
Complying with the Cyber Security and Resilience Bill

Matthieu Chan Tsin at Cowbell discusses the UK’s tough new cyber-security and resilience laws affecting essential services, explaining why organisations far beyond the public sector should also pay attention


Last November, the UK Government set out proposals for a new Cyber Security and Resilience Bill designed to strengthen cyber-defences across critical services, including healthcare, drinking water, transport and energy.

 

The focus is clear - prioritise sectors where disruption would have immediate and far-reaching consequences for public safety, national stability and economic resilience. After all, hospitals cannot simply suspend care, water utilities cannot afford prolonged outages, and extended disruption to transport or energy systems would have a huge effect on society.

 

The financial risks are also stark, with the Office for Budget Responsibility warning that a major cyber-attack on critical national infrastructure could temporarily increase government borrowing by more than £30 billion - equivalent to roughly 1.1% of GDP.

 

 

Beyond the public sector

However, despite the current proposals targeting essential services only, the impact of raising resilience standards in the systems the country depends on is far broader.

 

Not only will it protect thousands of interconnected businesses over time, but medium and large organisations providing essential digital services - from IT management and help desk support to cyber-security - are also expected to fall within scope.

 

In other words, this is not solely a public-sector story. Any organisation that supports, supplies, or connects into essential services should be paying close attention.

 

And for those that don’t? My advice is to take note as well. Firstly, applying regulation to essential services may well be just the start. If the Government’s lens is economic resilience and overall cyber-risk, it makes sense that other sectors - particularly manufacturing and education - may be brought under similar expectations in the future.

 

Secondly, the current absence of a legal obligation to comply with new cyber-security standards does not reduce the operational and financial consequences of an attack. With threat levels rising sector-wide and the global risk landscape in ever-increasing chaos, improvement should be driven by risk reality, not by compliance deadlines.

 

And thirdly, good cyber-resilience is fast becoming a marker of overall business strength for a range of stakeholders, from customers to investors. Insurers, too, are tightening expectations. Organisations with weak cyber-hygiene or repeated incidents will find coverage harder to secure, more restrictive in scope, and more expensive to maintain.

 

 

Advice for organisations affected by the Bill, and beyond

With the above in mind, for organisations within scope - and indeed those outside it - this is a moment to reassess how cyber-resilience is approached at a structural level. And the starting point should be practical, not theoretical:

 

Get to know your sector’s threat landscape and close basic cyber-security gaps

For most sectors, the overwhelming majority of successful attacks are broad, opportunistic and exploit known weaknesses (not ultra-targeted nation-state attacks). They succeed because of unpatched systems, inconsistent updates, poorly implemented access controls, or simple user errors. In other words, they work because doors are left open. Understanding what typically hits your sector - phishing, credential theft, exploitation of legacy systems - allows you to focus on the 90% of attacks that are preventable through inexpensive, effective controls - such as patching systems in a timely way or deploying multi‑factor authentication effectively.

 

Understand legislative changes and their impact

For organisations directly affected by the Bill, there are a number of new considerations, such as turnover-based penalties for serious breaches, as well as strengthened obligations to enhance monitoring, improve incident detection capabilities, and isolate or better protect high-risk systems that could jeopardise essential services.

 

Organisations providing essential digital services will also need to meet clear security duties, including reporting significant or potentially significant cyber-incidents promptly to the government and their customers, as well as having robust plans in place to deal with the consequences. Regulators will even gain powers to designate critical suppliers, meaning those wishing to operate within essential service ecosystems will have to meet defined security thresholds. While legislation is at the proposal stage, now is a great time to get ahead and familiarise yourself with these upcoming changes and how they might impact your organisation.

 

Assess complexity, not just controls

Many essential sectors operate highly fragmented technology environments. Multiple vendors, legacy systems, differing update cycles and limited central visibility create structural weaknesses. In these environments, risk accumulates quietly over time. Resilience here requires understanding how systems connect, where dependencies sit, and which high-risk components could trigger cascading disruption if compromised. Without that visibility, technical controls alone are insufficient.

 

Recognise supply chain exposure

No essential service, or indeed business, operates in isolation; all depend on managed service providers, cloud platforms and external IT support. So it’s important to remember that a weakness in one supplier can create a domino effect across multiple operators. Suppliers should assume that resilience expectations will increasingly mirror those imposed on the sectors they serve.

 

Don’t rely on regulation alone

Regulation is not a substitute for internal ownership. For too long, cyber-security has competed directly with revenue-generating investment and been placed in a cost category that is easy to defer; an approach that’s failed to reduce the volume or severity of incidents. If we continue with the same funding patterns and governance structures, expecting a different outcome is simply unrealistic. As such, compliance should be viewed as the floor, not the ceiling. Organisations that treat this Bill as a box-ticking exercise will only end up embedding the very vulnerabilities the legislation is trying to address.

 

 

Resilience only when mandated is resilience too late

Having feared that heavy regulation would slow progress or innovation, the UK Government - and many others in the West - have for a long time opted for guidance and best-practice frameworks instead. But that thinking is clearly changing.

 

The regulation we’re seeing now is not a guaranteed fix, but rather a sign that the previous approach clearly wasn’t working.

 

Regulation will, of course, raise the baseline for those within scope. But resilience should not be something organisations build only when compelled to do so. By that stage, the threat is already active and the exposure already present.

 

The smarter course is to act before designation, before enforcement and before an incident. Waiting for regulation to dictate action is rarely the most efficient - or the least costly - way to manage risk.

 


 

Matthieu Chan Tsin is SVP/GM of Resiliency Services at Cowbell

 

Main image courtesy of iStockPhoto.com and amgun
