The King’s Speech: where next for UK cyber?
The Cyber Security and Resilience Bill (CSRB)
“Our digital economy is increasingly being attacked by cyber criminals and state actors, affecting essential public services and infrastructure. In the last 18 months, our hospitals, universities, local authorities, democratic institutions and government departments have been targeted in cyber attacks.
Our essential services are vulnerable to hostile actors and recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe. We need to take swift action to address vulnerabilities and protect our digital economy to deliver growth. The Bill will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure.” ([1] Cabinet Office guidance)
Detail
On 17 July King Charles III made his first King’s Speech, reflecting his new Labour government’s legislative agenda. On page 94 of the notes accompanying the speech, we find the briefing on the ‘CSRB’.
The intent is clearly good. The National Cyber Security Centre has issued supportive guidance.
There are three main areas:
- Expanding the remit of the existing regulations to ‘protect more digital services and supply chains’. This means aligning more closely with NISR2 and DORA, bringing service providers to critical infrastructure under the regulations and requiring them to up their security game;
- Beefing up the regulators, allowing them to charge their costs to their sectors;
- More, better and more timely incident reporting (to Government).
Regulators have always suffered from insufficient resources. Cost-recovery is one way of raising cash (e.g. by a levy), but we need suitably qualified and experienced (SQEP) and, dare we say it, properly paid people to enforce the rules. These SQEP should probably be public sector staff, to avoid any actual or perceived conflicts of interest.
The maritime sector is complex: companies can be based in one jurisdiction and vessels flagged in another, and the companies that own or charter vessels falling under the regulations (i.e. those that transport significant amounts of strategic commodities, foodstuffs, goods or people to and from UK ports) may not be UK-based at all. There is therefore merit in harmonising rules better, to ensure companies cannot arbitrage the regulations at the expense of security. The proposed rules appear to be territorial to the UK only (unlike GDPR). If a strategic-level vessel suffers a breach within UK territorial waters, it is not clear whether the MCA (UK Coast Guard) will get strengthened powers, like the US Coast Guard, to detain and/or fine vessels for failures.
The proposed regulation seems to want to require companies that have suffered breaches to report these to Government. Government consistently (and conveniently) forgets that companies are required under the Companies Act to act in the best interest of shareholders. In the case of listed companies, they have to report material events to the market under strict procedures. In the US, the Securities and Exchange Commission now requires companies to inform the market of material cyber breaches within 72-96 hours of determining materiality. If companies have to report to HMG in parallel, that might work. But requiring a whole new layer of reporting at a time when companies might be fighting for their survival is not helpful (this was a lesson the Australian Government learned the hard way during the Optus and Medicare breaches).
Conclusion
We look forward to the detail, and to helping our clients adapt to and benefit from the strengthened cyber posture these regulations will require. We hope that enforcement will be balanced, fair and rapid: our clients require clarity about regulations and their enforcement. Please contact us if you would like to discuss this or any other aspect of your cyber security posture. #resilienceandrecovery #astaaracyber