Cyber Security | UK Regulatory Outlook September 2024

UK data centres to be designated as critical national infrastructure

On 12 September 2024, the technology secretary, Peter Kyle, announced that UK data infrastructure, including physical data centres and cloud operators, will be classed as critical national infrastructure (CNI), underscoring the important role data centres play in the nation's economy.

The CNI designation will place data centres on equal footing with essential services like water, energy and emergency services. A dedicated CNI data infrastructure team will be established to oversee and coordinate access to the National Cyber Security Centre (NCSC) and emergency services during critical incidents.

These new measures aim to better protect vital health and financial data against threats such as cyber attacks, IT outages and adverse weather events, reaffirming the prime minister's commitment to safeguarding the UK's data industry.

For further reading on the importance of robust supply chain risk management amidst rising cyber threats, read our Insight.

ICO and NCA sign memorandum of understanding for collaboration on cyber security

On 5 September 2024, the Information Commissioner's Office (ICO) and the National Crime Agency (NCA) signed a memorandum of understanding (MoU), reaffirming their commitment to collaborating to improve the UK's cyber resilience.

The MoU establishes a framework for cooperation and information sharing between the ICO and the NCA, specifically:

• sharing intelligence about international developments and opportunities in relation to cyber security;
• information sharing regarding cyber threats and incidents, including cyber threat assessments where the threats are likely to affect relevant digital service providers regulated by the ICO;
• reminding organisations of their legal obligations to notify all relevant regulators of a cyber incident;
• coordinating incident management where both regulators are engaged in managing a cyber incident to minimise any disruption to the organisation's efforts to mitigate any harm; and
• coordinating public communications and press releases to ensure consistent guidance and standards on cyber related matters.

The MoU clarifies that the NCA will not share information from an organisation it is engaged with due to a cyber incident with the ICO without the consent of the organisation.

The agreement signifies the ICO and NCA's common aim of supporting companies with the guidance and support they require on cyber security matters, assisting victims of cyber attacks and promoting the reporting of cyber crime.

See the press releases from the ICO and NCA.

NCSC and partners link Russian military hackers to critical infrastructure attacks

The NCSC and its partners in the US, the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine have identified a unit of Russia's military intelligence service as responsible for carrying out a campaign of malicious cyber activity targeting government and critical infrastructure organisations around the world.

The international agencies published a joint advisory detailing the tactics and techniques used by the GRU Unit 29155 to target organisations to collect information for espionage purposes, the theft and leaking of sensitive information, disruption of websites and destruction of data.

The NCSC strongly advises organisations to follow the recommended actions set out in the advisory to strengthen their cyber resilience and defend their networks against GRU-linked attacks, including prioritising routine system updates and patching known vulnerabilities.

See the NCSC press release.

NCSC and partners issue warning over DPRK state-sponsored cyber campaign

The NCSC and international partners in the US and the Republic of Korea issued an advisory warning of the threat from a Democratic People's Republic of Korea-state sponsored group known as "Andariel", which has been targeting critical infrastructure organisations around the world to steal sensitive and classified technical information and intellectual property. The group primarily targets defence, aerospace, nuclear and engineering entities, as well as organisations in the medical and energy sectors.

Read the joint cybersecurity advisory, which outlines technical details and mitigation advice.

NCSC encourages organisations to share lessons learnt from cyber security incidents

The NCSC's chief technology officer, Ralph B, published a blog post encouraging organisations to share information on the "lessons learnt" from cybersecurity incidents and how near misses have impacted their services with the aim of providing greater insight into cross-sector threats and the effectiveness of cyber defences.

The NCSC encourages organisations to share information on their Connect Information Share Protect (CISP) platform or other trusted cyber security groups.

UN finalises new cybercrime convention

United Nations member states and the Ad Hoc Committee established by the United Nations General Assembly agreed on a draft text for the convention against cybercrime. The draft convention aims to strengthen international cooperation in addressing the threat posed by technology used by criminals in committing offences such as terrorism and organised crime.

Once it is adopted by the UN General Assembly, expected later this year, the treaty will become the first global legally binding instrument on cybercrime. For details, see the draft convention.

ESAs publish Systemic Cyber Incident Coordination Framework

The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs), will establish the EU systemic cyber incident coordination framework (EU-SCICF). The framework aims to support the EU's Digital Operational Resilience Act (DORA) by strengthening coordination among financial authorities and key actors, creating an effective financial sector response to major cyber incidents with the potential to disrupt key financial services and operations.

Over the coming months, the ESAs will begin the implementation of the framework by setting up various bodies and identifying legal and operational hurdles which will be reported to the European Commission. The development of the framework will be subject to the availability of resources and other measures taken by the Commission.