Welcome to the first episode in our new four-part podcast series, Full disclosure, where we explore key cyber regulatory challenges across different regions – UK, Europe, US, and Asia.
Focusing first on the UK, host Matthew Mettenheimer (Associate Director, Cyber Advisory) speaks with Katherine Kearns (Head of Proactive Cyber Services, EMEA) and Mike Groves (Head of Cyber Advisory, UK) about the cyber regulations which impact UK businesses, offering a wealth of insightful takeaways about the country's increasingly complex compliance obligations.
What does the current cyber regulations landscape look like in the UK?
The ecosystem of cyber regulations right now is vast, and it's becoming more complex. We are seeing the volume of regulatory sources increasing, which is affecting companies operating cross-border. Regulators are truly racing to the top in developing laws that protect critical infrastructures, critical services, sensitive data and these regulations enforce controls that go well beyond basic cyber security hygiene.
Today's security standards are divergent, and they will be difficult to implement, especially in highly complex, cross-border organisations. Enforcement actions are also increasingly punitive: several of these regulations carry board-level responsibilities and administrative or criminal penalties, so the enforcement regimes are fairly strong.
A lot of the regulations are principle-based, so they don't actually offer the technical controls or standards that organisations need to implement. As a result, we are going to see an evolution in the regulatory space, with more specific controls, standards, and guidelines coming out over the next few years, because as things stand the directives and regulations themselves are quite unspecific.
And finally, the technical boundaries for regulatory scoping are dynamic. Many organisations will need to determine whether they fall within the scope of cyber regulations, and that is not a simple exercise; it's quite involved.
Which specific cyber regulations impact UK businesses?
1. The Digital Operational Resilience Act (DORA): An EU-wide framework, which impacts UK businesses, DORA establishes cyber security protocols for financial institutions and their critical ICT third-party service providers. Scheduled to be enforced in January 2025, the Act focuses on cyber risk management, incident reporting, resilience testing, and third-party risk monitoring. DORA's objective is to ensure the European financial sector's resilience to drastic operational disruptions.
2. The Network and Information Security directive (NIS2): Introduced in January 2023, NIS2 updates cyber security rules imposed in 2016, elaborating on legal measures designed to enhance overall cyber security in the EU and UK. Covering an array of specifics, including encryption, business continuity, and supplier risk management, NIS2 expects organisations to report significant incidents to relevant authorities within 24 hours of detection. It also obliges businesses to share cyber threat information proactively across the sector. NIS2 is expected to be enforced in October 2024.
3. Payment Card Industry Data Security Standard Version 4 (PCI DSS 4.0): An upgrade of PCI DSS 3.2.1, PCI DSS 4.0 sets more stringent requirements for securing payment card data – focusing on stricter controls, encryption, event logging and monitoring, and comprehensive incident response plans.
4. Telecommunications (Security) Act (TSA): In 2019, the UK government's Department for Digital, Culture, Media & Sport performed an assessment of the UK's supply arrangements for the telco networks and identified that the UK needed a new, fundamentally different security framework for organisations operating within the sector to secure this critical part of national infrastructure. The government has subsequently established a new security framework through the Telecommunications Act which came into force in October 2022. The framework sets out stringent security standards that are designed to promote resilience and integrity of core telco networks and it is expected to bring significant change not only to the UK, but also far beyond. We will see the telco industry shifting from siloed, compliance-based security initiatives to threat-led security transformation which the TSA drives.
5. EU Cyber Resilience Act: The EU Cyber Resilience Act, which is due to be converted into law in autumn 2024, is designed to promote security within digital supply chains and all the digital products that are offered to the EU market.
What are some of the commonalities between these cyber regulations?
ICT risk management frameworks
The regulations are designed to drive organisations towards the development and use of robust ICT risk management frameworks. They aim to ensure that organisations take steps to understand the potential impact of ICT risks and put measures in place to continuously identify and effectively manage those risks. They also place a greater emphasis on ensuring that organisations continue to improve their risk management functions over time, driving these activities beyond what we perhaps might think of as 'tick box exercises' and towards something that looks closer to an optimisation of security controls.
Continuous monitoring
Continuous improvement is another really critical stipulation, because a static compliance requirement that doesn't demand ongoing improvement can simply end up being shelved. So, across all of these regulations there is a greater focus on continuous monitoring and improvement of the risk management function.
Incident response plans and staff training
There's an increased focus on disaster recovery and business continuity activities. Organisations are expected to define these strategies and establish really comprehensive operational resilience documentation. Once created, continuous testing of the different plans is absolutely critical, and that includes testing of key stakeholders as well. There are lots of different ways businesses can do that, but simulated and tabletop exercises across the incident response and recovery domains are both really good ways of achieving regular testing, training, and continuous improvement. The regulations further agree on the need for an increasing focus on risk awareness and training programmes for staff and leadership. There's a recognition that the staff body in particular is a huge attack surface across all organisations, and that organisations can very quickly improve their resilience by deploying training programmes for staff and making them more aware of the threats that are out there and some of the risks that exist. Beyond the commonalities in the content of the regulations, there are some additional similarities concerning their application and enforcement.
Third-party risk management
The next commonality in the new regulations concerns the management and monitoring of third-party risk. In particular, organisations are expected to establish a really effective third-party risk management programme. They need to specify the appropriate contractual obligations for their vendors and for their counterparties.
Notification timelines
There's also the expectation for organisations to implement robust processes for the detection, management, and notification of IT-related incidents. There's a big focus on short incident notification timelines. For example, given the sensitivity of financial data, DORA specifies really tight 24-hour reporting requirements for entities that are facing substantial operational impacts or data loss.
NIS2 requires the submission of an early warning notification to competent authorities that needs to take place within 24 hours of becoming aware of a significant incident and then subsequently a full incident notification that needs to be delivered within 72 hours. And the TSA obliges third-party suppliers to the UK telco sector to notify telecoms providers within 48 hours of becoming aware of any security incidents in the development network or the corporate network.
Fines and punitive measures
Then, on fines and punitive measures, DORA applies administrative or even criminal penalties for non-compliance, with responsibility allocated at board level for the implementation of controls by 17 January 2025. It's really important to note that this accountability sits at the most senior levels of organisations.
Under NIS2, fines for non-compliance can be up to EUR 10 million or 2% of the total turnover for essential entities or EUR 7 million or 1.4% of total turnover for important entities. And, finally, non-compliance with the TSA could result in penalties of up to 10% of turnover and will be policed by Ofcom.
What can businesses do to prepare for these cyber regulations?
Establishing an ICT risk management framework is key; it is a very important piece of work, strongly driven by both DORA and NIS2. It's essentially the core piece of work an organisation has to go through as its first step towards compliance, so ensuring that there is an appropriate level of security founded on a risk-based approach is the first thing organisations have to look at.
Supply chain security is the next piece. Determining which suppliers are critical, identifying the risks that come out of those suppliers, and monitoring and managing those risks down is a challenging and very involved exercise. Both DORA and NIS2 have strong clauses around third-party risk management, so we would strongly encourage organisations to look at establishing a robust third-party risk management programme.
Another piece to highlight is how important it is to be prepared to notify regulatory authorities of any suspected or confirmed incident. The notification timelines are very short, akin to what we have seen with GDPR. So, having robust identification procedures, disaster recovery plans, and notification procedures is really important, and exercising those plans, procedures and notifications is also key to making sure they are effective and working.
Conclusion
There is a pressing need for UK businesses to understand which regulatory obligations apply to them and adapt accordingly to protect their clients and brand reputation. With overlapping features and sometimes puzzling applicability, determining the scope of a regulatory compliance obligation can be challenging. An educated and proactive approach can significantly help in mapping out a company's cyber security risks and then subsequently mitigating them, with board-level interest making the enactment of compliance initiatives a driver of beneficial change rather than merely a mandatory condition.