3 Ways the UK Government Plans to Strengthen Cyber Security Regulation with a New Bill

After a sharp rise in ransomware attacks that have disrupted critical services and key infrastructure, the U.K. government has set out the scope of its forthcoming Cyber Security and Resilience Bill for the first time. The bill aims to close gaps in the country's existing cyber rules and protect critical infrastructure from ransomware and other attacks.
According to a press release, technology secretary Peter Kyle said: "The Cyber Security and Resilience Bill will help make the UK's digital economy one of the most secure in the world, giving us the power to protect our services, our supply chains, and our citizens, the first and most important job of any government."
On April 1, the government published the Cyber Security and Resilience Policy Statement, which outlines the proposed bill and several additional measures still under consideration. No firm timeline has been confirmed, but the bill is expected to be introduced in Parliament later this year.
The bill has three core aims: expanding the regulatory scope, strengthening regulators' powers, and giving the government the flexibility to update the framework.
Expanding the regulatory scope
The U.K.'s current cyber rules are inherited from the E.U. in the form of the Network and Information Systems (NIS) Regulations 2018. They cover transport, energy, drinking water, health, digital infrastructure, online marketplaces, search engines, and cloud computing services. A 2022 review found them to be out of date.
The regulations have since been updated in the E.U. but not in the U.K., so the Cyber Security and Resilience Bill aims to bring around 1,000 additional service providers, such as managed service providers, into scope. Data centers, which were designated Critical National Infrastructure in September 2024, are also proposed for inclusion.
The bill's impact may take time to materialize
William Richmond-Coggan, a partner specializing in dispute management at law firm Freeths, believes the effects of the bill may not be felt as quickly as the government hopes.
In an email to TechRepublic, he stated: “Even if each organization targeted by the new regulations possesses the financial resources, technical capabilities, and leadership bandwidth to upgrade their infrastructure to cope with current and forthcoming cyber threats, aligning all their systems is likely to be a protracted and costly endeavor. In light of the ever-evolving landscape of cyber threats, these dual investments in time and budget need to be continual commitments – establishing a cyber-secure stance is not a one-time task.”
“Equally crucial is the imperative task of ensuring that individuals working in these nationally significant entities comprehend that cyber security is solely as robust as its weakest point, and that each person has a role in upholding the safety of these organizations.”
“Placing an excessive emphasis on top-down regulatory alterations risks weakening or diverting attention from this message, at a juncture where constant vigilance is imperative at all levels to combat the growing threats posed by progressively sophisticated cyber-criminals and increasingly bold state-sponsored actors.”
Stronger regulatory powers
The Cyber Security and Resilience Bill will give regulators additional powers to ensure that adequate security measures are in place. Regulators will gain new tools, including the ability to set and recover fees for their regulatory activities and the authority to issue codes of practice and sector-specific guidance. The Information Commissioner's Office will also receive new powers, such as the ability to issue information notices so it can proactively investigate potential vulnerabilities.
Expanded mandatory reporting
The new bill will require a wider range of cyber incidents, including ransomware attacks, to be reported to regulators. Over time, this is expected to improve the government's threat intelligence and its ability to respond.
Rather than covering only incidents that disrupt service continuity, reportable incidents will include those capable of having a significant impact on the provision of essential services, or on the confidentiality, availability, and integrity of systems. For example, companies will have to report cases where the confidentiality of their data is compromised, or where they fall victim to a spyware attack that affects their customer organizations.
The bill will require companies to notify their regulator and the National Cyber Security Centre of a significant incident within 24 hours of detecting it, and to submit a full incident report within 72 hours. Data centers and digital service providers must also inform affected customers.
The government will be able to update the framework
The Technology Secretary will have the power to amend the regulatory framework where necessary for national security, for example by extending it to new sectors. A further proposed measure would allow the government to issue directions to regulated organizations and regulators in response to an active cyber threat or attack, such as requiring systems to be patched within a set period.
On enforcement, the policy statement says the government will "look at the standards set out in the Telecommunications (Security) Act 2021". That act allows fines of up to 10% of a company's annual turnover, or £100,000 per day for a continuing breach, until compliance is achieved.
Cyber attacks on the U.K. are rising
The U.K. has seen a string of high-profile attacks over the past year, including the ransomware attack on the British Library, a ransomware attack on a supply-chain software provider that disrupted major retailers Sainsbury's and Morrisons, and the attack on pathology provider Synnovis, which disrupted NHS services. In 2024, the NCSC handled 430 incidents, up from 371 in 2023; 89 of them were "nationally significant" because of ransomware threats to essential services and the wider economy.
Last December, the head of the NCSC warned that the cyber risk facing the country is "widely underestimated" and said that it is essential to "improve the defences and resilience of our critical infrastructure, supply chains, the public sector and our wider economy" against threats from state actors.
In January, the U.K. government said it was considering banning public sector bodies and critical infrastructure operators from paying ransoms, to make them less attractive targets for criminals and so reduce the frequency and impact of such incidents in the U.K. Some experts have suggested that essential sectors such as healthcare and critical infrastructure should be exempt from any ban, since refusing to pay, and the resulting downtime, could cost lives.
