Cyber_Bytes Issue 69

Published on 21 November 2024

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

Data (Use and Access) Bill introduced to Parliament

On 23 October 2024, the House of Lords introduced the Data (Use and Access) Bill (DUA). The DUA is intended to replace the Data Protection and Digital Information Bill (DPDI), which was dropped during the parliamentary wash-up.

Some of the key points in the DUA include:

  • the introduction of open public databases and smart data, which is intended to free up Police and NHS resources;
  • the power for the Secretary of State to alter which types of data can be classed as special category data, and provisions on access to business and customer data; and
  • the introduction of a national register for underground services such as cables, water, pipes, and power.

The DUA does however remove some elements from the DPDI, including:

  • the requirement for the ICO to consider the government's objectives;
  • changes to the meaning of personal data;
  • the requirement for overseas companies to have a representative in the UK; and
  • the right to refuse to respond to data subject access requests which are disproportionate.

Whilst some have commented that the Bill is less ambitious than the DPDI, this is still a significant piece of legislation which will introduce notable changes to the UK GDPR.

Click here to read the government's press releases on the further changes, and click here to view the DUA in its entirety.

NCSC issues guidance for legal practitioners on cyber policies

The NCSC has released a list of preventative steps which solicitors, barristers and other legal professionals should adopt to reduce the risk of falling victim to a cyber-attack. These steps include:

  • Creating and testing backups of important data, so that client data remains accessible even in the event of a cyber-attack.
  • Keeping software updated and enabling automatic updates to ensure the latest security updates are in place.
  • Enabling encryption on all devices.
  • Protecting email accounts using strong passwords and using 2-step verification / multi-factor authentication.
  • Controlling access to devices by using passcodes or biometrics where applicable and locking your devices when not at your desk.
  • Turning on firewalls to prevent unwanted connections to devices.
  • Limiting the number of administrator accounts.
  • Enabling antivirus software.
  • Ensuring lost or stolen devices can be tracked, locked or wiped, so that unauthorised individuals cannot access the information on the device.
  • Auditing and reviewing privacy permissions connected with other apps and making sure that staff only have access to applications which are necessary for the purposes of their role.

For each recommendation, the NCSC has helpfully provided various links containing guidance on how to implement these measures on various systems.

Click here to read more from the NCSC.


Regulators' latest updates on Operational Resilience and Critical Third Parties

In August 2024, the Bank of England (BoE) published its Report on Operational Resilience on a Macroprudential Framework with a view to assisting financial entities and the wider financial system to prevent and respond better to operational disruptions.

This has now been complemented, on 12 November 2024, by Policy Statement PS16/24, titled "Operational Resilience: Critical Third Parties to the UK Financial Sector" (the Rules), which has been published by the BoE in collaboration with the FCA and the PRA (the Regulators).

The Rules stem from the Regulators' recognition of the increasing reliance by financial entities on services provided by third parties, and of the impact that disruptions to those services can have, including potential threats to financial stability and market integrity.

The Rules aim to harmonise various regulatory instruments into a new Critical Third-Party (CTP) regime. This sets out measures to ensure CTPs can prevent and deal with disruptions arising from Macro Vulnerabilities and Transmission Channels. The Rules also outline 6 'Fundamental Rules' which CTPs are required to observe whilst conducting business.

Click here to read our full article on the Rules and the UK's digital operational resilience landscape, and click here to access the Rules.


What does your cyber insurance cover? ICAEW provides insights

The ICAEW has emphasised that companies must be vigilant of exclusions and limitations within their cyber policies. RPC's Richard Breavington highlights that some policies require evidence of multi-factor authentication, effective patch management or other security measures, meaning that failure to follow these steps could prevent the policy from responding.

The ICAEW also refers to a report from Delinea which states that 47% of incidents linked to insurance claims are related to privilege and identity compromises, and that consequently 41% of insurers now require evidence of privileged access controls before writing a policy.

The ICAEW uses these points to highlight the importance of properly assessing cyber policies, so that the right steps are taken both to ensure claims will be covered and to ensure businesses can be issued the right cyber policy in the first place. The ICAEW also comments that companies should explore AI-supported threat detection and monitoring solutions, which can reduce the likelihood of incidents and minimise cyber-related loss.

Click here to read more from the ICAEW on this topic.


Cybersecurity myths putting accounting professionals at risk

The Financial Accountant states that whilst over 560,000 cyber threats are discovered daily, most of which target SMEs, many accounting professionals still believe certain cybersecurity myths which leave them vulnerable.

These myths include assuming that:

  • "Only the big four accounting firms get hacked" – In reality, 81% of cyber threats target small to medium sized businesses.
  • "Silence is the best policy" – Staying silent carries its own risk and can even be contrary to legal requirements if the breach meets applicable notification thresholds.
  • "You can choose who to report the incident to" – Reporting requirements differ by jurisdiction. Certain incidents may also require reporting in multiple jurisdictions, for example if the company is part of an EU supply chain. RPC's Richard Breavington comments that notifications to European regulators might be needed if European data subjects are affected.
  • "Backing up data eliminates risk" – In fact, many cyber criminals intentionally target back-up data, although properly protected backups remain a crucial part of a firm's cybersecurity posture.
  • "Cybersecurity is 'set and forget'" – Constant vigilance is required to mitigate cyber risks.

To read more on this topic, click here for the Financial Accountant's full article.


Australian draft law to encourage businesses to share private data with government

Following escalating cyber threats, the Australian government is introducing the Cyber Security Act which will require businesses to report any ransom payments to authorities. The Act also encourages businesses to share private details with relevant agencies.

The new 'limited use' obligations within the Act will restrict the onward sharing of information provided to the National Cyber Security Coordinator and the Australian Signals Directorate – although they will not give businesses a complete indemnity from future prosecution. Under a new power aimed at protecting the country's critical infrastructure, businesses will also be compelled to address serious cyber deficiencies within their risk management programmes.

The Australian government's cyber security minister, Tony Burke, has said the Cyber Security Act is long overdue and reflects the government's deep focus on cyber threats, as well as keeping pace with emerging threats and positioning businesses and individuals to respond to and bounce back from cyber-attacks effectively.

Click here to read more from ABC news.
