A recently released Policy Statement from Peter Kyle MP, the UK Secretary of State for Science, Innovation and Technology, has given some guidance on which areas will be prioritized in the UK government's Cyber Security and Resilience Bill.
The Policy Statement focuses on three key areas: expanding the regulatory framework, empowering regulators, and ensuring the regulatory framework is adaptable.
Expanding
The Bill seeks to bring more organizations into its scope, reflecting how heavily essential services now depend on digital services and the vulnerabilities that supply chains introduce. The government believes that increased regulation of this space will help to ensure compliance with cybersecurity measures. Two of the main ways it proposes to do this are by making managed service providers (MSPs) more accountable and by identifying 'critical suppliers' in the supply chain.
MSPs
Placing duties on MSPs is proposed both to protect against cyber-attacks and to give regulators a better understanding of the threats facing essential services. Expanding the scope of the regulations to include managed services is intended to improve the security of IT infrastructure and reduce the risk of cyber-attacks. This measure is estimated to bring a further 900-1100 MSPs into scope.
Identifying ‘Critical Suppliers’
The government is seeking to give regulators a power to identify and designate specific high-impact suppliers in the supply chain as 'designated critical suppliers' (DCS). Under the proposals, a DCS would have to adhere to core security requirements and incident reporting obligations. The goal is to set consistent standards across the most critical tiers of the supply chain.
Empowering
The proposed Bill would grant the Secretary of State additional powers to make regulations to update the existing requirements and issue a code of practice setting out guidance on how to satisfy the regulatory requirements.
The government's aim here is to set clear expectations for firms that provide digital services and operate essential services within the scope of the Bill, to ensure that proportionate and up-to-date security requirements are in place, and to provide a means of updating those requirements as the threat landscape changes. The main ways it proposes to achieve this are improved incident reporting, new information gathering powers, and better cost recovery mechanisms for regulators.
Improved Incident Reporting
Under the plans, incident reporting would be tightened to an initial notification within 24 hours and a full report within 72 hours, with a broader definition of which incidents regulated entities must report. The Bill also aims to streamline the reporting process and improve transparency for digital services and data centres.
The process would, in theory, closely mirror the EU's NIS2 Directive. A proposed two-stage reporting structure would require regulated entities to contact their regulator and notify the National Cyber Security Centre (NCSC) of a significant incident within 24 hours of becoming aware of it, with an incident report to be completed within 72 hours. Informing both the NCSC and the regulator at the same time is intended to give both parties a fuller picture of the threat landscape.
Information Gathering Powers
New powers would be granted to the Information Commissioner's Office (ICO), enabling it to identify the most critical firms that provide digital services. In the case of MSPs, for example, the ICO would have the authority to regulate them, backed by strengthened information gathering, investigation, and enforcement powers.
Improving Regulators’ Cost Recovery Mechanisms
Under the proposals, regulators would be given the scope to set up new fee regimes, allowing fees to be levied and costs to be recovered by invoice. The regulations would also clarify the intent and scope of the existing cost recovery rules and extend the regime to all activities necessary for the performance of the regulators' functions, including enforcement.
Adapting
Measures to adapt the regulatory framework to keep pace with the changing cyber landscape include giving the Secretary of State greater scope to update the legislative framework without requiring a new Act of Parliament, subject to certain safeguards. Removing this layer of procedure is intended to make changes easier to enact in the face of an immediate and evolving cyber threat.
Welcome Changes
The move to shore up UK cybersecurity has been welcomed by industry experts.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented, “The UK government’s Cyber Security and Resilience Bill is a much-needed step in the right direction. The bill’s focus on mandating improved cyber defenses for essential service providers and the overall proactive approach is a much-welcomed initiative.”
Jamie Akhtar, CEO and Co-founder of CyberSmart, echoed the positive sentiments, but also wants the proposals to act as a catalyst for change: "While most welcome, this bill needs to be the start of a 'levelling up' (to borrow a phrase) of cybersecurity across the UK."
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.