Cyber security | UK Regulatory Outlook May 2024
Published on 31st May 2024
NCSC guidance for organisations considering payment in ransomware incidents | UK government announces two new codes of practice for cyber security and AI | ICO reports on cyber security breaches
NCSC guidance for organisations considering payment in ransomware incidents
The National Cyber Security Centre (NCSC) has released joint guidance with the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA) and the International Underwriting Association (IUA).
The best practice guidance aims to improve the market's approach to ransom payments, minimise the disruption and cost of incidents, and ultimately reduce the number of ransoms paid by UK ransomware victims.
The three insurance associations urge organisations to follow the steps outlined in the guidance, such as assessing business impact and following reporting protocols, which organisations and their associated third parties should consider when faced with a ransomware attack. See the press release.
The NCSC has also published a blog post regarding the theft and loss of data in the event of a ransomware attack and launched a new podcast series discussing the latest cyber threats and issues.
UK government announces two new codes of practice for cyber security and AI
During a speech at CYBERUK, the government's flagship cyber security conference, the Technology Minister, Saqib Bhatti, announced two new codes of practice intended to improve cyber security in AI models and software by setting requirements for developers to build their products securely, with the aim of preventing attacks such as the one on MOVEit software in 2023. (See more in our Insight.)
The AI cyber security code of practice is intended to form the basis of a future global standard, which will address AI safety challenges to ensure the benefits of AI can be realised. The government has launched a related call for views on the new code of practice, originally set to conclude on 10 July but extended to 9 August 2024 in response to the general election being called. To support the call for views, the government has also published a number of research reports on AI cyber security.
The second code, a voluntary code of practice for software vendors, sets out fundamental security and resilience measures for organisations that develop or sell software used by other organisations. The government has launched a call for evidence seeking views from industry on the proposed design and implementation of the draft code of practice, which closes on 9 August.
ICO reports on cyber security breaches
The Information Commissioner's Office (ICO) has published the report "Learning from the mistakes of others". It summarises case studies from its regulatory activities to illustrate common types of cyber threats and the key measures that organisations should consider to mitigate threats.
The report focuses on five leading causes of breaches (phishing, brute force attacks, denial of service, errors and supply chain attacks) and stresses the importance of considering the nature of the information (how sensitive it is) and the risk of harm when determining whether security measures are adequate.
The ICO has taken enforcement action in relation to cyber-related data breaches where organisations failed to:
- secure external connections with multi-factor authentication;
- log and monitor systems;
- act on unexpected connections, or alerts from endpoint protection such as anti-malware or anti-virus;
- use strong, unique passwords; and
- mitigate against known vulnerabilities and apply critical patches within 14 days, where possible.
See the press release.
NCSC updates Cyber Assessment Framework
The National Cyber Security Centre (NCSC) has updated its Cyber Assessment Framework, which is aimed at assessing how well operators of essential services manage cyber security risks under the UK NIS Directive.
Significant changes have been made to reflect the heightened cyber threat to critical national infrastructure, including revisions to the sections on remote access, privileged operations, user access levels and the use of multi-factor authentication. See the press release.
In February 2024, the UK issued a joint advisory to critical infrastructure operators about the threat from state-sponsored cyber attacks.