importance of supply chain cyber management, but it has been quiet on this front for 18 months since the government published its response paper in November 2022 – until now,” Davey said.
He added that “The government has identified the heightened and evolving cyber threat facing organizations, citing recent high-profile cyber attacks affecting the NHS and the Ministry of Defence, and its plans to bring forward this new Bill also come hot on the heels of public warnings from the U.K. National Cyber Security Centre about the cyber capabilities of China and Russia in particular.”
Law experts from CMS Legal observed in a post “Whilst an element of crystal ball gazing may be required, it has already been anticipated that the stricter requirements being imposed in the EU through NIS2 and the Cyber Resilience Act will result in increased uptake in Cyber Insurance and an increased use of risk management services. It is therefore anticipated that this would be the same in the U.K. should the Cyber Bill become law.”
“Whilst insurers will most likely also celebrate a legislative requirement for improved cyber security posture, they will likely need to adapt their policies to account for the greater level of regulatory scrutiny and potentially stricter financial penalties businesses may face, alongside the scope for increased civil litigation that may arise,” they added. “More detailed assessments of cybersecurity practices may well be required with the potential to charge higher premiums for those with inadequate safeguards.”