New laws to boost cyber defences for public services

The government has proposed new laws to better protect public services from cyber attacks.

The Cyber Security and Resilience Bill aims to strengthen national security and protect growth by boosting cyber protections.

These proposed laws would cover certain digital and essential services including healthcare, transport, energy and water.

Under the proposed changes, medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations, like the NHS, will be regulated for the first time. They will also need to meet clear security duties, including reporting significant or potentially significant cyber incidents promptly to government and their customers, as well as having robust plans in place to deal with the consequences.

Regulators will be given new powers to designate critical suppliers to the UK’s essential services, such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean suppliers would have to meet minimum security requirements.

Enforcement will also change, including tougher turnover-based penalties for serious breaches, so cutting corners is no longer cheaper than doing the right thing.

The technology secretary will get new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security.

The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion.

Research also shows that the average cost of a significant cyber-attack in the UK is now over £190,000. This is equal to around £14.7 billion a year across the economy.

Science, innovation, and technology secretary Liz Kendall said: "Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

"We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge."

National Cyber Security Centre CEO Dr Richard Horne said: "The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.

"As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.

"Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires."