Mandatory Ransomware Reporting Hinted in King’s Speech

The Cyber Security and Resilience Bill was announced during the King’s Speech on Wednesday, pledging to give regulators more control over security best practices and to mandate incident reporting, with ransomware reporting a key proposal.

The Bill is set to strengthen the UK’s cyber defences following a bout of high profile state-sponsored attacks against critical national infrastructure, as well as threats against businesses of all sizes.  

It said that mandatory incident reporting would help the government and regulators collect data to better understand the threat landscape impacting organisations and help warn of potential attacks based on previous incidents. As part of this, the Bill would expand the reporting guidelines on the type and nature of attacks, including ransomware.

Alongside reporting, the Bill will aim to expand the remit of regulators to provide more control over protecting digital services and supply chains.

This could see more regulatory bodies granted the power to proactively investigate vulnerabilities in IT systems. They could also be provided with cost recovery mechanisms and greater resources for response.

Achi Lewis, Area VP EMEA for Absolute Security: “It is encouraging to see cyber security at the forefront of the King’s Speech, paving the way for new ransomware legislation that can bolster the UK’s cyber resilience. From critical national infrastructure to businesses to civilians, everyone can be targeted by cyber-attacks so it’s important for the UK to have robust defence measures that emphasise reactive, preventative, and recovery procedures.”

“Bringing forward the Cyber Security and Resilience Bill, with a proposed mandate for mandatory ransomware reporting, can greatly improve the cyber resilience of critical national infrastructure to ward off malicious threats. In order to carry this out effectively, security teams need visibility over their networks and device fleets, being alerted to suspicious activity and having the ability to freeze, or shut off, impacted devices and applications when a major breach occurs.”

The Government said that existing cyber laws have been largely inherited from the European Union but that there is an urgent need to keep pace.

Should the mandatory ransomware reporting be successful, alongside the enforcement of the Network and Information Security Directive (NIS2) on 17 October 2024, the UK would overtake its European counterparts in areas of cyber security.