The lowdown on the Cyber Security and Resilience Bill

02 September 2024 Consultancy.uk

The Cyber Security and Resilience Bill is primarily focused on increasing the resilience of critical infrastructure by expanding the scope of current cyber regulations to protect more digital services and supply chains. James Tytler, associate for Cyber Incident Response at S-RM, explains how firms might prepare for the coming changes.

The Cyber Security and Resilience Bill, announced during the King’s Speech in July, will be introduced by the new Labour government as part of its plans to strengthen the UK’s cyber defences. Forming part of the Labour government’s broader strategy to safeguard the UK against the escalating threat of cyber-attacks, the Cyber Security and Resilience Bill works in tandem with the Digital Information and Smart Data Bill, which focuses on data protection.

The legislation comes at a critical time, after a recent high-profile incident where Russian cybercriminals targeted NHS hospitals, leaking sensitive patient data and raising the threat of extortion. The bill not only brings the UK up to speed with the European Union’s NIS2 Directive, but may even surpass it, potentially setting a new benchmark in cybersecurity resilience globally.

It will also impose stricter requirements for companies to report cyber incidents, particularly ransomware attacks. By mandating prompt reporting, the bill aims not only to address attacks more effectively, but also to build a deeper understanding of cyber threats over time. The collected data and insights should help identify attack patterns and craft more effective response plans.

The legislation is also expected to grant regulators new powers and enforcement actions. For example, it is anticipated that regulators will be equipped with cost recovery mechanisms to provide the resources to investigate and address vulnerabilities in organisations that do not meet the new cyber security standards.

However, there is no indication that the bill will include any mechanism obligating ransomware victims to seek licenses from authorities before ransom payments can be made – an idea which was reportedly under consideration under the previous government.

Why now?

The new government’s decision to prioritise cyber security with the introduction of this Bill is a positive development and well overdue. Not only is the new legislation encouraging, it is absolutely essential given the ongoing cyber-attacks targeting critical infrastructure.

This year alone, the country has suffered numerous high-profile cyber incidents, including the ransomware attack on NHS pathology provider Synnovis in June. This breach not only caused thousands of appointment cancellations, but also triggered a severe blood shortage in hospitals across the country. The gravity of these implications underscores the urgent need for legislation that can effectively address today’s complex and evolving threat of cyber incidents.

In addition to tackling immediate threats, the Bill will be crucial for modernising the UK’s cyber security framework. Currently, we are still relying on the 2018 Network and Information Systems Regulations, which are simply outdated. Relying on cyber regulations that are six years old has left the UK in a vulnerable position, especially given the rate at which the methods used by threat actors are evolving.

Compared to international legislation

Analysis of the EU’s forthcoming NIS2 Directive, set to take effect this year, reveals notable similarities with the Cyber Security and Resilience Bill, as well as some key differences.

Both legislative frameworks aim to safeguard critical infrastructure and supply chains by broadening the scope of existing regulations.

While the specifics of the Cyber Security and Resilience Bill are still emerging, it is anticipated that it will mirror NIS2 in introducing fines and penalties for organisations that fail to meet cybersecurity standards.

A key distinction and potential advantage for the UK is that the bill will become effective immediately upon approval, whereas the implementation and enforcement of NIS2 will be the responsibility of individual EU member states.

The Cyber Security and Resilience Bill is an important step forward for the UK in meeting the challenges of an increasingly complex and dangerous cyber threat landscape. While some questions still remain, the Bill promises to modernise the UK’s current cyber regulations and strengthen cyber security defences.

Founded in 2005, S-RM is an international consultancy with 400 practitioners spanning nine international offices. It featured in Consultancy.UK’s 2024 list of top consulting firms, and received a platinum rating in the cybersecurity category.