The new Cyber Security and Resilience (CSR) Bill, which is currently going through Parliament, is designed to improve cyber security across a raft of industries that support critical national infrastructure. For example, the new Bill will bring into scope organisations that supply and support essential services such as the NHS, drinking water providers, energy, transport and even data centres.
In common with NIS2, which applies to EU organisations and to those that transact with the EU, the CSR Bill has a broad remit, which means that the regulations will apply to many more organisations than previous legislation did. As a result, companies – and with them their supply chains – that provide essential services to the public will become subject to far more stringent cyber security risk management requirements.
Medium and large businesses delivering services such as IT management, IT help desk support and cyber security to private and public sector organisations – such as the NHS – will be regulated for the first time under the CSR Bill. Many hold trusted access across government, critical national infrastructure and business networks, so they need to meet security requirements, including having robust incident management plans in place to deal with the consequences of a serious cyber-attack.
The government press release announcing the new CSR Bill says that regulators will be given new powers to designate critical suppliers to the UK’s essential services. It also says that enforcement will include tougher turnover-based penalties for breaches.
This follows on from the Cyber Governance Code of Practice, published earlier this year by the NCSC, which is built around five key principles, namely: Risk Management; Strategy; People; Incident Planning, Response and Recovery; and Assurance and Oversight.
In each section there is an emphasis on the importance of having appropriate action plans, allocation of resources and communication plans in place in advance of a cyber-attack happening. An Out-of-Band secure communications channel plays a critical role at every stage. Here is a summary of the action points that are supported by the adoption of an Out-of-Band secure communications platform.
Risk Management
Action: Define and clearly communicate the organisation’s cyber security risk appetite and gain assurance that the organisation has an action plan to meet these risk expectations.
The secure communications platform should be set up in advance, with pre-defined users and call groups, so that when an incident occurs it can be handled in private without relying on other channels that may already be monitored by the attackers.
Strategy
Action: Gain assurance that resources are allocated effectively to manage the agreed cyber risks.
A pre-defined communications plan, with groups set up in advance, ensures that the incident response team (CSIRT) and executive management can simply get on with responding to the incident and getting the organisation back on track as soon as possible. This includes communication with supply chain partners, customers and other key stakeholders to keep them abreast of the situation. Timely communication helps to avoid knee-jerk reactions from the media and, in the long term, protects brand reputation.
People
Action: Promote a cyber security culture that encourages positive behaviours and accountability across all levels.
Adopting a secure communications platform for sensitive or confidential conversations not only gives employees the appropriate tools to do their job, so that they do not need to fall back on less secure channels, but also helps to foster a more security-conscious culture within the organisation.
Incident planning, response and recovery
Action: In the event of an incident, take responsibility for individual regulatory obligations, such as reporting, and support the organisation in critical decision making and external communications.
When dealing with a serious cyber incident, reputations can be won or lost. It is critical at such times that communications with external stakeholders cannot be intercepted by nefarious parties or, for example, the media. The use of secure communications enables the organisation to keep control of the narrative, so that all stakeholders receive the correct information at the appropriate time.
Assurance and oversight
Action: Establish regular two-way dialogue with relevant senior executives, including but not limited to the chief information security officer (or equivalent).
Action: Gain assurance that cyber security considerations are integrated and consistent with existing internal and external audit and assurance mechanisms.
By preparing communications strategies before an incident occurs – setting up in advance all the key stakeholders who may need to communicate together – organisations can ensure a speedy response and have documented communication protocols that are embedded in the Business Continuity Management plan.
For more information about what your organisation should be looking for to support your Cyber Security and Resilience (CSR) with an Out-of-Band secure communications platform, download our latest white paper: https://armourcomms-25743375.hs-sites-eu1.com/out-of-band-incident-management-response-white-paper