Notis Iliopoulos, EVP of Managed Risk and Controls (MRC) at Obrela discusses a recent panel of cybersecurity experts examining the UK’s evolving Cyber Security Resilience Bill, including concerns around regulatory expansion and industry impact.
Platforming cybersecurity experts
In the wake of an impassioned debate in the House of Commons following the second reading of the Cyber Security Resilience Bill earlier this year, Obrela held a panel discussion of cybersecurity experts to debate the changes in the law that may soon be forthcoming.
In its original form, the bill was designed to protect the UK’s critical infrastructure from cyber-attacks.
However, the recent devastating cyber-attacks on Jaguar Land Rover and Marks & Spencer have prompted MPs to call for the bill to widen its scope so that it also applies to other sectors, such as manufacturing and retail.
The cybersecurity experts assembled by Obrela for an online panel discussion recently predicted that the bill’s powers are now likely to be widened considerably.
Dr Richard Jones, Cybersecurity expert, Law Faculty, Edinburgh University commented: “I think there is a likelihood that additional sectors will in time be added… That is highly likely because I think that is the direction we are moving in.”
The danger of over-regulation and “scope-creep”
But the panel also expressed fears that there is a very real danger of the government widening the scope of the bill and imposing additional regulatory burdens on companies, with highly negative consequences, a process the panel referred to as "scope-creep".
These burdens include measures already outlined in the bill, such as mandatory reporting of cyber-attacks within 24 hours, with a detailed report submitted within 72 hours of the discovery of the attack.
As the Cyber Security Resilience Bill is now at the Public Bill Committee stage, UK lobbying groups are currently submitting evidence designed to dissuade the government from over-burdening organisations with regulatory requirements.
Balancing resilience and regulation
Adam Avards, Principal of Cyber Security and Third-Party Risk Policy, UK Finance said: “What we really need to avoid is crippling the sector and their ability to respond to attacks.
“Imagine that you are a bank and that you are subject to some kind of cyber-attack that is impeding your ability to provide important and critical business services.
“You want to be able to put all hands to the pump in the resolution of this issue and not towards fulfilling the various regulatory requirements on instant reporting… Our strong sense is that the firms we represent and the financial sector as a whole already have a significant regulatory burden, which impedes their ability to deal with a cybersecurity incident.”
Dr Jones added: “From a societal point of view and government perspective, the trick is to balance the need to ensure cyber-resilience within the UK against the overhead that might be placed on individual companies.”
Turning regulatory compliance into a competitive advantage
But the panel also discussed ways of turning what might otherwise be seen as onerous regulatory compliance into a competitive advantage.
I would say that there are some easy ways to turn regulatory compliance into a competitive advantage.
One is by cutting the cost of cybersecurity, since some compliance work can be automated.
The second is to win the supply-chain game, and the third is to use the regulation as leverage internally to get what you need in order to achieve actual security, not mere compliance.
To view the entire panel discussion online, please follow this link: UK Cybersecurity Regulations Are Expanding – Is Your Business Ready?
