UK Unveils Cyber Security and Resilience Bill
Legislation Proposes More Regulations for Greater Swath of the UK Economy

The British government introduced Wednesday long-anticipated cybersecurity legislation aimed at tackling disruptive hacks targeting critical national infrastructure.
The Cyber Security and Resilience Bill proposes stricter rules around incident reporting and supply chain vulnerability management.
“Cybersecurity is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the U.K. is no easy target,” said Technology Secretary Liz Kendall.
The proposal would bring an estimated 900 to 1,100 managed service providers under new requirements to report incidents and take “proportionate measures” to address cybersecurity risk. It would also regulate commercial data centers with a capacity of at least 1 megawatt by designating them as an “essential service” on par with water utilities and the electricity grid, and by requiring operators to disclose incidents to the government and to customers.
“Data centers keep the U.K. running, from patient records and payments to email services and artificial intelligence development. The bill will bring them into scope of the regulations, ensuring they meet robust cybersecurity standards,” the Department for Science, Technology and Innovation said.
The bill creates a reporting timeline of 24 hours from when critical infrastructure providers become aware of an incident to make an initial disclosure to the government. Affected companies would have 72 hours to make a “full notification.”
Regulations would also extend outward to cover companies that supply critical infrastructure operators, MSPs and what British law already calls “relevant digital service providers,” which include search engines and large online marketplaces. The bill would let the government designate suppliers whose disruption would have a significant impact on the economy and require them to implement digital defenses.
Companies that run afoul of the new regulations could face daily fines that amount to 10% of their global revenue.
The measure comes after a summer and fall surge in disruptive cyber incidents, felt most acutely in a hack that shut down production at luxury automaker Jaguar Land Rover (see: Jaguar Land Rover Hack the Costliest Ever in the UK).
A study cited by the government estimates the average cost of a significant cyberattack on U.K. businesses amounts to 200,000 pounds, a figure that balloons to an annual economic cost of 14.7 billion pounds.
As it readied the proposal, the Labour government said the bill would include a ban on critical infrastructure operators paying ransom demands. The bill published Wednesday doesn’t include such a ban, an idea that received mixed support from security experts (see: UK Government Set to Impose Ransomware Payment Ban).
The bill, which is currently at its second reading in the House of Commons, will have to pass through the parliamentary process in the House of Lords before it receives Royal Assent to become law.
With reporting by Information Security Media Group’s David Perera in Northern Virginia.
