The government is consulting on new measures to boost British organisations’ cyber-security following recent high-profile attacks.
If passed, the measures will see more organisations follow stricter cyber-security duties, with large fines for non-compliance.
Cyber-attacks are on the rise. A recent cyber-attack on Microsoft Exchange Servers saw attackers gain access to user emails, passwords and administrator privileges. It’s estimated that 250,000 servers were affected worldwide, including 7,000 within the UK. Such an attack demonstrates that vulnerabilities in third-party products and services can be exploited by cyber-criminals, and that, as a result, hundreds of thousands of organisations can be affected at the same time.
The government’s proposals seek to protect both essential services and the wider economy from cyber-threats.
The Proposed Rules Explained
The Network and Information Systems (NIS) Regulations were established in 2018 to improve the cyber-security of companies providing essential services, such as water, transport, healthcare and digital infrastructure. As part of these regulations, organisations that fail to implement effective cyber-security measures can be fined up to £17 million.
Currently, only 12% of organisations review the cyber-security risks coming from their immediate suppliers, according to research by the Department for Digital, Culture, Media & Sport. Moreover, only 5% address the vulnerabilities in their wider supply chain.
The government plans to update the NIS Regulations and widen the list of companies in their scope, proposing to:
- Expand the scope of the regulations to include Managed Service Providers (companies that manage IT services on behalf of other organisations).
- Update the regulatory regime so the most critical digital service providers must proactively demonstrate they’re following the regulations.
- Enable the regulations to be more readily updated in the future and bring more organisations within scope if required.
- Ensure all relevant costs for NIS regulation enforcement—incurred by regulators such as Ofcom, Ofgem and the Information Commissioner’s Office—are transferred from the taxpayer to the organisations covered by the legislation.
- Require large firms to provide better cyber-incident reporting to notify regulators of any cyber-attack suffered, not just those impacting the organisation’s services.
Driving Up Cyber-security Standards