
News Brief: New Cyber-attack Laws Proposed by UK Government

The government is consulting on new measures to boost British organisations’ cyber-security following recent high-profile attacks.

If passed, the measures will see more organisations follow stricter cyber-security duties, with large fines for non-compliance.

Increased Cyber-attacks

Cyber-attacks are on the rise. A recent cyber-attack on Microsoft Exchange Servers saw attackers gain access to user emails, passwords and administrator privileges. It’s estimated that 250,000 servers were affected worldwide, including 7,000 within the UK. Such an attack demonstrates that cyber-criminals can exploit vulnerabilities in third-party products and services. As a result, hundreds of thousands of organisations can be affected at the same time.

The government’s proposals seek to protect both essential services and the wider economy from cyber-threats.

The Proposed Rules Explained

The Network and Information Systems (NIS) Regulations were established in 2018 to improve the cyber-security of companies providing essential services, such as water, transport, healthcare and digital infrastructure. As part of these regulations, organisations that fail to implement effective cyber-security measures can be fined up to £17 million.

Currently, only 12% of organisations review the cyber-security risks coming from their immediate suppliers, according to research by the Department for Digital, Culture, Media & Sport. Moreover, only 5% address the vulnerabilities in their wider supply chain.

The government plans to update the NIS Regulations and widen the list of companies in their scope, proposing to:

  • Expand the scope of the regulations to include Managed Service Providers (companies that manage IT services on behalf of other organisations).
  • Update the regulatory regime so the most critical digital service providers must proactively demonstrate they’re following the regulations.
  • Enable the regulations to be more readily updated in the future and bring more organisations within scope if required.
  • Ensure all relevant costs for NIS regulation enforcement—incurred by regulators such as Ofcom, Ofgem and the Information Commissioner’s Office—are transferred from the taxpayer to the organisations covered by the legislation.
  • Require large firms to provide better cyber-incident reporting to notify regulators of any cyber-attack suffered, not just those impacting the organisation’s services.

Driving Up Cyber-security Standards

In March 2021, the government established the UK Cyber Security Council to lead the cyber-workforce, driving up standards in the cyber-security profession.

Within the UK’s booming tech sector, cyber-skills are struggling to keep pace. According to GOV.UK, 50% of all UK businesses have reported a lack of basic technical cyber-skills. Furthermore, 37% of all vacancies advertised within the cyber-sector have been hard to fill due to candidates lacking technical skills and knowledge.

The government’s proposals would give the UK Cyber Security Council the powers to raise the bar and create a set of agreed qualifications and certifications for those working in cyber-security. This would ensure employees can prove they’re properly equipped to protect businesses online.

Conclusion

Cyber-attacks are often possible because criminals exploit vulnerabilities in organisations’ digital supply chains. The government’s proposals aim to increase levels of cyber-resilience across the economy.

Minister of State for Media, Data and Digital Infrastructure Julia Lopez said, ‘Every UK organisation must take their cyber-resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra’.

The government’s proposals are part of its broader National Cyber Strategy. The proposals can be viewed on the GOV.UK website.


Contains public sector information published by GOV.UK and licensed under the Open Government Licence v3.0.

The content of this publication is of general interest and is not intended to apply to specific circumstances or jurisdiction. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice from their own legal counsel. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2022 Zywave, Inc. All rights reserved.
