The Cyber Security and Resilience Bill, launched this week, will enable regulators to enforce larger, turnover-based penalties for serious cybersecurity breaches by companies with ties to important infrastructure, strengthening the existing Network and Information Systems Regulations 2018 (NIS).
In addition to changes within the existing scope of NIS, the bill proposes to extend that scope to include ‘large load controllers’, which manage the electrical load of smart appliances. This will introduce a new category of operator of essential services (OES) for providers of energy smart appliances (ESAs), including electric vehicles, charge points for electric vehicles, and infrastructure such as battery energy storage systems and virtual power plants.
Bringing them alongside existing operators under the bill means providers of ESAs will need to show they have robust plans in place to deal with cyber attacks, and will need to adopt reporting processes for flagging significant or potentially significant incidents to regulators and customers.
The most notable proposed changes, which will affect all OESs, are to the notification requirements. Regulators and the National Cyber Security Centre will need to be notified of an incident initially within 24 hours, with a full report within 72 hours. The timescales have changed, but so too have the triggers for notification: near-miss incidents, or those “capable of having… adverse effect”, are also brought within the reporting requirements. Customers who are likely to be affected by a cyber incident will also need to be informed promptly by the providers concerned.
Stuart Davey, a cyber readiness expert with Pinsent Masons, said the increased scope of the bill would offer an extra challenge to those affected, including in the energy industry.
“The inclusion of large load controllers was a surprise, having not been originally trailed in the consultation exercise,” he explained.
“For the first time, those providers will have specific obligations to ensure they comply with the new security requirements. This demonstrates the importance the government places on clean tech and electronic charging infrastructure.”
In addition, the bill proposes a new category of OESs that are ‘critical suppliers’. This is targeted at organisations that provide “goods or services” to an OES, where they rely on network and information systems to carry out supply.
“The briefing paper and consultation documents emphasised the importance of supply chain management, and the bill delivers this by proposing that critical suppliers can be designated by a competent authority,” said Davey.
“At the consultation stage, this appeared to be one of the hardest points to pin down. The current drafting will need careful review, but the fact that there are six pages of lengthy drafting, dealing with designation, consultation, revocation and coordination, suggests this has not been a straightforward process. This is likely to lead to further engagement between ‘operators of essential services’, those potentially to be designated, and competent authorities.”
Chris Martin, a technology and cyber readiness expert with Pinsent Masons, said the bill will give both operators of essential services and their key suppliers cause to consider how cyber security and resilience is addressed in supply chain contracts.
“Existing good practice for operators of essential services in the energy sector means imposing appropriate cyber security obligations on key suppliers,” he said.
“Existing contractual practices will now need a thorough review in light of the bill’s proposed changes to NIS. Energy operators and their suppliers should expect regulators to demand demonstrable cyber resilience, which means contracts must go beyond generic security obligations. Practical considerations include embedding clear cybersecurity standards aligned with NCSC guidance, setting mandatory incident reporting timelines, granting audit and assurance rights, allocating liability for regulatory fines, and including termination provisions for non-compliance.”
Martin added that, for suppliers to the energy sector, the focus on supply chain means they must make strong cyber resilience the hallmark of the goods and services they provide, to ensure any contractual allocation of the risk of enforcement action is fair.
In addition to the changes that are directly relevant to OES, the bill also strengthens the powers of, and obligations on, competent authorities.
“On the one hand, there may be a recognition that competent authorities have not introduced enough guidance under NIS, and the bill explains what guidance is expected to be published,” said Davey.
“The bill also further empowers competent authorities, including by providing more powers for information gathering, with potential penalties for any parties failing to cooperate with such information requests. It is highly likely that regulators will use these new powers to bolster the enforcement actions that are already being taken under NIS.”
Accompanying the bill is a guide which sets out the government’s intent to simplify the penalty band structure under NIS, allow for further factors to be considered as to what constitutes a proportionate penalty, and introduce new maximum penalties. These are proposed to include a new top band of up to £17 million, or 4% of a regulated entity’s worldwide turnover.
In addition, the proposed changes would allow regulators to recover the full costs associated with their NIS duties, but they will also be required to show how they are using these funds, as part of a new charging scheme intended to strengthen the enforcement process.
Some of the changes less likely to hit headlines relate to the increased powers of the government to instruct regulators – and the organisations in their remit – to take preventative steps when national security is at risk, which could also have significant implications for operators if cyber attacks are threatened.
The bill comes in the wake of warnings from the National Cyber Security Centre in October that companies needed to step up their preparations after a rise in significant attacks.
