
What is the Proposed Cyber Security and Resilience Bill – and What Does it Mean for You?

Updated: 25 Jun 2025


Cyber threats are evolving rapidly. Data suggests the cost of global cybercrime is set to increase from £6 trillion in 2023 to over £11 trillion in 2029. And with the recent Synnovis ransomware attack on the NHS making headlines around the world, businesses and public entities are feeling more pressure than ever to ensure the safety of customer and business-critical data.

This pressure has undoubtedly been noticed by those in power, with the UK government revealing a newly proposed Cyber Security and Resilience Bill that, if approved, will impact critical national infrastructure, the way managed service providers fulfil their services and how data is handled on a massive scale.

But what does it mean for you?

At Netcentrix, we’re proud to be a trusted managed IT and cyber security provider, offering businesses the support and defences they need to maintain operations and keep their data firmly in safe hands. With this in mind, let’s dive a little deeper into the proposed bill, so you have all the information you need in case it is passed in Parliament.

The Cyber Security and Resilience Bill Explained

This new legislation focuses on “locking down” data within the public sector and core critical infrastructure, strengthening the national defence, and also covers data management practices and managed service providers more broadly.

The result will hopefully be stricter, clearer and more robust practices in data protection and management, while undermining the efforts of cyber criminals seeking weaknesses.


So, if the bill is passed, how will all of this be done?  

Expanded Scope of Regulation

  • Managed service providers (like Netcentrix) and relevant digital service providers who offer IT infrastructure services, ongoing management support, cyber security services, etc., will fall under the new regulatory framework and will need to adhere to essential cyber safety measures by law. In the same breath, service providers with regular access or management duties of client data will need to provide stringent cyber security measures and services for clients, if they don’t already.
  • Data centres will now be classed within Critical National Infrastructure (CNI), while regulators will class service providers as ‘critical’ if essential services would be disrupted by their absence. 
  • These regulations may extend to less prominent service providers if they’re recognised as playing a key role in essential services, while also expanding which sectors will be defined as ‘critical’ to offer more comprehensive coverage.

Strengthened Incident Reporting

  • Smaller incidents that don’t directly affect service delivery will become reportable, and ‘significant incidents’ must be reported to the National Cyber Security Centre (NCSC) and any relevant governing bodies within 24 hours. A more detailed report must be filed within 72 hours.
  • Every incident of a ransomware attack must be reported, and any customers directly affected by serious incidents must be contacted as soon as possible.

Empowered Regulators and Enhanced Oversight

  • The ICO (Information Commissioner’s Office) and similar regulatory bodies will be given authority to enforce registration of service providers and gather any information that assists them in this task. 
  • A ‘Statement of Strategic Priorities’ may be announced to enforce consistency in defences across different sectors, and regulators may be given the power to impose fees and fines on those found to be lacking in their efforts, to recover costs lost by those impacted.
  • The Secretary of State may be given the power to take appropriate and proportionate measures by directing regulators and service providers in their specific actions, to limit the impact of national security concerns, especially in protecting essential or digital services.

Regulatory Agility

As we’ve already mentioned, the Bill will offer the Secretary of State more direct powers with regard to cyber risks. But it would also grant the Secretary the ability to push cyber security advancements more quickly during times of crisis, possibly without the typical delays associated with passing new legislation through Parliament.

As a result, supply chain security requirements and technical changes can be adapted on a huge scale far more quickly than previously possible.

What is the end goal of the new Bill?

This might all sound a little confusing, but in plain terms, the Bill would cover four main areas of concern in UK cyber security if passed:

  • Modernising outdated cyber security legislation (most notably the Network and Information Systems Regulations 2018) to overcome specific cyber security challenges that have evolved.
  • Using recent cyber attacks as educational material against future attacks while closing potential vulnerabilities.
  • Protecting vital services with the most robust cyber defences possible.
  • Encouraging economic growth by presenting the UK as a stable, cyber-resilience-focused player on the global stage.  

What Happens if the New Proposals are Adopted?

The new Bill is likely to be discussed, and passed, in Parliament either in 2025 or 2026. When this happens, thousands of organisations and service providers will need to ensure they’re meeting the new cyber security requirements.


There’s a good chance a firm deadline will be put in place for entities to meet the above requirements, which is why many are being encouraged to begin these important improvements now, rather than waiting for the outcome in Parliament.

This will help them complete their duties to the best of their ability, but will also help them avoid potential backlash later down the line should they fail to meet the new regulations outlined by the government in a timely manner.

What does the cyber security and resilience bill mean for you?

If you’re a business customer utilising IT/data management services, cyber security services, or similar, the new legislation should come as a welcome change. 

Why? Because it adds greater weight and responsibility to those with access to your sensitive data. Not only will they have a moral and legal duty to uphold the most effective cyber security tools and protocols, but they’ll also be answerable to a new government body with the power to influence actions directly, in the best interests of your data, both before and in the aftermath of a cyber security incident.

For a Managed IT Services Partner Who Follows Strict Cyber Security Rules, Choose Netcentrix

Whether you provide critical services or you’re concerned that your current IT provider is letting you down, and will continue to do so once the new legislation comes into effect, maybe it’s time to explore other options.

When partnering with Netcentrix for all your IT and cyber security needs, you can rest assured you’ll be working with a team with years of combined experience across all areas of hardware, software, security, digital services, data management, cloud computing services, and more.

As a certified Microsoft partner, we’re trusted by the world’s leading computer technology brand to offer its tools and services to customers just like you. If they can put their faith in us, so can you.

And with an average response time of just five minutes, you’ll never be waiting too long for support during times of need.

To find out more, speak to a Netcentrix specialist today.

Author

    25 Jun 2025|Liv Appleton
