Michael Constable

Director Consulting Delivery – Cyber Managed Services & Advisory, UK & Australia

Amidst the pomp and ceremony of the formation of the new UK Government, you may have missed a crucial component of the King's Speech: the introduction of significant new cyber laws.

The King underscored that over the past 18 months, the UK's hospitals, universities, local authorities, democratic institutions, and government departments have been persistently targeted by cyber-attacks. He emphasised the urgent need to address these vulnerabilities to protect our digital economy and ensure sustainable growth. The new UK Government has committed to updating the Cyber Security and Resilience Bill, aiming to fortify the UK’s cyber defences and secure critical infrastructure and digital services.


What to expect

We fully support any government measures that bolster the protection of the UK's essential services and digital economy. So, what can we expect from this updated Bill?

  1. Broadened Regulatory Scope: There will be an expansion in the scope of regulations to cover more digital services and supply chains. This will particularly address areas that were compromised during the recent ransomware attack on London hospitals.
  2. Empowered Regulators: Regulators will be granted enhanced powers to ensure the implementation of essential cyber safety measures. This includes potential cost recovery mechanisms to support regulatory resources and proactive investigation of vulnerabilities.
  3. Increased Incident Reporting: There will be a push for more comprehensive incident reporting to provide the government with better data on cyber-attacks, including instances where companies have been held to ransom.


What next?

Recent reviews by the UK Government have shown that while the original regulations have had a positive impact, progress has been insufficient. In 2022, a review acknowledged the existing framework's crucial role in enhancing the UK's resilience against network and information systems security threats, but highlighted the need for updates to keep pace with evolving threats. Just over half of the operators of essential services have updated or strengthened their policies and processes since the inception of the regulations in 2018.

We anticipate that regulators will be granted more authority to ensure all parties, including their suppliers (and ideally, their suppliers' suppliers), continuously assess and address cyber threats and risks in the services they manage.

In summary, while the regulatory update is much needed, those involved in supporting the UK's critical services should not wait for the legislation to take effect. It is imperative to start reviewing your risk and threat intelligence processes now and ensure your team regularly conducts incident management exercises based on real-world scenarios.


How can we help?

At CGI, we help our clients manage complex security challenges with a business-focused approach – protecting what is most valuable to them. Please feel free to get in touch if you’d like to discuss the topics in this blog or find out how we can help you with your security challenges.

Sources

https://inews.co.uk/news/politics/cyber-attack-protection-laws-nhs-mod-kings-speech-3173364

About this author

Michael Constable

Director Consulting Delivery – Cyber Managed Services & Advisory, UK & Australia

Michael leads the delivery of the Security Operations element of CGI’s UK cyber practice with responsibility for Security Operations Advisory, Managed Security Services and Penetration testing functions. Focused on regulated industries, Critical National Infrastructure (CNI) and Government, these services to address key risks to our ...