UK to introduce watered-down version of mandatory reporting for ransomware attacks
Britain’s new government announced on Wednesday its intention to bring forward a Cyber Security and Resilience Bill updating the country’s cybersecurity regulations, two years after the previous government prematurely described them as “updated” before failing to actually introduce the legislation.
The new law will include a mandatory reporting requirement for companies hit by ransomware attacks. Announced as part of the King’s Speech formally opening Parliament, it comes as ransomware incidents affecting British businesses keep reaching record levels.
The legislation as described falls short of more ambitious plans that were to be proposed in a Home Office public consultation, exclusively reported by Recorded Future News, before the consultation was ultimately scuppered by Rishi Sunak’s snap election.
That proposed major overhaul of how the country responds to ransomware attacks would have required all ransomware victims to report incidents to the government, and then obliged those victims to seek a license from sanctions authorities before making any extortion payments.
It also would have prohibited companies working in critical infrastructure from ever making an extortion payment, intending to remove the incentive for hackers to disrupt these critical services by preventing them from monetizing attacks.
But the government’s description of the Cyber Security and Resilience Bill states its impact would be limited to “regulated entities” rather than imposing the new rules across the whole of the private sector.
Although the range of regulated entities is likely to increase to include managed service providers (MSPs) — companies paid to manage IT infrastructure and provide support, often to smaller businesses that don't have a designated IT department — it is not clear whether the bill will affect other third-party services involved in the supply chains of critical service organizations.
These organizations have been repeatedly impacted by cyber incidents in recent months. A ransomware attack on pathology business Synnovis in June caused a critical incident to be declared across several hospitals in London, leading to thousands of postponed appointments and operations, including hundreds for cancer treatments.
The government stated the Cyber Security and Resilience Bill would expand “the remit of the regulation to protect more digital services and supply chains,” explicitly claiming it “will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.”
Low report numbers
The current laws, known as the Network & Information Systems Regulations (NIS Regulations) were initially passed in 2018 based on a European Union directive. They prescribe security standards for the providers of critical infrastructure and essential digital services, alongside establishing mandatory reporting obligations in the wake of disruptive cyberattacks.
The total count of these reports is quite low due to the high thresholds set for an incident to be reportable. A reportable NIS incident for an electricity distribution network would have to involve an unplanned loss of supply to at least 50,000 customers for more than three minutes. An incident affecting a nationally significant DNS resolver for internet traffic would see the service’s bandwidth drop by more than 25% for 15 minutes or longer.
Even so, within just the first six months of 2023, organizations operating critical IT infrastructure services in the United Kingdom reported more incidents than in all previous years combined, as Recorded Future News previously reported.
Under the existing laws, a ransomware attack that did not impact the provision of water supplies — such as the attack on the South Staffordshire Water utilities company — would not be considered a reportable incident.
The updated laws are set to revise these thresholds. The government said the bill’s provisions will include “mandating increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom — this will improve our understanding of the threats and alert us to potential attacks.”
The bill would also empower the sector-specific regulators for critical infrastructure companies to ensure that “essential cyber safety measures are being implemented,” including providing these regulators with “potential cost recovery mechanisms” and “powers to proactively investigate potential vulnerabilities.”
The Cyber Security and Resilience Bill is being brought forward by the Department for Science, Innovation and Technology. It is not clear when the legislation will be introduced to parliament.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.