Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

3.6 Threat-Led Penetration Testing

See 3.3 Key Operational Resilience Requirements for the upcoming Operational Resilience Requirements, which will include testing requirements.

In addition, the CBEST programme is a cyber-assessment tool to assist UK firms with assessing the cyber-resilience of key financial institutions through security testing performed in “live” corporate environments. On 13 December 2024, the FCA (together with the Bank of England and the PRA) published their annual CBEST thematic report (the “CBEST Report”). The CBEST Report contains cyber-resilience good practice recommendations and insight, including from the NCSC, to help firms maintain their operational resilience. The good practice recommendations are the result of a programme that assesses the cyber-resilience of systemic financial institutions through live testing. The report highlights the importance of building a strong foundation of cyber hygiene to prevent common cyber-incidents, including training and awareness and robust authentication.

The key areas of focus based on the 2024 CBEST Report are:

• cybersecurity risks to assets and individuals;
• cyber-risk management and impact-based approaches to the protection of key resources (people, process, technology and data);
• detection and response capabilities leveraging the latest threat intelligence; and
• cyber-incident response to eradicate threats and mitigate impacts.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

As outlined in 1.2 Cybersecurity Laws, there are a number of laws that supplement the UK’s cyber-resilience strategy alongside the NIS Regulations. Please refer to 4.2 Key Obligations Under Legislation for more information.

4.2 Key Obligations Under Legislation

PSTI Act

Under this new act, manufacturers (the person responsible for manufacturing a product, designing a product or otherwise marketing the product under their own name or trade mark) of “UK consumer connectable products” are required to comply with new obligations to manage cybersecurity risk for connected products made available in the UK. Similar obligations also apply to importers and distributors. These include:

• a duty to comply with security requirements as defined by the Secretary of State;
• a duty to investigate and take action in relation to compliance failures – this may include preventing the product from being made available in the UK and/or remedying the compliance failure and notifying enforcement authorities, other manufacturers, importers and distributors; and
• a duty to maintain records of investigations and compliance failures for a minimum of ten years – these records may be requested by the Secretary of State in the course of investigating and enforcing the legislation.

The PSTI Act provides for the power of the Secretary of State to deem compliance with security requirements. This is further elaborated in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the
