New cyber attack laws proposed by UK Govt

The UK is consulting on new measures to strengthen the cyber security resilience of British businesses. The move is part of a £2.6 billion National Cyber Strategy and follows a series of high-profile cyber-attacks.

According to the UK government, new laws are needed to increase security standards in outsourced IT services used by almost all UK businesses. Additionally, the published proposals include making improvements to how organisations report cyber security incidents.

The government has proposed reforming legislation to increase its flexibility so that it can react at the same pace as technological change. Suggestions have also been made for the UK Cyber Security Council to be given powers to create a set of qualifications and certifications, so that those working in cyber security can prove they are properly equipped to protect businesses online.

These plans follow the cyber-attacks on SolarWinds and Microsoft Exchange Servers, which exploited vulnerabilities in third-party products and servers. Additionally, research by the Department for Digital, Culture, Media and Sport shows that only 12% of organisations review the cyber security risks coming from their immediate suppliers, and just 5% of firms address the vulnerabilities in their wider supply chain.

Julia Lopez, Minister of State for media, data and digital infrastructure said: “The plans we are announcing today will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”

Furthermore, the government has launched a consultation on amending the Network and Information Systems (NIS) Regulations, which includes proposals to:

  • Expand the scope of the NIS Regulations to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations.
  • Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which impact their services.
  • Give the government the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing into scope further organisations which provide critical support to essential services.
  • Transfer all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden.
  • Update the regulatory regime so the most critical digital service providers in the economy have to demonstrate proactively they are following NIS Regulations to the ICO, and take a more light-touch approach with the remaining digital providers.

NCSC Technical Director Dr Ian Levy said: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience. These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”