Cyber Security | UK Regulatory Outlook April 2024
Published on 23rd Apr 2024
Cyber Security Breaches Survey 2024 | BoE Committee approach to operational resilience | Cyber Security Longitudinal Survey: wave three results
Cyber Security Breaches Survey 2024
On 9 April 2024, the UK government published the latest Cyber Security Breaches Survey, an annual survey looking at the cost and impact of cyber attacks on businesses, charities and educational institutions, and their approach to cyber security.
The survey revealed that cyber attacks continue to pose a common threat, with 50% of businesses and 32% of charities having identified a cyber breach or attack in the past 12 months.
As expected, board-level responsibility for cyber security was more prevalent in larger businesses, where the management board is likely to be bigger. However, there remain a number of barriers preventing boards from becoming more engaged with cyber security, including a lack of understanding or interest, a lack of training, insufficient time and a perception that organisations of their kind face a relatively low risk from cyber attacks.
Organisations of all sizes should take a proactive approach to incident management and ensure that board members have oversight of the organisation's cyber strategy. Senior engagement can result in quicker approval for new measures and enables organisations to demonstrate compliance to regulators. The National Cyber Security Centre's Cyber Security Toolkit for Boards is aimed at helping board members across all sectors to better understand their obligations and discuss issues with technical experts within their organisation.
Our international team of Osborne Clarke lawyers can advise on regulatory compliance and crisis readiness through our "war game" exercises, so please get in touch should you need assistance. You can also sign up for our "Dipping into Data" webinar where our experts will take you through the developing legal landscape of cyber security for businesses.
BoE Committee approach to operational resilience
The Bank of England (BoE) has published "Financial Stability in Focus", setting out the Financial Policy Committee's (FPC) approach to operational resilience, in particular the ability of financial firms vital to UK financial stability (including payments, deposits and insurance services) to prevent and mitigate disruptions such as cyber attacks and internal process failures.
The FPC expects to review the existing policies on operational resilience on a regular basis, with the next cyber stress test due to start in spring 2024 and findings expected to be published in the first half of 2025.
Geopolitical and cyber attack risks were the most frequently cited risks to the UK financial system among financial firms in the BoE's biannual Systemic Risk Survey H1 2024.
In the EU, the new Digital Operational Resilience Regulation (DORA) introduces legal and regulatory requirements to strengthen the ability of financial services firms to prevent and mitigate ICT-related disruptions and threats. See more in our Insight.
Cyber Security Longitudinal Survey: wave three results
The Department for Science, Innovation and Technology (DSIT) published wave three results of the Cyber Security Longitudinal Survey, a three-year study which analyses the cyber security behaviours of UK medium and large businesses and high-income charities.
A majority of businesses reported taking steps to expand or improve their cyber security. However, only a small minority of organisations took steps to formally assess or manage the cyber threat presented by third-party suppliers or partners, despite the rising threat of cyber attacks resulting from vulnerabilities within a supply chain.
In the last 12 months, 24% of medium businesses and 39% of large businesses reported having assessed their supplier risks. This indicates that, as with previous waves of the survey, larger businesses are likely to adopt a more sophisticated approach to cyber security. To find out more, register for our webinar where Katherine Kearns, Head of Proactive Legal Services at S-RM, and Osborne Clarke's Philip Tansley will take a look at identifying and reducing exposure to cyber risk in supply chains.