Government announces new Bill to strengthen the UK's cyber security and resilience
The Government has announced a new Cyber Security & Resilience Bill via the King’s Speech.
The Bill was one of two specific pieces of legislation focusing on the technology sector that were announced. Its purpose is to strengthen the UK’s cyber defences and to ensure that critical infrastructure and the digital services that companies rely on are secure.
The Bill is an important step forward in addressing the growing number of attacks on the UK’s digital economy by cyber criminals and state actors that are affecting public services and infrastructure. In recent months, these have included attacks on our health services, local authorities, government departments, universities and democratic institutions – many of which have had severe impacts, such as the ransomware attack in June on the NHS in England which resulted in the postponement of elective procedures and outpatient appointments at King’s College Hospital and Guy’s and St Thomas’ Hospital. Furthermore, there is a significant risk to the economy: the financial cost of cyber-attacks to the UK was estimated to be £27 billion per annum in 2011, and this figure is almost certain to have increased since then … With an insecure geopolitical landscape and the unprecedented advancement of technology, the threat only continues to rise.
As outlined in the King’s Speech document, the current cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services. The regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.
These regulations have had a positive impact, but progress hasn’t been fast enough and updates are essential in order to keep pace with the threat landscape.
So, what will the Bill do?
The government has announced that:
*The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.*
The existing UK regulations reflect law inherited from the EU and are the UK’s only cross-sector cyber security legislation. They have now been superseded in the EU and require urgent update in the UK to ensure that our infrastructure and economy are not comparatively more vulnerable.
*The Bill will make crucial updates to the legacy regulatory framework by:*
- *Expanding the remit of the regulation to protect more digital services and supply chains. These are an increasingly attractive threat vector for attackers. This Bill will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.*
- *Putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities.*
- *Mandating increased incident reporting to give government better data on cyber-attacks, including where a company has been held to ransom – this will improve our understanding of the threats and alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report.*