The UK government has released its policy statement on the forthcoming Cyber Security and Resilience Bill, which will bring more organisations into the scope of the regulation and mandate faster incident reporting. In response to the news, please see below comments from security experts at Beyond Blue and Closed Door Security:
David Ferbrache, managing director of Beyond Blue, said:

“The extension of NIS regulations to reflect the changing nature of our dependency on critical infrastructure is long overdue and reflects the reality of our increasingly complex and interconnected digital world.
While much of the new policy deals with cyber security, the proposed title is the Cyber Security and Resilience Bill, which is an opportunity to bring these two important disciplines together and take a holistic approach to regulation, which looks beyond just cyber threats.
One of the key announcements from the policy is the introduction of MSPs falling into the scope of the regulation. Small and medium sized enterprises depend on managed service providers for every aspect of their IT and their security posture – making sure MSPs take security seriously can make a massive difference to those SMEs. Alongside initiatives such as the NCSC’s Active Defence Programme, this can help protect one of the most vulnerable areas of our economy.
The bill also recognises the importance of supply chain security – reflecting the reality that threat groups are increasingly targeting suppliers as a weak link in security and a way of achieving mass effect. There is an increasingly complex set of regulation on suppliers, including the Bank of England’s Critical Third-Party Regime and NIS2/DORA regulations in the EU. It will be important to make sure expectations on suppliers are clear, and where possible aligned across regulators.
I also welcome the action to streamline reporting – there is a proliferation in incident reporting requirements for major firms with diverse requirements and reporting channels – simplifying and removing duplication is essential.
The one area of the Bill that will require more clarity is around the enhanced role of the ICO. The extension of the role of the ICO to regulate a wide range of digital services is a major change in scope. Care will be needed to not create conflicts of interest or distract from their key role as our national data protection authority.”
William Wright, CEO of Closed Door Security, said:

“The much-anticipated Cyber Security and Resilience Bill is here.
The government is clearly not underestimating the threat posed by adversaries and is pulling more organisations into regulatory scope to drive resilience across the country.
The new regulation will now cover designated critical suppliers to operators of essential services, as well as MSPs, MSSPs, data centres and organisations that provide data infrastructure.
The policy also mandates faster incident reporting across more organisations, to help the government more closely understand threat activity and gain deeper insights into attacks taking place that could more widely impact the UK and its citizens.
The UK has long set out its ambitions to become the safest place in cyber space, but this is impossible to achieve when only a subset of organisations are regulated on cyber security.
By pulling more organisations into the scope of the regulation, the government will encourage wider adoption of good cyber hygiene practices to help safeguard the UK.
Today supply chains span the breadth of the internet, with small unknown organisations being intrinsically linked with highly critical organisations, which is exactly what happened with Synnovis. The government is clearly working to defend against these attacks by categorising key suppliers to regulated organisations to better safeguard the UK’s essential services and its citizens.
But, in reality, the Bill still only affects a subset of organisations.
We can’t forget about the private businesses not covered by the regulation, which are still highly vulnerable to attack and critical to the UK’s economy.
As a result, now that the Cyber Security and Resilience Bill has been published, the government must work harder to raise awareness on cyber hygiene for the huge number of organisations that don’t fall into the scope of the regulation.”