Cyber security | UK Regulatory Outlook October 2023

Cyber Security Awareness Month

Cyber Security Awareness Month is celebrated every October – various institutions across the UK, EU and the US have announced activities to promote it. This year's campaign will focus on social engineering and hackers' attempts to breach sensitive data.

To keep you up to date on the latest in cyber matters, Osborne Clarke will be hosting an afternoon event on 9 November 2023, where our cyber partners will be sharing practical insights on what businesses can do to better manage cyber risk. Find out more and register your interest for the event.

Government inquiry on cyber resilience of critical national infrastructure

On 24 October 2023, the Science, Innovation and Technology Committee launched an inquiry into the cyber resilience of the UK's critical national infrastructure.

Among other things, the Committee is seeking views on the types and sources of cyber threats to critical national infrastructure in areas such as communications and energy, which are deemed to be most critical to the country's digital economy.

The National Cyber Security Centre (NCSC) previously warned of the threat to critical national infrastructure from state-aligned groups following Russia's invasion of Ukraine.

See the call for evidence.

Code of practice for app store operators and app developers

On 13 October 2023, the Department for Science, Innovation and Technology (DIST) published an updated code of practice, setting out minimum security and privacy requirements for app store operators and app developers, and extending the implementation period to June 2024.

The voluntary code, which was first published in December 2022 as part of the government's National Cyber Strategy, sets out practical steps that app store operators and app developers should follow to protect users from malicious and poorly developed applications. 

The code will be reviewed and updated, where necessary, at least every two years in light of new technological developments or changes to regulations and the threat landscape. DIST also stated that the extended implementation period will be used to engage with developers and operators in order to support future policy. 

NCSC releases new supply chain guidance

On 12 October 2023, the NCSC released a new collection of resources dedicated to supply chain security for organisations.

The page serves as a one-stop-shop for links to resources, guidance and knowledge for understanding the impact of supply chain cyber security risks.

NSA and CISA advisory on top 10 cybersecurity misconfigurations

On 5 October 2023, the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory, sharing the most common cybersecurity misconfigurations in large organisations, and detailing the tactics, techniques and procedures that threat actors use to exploit these misconfigurations.

Some of the most common network misconfigurations include:

• default configurations of software and applications;
• improper separation of user/administrator privilege;
• insufficient internal network monitoring; and
• lack of network segmentation.

The NSA and CISA stated that these misconfigurations illustrated a trend of systemic weaknesses, which are present even in large organisations with mature cyber postures, and encouraged IT teams to implement recommendations within the Mitigations section of the advisory to reduce the risk of malicious actors exploiting the known misconfigurations. Software manufacturers were also encouraged to "embrace" secure-by-design principles to reduce the burden on IT teams.

Draft regulation for EU common criteria-based cybersecurity certification scheme

See Products section.