The Office for Budget Responsibility estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of GDP. The UK government has also published research which shows the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP.
Against that background, the government is introducing the Cyber Security and Resilience Bill to parliament. Its key aim is to strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day. It will reform and add to the existing Network and Information Systems (NIS) Regulations 2018.
The Bill covers certain digital and essential services including healthcare, transport, energy and water. The Bill will update the legacy regulatory framework by:
- expanding the remit of regulation to protect more digital services and supply chains such as data centres. These are an increasingly attractive threat vector for attackers. The Bill aims to fill an immediate gap in the UK’s defences and help prevent attacks similar to those experienced by critical public services in the UK, such as the recent ransomware attack affecting London hospitals.
- putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators, and powers to proactively investigate potential vulnerabilities.
- mandating increased incident reporting to give government better data on cyber-attacks, including where a company has been held to ransom. This will improve understanding of the threats and alert the government to potential attacks by expanding the type and nature of incidents that regulated entities must report.
The Bill will apply across the whole of the UK.