
Cybersecurity | UK Regulatory Outlook for May 2024 – Osborne Clarke

NCSC Guidance for Organizations Considering Payment for Ransomware Incidents | UK Government announces two new codes of practice on cybersecurity and artificial intelligence | The ICO reports on cybersecurity breaches

NCSC guidance for organizations considering payment for ransomware incidents

The National Cyber Security Centre (NCSC) has published joint guidance with the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA) and the International Underwriting Association (IUA).

The best-practice guidance aims to improve the market's approach to ransom payments, thereby minimising disruption and incident costs, and ultimately reducing the number of ransoms paid by ransomware victims in the UK.

The three insurance associations urge organisations to follow the steps outlined in the guidance, such as business impact assessments and reporting protocols, which organisations and related third parties should consider when faced with a ransomware attack. See the press release.

The NCSC also published a blog post on data theft and loss in the event of a ransomware attack, and launched a new podcast series discussing the latest cyber threats and issues.

The UK Government announces two new codes of practice on cybersecurity and artificial intelligence

While speaking at CYBERUK, the government's flagship cybersecurity conference, Technology Minister Saqib Bhatti announced two new codes of practice that will help improve cybersecurity in AI models and software by setting requirements for developers to build their products securely, to prevent attacks such as the 2023 attack on the MOVEit software (see our earlier coverage for more information).

The AI Cybersecurity Code of Practice is intended to form the basis of a future global standard that will address AI security challenges so that the benefits of AI can be realised. The Government issued a related call for views on the new Code of Practice, which was originally due to close on July 10 but was extended until August 9, 2024 in response to the calling of a general election. In support of the call for views, the government also published a number of research reports on AI cybersecurity.

The second, a voluntary code of practice for software vendors, sets out basic security and resilience measures for organisations that develop or sell software used by other organisations. The Government has issued a call for views seeking industry opinion on the proposed design and implementation of the draft code of practice, which closes on August 9.

The ICO reports on cybersecurity breaches

The Information Commissioner's Office (ICO) has published its report 'Learning from the mistakes of others'. It summarises case studies from the ICO's regulatory activities to illustrate common types of cyber threat and the key measures organisations should consider to mitigate them.

The report focuses on the five main causes of breaches (phishing, brute-force attacks, denial of service, errors and supply chain attacks), and highlights the importance of considering the nature of the information (how sensitive it is) and the risk of harm when determining whether security measures are adequate.

The ICO has taken enforcement action in relation to cyber-related data breaches where organisations failed to:

  • secure external connections with multi-factor authentication;
  • log and monitor systems;
  • respond to unexpected connections or alerts from endpoint protection, such as antivirus software;
  • use strong, unique passwords; and
  • remediate known vulnerabilities and, where possible, apply critical patches within 14 days.

See the press release.

NCSC updates cyber assessment framework

The National Cyber Security Centre (NCSC) has updated its Cyber Assessment Framework, which is used to assess how operators of essential services manage cybersecurity risk in line with the UK NIS Directive.

Significant changes have been made to reflect the increased cyber risk to critical national infrastructure, including changes to the sections on remote access, privileged operations, user access levels and the use of multi-factor authentication. See the press release.

In February 2024, the UK issued a joint advisory to critical infrastructure operators on the threat from state-sponsored cyberattacks.