Cybersecurity | UK Regulatory Outlook March 2023
Published on 28th Mar 2023
EU agencies warn of malicious cyber activity | Digital and cyber security regulation moves from DCMS to DSIT | NCSC issues guidance on supply chain mapping
EU agencies warn of malicious cyber activity
On 15 February 2023, the European Union Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team for the EU institutions (CERT-EU) issued a joint publication to alert organisations to sustained activity by particular threat actors.
The publication warns of Advanced Persistent Threats (APTs) – groups which gain unauthorised access to a computer network and are able to remain undetected for an extended period of time. Hacker groups APT27, APT30 and APT31, amongst others, were named as those targeting "business and governments in the Union", with a focus on information theft.
ENISA and CERT-EU called for all public and private sector organisations within the EU to follow the listed cyber hygiene recommendations in order to improve their cyber resilience.
Digital and cyber security regulation moves from DCMS to DSIT
On 7 February 2023, the government announced the creation of four new departments, including a new Department for Science, Innovation and Technology (DSIT).
Responsibility for digital and cyber security regulation has now moved across from the Department for Culture, Media and Sport to DSIT.
DSIT will continue to deliver the priorities set out by the National Cyber Strategy 2022, which aims to make the UK the safest place to live and work online.
NCSC issues guidance on supply chain mapping
The National Cyber Security Centre (NCSC) has issued guidance for medium to large organisations that need to gain confidence or assurance that mitigation measures are in place for vulnerabilities associated with working with suppliers.
The guidance, which is recommended to be read in conjunction with NCSC guidance on supply chain cyber security, is aimed at the process of recording, storing and using information gathered from suppliers who are involved in a company's supply chain. The NCSC maintains that while it is not possible to completely eradicate supply chain attacks, an organisation's ability to respond rapidly to an attack will help limit the scope of damage to the organisation.
Government response to Pro-Innovation Regulation of Technologies Review
On 15 March 2023, Sir Patrick Vallance's Pro-Innovation Regulation of Technologies Review was published, which looks at how pro-innovation regulation can support emerging digital technologies.
The government's response accepts Sir Patrick's recommendation of amending the Computer Misuse Act 1990 to include a statutory public interest defence, which would provide stronger legal protections for cyber security researchers and professionals, thereby enabling innovation in the sector. The government reiterated its commitment to ensuring the UK has the right legislative framework, powers and law enforcement capability to tackle the threat from cyber crime.
The Home Office has a live consultation and a forthcoming programme of work that will consider the merits and potential risks of reform.
The Information Commissioner's Office also issued a statement in response, welcoming future discussions of the recommendations in the report with Digital Regulation Cooperation Forum partners and the government.
FATF report on Countering Ransomware Financing
On 14 March 2023, the Financial Action Task Force (FATF) issued a report analysing the methods that criminals use to carry out their ransomware attacks and how payments are made and laundered.
The report lists a number of potential risk indicators that can help public and private sector entities identify suspicious activities related to ransomware, including:
- customers utilising virtual private networks (VPNs);
- transactions involving anonymity-enhancing cryptocurrencies;
- use of encrypted networks; and
- sending of virtual assets to wallets linked to ransomware.