December 6, 2025

Blog Post

UK imposes strict new cyber laws

Two pieces of upcoming legislation are set to transform the cyber strategies of companies in certain sectors. Immediate reporting of significant cyber-attacks is soon to be mandatory, and making ransomware payments may soon be outlawed.

A Home Office proposal was recently put before Parliament as the Cyber Security and Resilience (Network and Information Systems) Bill.

The Prime Minister said: “National Security is the first responsibility of any government; that never changes. But as the world changes, the way we discharge that responsibility must change with it.”

The Bill is intended to help protect the UK against cyber warfare by strengthening the cyber defences of critical services. Where a harmful cyber breach has the potential to cause significant impact, it will need to be reported to regulators, with an initial notification within 24 hours and a fuller report within 72 hours. The National Cyber Security Centre is to be informed at the same time.

The Bill’s definition of “critical services” is broad. It encompasses not only energy, transport, health services and water utilities, but also “digital infrastructure”, which includes online marketplaces, online search engines, data centres and cloud computing services, plus some electronic communications systems.

Making ransomware payments to be banned

The UK Home Office has also proposed a ban on certain organizations making ransomware payments. Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals under the measure. But the proposed legislation would also extend well beyond those sectors.

Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including warning them if such a payment would risk breaking the law by sending money to sanctioned cyber-criminal groups, many of which are based in Russia.

The ban is already meeting stiff opposition from the financial sector, which is concerned that banks may be included and that this could affect their ability to get customers up and running again after an attack. UK Finance, which represents around 300 firms across the UK financial services sector, fears that an outright prohibition on ransom payments could be counter-productive.

According to a recent report on the proposed legislation by UK Finance: “No clear empirical evidence or international case study demonstrates that banning payments reduces ransomware attacks; instead, experience suggests it may drive payments underground rather than deter criminals. Some law enforcement experts have also cautioned that bans could increase risks to victims if not carefully designed due to the disruption that unresolved ransomware attacks could cause.”
