CFOtech UK - Technology news for CFOs & financial decision-makers

The UK government's proposed Cyber Security and Resilience Bill, unveiled this week, signifies a pivotal advancement in the nation's efforts to fortify its cyber resilience. The bill aims to enhance protections for the country's critical national infrastructure (CNI) by extending existing Network and Information Systems (NIS) regulations to encompass new sectors, such as data centres, managed service providers, and critical suppliers.

Siân John, Chief Technology Officer of the cybersecurity consulting firm NCC Group, hailed the bill as a significant progression for UK cyber resilience. John articulated that sustainable growth in the UK must be coupled with heightened cyber resilience. She emphasised that the expanded NIS regulations set minimum cyber security standards for critical national infrastructure, facilitating organisations in identifying and evaluating security risks, rectifying vulnerabilities, and improving overall resilience.

NCC Group's insights reveal that complex supply chains pose a considerable vulnerability to cyber resilience, introducing risks beyond the direct oversight and control of many organisations. This concern is underscored by forthcoming research from NCC Group, indicating that over two-thirds of organisations anticipate an increase in the severity of supply chain cyber threats within the next year.

The Cyber Security and Resilience Bill aligns with similar international legislative efforts, such as the EU's NIS2 Directive, by broadening the definition of critical infrastructure to include entities traditionally perceived as mere components of the supply chain. By doing so, the UK government aims to instil a collective responsibility for cyber resilience that spans the economy and its supply chains.

In addition to legal and regulatory measures, there is a growing trend among critical infrastructure and public sector organisations to impose obligations on their suppliers to meet procurement and regulatory requirements. NCC Group's research found that over a third of organisations consider changes in government policy and regulation when assessing their supply chains.

Dr. Jared Smith, a Distinguished Engineer and Threat Researcher at SecurityScorecard, also provided commentary on the bill. Dr. Smith described the bill as a crucial step in addressing the rising threats that modern organisations face, particularly supply chain attacks, third-party breaches, and vulnerabilities that remain unpatched. He pointed to research indicating that 98% of organisations have had at least one third-party vendor experience a breach in the past two years. This statistic underscores the critical necessity for continuous visibility into supply chain risks and the tools required for prompt action.

Furthermore, Dr. Smith observed that within the financial sector, over half of critical vulnerabilities have remained unpatched for more than six months, a situation that demonstrates the importance of not only identifying risks but also rectifying them swiftly before exploitation. The proposed legislation supports the implementation of mandatory monitoring and real-time risk intelligence, crucial components in bolstering a resilient digital infrastructure.

The introduction of the Cyber Security and Resilience Bill marks a proactive effort by the UK government to fortify the nation's cyber defences amidst escalating cyber threats. By extending regulatory reach to encompass more sectors, fostering public-private collaborations, and encouraging supply chain accountability, the bill represents a comprehensive approach to enhancing the UK's cyber resilience.
