Cyber security | UK Regulatory Outlook June 2023
Published on 28th Jun 2023
NCSC expands scope of Cyber Incident Response scheme | Victims named as MOVEit incident negotiation deadline passes | International advisory warns of LockBit ransomware threat
NCSC expands scope of Cyber Incident Response scheme
Following the launch of the Cyber Advisor scheme in April 2023, the National Cyber Security Centre (NCSC) announced a new NCSC-assured Cyber Incident Response (CIR) Level 2 scheme that will extend support to victims of common cyberattacks.
In comparison with CIR Level 1, which assures companies providing incident response services to central government and critical national infrastructure organisations, Level 2 will help a wider range of clients including private sector organisations, charities, local authorities and organisations that operate predominantly in the UK.
Victims named as MOVEit incident negotiation deadline passes
Cl0p, the Russia-linked ransomware group, has begun naming businesses that were hacked in the MOVEit incident following the passing of the 14 June negotiation deadline.
Although no sensitive data has currently been leaked, Cl0p claims that stolen data will be posted from 21 June if its demands are not met.
On 19 June 2023, the Financial Conduct Authority (FCA) issued a statement urging firms to check if they or any companies in their supply chain have used MOVEit, and to report any operational impacts to the FCA.
The NCSC continues to provide regular updates on this incident.
International advisory warns of LockBit ransomware threat
On 14 June 2023, the UK and international partners issued a joint advisory warning about the ongoing threat posed by the LockBit ransomware group, which continues to launch cyberattacks on organisations globally.
The joint advisory encourages businesses of all sizes, across a wide range of critical infrastructure sectors, to implement recommendations which aim to reduce the likelihood and impact of any future ransomware incidents.
ENISA publishes new reports on AI and cybersecurity
Following its AI Security Conference on 7 June 2023, the European Union Agency for Cybersecurity (ENISA) published a press release discussing the EU approach to secure and trusted artificial intelligence (AI).
ENISA also published four new AI reports:
- setting good cybersecurity practices for AI: a framework to guide national cybersecurity authorities and the AI community to secure AI systems, operations and processes;
- cybersecurity and privacy in AI: reports outlining the cybersecurity and privacy threats and vulnerabilities of electricity grids and medical imaging diagnosis; and
- AI and cybersecurity research: a report identifying five key needs for further research on AI for cybersecurity.
Ofcom updates guidance for NIS regulations
On 31 May 2023, Ofcom published updated guidance for the Network and Information Systems Regulations 2018, which sets out the regulator's views on the ways operators of essential services in the digital infrastructure subsector can meet their obligations under the regulations.
The guidance sets out when operators of essential services should report incidents to Ofcom, which will enable the regulator to better identify significant cybersecurity and resilience gaps and spot trends in cases of disruption.
NCSC publishes new cloud security guidance and cybersecurity training packages
The NCSC published new guidance on how to use a cloud service securely, with the aim of helping organisations meet their security responsibilities by ensuring chosen services are configured correctly.
It has also published two free e-learning packages to help organisations manage cybersecurity risks across their supply chains. The MOVEit incident is a reminder of the importance of assessing the resilience of an organisation's entire supply chain, including relevant sub-contractors.