UK Trends and Developments Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
In the meantime, the UK has a voluntary approach to supply chain cybersecurity regulation. The Software Vendors COP and the AI COP both include principles and guidance on how to assess and manage supply chain cyber-risks throughout the product life cycle, engage trusted actors involved in the product build and life cycle, and notify vulnerabilities to other parties.

The financial services sector has also made progress in promoting the use of Cyber Essentials, the NCSC-backed scheme that helps organisations improve their cybersecurity and protect themselves from cyber-attacks. Six major UK banks have committed to making Cyber Essentials a requirement for their suppliers and encouraged other businesses to join them. The benefits of this approach include improved supplier due diligence, reduced compliance costs, and improved cyber-insurance coverage across the supply chain.

Additionally, the UK’s financial regulators – the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – issued a joint policy statement (PS 16/24) on the final Critical Third Party Oversight Regime (the “Regime”), which came into effect on 1 January 2025. The Regime aims to manage the risks to the UK financial system’s stability and confidence that could arise from failures or disruptions in the services that a critical third party provides to firms. The Regime consists of several policy statements and rules that apply to third parties that are designated as critical by His Majesty’s Treasury. This is similar to the EU’s Digital Operational Resilience Act (DORA), which also applies to financial institutions and insurance intermediaries, and which came into effect on 17 January 2025. Under DORA, certain third-party information and communications technology service providers are subject to similar cybersecurity obligations.

Cybersecurity enforcement trends

As it currently stands, the majority of enforcement action concerning cybersecurity in the UK is conducted by the ICO in relation to security incidents under the General Data Protection Regulation (GDPR). The ICO’s report “Data Security Incident Trends” shows that, out of the 60,607 incidents reported to the ICO from the start of 2019 through to the third quarter of 2024, 14,993 (approximately 25%) were cyber-related. There has been a steady number of cyber-incidents reported to the ICO each year, with a slight spike in notifications in 2023 (3,318 in total). As with the findings from the NCSC, the ICO figures show that the most common cyber-incident notifications relate to phishing attacks (approximately 39%), followed by ransomware attacks (approximately 26%) and unauthorised access incidents (approximately 12%).

Despite all the evidence pointing towards a more challenging cybersecurity landscape, as well as the strong signals from the NCSC that cyber-resilience and cyber enforcement are top priorities, the nature of ICO enforcement action appears to have softened. There has been a sharp decline in the number of “investigations” the ICO has launched in response to a notification of a cyber-incident – from 1,497 in 2019 to just 39 in the first three quarters of 2024. However, during the same time period, there has been a steady increase in the “informal action taken” by the ICO. This means that the ICO is increasingly deeming it unnecessary to use its formal powers, such as issuing a fine or a reprimand, and instead provides advice to the notifying organisation.
341 CHAMBERS.COM