Siân John, CTO of NCC Group, comments on the UK Government’s Policy Statement for the Cyber Security and Resilience Bill (New cyber laws to safeguard UK economy & secure long-term growth - GOV.UK).
"Today’s government policy statement sets out the scope and ambition of the Cyber Security and Resilience Bill for the first time, proposing a significant step forward for the UK’s cyber resilience. Notably, the Cyber Security and Resilience Bill will extend Network and Information Systems (NIS) regulations to new sectors of the economy such as data centres, managed service providers and critical suppliers to bolster cyber security for critical national infrastructure (CNI). NCC Group welcomes the strengthening of UK cyber laws. For UK growth to be sustainable, growth must go hand in hand with increased cyber resilience.
"Network and Information Systems regulations introduce minimum cyber security requirements for critical national infrastructure in the UK. These regulations help organisations identify and assess their security risks, remediate and manage vulnerabilities, and improve their overall resilience. Additionally, the regulations promote public-private partnerships and collaboration with law enforcement, the public sector, academia, and private firms to enhance cyber resilience.
"Complex supply chains are the soft underbelly of cyber resilience, exposing critical national infrastructure to risks that are outside of their oversight and ability to control. A preview of NCC Group’s forthcoming supply chain research shows that over two-thirds of organisations believe that supply chain cyber threats will increase in severity over the next 12 months. As supply chains become more complex and opaque, governments are looking to utilise their policy levers to embed the concept of collective responsibility for cyber resilience across the economy and supply chains.
"Some governments have sought to do this by explicitly broadening cyber security rules to capture more and more organisations. The EU’s NIS2 Directive and the UK’s Cyber Security and Resilience Bill significantly expand the definition of critical infrastructure to those organisations that have traditionally been seen as part of the supply chain, such as managed service providers and data centres.
"Beyond explicit regulations and legal liability, critical infrastructure and public sector organisations are placing obligations on their suppliers in order to meet their own procurement and regulatory requirements.
"NCC Group’s research found that over a third of organisations take account of changes in government policy and regulation when evaluating their supply chain. This is consistent across different jurisdictions and sectors. Through our work, NCC Group has also observed that suppliers serving critical infrastructure commonly and proactively seek to meet the same regulatory and legislative standards that their customers are required to meet (even when they themselves are not directly regulated), because it is seen as a competitive differentiator."