Better protection through reporting: the UK is changing the way it fights ransomware

Carding Forum

Companies can prevent attacks by reporting incidents to the authorities.

The UK government has submitted a draft of the new Cybersecurity and Resilience Act, aimed at updating current regulations in the field of cybersecurity. The decision was announced in the King's speech at the opening of Parliament and was a response to the increasing number of ransomware attacks on British companies.

The bill includes a mandatory requirement for companies to report cases of ransomware attacks. The measure is aimed at improving the government's awareness of cyber attacks and responding to them in a timely manner. Government officials say the new regulations will help close existing security gaps and prevent attacks on critical public services.

However, the proposed bill is not as ambitious as the initial plans of the Ministry of Internal Affairs. Previously, it was proposed to oblige all victims of ransomware attacks to report incidents and get permission from the authorities before paying a ransom. It was also planned to ban companies working in the field of critical infrastructure from paying ransoms in order to deprive hackers of incentives to attack such objects.

The current version of the law will apply only to "regulated entities" and not to the entire private sector. These entities may include managed service providers (MSPs) that provide IT infrastructure support for small companies. It is not yet clear whether the new rules will apply to other third-party services involved in the supply chains of critical infrastructure services.

Critical organizations in the UK have been repeatedly targeted by cyber attacks. For example, in June, an attack on Synnovis led to the cancellation of thousands of medical appointments and operations in London, including hundreds of cancer treatments.

The current cybersecurity laws, known as the Network and Information Systems Regulations (NIS), were adopted in 2018 based on the EU directive. They set security standards for critical infrastructure and digital service providers, and require mandatory reporting of cyber attacks.

However, the high threshold for mandatory notification of an incident keeps the actual number of such reports low. For example, a reportable NIS incident for an electricity distribution network must involve an unplanned loss of supply affecting fewer than 50,000 customers for more than 3 minutes. For a nationally significant DNS resolver, the incident must cause the service's bandwidth to drop by more than 25% for 15 minutes or longer.

The updated laws will review such thresholds and oblige companies to increase the number of reports of cyber attacks, which will give the government a better understanding of existing threats and allow it to respond to potential attacks in a timely manner. The bill will also empower industry regulators to review compliance with cybersecurity standards, including the ability to recover costs and conduct investigations of potential vulnerabilities.

The draft law is being developed by the Ministry of Science, Innovation and Technology. The exact terms of submission to the Parliament have not yet been announced.

Recall that in early June in London, a serious crisis broke out in the healthcare system after Synnovis, which provides laboratory services to hospitals, was subjected to a hacker attack using ransomware. Many operations had to be canceled, and several major London medical institutions were declared in a state of emergency.

According to Sophos, over the past year the median ransom payment reached a record $2.54 million, 41 times higher than the previous year ($62,500). The study involved 275 Research Institute organizations, of which 86 disclosed financial details of incidents. The average ransom payment in 2024 rose to $3.225 million, 6 times more than a year earlier.
