Each quarter, IISZON will discuss one potential gap or challenge between what the regulations or vendors assume and what operational technology environments are in reality. This edition: the Cyber Resilience Bill versus the organisations it will govern.
The Bill, plainly stated
The UK Cyber Resilience Bill will improve, modernise and expand the scope of the NIS Regulations 2018. It moves from "appropriate and proportionate" — a phrase regulators have tolerated being interpreted loosely for the last eight years — to defined, auditable, enforceable minimum standards. Board directors will carry personal liability for governance failures. Incident reporting windows tighten to 24 hours. Supply chains are now your problem, contractually and evidentially. Penalties increase substantially beyond the current £17 million ceiling, aligning with GDPR levels.
The direction is clear: competent authorities are not going to wait for the legislation before updating their assessment expectations.
The Operational Gap
The Bill assumes six specific capabilities will be tested: board-level accountability and risk maturity; a shift to dynamic risk management and controls validation; enhanced supply chain management; mandatory technical capabilities and controls; rapid incident response and enhanced reporting; and, finally, regulatory future-proofing, which will allow requirements to be updated quickly to meet the evolving landscape.
Some of the challenges or gaps that operators and regulators will need to address are: process networks segmented and designed for safety and availability rather than for monitoring; legacy system vulnerabilities that sit within defined operational risk tolerances and so will not be patched; limited automated evidence of control effectiveness; and boards where risk management, security awareness and communication can be further improved.
The gap isn't always technical. It can be organisational. The regulation has been written with operational technology in mind, but there is still work to do in closing the gap between the regulation and reality.
In my opinion, none of these are new problems. The Bill simply removes the flexibility that allowed them to remain unresolved.
How do you respond?
The organisations that will meet the Bill's obligations without disruption are more than likely not the ones with the largest budgets. They will be the ones that already treat their threat, risk, control and compliance obligations as a priority. The Bill will reward integrated and automated governance, but penalise the mere appearance of it.
I am fortunate to work with forward-thinking boards with mature teams and capabilities. But this will remain a persistent challenge or struggle, depending on your outlook, one which we at IISZON continue to accept.
IISZON supports Operators of Essential Services across all the stages discussed in this article — advisory, assurance, recovery and innovation. If you'd like to understand where your Operational Gaps are before a regulator finds them, we're available to discuss it.