Whilst receiving limited fanfare, the UK Labour government has announced a new Cyber Security and Resilience Bill (Cyber Bill) as part of its legislative package in its first King’s Speech. Contrary to certain expectations, there was no announcement of specific AI regulations, but future AI legislation was signposted.
The Cyber Bill is part of the government’s pledge to enhance and strengthen the UK’s cybersecurity measures and protect the digital economy. It is largely in response to recent high-profile cyber incidents impacting key services and infrastructure, such as hospitals, universities, democratic institutions and government departments, and the ongoing threats from rogue state actors.
Whilst limited details have so far been provided, it is expected that the Cyber Bill will follow a similar approach to that taken by the EU in the updated Network and Information Security Directive (NIS2), which imposes security and incident reporting obligations on operators of critical infrastructure and digital services, and the Cyber Resilience Act, which sets security requirements for products with digital elements.
Key Aspects of the Cyber Bill
Once published, it is anticipated that the Cyber Bill will include the following:
- An increased emphasis on protecting critical national infrastructure (such as the NHS) from cyber-attacks. It is anticipated this will be done by implementing stricter security requirements, mandating regular vulnerability assessments, and ensuring that organisations have robust incident response plans in place. This reflects the fact that only half of operators of essential services have updated or strengthened cyber policies or processes since 2018.
- Greater powers to Regulators alongside enhanced reporting and compliance requirements. This will mean that organisations, especially those working in critical sectors, will face more stringent requirements for reporting data breaches and cybersecurity incidents. This is intended to help build a clearer national picture of the UK cyber threat landscape. It appears this may include a requirement to notify the payment of a ransom demand, as previously mooted by the Conservative Government.
- To add weight to the new statutory requirements, the new legislation is expected to introduce higher fines and penalties for organisations that fail to comply with the mandated cybersecurity standards. This will likely sit alongside the infrequent, but high, fines already imposed by the Information Commissioner’s Office (ICO) for data breaches in the UK.
- Given the interconnected nature of modern commerce, organisations will be required to ensure their suppliers and partners also adhere to and maintain an expected level of cybersecurity standards. This is seemingly in recognition of the recent increased severity of supply chain incidents, such as the exploitation of the MOVEit file transfer software and the ransomware attack on the NHS pathology provider Synnovis, both of which disrupted large numbers of downstream organisations that had no direct involvement in the initial compromise.
- If the Cyber Bill does closely follow EU legislation as expected, it may also impose obligations for the implementation of cyber security measures, and liability for any failings, on senior management. Directors or managers could then face personal fines or other penalties if they fail to comply with the new statutory requirements.
- A Digital Information and Smart Data Bill (likely based on legislation announced but not passed by the last Government) was also announced as a companion to the Cyber Bill to enable new, innovative uses of data to help boost the economy alongside modernising and strengthening the role and operation of the ICO.
- Whilst no AI Bill was announced, the Government plans to establish appropriate legislation to regulate the development of powerful AI models. This includes placing requirements on developers to ensure the safe and ethical use of AI technologies and likely ensuring the protection of workers’ rights in the face of ever-increasing technological reliance.
Potential Implications for Businesses
- Subject to the specific contents of the Cyber Bill, there will likely be a need for businesses, certainly tech companies and those operating in critical services, to adhere to, and likely invest in, stricter cybersecurity standards.
- There will inevitably be a requirement for all businesses to map their supply chains and determine whether they fall within the scope, even indirectly, of the new stricter cyber security requirements, for example by supplying an operator of critical services.
- Whilst the anticipated information sharing will likely increase collective resilience to cyber-attacks, enhanced reporting obligations may well increase the administrative burden on businesses and bring with it additional costs arising from cyber incidents.
- The government apparently recognises these issues and so anticipates providing resources, especially to small businesses, for improving cybersecurity practices and understanding the new requirements, most likely through the National Cyber Security Centre (NCSC).
Wider Considerations including for Insurers
Whilst an element of crystal ball gazing may be required, it has already been anticipated that the stricter requirements being imposed in the EU through NIS2 and the Cyber Resilience Act will result in increased uptake in Cyber Insurance and an increased use of risk management services. It is therefore anticipated that this would be the same in the UK should the Cyber Bill become law.
Whilst Insurers will most likely welcome a legislative requirement for improved cyber security posture, they will likely need to adapt their policies to account for the greater level of regulatory scrutiny and potentially stricter financial penalties businesses may face, alongside the scope for increased civil litigation that may arise. More detailed assessments of cybersecurity practices may well be required, with the potential to charge higher premiums to those with inadequate safeguards.
Other classes of Insurance, such as D&O and Financial Institutions, may also wish to consider the potential implications of the proposed new legislative regime, especially if the new legislation places obligations and liability for cyber security on senior management.
Comment
Although the proposed changes in cybersecurity and data protection legislation may not have received the same attention as other aspects of the King’s Speech, they do highlight the current importance of enhancing and maintaining cyber security, especially around critical national infrastructure, and the role improved cybersecurity will play in driving economic growth.
It is also clear that it is only a matter of time before the new Government tackles the much more multifaceted, and in many ways more challenging, topic of AI regulation which is something its predecessor had sought to progress, without landing on one single approach.
CMS has longstanding experience (alongside its technical partners) in assisting businesses, including those providing critical services and their supply chains, and their Insurers, in relation to cyber breach preparedness and improved cyber resilience. Please contact the authors if you would like to discuss further.