Prevention is inevitably better than a cure, writes James McGachie

As 2024 draws to a close, the National Cyber Security Centre (NCSC), has published its Annual Review. In it, the NCSC highlights the growing frequency and severity of cyber attacks and the increasing geopolitical and criminal threat, with CEO Richard Horne indicating that the cyber risks facing the UK are “widely underestimated”.

The statistics underpin the threat. The NCSC’s Incident Team, which responds to serious cyber incidents having an impact on UK organisations, provided support in 430 incidents – an increase from 371 in 2023. Of these, 89 incidents were categorised as nationally significant, with 12 deemed to be at the top end of the scale.

Ransomware continues to be the most pervasive cyber threat to UK organisations, with the top targets including manufacturing, construction, IT, academic institutions and charities – demonstrating the sector-agnostic nature of the threat.

James McGachie is a Partner in DLA Piper’s Litigation & Regulatory practice in Scotland

A key takeaway is the importance of operational assurance and resilience – with the National Crime Agency stating that organisations must “step up their cyber resilience to protect the UK’s economic wellbeing and critical national infrastructure”.

Investing time and resources in cybersecurity inevitably pays dividends, both in minimising the risk of a successful attack and in mitigating the consequences when an incident does occur. Regular rehearsal and dissemination of incident response policies and procedures, including tabletop “fire drills”, and the robust security of any relevant supply chains, are critical.

Considering the key decisions long in advance of an incident – including the ethical, legal and moral issues of ransom payment – ensures the best possible response, and provides a thorough rationale, documented prior to the “white heat” of any incident, that can be exhibited to justify particular decisions. Being able to demonstrate preparedness is an increasing necessity and will likely be queried by regulators, customers, counterparties and other interested parties in the event of any incident.

Such an audit trail is increasingly becoming a need-to-have, given anticipated statutory developments. In 2025, the UK’s Cybersecurity and Resilience Bill is expected to recognise the need to upgrade the UK's response to growing cyber threats, increasing the number of organisations falling within its scope, enhancing reporting obligations and strengthening regulatory oversight.

Although the Bill has not yet been introduced, initial indications released by Government provide signals as to what this means for businesses, and particularly how the UK will seek to transpose the EU’s second Network and Information Systems Directive (NIS2) to supplement its implementation of the NIS Directive (NIS1) in 2018.

NIS2 introduces enhanced (and earlier) reporting for significant incidents, increased enforcement and new personal liability for management. A key development is the significantly enhanced breadth of entities within scope, and a more proactive regulatory regime, granting regulators the authority to conduct ad hoc audits and inspections (albeit only for those entities classified as “essential”) to ensure compliance with cybersecurity measures, and imposing cybersecurity standards.

In conclusion: prevention is inevitably better than a cure, and with the current climate requiring cyber resilience as a key boardroom priority, preparation is key to ensure cybersecurity risk management measures align to the minimum standards in NIS2 and beyond.