As cyber security threats continue to evolve rapidly and damaging attacks on both public and private entities hit the headlines with alarming regularity, steps are being taken to strengthen the UK’s cyber defences, with important potential implications for local government.
Earlier this year, central government published a policy paper setting out the ambitions and strategy for the new Cyber Security and Resilience Bill, which is expected to be introduced into Parliament later this year. Given local authorities’ position as custodians of a raft of sensitive and confidential private data, and the threat of disruption to the provision of essential public services, understanding what this Bill is likely to entail is crucial. This is especially the case for those authorities with full or partial responsibility for managing critical national infrastructure (CNI) including transport, energy and communications.
Though the final details are still to be hammered out, the intention behind the new Bill is clear: to impose tougher, more extensive obligations around cyber resilience, with a particular emphasis on protecting critical infrastructure and essential digital services. Meeting these obligations will take careful planning and it’s never too soon to start getting ready for the Bill’s implementation. Here, we look at what is currently being proposed, how this could affect local authorities, and what steps local authorities can take to prepare.
Understanding the key proposals
At its heart, the Cyber Security and Resilience Bill, which will update the UK’s cybersecurity legislation, seeks to modernise the UK’s core cybersecurity framework to help both public and private organisations face down the growing range of online threats. The new Bill is expected to:
- Set new standards and enhance regulatory powers - The Bill seeks to establish a higher standard for compliance and enforcement. Regulators could be handed greater powers of oversight, including the ability to proactively gather information to identify and investigate possible weaknesses in local authorities’ systems or security protocols.
- Expand the regulatory scope - Existing cyber regulations will be broadened out to cover more digital service providers. This means that those who supply local authorities with data centres or managed digital services (and so have access to local authorities’ critical IT infrastructure and data) may be subject to more stringent security standards to ensure that essential public services are well-protected against cyber threats.
- Increase scrutiny of the supply chain – Regulators could also be given new powers to designate a supplier as a “Designated Critical Supplier” (if the supplier’s goods or services being affected could cause significant disruption to an essential or digital service) in order to increase oversight over key parts of the public sector supply chain to prevent any disruption to service delivery. Local authorities would be well advised to impose specific cyber security obligations in their contractual requirements, and to carry out in-depth due diligence including (a) conducting security checks and (b) assessing the supplier’s business continuity and contingency plans.
- Improve incident reporting – Local authorities may be required to report a broader range of incidents and to follow a twin-track reporting structure which would require local authorities to report incidents to the National Cyber Security Centre (NCSC) in addition to any other relevant regulator (e.g. the Information Commissioner’s Office (ICO)). These reports would need to be made no later than 24 hours after becoming aware of the incident, followed by an incident report within 72 hours.
- Enforcement and penalties - The new Bill may also give regulators more teeth in terms of the high financial penalties that they can impose for non-compliance. Final details of the penalty regime are yet to be published, however such sanctions are unlikely to be levelled at local government, given the impact this could have on delivery of public services. This is consistent with the ICO’s ‘public sector approach’, which allows the ICO to use its discretion to reduce the impact of fines on public bodies.[1] However, the imposition of fines demonstrates the seriousness with which enforcement of the new rules will be carried out. We have already seen the ICO step up its enforcement activity in relation to cyber security incidents the past 12 months, and this suggests that trend is set to continue.
The Bill is expected to be welcomed by many in an effort to safeguard the UK’s critical national infrastructure and essential public services. According to a 2024 report by the ICO[2], 3,000 cyber incidents were reported in 2023, with public sector bodies such as councils, schools and NHS Trusts among those affected in the past year[3]. Indeed, the policy paper itself referenced high-profile cyber-attacks on local government as a driver of the new measures contained in the Bill. Once the Bill is enacted, there are likely to be more formal obligations for organisations to adhere to, especially around incident reporting and risk management, and less scope for organisations to exercise their own discretion.
How to prepare
These new measures are significant, but for local authorities which already have mature cybersecurity policies and processes in place, the changes should be progressive rather than revolutionary. Early planning should enable local authorities to navigate the journey in a measured and manageable way.
Since many local authorities are already facing budgetary pressures, some may find that they have limited scope for substantial investment into new cyber defence technologies. Keeping software and systems up-to-date and focussing spend on the highest risk areas such as CNI are likely to be the priorities for IT investment. However, there are other, lower-cost ways to bolster cyber defence strategy too, for example:
- Embrace the Cyber Governance Code of Practice – Released earlier this year, this Code marks a pivotal shift in how organisations are expected to govern cyber risk and build resilience, and has been tailor made for boards and directors in both the public and private sectors. Although it is not currently being enforced, proactively implementing these guidelines now will help you meet future regulations with minimal disruption, while improving overall cyber resilience. Unlike some more technical frameworks, this code relates directly to governance, accountability and strategic oversight and should be taken as a call-to-action for senior leaders as they start preparing for the Bill.
- Review and strengthen cyber security provisions and procedures – Undertaking a technical assessment of the Code’s requirements against your own internal procedures and current cyber security provisions is a good way to identify where gaps lie or where improvements could be made. Conducting regular cyber security audits and implementing robust reporting mechanisms will help to ensure that breaches can either be prevented or dealt with as swiftly as they arise.
- Build cyber security awareness – As several recent cyber incidents have shown, attackers are not only trying to penetrate vulnerable systems with malware and viruses, they are also using sophisticated social engineering scams to deceive staff into giving access to secure systems. Therefore, it is not just the technology, process systems and controls that are increasingly under the microscope, but attention should also be focused on the people within an organisation. Carrying out regular training to educate staff about the latest tactics used by cyber attackers is vital, as threats evolve rapidly and people are typically the first line of defence against them. We can also expect regulators to focus in their investigations on whether senior leaders are doing enough to prioritise cyber compliance.
- Test your resilience – Whilst the theory is important, understanding how well prepared you really are to repel a cyber-attack in practice is crucial. Carrying out ‘war games’ where your defences and responses are put to the test under different scenarios can be a valuable tool to help identify where vulnerabilities exist and to build confidence among staff that they know what to do under pressure.
- Safeguard each link in your supply chain – Cyber incidents affecting local government often begin in the supply chain, when attackers exploit weaknesses within a supplier’s systems which can expose local authorities to security breaches as a result. Now more than ever, it is vital to carry out thorough and regular checks on suppliers’ cyber security systems and controls, and ensure that there are robust protocols in place around data sharing or shared systems. Robust cyber resilience is also one way for suppliers to demonstrate how they will create ‘social value’ when tendering for public contracts. This of course is another incentive to ensure regulatory compliance.
- Leverage the support available – Useful resources exist to help local authorities to improve their cyber resilience and provide support in case of attack, including from the ICO, NCSC and Local Government Association.
Local government is expected to be at the vanguard of cyber resilience, as outlined in the government’s Cyber Security Strategy 2022 to 2030[4], which aims for all public sector organisations to be resistant to cyber threats by the end of the decade. The new Cyber Security and Resilience Bill aligns with this strategy. By encouraging local authorities to enhance their systems, processes, controls and oversight, these new regulations should help empower local authorities to achieve this goal, even as the number and sophistication of cyber threats increases.
Gareth Oldale is a Partner and Head of Data Privacy and Cybersecurity and Georgía Philippou is an Associate at UK law firm TLT.
[1] ICO consultation on the revised approach to public sector regulation | ICO
[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/05/organisations-must-do-more-to-combat-the-growing-threat-of-cyber-attacks/
[3] https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/top-attacks-uk-public-sector-2024.html
[4] Government Cyber Security Strategy: 2022 to 2030 - GOV.UK