Cyber_Bytes - Issue 73
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
New App: RPCCyber_
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.
ICO's first fine against data processor
At the end of last month, the ICO issued its first fine against a data processor in respect of a security breach. The fine of £3m was imposed on Advanced Computer Software Group (ACS), which is a SaaS provider to healthcare organisations including the NHS. The fine, which was originally £6m, was reduced following representations made by ACS to the ICO. Grounds on which the fine was reduced include ACS' engagement with the National Cyber Security Centre, the National Crime Agency and the NHS in the aftermath of the incident. ACS estimated its costs of handling the incident at £21m.
The fine concerns a ransomware incident from August 2022 in which the special category health data of ACS' customers was stolen and systems were encrypted. The data included details of how to gain entry into the homes of 890 people who were receiving care at home. Hackers accessed ACS' systems via a customer account that did not have multi-factor authentication (MFA) in place. The key failures identified by the ICO, and which led to the fine, were:
- A failure to adopt MFA across all user-facing systems;
- Lack of comprehensive vulnerability scanning; and
- Inadequate patch management.
The enforcement decision is important because it provides practical insight into the security standards expected when processing personal data, albeit in the context of particularly sensitive special category data. It also shows a willingness of the ICO to pursue data processors, not just controllers, when breaches happen.
Click here to read more from the ICO. The ICO's analysis of ACS' technical failures is outlined at paragraphs 50-57 of the Monetary Penalty Notice.
Cyber Security and Resilience Bill: policy statement published
On 1 April 2025, a policy statement was published by the government, providing further detail on what the much-anticipated Cyber Security and Resilience Bill will look like when it comes into force later this year. As expected, the Bill is in part effectively an expansion of the existing Network and Information Systems (NIS) Regulations. Three measures under the Bill have been identified.
Bringing more entities into the scope of the regulatory framework
The Bill will bring Managed Service Providers (MSPs) into scope. These will be defined in the Bill and are expected to include providers offering IT services to businesses and public sector organisations with access to client data.
The Bill will contain measures aimed at strengthening supply chain security and will enable regulators to designate "critical suppliers". The Bill will allow the government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP).
Empowering regulators and enhancing oversight
- The Bill will establish the Cyber Assessment Framework (CAF) on a stronger footing, so that firms follow best practice, and it is easier for them to do so. The Bill will provide the Secretary of State with powers to make regulations to update the existing requirements.
- The Bill will improve cyber incident reporting through expanding the incident reporting criteria, updating incident reporting times, streamlining reporting and enhancing transparency requirements.
- The Bill will improve the ICO's information gathering powers, for example through expanding duties of firms that provide digital services to share information with the ICO on registration.
- The Bill will allow regulators to set up new fee regimes and to proactively raise funds.
Ensuring the regulatory framework can keep pace with the changing cyber landscape
The statement reflects a desire to align the UK's cyber security position with the EU's NIS2 (Directive (EU) 2022/2555), though not all measures in NIS2 are apparent in the Bill, such as management liability. The increase in in-scope firms that are due to have the same duties as digital service providers will increase costs related to security improvements and compliance. The two-stage reporting system, under which regulated entities will need to notify their regulator no later than 24 hours after becoming aware of an incident, will require them to be highly reactive.
Click here to read the cyber security and resilience policy statement.
UK data reform bill will be ready this spring, minister says
The Data (Use and Access) (DUA) Bill is expected to be ready this spring, according to Data Minister Chris Bryant, who spoke at a conference on 12 March 2025. While Bryant acknowledged that the DUA Bill is "probably two or three years out of date, and we should have done it earlier," he expressed optimism that it will meet the requirements for EU data adequacy. The DUA Bill was first introduced to Parliament in October 2024. It is a legislative effort by the UK government to modernise the UK's data regime and ensure compliance with the EU's data adequacy requirements. It introduces a new Smart Data scheme (that allows for the sharing and access of customer and business data), new digital verification services, and changes to the structure of the ICO.
Ensuring EU data adequacy is key for the DUA Bill. An EU adequacy decision, dating back to 2021, found that the UK's data protection provisions were of an "essentially equivalent" standard to that of the EU; however, this decision needs to be reviewed before it expires in June 2025.
If, upon review, the EU Commission decides that the UK's adequacy status is lost, a report published last year estimated that this could cost businesses "between $190m and $460m in one-off Standard Contractual Clause costs", together with an annual cost of between $210m and $420m in lost export revenue.
Click here for details on the DUA Bill from Cyber_Bytes Issue 72 and click here to see the latest version of the DUA Bill.
UK under-prepared for catastrophic cyber attack
The Public Accounts Committee (PAC) of the House of Commons has heard that the government is under-prepared for a catastrophic cyber-attack. Its 'Government cyber resilience report' warned that the cyber threat to the UK government is "severe and advancing quickly". In particular, it found that 58 critical IT systems which were assessed in 2024 had gaps in cyber resilience and that the government is unaware of how vulnerable 228 "legacy" IT systems are to a cyber attack. The question is no longer whether the government will face a damaging cyber attack, but how severe the impacts will be. According to the report, the main hurdle to making the UK government resilient to a cyber attack is a skills gap. A third of cyber security roles in the government were vacant or filled by temporary staff in 2023-24 and 70% of specialist security architects were on temporary contracts. However, programmes such as the Cyber Security Fast Stream are starting to make a difference, such that the overall number of digital technology professionals in the civil service has grown and stands at nearly 6%.
Click here to read more from Computer Weekly.
Europol warns against use of AI in cyber attacks
Europol, the EU's police agency, has warned in a report titled 'The changing DNA of serious and organised crime' that criminal organisations are increasingly using artificial intelligence (AI) and other technologies to stage attacks on behalf of hostile powers. "Cyber crime is evolving into a digital arms race," said Europol executive director Catherine De Bolle. One use of AI has been to accelerate online fraud and help criminals to access personal data, for example through automated phishing attacks. AI has also been used to create sophisticated malware and to generate targeted messages to deceive victims, impersonate victims or blackmail targets.
The report also highlighted how AI is helping criminal efficiency, for example attack automation, social engineering and bypassing security measures, which in turn is making cyber-attacks more scalable and efficient.
Click here to read more from the Financial Times and here to read the report.
Hambro Perks, now Salica Investments, to pay £2mn for stealing confidential information
On 3 March 2025, the Commercial Court handed down judgment in a claim concerning breach of confidence and misuse of confidential information. Mr Anthony Gifford (the Claimant) brought a claim against the First Defendant, Salica Investments Ltd (formerly Hambro Perks), and the Fourth Defendant, Mr Dominic Perks. The claim arose out of two meetings in early 2016 in which Mr Gifford sought to obtain investment funding from Salica, the Defendant, for his product, 'True View Care' (TVC), a care technology platform for elderly people receiving care.
Mr Gifford argued that Salica and Mr Perks misused this confidential information to develop their own business and cloud-based software (known as Vida) for the care industry.
The Court of Appeal applied the test for breach of confidence set out in Coco v AN Clark (Engineers) Ltd [1968] FSR 415, namely:
(i) Did the information imparted by Mr Gifford at the first and second meetings have the necessary quality of confidence?
(ii) Was the information said to have been confidential imparted in circumstances importing an obligation of confidence?
(iii) Was the information used or put to a use which is unauthorised to the detriment of the person communicating it?
The Court of Appeal found that the Defendant misused Mr Gifford's confidential information relating to his TVC care software system in developing their competing Vida software and damages were awarded to him.
Click here to read the judgment.