Cyber security | UK Regulatory Outlook September 2023
Published on 27th Sep 2023
EU Commission guidelines on application of NIS 2 to financial entities under DORA | ICO and NCSC sign Memorandum of Understanding | NCSC and NCA white paper on ransomware and cybercrime
EU Commission guidelines on application of NIS 2 to financial entities under DORA
On 14 September 2023, the EU Commission released guidelines on the application of Articles 4(1) and (2) of the NIS 2 Directive, which concern the relationship between the Directive and current and future sector-specific legislation addressing cybersecurity risk-management or reporting requirements.
In particular, the guidelines clarify which provisions of the Digital Operational Resilience Act (DORA) apply instead of the corresponding NIS 2 Directive provisions for financial entities that fall within the scope of both instruments, in the following areas:
- information and communication technology (ICT) risk management;
- ICT-related incident management, in particular major ICT-related incident reporting;
- digital operational resilience testing;
- information-sharing arrangements; and
- ICT third-party risk.
Please see our Insights on the NIS 2 Directive and DORA for further information.
ICO and NCSC sign Memorandum of Understanding
On 12 September 2023, the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) signed a joint Memorandum of Understanding that sets out cooperation between the two organisations on the development of cyber security standards and guidance.
It is expected that the NCSC will take the lead where cross-government coordination in response to an incident is required. The ICO will encourage regulated organisations to engage with the NCSC on cyber security matters and has committed to exploring how evidence of meaningful engagement with the NCSC could be treated as a mitigating factor when regulatory penalties are set.
The memorandum clarifies that the NCSC will not share information from an organisation it is investigating due to a cyber incident with the ICO without prior consent of the organisation.
NCSC and NCA white paper on ransomware and cybercrime
On 11 September 2023, the NCSC and the National Crime Agency (NCA) published a white paper examining the evolving tactics used by organised criminal groups and the wider cyber crime "ecosystem".
The paper highlights that most ransomware incidents do not rely on sophisticated attack techniques but are opportunistic in nature, with success usually the result of poor cyber hygiene. Organisations can therefore implement the NCSC's free guidance to help stop the majority of such attacks.
NCSC announces new CTO Ollie Whitehouse
On 1 September 2023, the NCSC announced that Ollie Whitehouse will become its first Chief Technology Officer (CTO).
Mr Whitehouse will join the NCSC after 27 years working in cyber security in the private sector, having previously held senior roles advising government, including serving as Chair for the DSIT Cyber Technology External Advisory Group.
He will formally become CTO in late October 2023.
NCSC warning over security of AI systems
See AI.
National Cyber Strategy 2022-23 progress report
On 14 August 2023, the government published its annual National Cyber Strategy Progress report, reflecting on key achievements throughout the year. It also provided progress updates on some of the principal developments this year:
- Plans to bring all private sector businesses working in critical national infrastructure (CNI) within scope of cyber resilience regulations – proposals to strengthen the UK's cybersecurity laws will be incorporated into the Network and Information Systems (NIS) Regulations "as soon as parliamentary time allows".
- Product Security and Telecommunications Infrastructure Act – the regime requiring manufacturers, importers and distributors to ensure that minimum security requirements are met for consumer connectable products comes into effect on 29 April 2024. The Office for Product Safety and Standards (OPSS) has been confirmed as the regulator for the regime.
The report also notes that the Russian state is still a key source of threat for the UK – the NCSC has confirmed attempted cyberattacks against the UK media, telecommunications, and energy infrastructure.
NCSC joint advisory on most common vulnerabilities exploited in 2022
On 3 August 2023, members of the Five Eyes Alliance, which includes the UK's NCSC and its counterparts in the US, Australia, Canada and New Zealand, released a joint cybersecurity advisory listing the top 12 vulnerabilities that were routinely exploited in 2022.
The alliance sent a warning to organisations about the importance of updating and applying security patches promptly, as the advisory reveals a trend in threat actors routinely targeting older, previously disclosed flaws – despite security updates being available to fix them.
The advisory also provides mitigation advice to help organisations improve their cybersecurity posture – for companies in the UK, this includes signing up for the NCSC's Early Warning service to receive alerts about potential threats affecting their networks.
Cyber risks in National Risk Register 2023
On 3 August 2023, the Cabinet Office published the 2023 National Risk Register (NRR), outlining the most serious risks facing the country.
The report identifies 89 threats to the UK, including the newly listed vulnerability of undersea telecommunications cables and the threat to gas supplies posed by Russia.
The NRR includes information within nine risk themes, including terrorism, cyber, and state threats. Potential targets for cyberattacks identified include:
- gas, electricity, fuel supply infrastructure;
- civil nuclear sites;
- health and social care systems;
- transport sector;
- telecommunications systems; and
- UK financial critical national infrastructure including UK retail banks.
NCSC publishes 'shadow IT' guidance
The NCSC has published guidance on "shadow IT" – also known as "grey IT" – which refers to the use of IT hardware or software that has not been provisioned or approved by the organisation's IT department (for example, sharing data with a client via an external cloud provider without IT approval).
The use of shadow IT presents risks to an organisation as it could result in the exfiltration of sensitive data or the spread of malware. The guidance recommends organisational mitigations to address shadow IT, as well as technical solutions that can help organisations manage the risk of shadow IT on the enterprise network.
PSTI Regulations made, bringing into force security requirements for connectable products
Please see Products.
PPN on Cyber Essentials Scheme updates
Please see Regulated procurement.