In recent years, the digital landscape has witnessed continuing rapid evolution, from Cloud technologies to generative AI, accompanied by an ever-growing threat of cyber-attack. Increasingly sophisticated cyber-attacks are targeting the intrinsic value of data, particularly through ransomware which has become a major problem; governments worldwide are therefore stepping up their efforts to protect citizens, businesses, and critical infrastructure.
In the United Kingdom, this proactive stance is reflected in the National Cyber Strategy 2022 and the continuous development and strengthening of legislation related to cyber security. This blog post explores legislative changes coming up and provides insights into how organisations can adapt and thrive in this evolving regulatory landscape.
The regulatory landscape: What's here now and on the horizon
GDPR (General Data Protection Regulation)
The General Data Protection Regulation has been a cornerstone of data protection in the EU since its inception in 2018. However, it's worth noting that the UK has its own version of GDPR post-Brexit, known as UK GDPR. Both GDPR and UK GDPR impose stringent requirements on organisations concerning data privacy and protection. While these regulations have been in place for a few years, they are continually evolving, with periodic updates to address emerging cyber threats.
The UK GDPR, or United Kingdom General Data Protection Regulation, means that businesses in the UK must follow specific rules when handling personal data. This includes obtaining consent before collecting data, keeping data secure, and granting individuals rights over their data. Non-compliance can result in substantial fines (set as a percentage of annual global turnover, not profits), so taking data protection seriously is not just important for a business’s reputation, but for its bottom line as well. If your business deals with the EU, you may well need to follow the EU GDPR. It's essential to invest in compliance efforts like staff training and policy updates as a minimum. Demonstrable evidence, for example, Cyber Essentials certification or an ISO27001 accreditation, that an organisation takes data protection seriously will both help prevent a breach and create confidence in the minds of customers and suppliers.
Key Link: ICO - UK GDPR
NIS Regulations (Network and Information Systems Regulations)
NIS Regulations, initially introduced in 2018, are set for a significant update this year. These regulations focus on enhancing the resilience of critical infrastructure against cyber threats, but that scope is broadening. Organisations operating in sectors identified as "essential services" will soon face more stringent cyber security requirements, but all businesses can and should adopt better practices outlined in the NIS to stay ahead of the ever-changing threat. The 2023 update of regulations aims to protect against increasingly sophisticated and frequent cyber attacks. For ‘essential service’ providers, ensuring compliance with these evolving regulations will be essential to protect against cyber threats, maintain business continuity and remain legally compliant.
In 2022, following a consultation, the UK Government unveiled its plans to bolster the UK's cyber resilience by revamping the NIS regulations. The proposed changes encompass several aspects, including the incorporation of managed service providers (MSPs) within the regulations to strengthen cyber security in digital supply chains. Additionally, there will be improvements in the reporting of cyber incidents to regulatory authorities, the potential introduction of a cost recovery system for enforcing NIS regulations, and the granting of governmental authority to make future adjustments to ensure ongoing effectiveness. Furthermore, these updates will enable the Information Commissioner to adopt a more risk-based approach to overseeing digital services. These comprehensive updates to the NIS regulations are set to be implemented as soon as parliamentary time permits.
If your organisation currently uses an MSP for your IT support, or for Cyber-security Services then in future they will probably need to be able to demonstrate that they provide a service that meets the updated regulations.
DORA (Digital Operational Resilience Act)
The Digital Operational Resilience Act (DORA) aims to bolster the operational resilience of the financial sector in the EU. Although it is EU legislation and primarily focused on financial services, its implications extend to businesses that rely on financial institutions, including many organisations in the UK. DORA came into force in January 2023 and compliance must be achieved by 2025; it requires organisations to meet high-level cyber security controls to ensure the security of financial data and transactions. At present, DORA is not UK law; however, it may be adopted, and good practice suggests that diligent organisations should seek to meet its scope.
DORA has a wide reach, affecting over 22,000 financial organisations and ICT service providers operating not just in the EU but also those supported by ICT infrastructure outside the EU. This regulation sets out clear and specific guidelines for everyone in the financial industry. This includes banks, investment firms, insurance companies, and intermediaries, as well as newer players like crypto asset providers, data reporting providers, and cloud service providers.
DORA takes the best practices from earlier industry guidelines and uses them to lay down rules for consistent ICT risk management. It also emphasises the importance of thorough resilience testing, including tests that simulate real threats. Additionally, it places a strong emphasis on managing risks when working with third parties. All of this is aimed at ensuring a reliable and uniform delivery of services along the entire value chain. Recent reports by UK professional services firms emphasise the scale of work required and the likelihood of needing to start early to meet the 2025 deadline.
Key Link: DORA
Computer Misuse Act
The Computer Misuse Act is a foundational piece of UK legislation, but it's also 33 years old and subject to periodic updates to address new cyber threats. It criminalises unauthorised access, modification, or disruption of computer systems. Staying updated with amendments to this act can help businesses to remain compliant and protect against cyber threats. The Chancellor announced further CMA reform in a statement in March this year.
The Computer Misuse Act 1990 in the UK consists of three main elements that play a crucial role in safeguarding computer systems and data. To put it simply, the first element makes it unlawful to access computer systems, programs, or data without the appropriate permission, treating unauthorised access as a criminal offence. The second part of the Act outlaws unauthorised access with the intention of committing or aiding further criminal activities, like data theft or fraud. Lastly, it is against the law to make unauthorised changes to computer material, which includes actions such as creating, deleting, or altering data without the proper authorisation. These three core aspects of the Computer Misuse Act work hand in hand to discourage and penalise cyber crimes, ensuring the security and reliability of computer systems and data in the UK.
These provisions may not immediately seem relevant for an organisation that makes legitimate use of IT, but they are pertinent to commissioning penetration testing, threat intelligence gathering or ‘ethical hacking’, which are valuable supports to your cyber defences. It’s important to ensure you do not inadvertently fall foul of the law because at the moment the CMA potentially criminalises some of this work. The CyberUp campaign aims to change this problem to better protect those working to improve the cyber security landscape.
Key Link: Legislation.gov.uk - Computer Misuse Act
The implications of increasing legislation for businesses
With the evolving regulatory landscape, businesses can expect increased pressure to bolster their cyber security measures. Smaller companies, traditionally less focused on cyber security, will find themselves in the spotlight, with a growing need for cyber security insurance to mitigate potential liabilities.
Increased cyber security legislation in the UK has several implications for businesses. We have summarised these into 10 key areas:
1. Compliance requirements: Businesses are required to comply with cyber security laws and regulations, such as the Data Protection Act and the General Data Protection Regulation (GDPR). This means they must invest in measures to protect customer data, implement data breach reporting procedures, and ensure data privacy.
2. Increased accountability: Companies are held accountable for the security of their systems and data. This includes regular security assessments, risk management, and demonstrating due diligence in safeguarding sensitive information.
3. Penalties for non-compliance: Failure to comply with cyber security regulations can result in severe penalties, including fines and legal actions. These penalties can have a significant financial and reputational impact on businesses.
4. Cyber security investment: Businesses must invest in cyber security, including technologies like firewalls, encryption, and employee training, to meet compliance and protect against cyber threats. However, this can be costly, so it is often given a lower priority. In fact, only 3 in 10 businesses have dedicated cyber security roles, as per the 2023 Government Cyber Security Breaches Survey.
Many, especially small to medium businesses, are therefore seeking external help. 49% of businesses and 44% of charities sought guidance from cyber security consultants, IT consultants, or IT service providers in the past year.
5. Cyber insurance: Some businesses may opt for cyber insurance to mitigate the financial risks associated with data breaches and cyber attacks. To secure cyber insurance, businesses must demonstrate robust cyber security controls and, in some industries, have certain accreditations such as Cyber Essentials or ISO27001.
6. Consumer trust: Compliance with cyber security regulations can enhance consumer trust. Customers are more likely to trust businesses that take data security seriously, potentially leading to increased customer loyalty and a positive brand reputation.
7. Supply chain considerations: Businesses need to ensure that their supply chain partners also comply with cyber security regulations. This can involve vetting suppliers and partners for their current policies and practices.
8. Continuous monitoring and adaptation: Cyber threats are constantly evolving. Businesses must continuously monitor their cyber security measures and adapt to emerging threats and vulnerabilities to remain compliant and secure.
9. Skills and training: Companies may need to invest in training their employees in cyber security awareness and best practices. This can help prevent internal security breaches caused by human error. The Government's qualitative findings show the same set of issues as in previous years preventing boards from engaging more in cyber security: a lack of knowledge, training, and time.
10. Reporting obligations: In the event of a data breach, businesses are often required to report it to the Information Commissioner's Office (ICO) and affected individuals promptly. This reporting process can be complex and time-consuming.
In summary, increased cyber security legislation in the UK places greater responsibilities on businesses to protect data and prevent cyber threats. While compliance can be challenging and may require investment, it also offers opportunities to enhance security, build trust, and adapt to the evolving cyber landscape. Understandably, however, this is easier said than done.
We suggest two key areas in which organisations can prepare for increasing government regulation of cyber security.
1. Adopt recognised standards
Scale up to Cyber Essentials/Plus: The Cyber Essentials certification provides a foundational level of cyber security that is essential for all businesses. Scaling up to Cyber Essentials Plus demonstrates a higher level of commitment to cyber security. Bluecube offers consulting services covering Governance, Risk and Compliance to support organisations through the whole process of getting certified, and we are qualified to issue accreditations. You can find out more about Cyber Essentials and how to get certified here.
ISO 27001: The ISO 27001 standard is internationally recognised and provides a comprehensive framework for information security management. Achieving this certification showcases a commitment to robust data protection. Find out more about gaining your ISO27001 certification here.
Other international standards: Depending on where businesses operate, they may need to adhere to other international standards specific to those regions. This demonstrates adaptability and global compliance.
2. Partner with an MSP (Managed Service Provider)
Hiring an MSP is a strategic move for businesses aiming to enhance their cyber security posture. MSPs not only provide expert guidance and support in implementing controls but can also assist in achieving certifications such as Cyber Essentials and ISO 27001. Collaborating with an MSP like Bluecube ensures a proactive approach to cyber security and regulatory compliance.
In conclusion, the evolving cyber security legislative landscape in the UK necessitates a proactive approach from organisations of all sizes. By staying informed about upcoming changes, adopting recognised standards, and collaborating with MSPs, businesses can navigate the regulatory challenges ahead and establish a robust cyber security framework that protects both their data and their reputation. Embracing these changes will not only ensure compliance but also foster trust among customers and partners in an increasingly digital world.