Govt unveils proposals to bolster cyber defences and oversight

The UK Government has today revealed the full details of the Cyber Security and Resilience Bill, outlining the scope of the new laws first confirmed in last year’s King’s Speech.

The proposals include measures it hopes will better protect the supply chain and operators of critical national services, including public services, utilities, and also IT service providers – up to 1,000 of which are likely to fall under the scope of the planned measures. Datacentre operators, too, may fall under the scope of the new rules, according to the policy statement.

The Government said it is also exploring additional measures to make sure it can respond effectively to new cyber threats and take rapid action where needed to protect the UK’s national security – including giving the technology secretary powers to direct regulated organisations to improve their cyber defences.

NCSC CEO, Richard Horne, said the bill represents “a landmark moment” that will ensure improved cyber defences in critical services such as water, power and healthcare.

“[The bill] is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries,” he said. “By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.”

Commenting on the announcement, Raf Sanchez, CIO at Beazley Security, said that at a time of increasing regulatory oversight (not just in the UK but across Europe with the NIS2 Directive and the Digital Operational Resilience Act), it is more important than ever for UK businesses to build a resilient cyber security ecosystem that pre-empts emerging cyber threats.

“The announcement today confirms the UK Government's intention to update and broaden existing cyber regulations to increase protection for key industries, mandate compulsory notifications and increase regulators' powers to investigate vulnerabilities,” he said.

Alessandro Lezzi, group head of cyber risk at Beazley, pointed to the insurer’s recent survey of 3,500 global business leaders, which flags a blind spot around the nature of cyber risk. According to the findings, 75% of global executives say they are prepared for cyber risks.

“Our claims data shows us this is not the case,” Lezzi said. “The upcoming Cyber Security and Resilience Bill reflects the need to build a more resilient UK economy against a cyber threat that is only becoming more sophisticated. Insurance has a key part to play in this, helping businesses create an 'always on' approach to cyber risk as regulations become more stringent.”

Mirroring Beazley's view on the role of insurance in managing cyber risk, the Lloyd’s Market Association has today called for a collective market approach to exposure management in the class.

Releasing its best practice document on the management of cyber risks, the LMA is calling for the adoption of standardised primary cyber characteristics within syndicates.

Paul Davenport, finance and risk director of the Lloyd’s Market Association, says cyber risk has emerged as one of the most “dynamic and challenging perils” in today’s risk landscape.

“It is a human-caused and often maliciously motivated threat that can transcend geographical and sectoral boundaries, creating unique challenges for insurers and reinsurers,” he noted. “Unlike ‘traditional’ perils, cyber events are not easily constrained by time, space or rational progression, complicating efforts to assess exposure, manage accumulations and define events.

“While the management of cyber risk accumulations is a relatively new discipline, we are well equipped to face the challenges discussed in this report, providing that we work to ensure complete, accurate and timely data collection and storage – a crucial factor. Standardised ‘primary’ cyber characteristics that are routinely disclosed and captured will go a long way towards ensuring that cyber exposure management practices become embedded into syndicates’ exposure monitoring.”

A full copy of the policy statement containing details of the proposals may be accessed here: https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement


