Legislation announced by the government to protect the cyber resilience of critical services offers “no guarantee of security”, according to a tech-focused lawyer.
The Cyber Security and Resilience Bill, if passed, would establish a regulatory burden for the IT providers of essential services, including the NHS and the energy grid.
The bill was proposed amid a rising threat of cyber attacks, with both public and private organisations now under constant threat of costly breaches.
However, the bill is “by no means a guarantee of security or certainty” according to Kristina Holt, managing associate at the law firm Foot Anstey.
“The introduction of this Bill is by no means a guarantee of security or certainty, particularly as far as enforcement and due diligence are concerned. To be effective, we need to see significant resource actually allocated for its enforcement – if this is substandard, the full potential of the Bill may be limited,” Holt said.
Holt said that it was “encouraging” that the government was looking to move beyond its historically “reactive approach” to cyber threats, but warned that the real challenge will be for businesses, which will come under greater regulatory scrutiny and potentially face penalties for breaches.
“[Businesses] must feel their way through the fog of new compliance demands and bear the weight of the greater responsibility and obligation placed on their shoulders,” Holt said.
“At every stage moving forwards, industry must be consulted – real improvement will only come from conversation with those tackling cyber threats on the ground.
“It should be no surprise that technological legislation throws up technicalities, so the government should do all it can to ensure these are navigable. Industry input is, after all, invaluable for shaping practical, enforceable regulations with both the public and businesses’ best interests at heart.”
