Cyber laws have recently been updated to enhance the United Kingdom's resilience against cyber and ransomware attacks.
This protects vital services in our society, such as water, energy and transportation, and business operations — like yours — that serve the public.
In this article, we'll cover the evolution of and changes to these laws, list the laws you need to comply with, explain the fines for non-compliance, and outline actionable steps you can take to improve cyber resilience and stay compliant.
The importance of being prepared for cyber threats, attacks & data breaches
Cybersecurity remains a critical issue for businesses and charities; the financial impact of cyber incidents can still be substantial and bring your business to a standstill. Here’s a quick overview of statistics that show why it's becoming more and more important to be prepared:
- In the last 12 months, 11% of businesses and 8% of charities experienced cybercrime. The figures rise to 26% for medium businesses, 37% for large businesses and 25% for high-income charities.
- Among those reporting cybersecurity breaches, about a third (34% for businesses and 32% for charities) fell victim to cybercrime.
- Additionally, 3% of businesses and 1% of charities were victims of fraud resulting from cybercrime, equivalent to 9% of businesses and 6% of charities that experienced breaches.
- It's estimated that UK businesses suffered around 2.39 million cybercrime incidents and 49,000 fraud incidents resulting from cybercrime in the past year. Charities experienced approximately 785,000 cybercrime incidents, with no estimate available for the scale of resulting fraud.
- The average annual cost of cybercrime for businesses is around £15,300 per victim, while no cost estimate is available for charities due to sample size limitations.
Read this article to find out more about why information security is important.
The evolution of UK cyber laws
The COVID-19 pandemic has had an irreversible impact on how businesses operate worldwide, including the UK. Remote work and managing businesses digitally have become the norm.
UK cyber laws were updated as of late last year. According to a UK government press release published on 30 November 2022, these regulatory changes mark a significant step forward in safeguarding the UK's critical infrastructure against cyber threats.
The amendments primarily target the Network and Information Systems (NIS) Regulations, which came into force in 2018 with the aim of improving cybersecurity among companies providing critical services. NIS is short for 'network and information systems', and the regulations aim to address threats to those systems.
The NIS originated as EU-wide regulations, but the UK's ability to modify these regulations became possible with the country's exit from the EU.
Cyber laws require companies to implement measures that protect their information and systems from attacks.
UK cybersecurity: list of updated laws and regulations
Cybersecurity laws are rather complex. There is no single overarching law; instead, there are several critical pieces of legislation:
- NIS Regulations (Network and Information Systems Regulations 2018)
- Computer Misuse Act 1990
- DPA (Data Protection Act 2018)
- UK-GDPR (UK General Data Protection Regulation)
- Telecommunications (Security) Act — for communication providers
Fine implications for not complying with UK cyber laws
NIS Regulations: organisations that fail to implement effective cybersecurity measures under the NIS Regulations can be fined as much as £17 million for non-compliance.
Computer Misuse Act: companies do not need to comply with this act; instead, it exists to punish cyber criminals. Penalties range from a £5,000 fine or a six-month sentence for unauthorised access to or malicious use of data, up to unlimited fines or prison sentences depending on the crime.
DPA: companies not complying with the Data Protection Act may be fined up to £17.5 million or 4% of annual global turnover.
UK-GDPR (data security): all businesses need to comply with this act, which governs how your company processes personal data. Non-compliance can result in a maximum fine of up to £17.5 million (€20 million) or 4% of overall annual turnover, whichever is higher.
Expanding the regulatory scope
One of the most notable changes in the latest updates is the inclusion of MSPs within the regulatory framework. MSPs (Managed Service Providers) are organisations that provide IT services such as online billing or security monitoring. These providers are instrumental in ensuring the functionality of essential services that drive the UK's economy. By bringing MSPs under the scope of regulations, the government aims to bolster the security of digital supply chains.
The expanded regulations encompass critical service providers such as energy companies and the NHS, as well as vital digital services such as cloud computing providers and online search engines. This broadening of scope ensures a comprehensive approach to securing the essential facets of the UK's digital landscape.
Enhanced incident reporting
In addition to extending the scope, the updated regulations demand that essential and digital services improve cyber incident reporting to regulatory bodies such as Ofcom, Ofgem and the Information Commissioner's Office (ICO). This entails notifying regulators of a broader range of incidents, even those that do not immediately disrupt services but carry a high risk or potential impact.
These measures empower the government to adapt the NIS regulations over time, ensuring their ongoing effectiveness. This flexibility enables the inclusion of new organisations and sectors that may become critical to the UK's economy.
Moreover, the updated rules establish a transparent cost recovery system for enforcing the NIS regulations. This system considers various factors, including regulatory burdens and company size, to reduce the financial burden on taxpayers.
Empowering the Information Commissioner
Under the revised cyber laws, the Information Commissioner can adopt a more risk-based approach when regulating digital services. This approach considers how critical these providers are in supporting the resilience of the UK's essential services. By tailoring regulation to the level of risk, the government seeks to strike a balance between security and industry growth.
Actionable steps for complying with UK cyber laws & building cyber resilience
To comply with UK cyber laws, we recommend taking the following actionable steps to keep your information secure without impairing your business operations, and to avoid fines.
- Get clear on which cyber laws you need to comply with. You can do this by conducting extensive research (this article can act as your baseline) and interviewing or hiring a security expert.
- Create an Information Security Management System (ISMS) with processes your company needs to comply with — ISO 27001 can provide you with a framework to do so. This framework will also help you comply with UK cyber laws.
- Implement training for your employees to ensure awareness of the threats cyber and ransomware attacks pose and the financial and operational implications this can have on your company. Guidance on how to implement this can also be found in ISO 27001.
Want to find out more about managing your company's risks? What is risk management, and how can companies identify risks?