IT companies that provide services for the NHS, as well as the UK’s energy, water and transport infrastructure, will face tough new security standards in a new law introduced by ministers to mitigate the threat of cyber attacks.
The Cyber Security and Resilience Bill will be introduced on Wednesday in a move that ministers hope will strengthen national security by boosting cyber protections for the services that people and businesses rely on.
The aim is to keep taps running, lights on and the UK’s transport services moving as businesses, transport hubs and government organisations continue to be targeted by cyber attacks.
Last month the National Cyber Security Centre said a “significant threat” posed by Chinese and Russian hackers had contributed to a record number of serious online attacks.
The OBR has warned a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – the equivalent of 1.1 per cent of the UK’s GDP.
Further research published on Wednesday shows the average cost of a significant cyber-attack in the UK is now over £190,000, equivalent to £14.7 billion a year across the economy, or 0.5 per cent of GDP.
The proposed laws would regulate IT management, IT help desk support and cyber security companies that provide services for private and public sector organisations.
Medium and large companies that hold trusted access to important infrastructure and business networks will need to meet clear security duties and report major cyber incidents to government and their customers.
Under a new power, regulators can categorise key providers to the UK’s essential services, such as those who provide healthcare diagnostics to the NHS or chemicals to a water firm, as critical suppliers. This will mean they need to meet minimum security requirements in order to shut down gaps in supply chains that criminals could exploit.
Tougher penalties will be introduced to prevent companies from cutting corners when it comes to providing taxpayer services. Liz Kendall, as technology secretary, will get new powers to instruct regulators and the organisations they oversee to take more steps to prevent cyber attacks.
“Cyber security is national security,” said Ms Kendall. “This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.
“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
The new bill has received backing from National Cyber Security Centre CEO Dr Richard Horne, who has said: “The Cyber Security and Resilience Bill represents a significant step towards ensuring the nation’s most critical services are better protected and prepared in the face of an increasingly complex threat landscape.
“The real-world impacts of cyber attacks have never been more evident than in recent months and so we welcome the move to strengthen legislation and regulatory powers to help drive up the level of defence and resilience across critical national infrastructure.
“Cyber security is a shared responsibility and foundation for prosperity, and so we urge all organisations, no matter how big or small, to follow the advice and guidance available at ncsc.gov.uk and to act on it with the urgency that the risk requires.”
National Chief Information Security Officer for Health & Care at NHS England, Phil Huggins, said: “The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.
“The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.
“Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.”

