The UK government has announced plans for new laws designed to strengthen cyber security provisions across the country. Under the new laws, British businesses will have greater legal responsibility for protecting their IT systems and data.
What is changing?
Under the 2018 Network and Information Systems (NIS) Regulations, companies which provide essential services like water, energy and healthcare are obliged to implement effective cyber security measures. If one of these businesses suffers a serious outage or compromise and is found to have fallen short of those obligations, it can be fined up to £17 million per incident.
Under the new laws, the government is proposing to extend these obligations to providers of outsourced IT services too. This means that any company providing IT services – including cloud software and storage – will need to demonstrate that its cyber defences meet the NIS requirements.
By extending these requirements to IT outsourcers, the government hopes to address the phenomenon of “supply chain attacks”. These attacks target service providers because outsourcers tend to hold privileged access to the systems and data of many clients, so compromising one provider lets an attacker disrupt many businesses at once.
Why does it matter?
According to government research, just 12% of UK businesses ever review the cyber security risks posed by their suppliers, and only 5% take action to address them. Most assume their partners are already taking adequate measures to protect them.
By formalising the responsibilities of IT service providers, these businesses will have to improve their security – or risk large fines for non-compliance. Larger IT companies will also be required to notify regulators of all cyber security attacks they experience – not just those which impact the services they deliver to customers.
When regulators do have to take action, the companies under investigation will be expected to cover the cost of the investigation. This will not only encourage greater compliance, but also ensure that taxpayers do not have to pay the bill when something goes wrong.
Formalising IT cyber security credentials
As demand for cyber security skills increases, many businesses are struggling to identify the people they need – or to make sense of the many different qualifications and certifications candidates may hold. A new independent body, the UK Cyber Security Council (CSC), has been created to help cut through the confusion.
The CSC is tasked with making it easier for employers to understand what candidates and training organisations are actually offering. It will also define career pathways for young people who may be considering a role in cyber security. This will be backed by a Register of Practitioners listing professionals recognised within the industry as ethical, suitably qualified or possessing significant depth of experience – similar to the registers used by the medical and legal professions.
What next?
Currently, these proposals are under consultation with a view to being formalised later this year. The UK government is seeking feedback from citizens and business leaders to refine its plans before April 2022. If you are based in the UK and would like your views on the cyber security proposals to be heard, you can find out more here.