Cyber Security and the Board: A Sign of What’s to Come

Published on 10 March 2026
SUMMARY

In this blog, we examine the recent amendments to the Cyber Security and Resilience (Network and Information Systems) Bill and what they reveal about the Government’s intention to make cyber resilience a core board-level responsibility.  We explain how these changes align with wider regulatory trends which increasingly hold boards directly accountable for cyber risk management and oversight.  We also outline practical steps organisations can take to prepare for the requirements set out in the Bill, including governance, security testing and exercising, as well as reporting.

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with the goal of reforming and adding to the existing Network and Information Systems (NIS) Regulations 2018.  Whilst the Bill itself does not impact every organisation within the UK, it is a clear indication of the Government’s approach to cyber security.  At the time of writing, the Bill remains in the House of Commons at the Report Stage, which is the stage where amendments can be proposed.

Changes That the Bill and its Amendments Will Make

The Bill and its amendments signal a clear expectation that boards will take a more active role in driving organisational resilience. In particular, they point towards:

  • Increased board oversight and accountability: Cyber risk is to be treated as a strategic governance issue, not just a technical matter.
  • Stronger focus on board competence: Greater emphasis on training so board members can identify cyber risks and evaluate risk management measures.
  • A broader security remit: An explicit link between cyber security, resilience, and related harms such as fraud.
  • Enhanced reporting obligations: More frequent and detailed reporting to regulators on incidents and resilience measures.
  • Regular testing: Ongoing testing and exercising of network and information systems to demonstrate resilience in practice.

One of the most significant changes introduced by the Bill is a broadening of which organisations fall in scope of the UK’s cyber security regulatory framework.  As was seen in the original draft, this will not only include operators of essential services, but also digital service providers, managed service providers, and critical suppliers whose disruption could have national-level consequences.  Recent amendments further broaden this scope by designating additional ‘essential activities’, including the manufacturing of critical transport equipment and certain food and essential goods retail services.  Local authorities would also fall within the NIS Regulations in respect of specific functions, such as managing electoral rolls and social care records.

As part of the amendments, it has also been put forward that within 12 months of passing the Act, the Secretary of State will review whether amending the Computer Misuse Act 1990 could improve resilience.

Why Amendments Matter – Even if You’re Not Directly in Scope

Amendments to a bill are important because they signal a broader shift and give an insight into the direction the Government intends to take.  Whilst such bills often focus on the most critical areas first, their influence rarely stops there.  Expectations typically extend across the business landscape more broadly, meaning even those not initially in scope will feel the impact as standards filter through.

This shift is already taking place; governments and regulators worldwide are increasingly holding boards directly accountable for cyber security, treating it as a core governance and fiduciary responsibility rather than simply the IT-related concern it has traditionally been viewed as.  In addition to the Cyber Security and Resilience Bill, initiatives such as the Digital Operational Resilience Act (DORA) and the UK’s Cyber Governance Code of Practice explicitly require boards to oversee cyber risk, approve strategies, ensure training, monitor incidents, and maintain documented evidence of engagement, with potential personal liability for failures.  Meanwhile, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), issued four of the largest fines it has ever imposed last year, all for breaches of the General Data Protection Regulation (GDPR) relating to insufficient data security technical and organisational measures (TOMs).  These enforcement actions clearly demonstrate that regulators are not hesitating to use their enforcement powers to penalise weak cyber governance and, with the largest of these fines totalling £14 million, the severe financial consequences organisations face for failing to implement robust security controls.

How Can Organisations Prepare?

In our blog on Strengthening Your Cyber Defences: Practical Steps for Every Business, we highlighted some of the key measures all organisations should have in place to enhance their security posture and protect against attacks.  In addition, below are some practical steps you can take to align specifically with the Cyber Security and Resilience Bill.

Understand your current cyber security and compliance posture

A core element of strengthening resilience and aligning with new regulatory requirements is gaining a clear and accurate independent view of your current cyber security and compliance posture.  Conducting a comprehensive cyber security assessment enables you to identify where existing controls, policies and processes fall short of regulatory expectations and best practice.  Importantly, it also helps you to prioritise remediation activities, ensuring that limited resources are directed toward the areas of greatest impact and supporting the Board’s ability to make informed strategic decisions about risk, investment and resilience.  See below to learn more.

Ensuring cyber responsibility

One of the first steps your organisation can take is to ensure that explicit responsibility or accountability for cyber security has been applied at board level, so that the Board can gain sufficient oversight.

As part of this, you should consider providing tailored training for directors and senior leaders, beyond standard awareness training.  Such training should consider areas such as understanding trends, interpreting technical risk in a strategic manner and evaluating resilience.

Incorporating fraud into risk practices

As stated above, the Bill identifies the need for fraud to be included within risk; as such, your organisation should evaluate its risk practices to ensure that fraud is properly considered, and where it is not, take steps to integrate it.

Establish regular testing and reporting

Your organisation should look to conduct regular penetration testing and resilience exercises (see below for more details) to verify that controls are operating as expected, and that threats can be detected and responded to in an efficient manner.  You should also assess your reporting process to ensure that cyber incidents can be escalated to the Board promptly and through an established chain.

How URM Can Help

A Clear Starting Point: URM’s Cyber Security Headline Assessment

To help boards understand their current level of resilience, URM offers a Cyber Security Headline Assessment – a concise, business-focused evaluation of your organisation’s cyber posture.

This assessment provides:

  • A clear view of your organisation’s strengths and vulnerabilities
  • A practical roadmap for improving resilience
  • Insight into both likelihood reduction (preventing breaches) and impact reduction (minimising damage)
  • A format designed specifically for senior leaders and boards

It’s an effective way to benchmark your current maturity and prioritise investment without unnecessary complexity.

Supporting Broader Resilience and Compliance

URM brings over two decades of experience providing risk management consultancy services and helping organisations implement and maintain security frameworks such as ISO 27001, Cyber Essentials and PCI DSS.  Our services include:

  • Cyber incident exercising (as an NCSC Assured Service Provider)
  • Risk assessment and treatment support using our Abriska risk management software suite.  Available in a range of modules, Abriska can support your assessment of information security risk, enterprise risk, supply chain risk management, and more.
  • CREST-accredited penetration testing, including infrastructure penetration testing, networks, cloud, web and mobile application penetration testing and bespoke business scenarios

Our goal is to help organisations build resilience in a way that is proportionate, practical and aligned with their strategic objectives.
