Government announces new Bill to strengthen the UK's cyber security and resilience

Government announces new Bill to strengthen the UK’s cyber security and resilience

In yesterday’s King’s Speech, the Cyber Security & Resilience Bill was one of two specific pieces of legislation focussing on the technology sector that were announced. Its purpose is to strengthen the UK’s cyber defences and to ensure that critical infrastructure and the digital services that companies rely on are secure.

The Bill is an important step forward in addressing the growing number of attacks on the UK’s digital economy by cyber criminals and state actors that are affecting public services and infrastructure. In recent months, these have included attacks on our health services, local authorities, government departments, universities and democratic institutions – many of which have had severe impacts, such as the ransomware attack in June on the NHS in England which resulted in the postponement of elective procedures and outpatient appointments at King’s College Hospital and Guy’s and St Thomas’ Hospital. Furthermore, there is a significant risk to the economy: the financial cost of cyber-attacks to the UK was estimated to be £27 billion per annum in 2011 and this figure is certainly likely to have increased since then … With an insecure geopolitical landscape and the unprecedented advancement of technology, the threat only continues to rise.   

As outlined in the King’ Speech document, the current cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services. The regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.

These regulations have had a positive impact, but progress hasn’t been fast enough and updates are essential in order to keep pace with the threat landscape.

So, what will the Bill do?

The government has announced that:

  • The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.
  • The existing UK regulations reflect law inherited from the EU and are the UK’s only cross-sector cyber security legislation. They have now been superseded in the EU and require urgent update in the UK to ensure that our infrastructure and economy is not comparably more vulnerable.
  • The Bill will make crucial updates to the legacy regulatory framework by:
    • Expanding the remit of the regulation to protect more digital services and supply chains. These are an increasingly attractive threat vector for attackers. This Bill will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.
    • Putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities.
    • Mandating increased incident reporting to give government better data on cyber-attacks, including where a company has been held to ransom – this will improve our understanding of the threats and alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report.

Jill Broom, Programme Manager, Cyber Security at techUK said:

“techUK welcomes the announcement of the Cyber Security & Resilience Bill and the new government’s recognition of the integral role that cyber security has in securing and enabling the critical sectors of our society and economy. Recent high-profile ransomware attacks on the NHS are just one example of the significant impact that cyber-attacks can have on the operation of vital functions as well as on our national security, therefore, it is encouraging to see this renewed emphasis on cyber resilience.

techUK and its members have been calling for the current NIS Regulations to be updated in order to keep pace with the ever-evolving threat landscape and harness the benefits that technology can offer. This Bill is an important step forward in prioritising the security of our critical national infrastructure; and we look forward to working with the government to ensure this legislation is fit for purpose and, at the same time, nurtures continued growth and development of innovation in the UK’s thriving cyber sector.”

You can read the full King’s Speech here and techUK’s insight of it here.

Jill Broom

Jill Broom

Head of Cyber Resilience, techUK

Annie Collings

Annie Collings

Programme Manager, Cyber Resilience, techUK

Raya Tsolova

Senior Programme Manager, techUK

Tracy Modha

Tracy Modha

Team Assistant - Markets, techUK