Posted: 19 May 2026

The Cyber Security and Resilience Bill: some food for thought for businesses

In last week’s King’s Speech, King Charles III led the traditional opening of the new parliamentary session with a plethora of announcements to outline the government’s plans for the coming months.

There’s a huge amount to digest, but one area in particular that caught our attention was the government’s plans for the Cyber Security and Resilience Bill. First touted back in April last year, the King’s Speech provided some much-needed detail on what businesses should expect from it. There’s still much to finalise before it comes into force, but now is as good a time as any to prepare.


Expanding existing regulations

The government sees tightening existing cybersecurity and resilience regulations as a key priority.

Managed IT companies operating in both the public and private sectors, for example, will be monitored more stringently under the Bill. They will be tasked with meeting new security responsibilities, reflecting the trusted access they hold across government, critical national infrastructure and business networks. Data centres will be included in this as they underpin essential digital services, such as NHS records, online payments, email services and AI development.

Energy security is also an important pillar of the Bill. Operators that manage the flow of electricity to smart appliances – such as electric vehicle charging points and electric heating appliances in homes – will be subject to new security requirements. This is to reduce the risk of disruption to consumers using smart energy appliances, and to the electricity network more widely.

Further, regulators will be given new powers to name critical suppliers to the UK’s essential services, such as companies providing healthcare diagnostics to the NHS. The idea behind this is to ensure a more secure, transparent supply chain, which is protected from exploitation by criminals.


Making cyber regulators more effective

The Bill aims to infuse a greater sense of urgency and rigour in terms of how organisations report and deal with cyber incidents.

Companies will have to report a wider range of harmful cyberattacks to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, followed by a full report within 72 hours. This will mean support can be provided more quickly, and a more accurate national picture of cyber threats can be built.

Expanding on the above, any data centre or managed service provider facing a significant or potentially significant cyber incident will have to take reasonable steps to promptly identify and notify the customers who have been impacted. Quality of communication, after all, is often what makes or breaks a good response to a cyber attack.

Enforcement of regulations will also be enhanced, allowing for heftier turnover-based fines for serious breaches. This aims to discourage organisations from taking a piecemeal approach to security, and to encourage them to invest in the right protections to safeguard data and minimise downtime.


Building resilience for the long term
Another positive of the Bill is its emphasis on ensuring the UK is resilient to new threats as they emerge. Ministers will be given new powers to instruct regulators and organisations to take appropriate steps to prevent cyberattacks where there is a threat to UK national security. This means having robust monitoring systems in place, alongside practices such as isolating high-risk systems from other infrastructure.

Finally, the Bill will grant the government powers to make rapid changes through secondary legislation. This will deliver some much-needed agility, enabling government and regulators to update their requirements as new threats come to the fore.


What does this mean for businesses?

Whatever the final legislation looks like, sweeping changes are on the horizon. As a business leader, you should take the time to digest the content of the Bill, figure out how it will affect your business, and put meaningful plans in place to ensure you’re prepared. Do this now, not in a few months’ time.

Being proactive here is essential: the companies that make a concerted effort to shore up their defences, build resilience and gain full visibility of their supply chains are the ones that will prosper when the Bill becomes law.

Are you a cybersecurity vendor?

As the Cyber Security and Resilience Bill pushes security, supply chain visibility and incident response higher up the business agenda, the organisations selling into this market need communications that do more than explain technical capability. They need to show relevance, trust and urgency to the businesses now under pressure to act.