Quietly, new cyber security precedents are being set for all firms that work with the public sector, as the Government gets its suppliers to help protect the UK from cyber threats. For example, companies from all sectors will increasingly be subject to the kind of requirements set out in the newly published Civil Nuclear Cyber Security Strategy. This strategy has three key themes…
First, the Government sees it as a supplier’s job to keep on top of new technologies and the changing threats they introduce. Even in the nuclear energy sector (which, together with financial services, already has highly developed cyber security measures in place) the Government now expects to see a “transformation” in approach to cyber security, not just steady improvement. Where the Government feels companies are not up to scratch, regulations will be “reviewed and strengthened” and paid for by “additional industry resources”.
Second, the Government wants evidence that suppliers are taking action. Examples given include appointing board-level representation of cyber security experts (in addition to a qualified CISO) and providing a “list all of critical digital assets and vulnerabilities across the organisation and supply chain [emphasis added]”.
And third, while the strategy focuses on Government demands of suppliers, there are also hints at the commercial opportunities being created. Companies that excel in demonstrating their cyber security prowess will enhance their bids for public sector contracts (which are also likely to be helped by using the Government’s apprenticeship scheme to expand cyber skills training) and could even develop a “cyber specialist consultancy capability” that is sold to other private companies.
For understandable reasons, the Government is prioritising critical infrastructure sectors in its new cyber security criteria, but they won’t be confined there for long.