
The Cyber Security and Resilience Bill – NIS2 for the UK?

July 29, 2024

The United Kingdom (UK) State Opening of Parliament took place on July 16 and saw the new UK government set out its agenda, including the announcement of the Cyber Security and Resilience Bill. [1] This new legislation has direct parallels to the European Union (EU) Network and Information Security (NIS) 2 Directive and will be national legislation, thereby affecting all sectors in the UK, both private and public.

Public sector organisations in industries such as government, healthcare, military, and education face a continually increasing number of cyber attacks, and threat actors are turning their attention to targets that are critical to essential services. As a result, both the Government Communications Headquarters (GCHQ) and the National Cyber Security Centre (NCSC) have publicly stated that we need to work together to make our systems more resilient to threats and that “bolstering baseline cybersecurity is not enough”, and have warned that providers of essential services in the UK cannot afford to ignore cyber threats. [2][3]

The UK is again mirroring the EU, as it did with the General Data Protection Regulation (GDPR) and Digital Service Providers (DSP) under NIS, by introducing this parallel digital regulation. Through the Cyber Security and Resilience Bill, the government is attempting to protect its digital economy and safeguard critical infrastructure by implementing broader and deeper regulatory powers to address vulnerabilities. To increase understanding of cyber incidents, the bill also introduces greater reporting requirements. Organisations will be obligated to report cyber incidents in detail, especially when they have been held to ransom.

Overall, the bill improves cybersecurity regulation across the UK. It will increase the power of regulators in support of greater cyber resilience across the country, especially with respect to critical infrastructure sectors. This could, for example, mean that the Office of Communications (Ofcom), which currently has no authority over the cybersecurity resilience of the industries it oversees, would be given the power to supervise the cybersecurity protections of telecommunications organisations that form a critical part of the digital supply chain. The bill also contains provisions to address another major obstacle to effective regulatory oversight: funding. The bill is clear that organisations may be required to pay levies to regulators in order to fund the extensive exercise of new investigation and prevention powers, so that everyone contributes to a fair and stable marketplace.

However, despite the positive aspects of the Cyber Security and Resilience Bill, it is not without issue and could pose some difficulties for organisations within its scope. The briefing for the King’s Speech articulates how the bill seeks to prevent cyber attacks, an unattainable target in today’s threat landscape. Instead, it should focus clearly on supporting critical infrastructure organisations in building resilience against cyber attack, implementing appropriate security measures to mitigate the impact of these inevitable attacks, and maintaining safe operational capabilities even during extreme cyber events.

Integrating sufficient cybersecurity measures in compliance with this upcoming bill may also be challenging from a financial perspective, especially for public sector organisations. These organisations may need to make difficult decisions on how to reallocate their budgets to increase cybersecurity spend and maintain compliance, potentially compromising other aspects of their organisation in the process.

The Cyber Security and Resilience Bill also adds requirements to a growing list of cybersecurity laws and regulations with which organisations must comply. Regulatory burden is an increasingly complex issue that has been growing in cybersecurity for more than a decade, particularly in the most heavily regulated industries such as financial services. It is currently unclear whether heavily regulated sectors will be granted exceptions to the requirements of the bill on the grounds of equivalence – meaning that complying with a separate regulation with similar requirements also makes the organisation compliant with the new bill.

When considering the cost of compliance and the additional regulatory burden that the bill presents, a further unintended consequence may be that emerging technology companies are disincentivised from engaging with critical services because of the heightened cybersecurity requirements it brings. Emerging cybersecurity companies bring important innovative solutions to the field to combat the increasingly complex and challenging threat landscape. It is important to ensure that the barrier to entry for these young companies is not set unattainably high.

Though the Cyber Security and Resilience Bill is still at an early stage and has not yet been finalised, organisations should aim to stay ahead of incoming changes. Business continuity and incident response planning are critical activities, as is having an up-to-date and tested cybersecurity strategy. Organisations should seek to embrace these new requirements to help improve the overall cybersecurity posture of the UK going forward.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.  



[1] “The King’s Speech 2024.” Prime Minister’s Office (17 July 2024), https://assets.publishing.service.gov.uk/media/6697f5c10808eaf43b50d18e/The_King_s_Speech_2024_background_briefing_notes.pdf.

[2] “CYBERUK 2024: Anne Keast-Butler Keynote Speech.” National Cyber Security Centre (2024), https://www.ncsc.gov.uk/speech/cyberuk-2024-gchq-director-keynote-speech.

[3] “CYBERUK 2024: Felicity Oswald Keynote Speech.” National Cyber Security Centre (2024), https://www.ncsc.gov.uk/speech/cyberuk-2024-ncsc-ceo-keynote-speech.