The UK Cyber Security and Resilience Bill

February 27, 2026

Andy Watkin-Child, Founding Partner of Parava Security Solutions, examines why the UK Cyber Security and Resilience Bill marks a critical shift in how organisations must govern, manage and demonstrate cyber-resilience.

A deep dependence on digital systems

Cybersecurity has always mattered; what has changed is the world around it.

Nation-states – as well as the public and private sectors they encompass – can no longer afford to treat cyber-risk as a niche concern.

Once, cybersecurity could be brushed aside, hidden under a thick shag-pile carpet and delegated to ‘the techies’, those perceived practitioners of digital alchemy who simply made things work.

It was not something boards needed to see, let alone understand, and too often they did neither.

Our deep dependence on digital systems has caught up with us.

Persistent gaps in the management of digital dependency by nation-states and boards have exposed the soft underbelly of national and economic security.

We have failed to recognise how tightly technology, products and services now depend on one another.

As a result, both the public and private sectors remain vulnerable to a very real, growing and consequential cybersecurity threat.

Nation-states and organisations manage risk every day. 

However, cyber-risk is distinct in its scale, complexity, interdependency and the challenges associated with its mitigation.

Cyber-risk is systemic and rapidly evolving, capable of cascading across sectors, borders and institutions, generating direct and indirect consequential losses and impacting national and economic security.

These characteristics make cyber-risk one of the most significant risks faced by nation-states and boards today.

Specifically, cyber-risk is distinct because:

  1. It respects no geographic or sectoral boundaries; the blast radius is national and potentially global
  2. Our dependency on digital systems allows cyber-risk to propagate across a global attack surface
  3. Events can impact national, economic and corporate security individually and collectively
  4. Cyber-attacks can be initiated by anyone, from lone individuals to nation-states, and the barrier to entry is low
  5. The impact of a cyber-attack often goes unnoticed until systems fail or a ransom is demanded
  6. Cyber-incidents can trigger other risks, such as financial, operational, legal, safety and reputational risks
  7. Defenders must protect everything; attackers only need to find one weakness
  8. Attribution is difficult, slow and often contested
  9. Mitigation requires coordination between nation-states and the public and private sectors
  10. Cyber-threats constantly change; attackers evolve, adapt and learn from defences in near real time

Cyber-attacks have consistently demonstrated these challenges with far-reaching consequences for national security, economic stability and corporate resilience. 

Cyber-attacks have exposed enduring weaknesses in risk management and reinforced the need for robust governance, effective oversight and credible assurance of cyber-risk across every level of society. 

Many of the critical services on which society depends, including energy, water, oil and gas, transportation, financial services, digital infrastructure and healthcare are digitally enabled and in many countries, privately owned. 

These services are invariably operated under commercial models driven by profitability.

Commercial pressure can often lead to underinvestment in non-revenue-generating capabilities such as cybersecurity.

Consequently, governments face an increasingly complex and precarious reality, because cyber-risk management is now core to the management of national and economic security.

The cyber-risk issues and challenges identified in points one to ten require a whole-of-society approach to risk management, and governments have few remedies or levers to bring that about other than regulation.

Cyber-regulation therefore remains the primary, and often the only, mechanism available to nation-states to influence cybersecurity risk management across both public and private sector organisations.

The UK Cyber Security and Resilience Bill – What is it and what does it mean?

In 2018, the UK introduced the Network and Information Systems Regulations (NIS1) to improve cybersecurity across critical national infrastructure.

However, its effectiveness has been uncertain. At best, NIS1 established basic cybersecurity requirements; at worst, it failed to adequately protect critical infrastructure from cyber-threats. 

There have been very few publicly reported cases of non-compliance or fines.

The UK’s difficulties in implementing NIS1 reflect those of EU member states under the original NIS Directive.

In response, the EU made major revisions to that Directive, resulting in NIS2, which was formally adopted and published in December 2022 and entered into force in January 2023.

The Cyber Security and Resilience Bill makes significant updates to NIS1:

  1. The new regulation expands the range of organisations affected. While NIS1 applies to Operators of Essential Services and Relevant Digital Service Providers in sectors such as energy, transport, health, water and digital infrastructure, the new rules include many more entities. These include managed service providers, data centres, large load controllers and critical suppliers to essential services, even if they are based overseas, extending coverage across the supply chain
  2. Adopts a clear focus and expectations for covered entities to demonstrate proactive management of cybersecurity risks. NIS1 requires organisations to take appropriate and proportionate measures to manage the risks to the security of network and information systems. The Bill proposes the same approach, but it is expected that secondary legislation will specify precise risk-management measures and how they should be implemented, effectively steering covered organisations towards more structured and precise risk-management measures
  3. Enables regulators to designate third parties as “critical suppliers” in supply chains, bringing third-party risk management within scope and placing obligations directly on those suppliers
  4. Tightens incident reporting requirements for covered entities from 72 hours (NIS1) to an initial notification within 24 hours, with a fuller incident report to follow within 72 hours, and broadens the definition of a reportable incident
  5. Strengthens enforcement, penalties and supervisory powers, equipping regulators with stricter enforcement tools

UK Cyber Resilience legislation means organisations can no longer treat cybersecurity as a technical or reactive issue.

Businesses within scope must actively prevent cyber-incidents, prepare for them, respond effectively and recover quickly, while being able to demonstrate this capability.

This includes clear accountability, strong governance with board-level oversight, documented risk and incident response plans, faster and more formal incident reporting and tighter controls over suppliers and third parties.

Regulators will have stronger powers to assess compliance and impose penalties, making cyber-resilience an ongoing operational and regulatory responsibility.

Conclusion

The UK Cyber Security and Resilience Bill is an important step toward improving cybersecurity for organisations it covers.

However, when compared with approaches taken by other countries, such as the EU’s NIS2 and DORA or the US Cybersecurity Maturity Model Certification (CMMC), the Bill faces significant challenges before it is approved.

These challenges could weaken cybersecurity risk management for critical national infrastructure providers, managed service providers and digital services, potentially leaving the UK behind and reducing cyber defence capabilities across both the public and private sectors.

The Bill gives the Secretary of State powers, including setting strategic priorities, creating regulations, reporting to Parliament, directing organisations during national security events, overseeing regulators and developing codes of practice. 

However, the Bill lacks clear detail on how organisations should manage cybersecurity risks in practice. 

Unlike similar regulations, the Bill does not require organisations to follow specific cybersecurity frameworks or standards.

Such frameworks, for example the NCSC Cyber Assessment Framework (CAF) that UK NIS regulators already use to assess compliance, provide clear boundaries, help organisations measure their cybersecurity maturity and enable effective oversight and assurance by boards, executives, regulators and auditors.

The Bill also does not assign clear responsibility for cybersecurity risk management governance, oversight or assurance to organisational leadership.

Beyond the regulatory fines already available under NIS1, it does not link compliance to personal civil or criminal penalties for the leaders responsible, which are often necessary to drive accountability and deter non-compliance.

Without these mechanisms, cybersecurity risks may not receive the leadership focus or investment needed to manage them effectively.

This article was originally published in the February edition of Security Journal UK.
