Following the State Opening of Parliament, the King’s Speech on 17 July included news of significant new legislative proposals to address cybersecurity concerns, focusing on supply chain risks, particularly in the public sector, and improving incident reporting.

What Concerns and Risks? 

The kinds of concerns and risks the new legislation has been drafted to tackle are essentially those that come from the public sector’s extensive reliance on interconnected systems and digital services. For example, public sector organisations (including healthcare, local government, and infrastructure services) manage vast amounts of sensitive data and provide essential services to the population. This, therefore, makes them prime targets for cyber-attacks, which can disrupt critical functions and compromise personal information.

Recent cyber incidents, such as the ransomware attack on Synnovis (a pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust), have highlighted the vulnerabilities within public sector supply chains. The Synnovis attack (in June), for example, led to significant disruptions in healthcare services, delaying thousands of outpatient appointments and elective procedures in major hospitals. The particular vulnerability of supply chains is illustrated by recent research from Security Scorecard which showed that a staggering 29 per cent of all breaches in the last quarter of 2023 were the result of a third-party attack vector, i.e. cyber criminals gaining unauthorised access to an organisation’s systems or data by exploiting vulnerabilities in its suppliers, vendors, or partners.

As noted by the UK government within the supporting documentation for the King’s Speech: “Over the past 18 months, hospitals, universities, local authorities, democratic institutions, and government departments have been targeted. These attacks highlight the vulnerability of our essential services, with severe consequences observed in sectors like the NHS and the Ministry of Defence”. 

What New Legislation? 

As one of 40 bills announced by King Charles III in his speech, the ‘Cyber Security and Resilience Bill’ is being introduced to tackle the public sector’s reliance on interconnected systems and digital services. This new legislation is designed to address this challenge by expanding the scope of cybersecurity regulations to cover more digital services and supply chains within the public sector to ensure that public organisations implement necessary security measures to protect against cyber threats.  To give a brief overview of what’s being suggested, the key points of the Cyber Security and Resilience Bill are:

– Expansion of regulations. The bill broadens the scope of existing cybersecurity regulations to include more digital services and supply chains, addressing vulnerabilities in critical infrastructure.

– Empowerment of regulators. It provides regulators with enhanced powers to enforce cybersecurity measures, including the ability to investigate potential vulnerabilities proactively.

– Protection of the public sector. The legislation aims to safeguard essential public services such as healthcare and defence, which have been targets of significant cyber-attacks in recent years.

– Cost recovery mechanisms. The bill introduces cost recovery mechanisms to ensure regulators have sufficient resources to enforce cybersecurity measures effectively

Increased Incident Reporting Too 

Also, the ‘Cyber Security and Resilience Bill’ mandates increased incident reporting, which is crucial for improving the government’s response to cyber-attacks. For example, it requires organisations to report a wider range of cyber incidents.

This is because enhanced reporting is likely to improve the government’s ability to identify, mitigate, and respond to threats more effectively, thereby reducing the risk of widespread disruption.

Overall, the bill is designed to address the pressing need to strengthen cybersecurity across all sectors, particularly focusing on the interconnected nature of modern supply chains.

Criticism

Although the need for such legislation is clear and is likely to be welcomed, some critics have suggested that it should have happened sooner – it’s the first time cybersecurity legislation has been updated in six years, and it may only just bring the UK up to speed with current threats. Also, with the rate at which new threats are advancing, the legislation is unlikely to fully address all vulnerabilities.

What Does This Mean For Your Business? 

For businesses, the introduction of the Cyber Security and Resilience Bill represents a challenge and an opportunity. The new regulations will require companies (particularly those involved in supplying public sector organisations) to bolster their cybersecurity measures. This means that businesses will need to review and potentially upgrade their existing security protocols to meet the expanded regulatory requirements. Ensuring compliance will also be crucial to avoid penalties and to maintain the trust of public sector clients who are increasingly vigilant about their cybersecurity posture.

The emphasis on enhanced incident reporting is another critical aspect that businesses must prepare for. Organisations will need to establish or refine their reporting processes to ensure that all significant cyber incidents are promptly and accurately reported to the relevant authorities. This increased transparency will not only aid in the collective defence against cyber threats but also help businesses understand the evolving threat landscape, allowing them to adapt and improve their security measures proactively.

Also, giving greater power to regulators means that businesses are likely to need more rigorous inspections and enforcement actions. This could involve regular audits and compliance checks, and the need for a continuous commitment to maintaining robust cybersecurity practices. While this may require additional resources and investment, it also presents an opportunity for businesses to strengthen their defences against cyber-attacks, thereby safeguarding their operations and reputation.

The legislation’s focus on securing supply chains also highlights the importance of third-party risk management. Businesses will need to ensure that their suppliers and partners adhere to high cybersecurity standards, as vulnerabilities within the supply chain can have severe repercussions. Implementing stringent vetting processes and regular security assessments for third parties are likely to be essential to mitigate these risks.

To conclude, while the Cyber Security and Resilience Bill introduces new obligations, it also provides a framework for businesses to enhance their cybersecurity resilience. By embracing these changes and proactively strengthening their defences, businesses can protect themselves against the growing threat of cyber-attacks and maintain their competitive edge in an increasingly digital economy.