Written statement on Cyber Security and Resilience - Nov 12
Minister for AI and Online Safety (Kanishka Narayan): In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack. Computer systems were hacked, private patient data was stolen, and IT systems were rendered useless. This resulted in disruption to services at five NHS Trusts and local care service providers across several London boroughs, causing delays to over 11,000 outpatient and elective procedure appointments and, tragically, contributed to the death of a patient. For Synnovis itself, the financial impact of the cyber attack is estimated at £32.7 million.

The internet is one of the greatest engines for creativity and innovation, transforming every part of our lives, from how we communicate to how we book an appointment with our doctors. It is embedded into every part of the critical systems we rely on daily, with huge benefits. However, as the attack on the NHS provider shows, the technology that underpins cyberspace – the invisible world where all our online activity happens – can be attacked and weaponised by those that mean to do us harm.

Vulnerability to cyber attacks is not limited to the NHS. Last year, over 600,000 UK businesses were subject to a cyber attack. Independent research commissioned by DSIT – published today – shows the average cost of a significant cyberattack for a UK business is over £190,000. When taken at the level of the economy, this suggests an estimated annual cost to businesses of £14.7 billion or 0.5% of the country's GDP. These statistics and recent high-profile attacks serve as a sobering reminder that cyber security is not a luxury, and all organisations should take steps to defend themselves.

The government is taking a wide range of actions to improve cyber resilience across the economy. This includes:

But where organisations provide essential services that the public and businesses rely on every day, we must go further to ensure appropriate and proportionate safeguarding measures are in place. As the CEO of the National Cyber Security Centre warned, ‘the challenge we face is growing at an order of magnitude’. Yet as the threat has grown more intense, frequent, and sophisticated, our defences have become comparatively weaker.

The UK's only cross-sector cyber legislation – protecting the essential and digital services the public and businesses rely on every day, like the NHS, transport system and energy network – is out of date and no longer sufficient to tackle the cyber threats faced by the UK. As the Prime Minister has said, ‘national security is the first responsibility of any government, that never changes. But as the world changes, the way we discharge that responsibility must change with it’.

In response to the growing cyber threat, it is crucial that we act now to enhance the UK's security and resilience – to protect our essential public services, deliver a step change in UK national security, and underpin economic growth. This is why today we will introduce the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, updating the Network and Information Systems Regulations 2018 through three pillars of reform.

Expanded scope: The regime does not cover every UK organisation. It is about those services which are so essential, that their disruption would affect our daily lives. The original regulations in 2018 brought into scope services like the NHS, transport system and energy network. Since then, cyber criminals are exploiting new routes – managed service providers, data centres, and critical parts of supply chains – to threaten our way of life.
Recent incidents impacting M&S and Heathrow Airport involved managed service providers, leading to considerable business disruption and interrupting check-in and boarding services, respectively. This reflects the interconnected economy we live in. By bringing into scope more of the core services relied on across the economy, UK businesses and public services will be more secure and resilient.

Effective regulators: 12 regulators are responsible for implementing these laws. This allows for a sector-specific approach, as different organisations are vulnerable to threats in different ways, such as through the technology they use. The Bill will drive a more consistent and effective regime, with expanded and more timely reporting of harmful cyber attacks, a stronger mechanism for government to set priority outcomes for regulators to work to, and a fuller toolkit for sharing information, recovering costs and enforcement.

Enabling resilience: The government does not currently have the powers to head off the threats faced by the UK as they change and evolve. That is why the Government will be given the tools to quickly strengthen our cyber security and resilience in response to the ever-changing threat landscape, such as bringing more sectors into scope or updating security requirements, and respond to imminent threats to our national security and way of life.

The measures set out today respond to the threat we face – protecting the public at home, putting national security first, and making the UK a safe and confident place to do business.
