In this blog, we examine the recent amendments to the Cyber Security and Resilience (Network and Information Systems) Bill and what they reveal about the Government’s intention to make cyber resilience a core board-level responsibility. We explain how these changes align with wider regulatory trends which increasingly hold boards directly accountable for cyber risk management and oversight. We also outline practical steps organisations can take to prepare for the requirements set out in the Bill, including governance, security testing and exercising, as well as reporting.
The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with the goal of reforming and adding to the existing Network and Information Systems (NIS) Regulations 2018. Whilst the Bill itself does not impact every organisation within the UK, it is a clear indication of the Government’s approach to cyber security. At the time of writing, the Bill remains in the House of Commons at the Report Stage, which is the stage at which amendments can be proposed.
The Changes Introduced by the Bill and its Recent Amendments
One of the most significant changes that the Bill will introduce is a broadening of which organisations fall in scope of the UK’s cyber security regulatory framework. As was seen in the original draft, this will not only include operators of essential services, but also digital service providers, managed service providers, and critical suppliers whose disruption could have national-level consequences. A key amendment to the Bill has been the inclusion of even more sectors under these definitions, designating as ‘essential activities’ the manufacturing of critical transport equipment, as well as some food and essential goods retail. Local authorities would also be brought into scope of the NIS Regulations in relation to their functions managing electoral rolls and social care records.
The changes introduced by the Bill also highlight a clear expectation that boards will play a more active role in strengthening organisational resilience. Specifically, the amendments point towards:
- Increased board oversight and accountability for security, with cyber risk treated as a strategic governance issue rather than a technical concern
- Greater emphasis on board training, ensuring board members are able to identify risks and assess appropriate risk management
- A broader security remit that explicitly includes fraud
- Increased reporting
- Regular testing of network and information systems.
As part of the amendments, it has also been put forward that within 12 months of passing the Act, the Secretary of State will review whether amending the Computer Misuse Act 1990 could improve resilience.
Why Amendments Matter – Even if You’re Not Directly in Scope
Amendments to a bill are important as they signal a broader shift, and an insight into the direction the Government intends to take. Whilst such bills often focus on the most critical areas first, their influence rarely stops there. Expectations typically extend across the business landscape more broadly, meaning even those not initially in scope will feel the impact as standards filter through.
This shift is already taking place; governments and regulators worldwide are increasingly holding boards directly accountable for cyber security, treating it as a core governance and fiduciary responsibility rather than simply an IT-related concern, as it has traditionally been viewed. In addition to the Cyber Security and Resilience Bill, initiatives such as the EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA), and the UK’s Cyber Governance Code of Practice, explicitly require boards to oversee cyber risk, approve strategies, ensure training, monitor incidents, and maintain documented evidence of engagement, with potential personal liability for failures. Meanwhile, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), issued four of the largest fines it has ever imposed last year, all for breaches of the General Data Protection Regulation (GDPR) relating to insufficient technical and organisational measures (TOMs) for data security. These enforcement actions clearly demonstrate that regulators are not hesitating to use their powers to penalise weak cyber governance and, with the largest of these fines totalling £14 million, the severe financial consequences organisations face for failing to implement robust security controls.
How Can Organisations Prepare
In our blog on Strengthening Your Cyber Defences: Practical Steps for Every Business, we highlighted some of the key measures all organisations should have in place to enhance their security posture and protect against attacks. Below are some further practical steps you can take to align specifically with the Cyber Security and Resilience Bill.
Understand current cyber security and compliance posture
A core element of strengthening resilience and aligning with new regulatory requirements is gaining a clear and accurate view of your current cyber security and compliance posture. Conducting a comprehensive cyber security gap analysis enables you to identify where existing controls, policies and processes fall short of regulatory expectations and best practice. Importantly, it also helps you to prioritise remediation activities, ensuring that limited resources are directed toward the areas of greatest impact and supporting the Board’s ability to make informed strategic decisions about risk, investment and resilience. See below to learn more.
Ensuring cyber responsibility
One of the first steps your organisation can take is to ensure that explicit responsibility or accountability for cyber security has been applied at board level, so that the Board can gain sufficient oversight.
As part of this, you should consider providing tailored training for directors and senior leaders, beyond standard awareness training. Such training should consider areas such as understanding trends, interpreting technical risk in a strategic manner and evaluating resilience.
Incorporating fraud into risk practices
As stated above, the Bill identifies the need for fraud to be included within the security and risk remit; as such, your organisation should evaluate its risk practices to ensure that fraud is properly considered and, where it is not, take steps to integrate it.
Establish regular testing and reporting
Your organisation should look to conduct regular penetration testing and resilience exercises (see below for more details) to verify that controls are operating as expected, and that threats can be detected and responded to in an efficient manner. You should also assess your reporting process to ensure that cyber incidents can be escalated to the Board promptly and through an established chain.
How URM Can Help
A Clear Starting Point: URM’s Cyber Security Headline Assessment
To help boards understand their current level of resilience, URM offers a Cyber Security Headline Assessment – a concise, business-focused evaluation of your organisation’s cyber posture.
This assessment provides:
- A clear view of your organisation’s strengths and vulnerabilities
- A practical roadmap for improving resilience
- Insight into both likelihood reduction (preventing breaches) and impact reduction (minimising damage)
- A format designed specifically for senior leaders and boards
It’s an effective way to benchmark your current maturity and prioritise investment without unnecessary complexity.
Supporting Broader Resilience and Compliance
URM brings over two decades of experience providing risk management consultancy services and helping organisations implement and maintain security frameworks such as ISO 27001, Cyber Essentials and PCI DSS. Our services include:
- Cyber incident exercising (as an NCSC Assured Service Provider)
- Risk assessment and treatment support using our Abriska risk management software suite. Available in a range of modules, Abriska can support your assessment of information security risk, enterprise risk, supply chain risk management, and more.
- CREST-accredited penetration testing, including infrastructure, network, cloud, web and mobile application penetration testing, and bespoke business scenarios
Our goal is to help organisations build resilience in a way that is proportionate, practical and aligned with their strategic objectives.