Rebecca Steer writes for Infosecurity Magazine on the UK's new Cyber Security Bill
Recent weeks have seen cybersecurity thrown into sharp focus. Continuous cyber-attacks at key times of the year for businesses providing online services disrupt their own business as well as the wider economy.
For tech companies, which are often both targets and service providers to these affected sectors, this evolving threat carries not just operational risk but also growing legal responsibility.
The new Cyber Security and Resilience (CS&R) Bill aims to address this challenge. Announced in the King’s Speech in July 2024 and set for introduction in Parliament later in 2025, it represents a significant strengthening of the UK’s cybersecurity framework.
The Bill’s purpose is to close critical gaps in national cyber defenses, impose new obligations on a broader array of digital infrastructure to protect the wider UK economy, and establish the UK as a global leader in cyber regulation.
Rebecca Steer, Partner in our Commercial team, writes on the Bill for Infosecurity Magazine. She explains that while "we are still awaiting the introduction of the Bill to Parliament, for some in the technology sector, this is more than just another compliance hurdle. It is a legislative reset that directly affects how tech businesses operate their services."
Rebecca then provides a number of key takeaways for tech companies, explaining that "careful preparation and monitoring will be key":
- Understand your responsibility: Understand which parts of your organization – and which of your vendors – might fall within the Bill’s scope. Even if you fall outside, you may find that obligations are passed down from vendors or customers whose business does fall within scope of the Bill.
- Map your exposure: Map what technology infrastructure, processes and software could be an exposure risk to your business.
- Invest in resilience: The Bill emphasises outcomes, not box-ticking. A robust incident response plan (including insurance cover), regular risk assessments, training staff on key cyber threats and board-level oversight will be essential. Invest in experienced professionals and integrate best practice for cyber security throughout all business decision-making.
- Track regulatory guidance and best practice: With the National Cyber Security Centre (NCSC) playing an influential role, aligning your practices with their evolving recommendations will serve both security and compliance ends.
- Engage with policymakers: The Bill is still in formation. For companies operating at scale, this is a crucial time to engage constructively and help shape realistic, effective standards and processes.
Read the full article in Infosecurity Magazine here.