Why Liability Should Steer Compliance with the Cyber Security and Resilience Bill

By James Eason, GRC CRA Practice Lead, Integrity360

Introduced in the King’s Speech and added to the government’s legislative website mid-October, the Cyber Security and Resilience Bill will mandate incident reporting for critical national infrastructure providers and associated businesses as well as digital service providers. It’s been touted as the UK equivalent to NIS2, the second version of the Network and Information Security directive, which came into effect on 17 October across EU states. But unlike that piece of legislation, the details are scant on just who will be in scope, what they will need to do to comply and the potential repercussions of failing to do so.

What we do know is that the Bill will see NIS expanded to cover more digital services and supply chains. Similar to NIS2, it’s likely to bring more organisations into scope that are deemed important to economic stability. It will also mandate the reporting of different types of incident, such as ransomware attacks, to better understand threat patterns and coordinate response. In this respect, the Bill will act in a similar capacity to NIS2, which seeks to share threat intelligence between member states via mechanisms such as coordinated vulnerability disclosure, a shared vulnerability database and the European cyber crisis liaison organisation network (EU-CyCLONe). Regulators, too, will be given greater powers to enforce and investigate.

The Bill is expected to be put before parliament in 2025 but could well be expedited to ensure the UK has a comparable set of regulations to those on the continent. It’s also a pressing issue given that previous reviews of NIS have revealed that few of those within scope have updated or strengthened policies and processes since the inception of the directive back in 2018 (just over half of operators of essential services have taken such steps). So, change is definitely on the horizon. But how should entities that fall within scope, or are likely to do so, begin to align themselves with the Bill?

Corporate and personal accountability

First and foremost, the regulations are likely to involve an overhaul that will require a management focus. In the case of NIS2, for example, the board is tasked with taking responsibility for and maintaining oversight of the risk management strategy. This will require management bodies to undergo training themselves as well as to arrange training for their employees in order to equip themselves with sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices.

Yet NIS2 also breaks new ground in that it not only places responsibility for oversight of the risk strategy firmly at the feet of the board but goes on to state that individuals could be held personally liable if they fail to exercise those responsibilities. Under Article 32, authorities can temporarily prohibit any person responsible for discharging managerial responsibilities at CEO or a similar level from exercising managerial functions – in other words, they can be suspended from office.

We don’t know if the Cyber Security and Resilience Bill will take a similar tack, but NIS2 is by no means alone in this approach. The Securities and Exchange Commission (SEC) likewise specified that individuals could be held accountable in the event of a breach when it tightened its disclosure regulations in July last year. It now requires those disclosing a material cybersecurity incident under Form 8-K to detail the board’s oversight of risk and the role of management in assessing and managing risks from cybersecurity threats.

It’s therefore fair to assume that any entity looking to comply with these regulations would do well to ensure risks and accountabilities are well understood by the board. This may well require board members to get up to speed with an unfamiliar aspect of the business, and it is here that risk and audit committees can perform a valuable role. A risk management and compliance board comprising senior executives such as the CRO, CISO, technology leads and legal team, as well as department heads, can act as a facilitator between the board and what’s happening at a grassroots level in the business.

The role of a risk management committee

Such a risk management committee is usually tasked with evaluating, mitigating and monitoring various risks as well as meeting internal and external compliance demands. It will also regularly review and update risk management policies and ensure that internal controls and reporting mechanisms are accurate and transparent. But from the board’s point of view, it can also add value through its ability to determine precisely where the responsibilities of the board begin and end.

The board needs to understand all three GRC facets. From a governance perspective, it needs to ensure it has complete oversight, so the committee’s role here will be to communicate and maintain that. In terms of risk, the board will need to understand the risks posed, to have properly prioritised them, and to be able to evidence that steps have been taken to minimise and mitigate them. Those steps will need to come from the committee. And finally, the board will need to understand the fundamental elements of compliance: what it is and what board members are responsible for, not just at a company level but also at an individual level.

The committee can therefore do much of the heavy lifting with respect to compliance and the security measures to be put in place. The National Cyber Security Centre (NCSC), for example, recommends that such a committee take responsibility for the Essential Activities identified in each section of its Cyber Security Toolkit for Boards, which reveals the practical role the committee plays. These activities include embedding security and fostering a positive culture, identifying critical assets, understanding cyber threats, implementing a risk management strategy, collaborating with supply chain partners and incident response.

Looking to the future, the likelihood is that the Cyber Security and Resilience Bill will be more prescriptive about the need to put in place a risk management strategy and will require boards to step up and become more accountable for how that strategy is administered and maintained. Boards cannot and should not seek to become cyber security experts, but they do need to put in place structures and executive bodies that can ensure they are aware of the level of exposure of the business. Maintaining that oversight can then drive improvements as well as demonstrating that the board has done its level best to remain compliant.