Everything You Need to Know About the Cyber Security and Resilience Bill

The upcoming Cyber Security and Resilience Bill is a major change in legislation, aiming to improve the nation's cyber defences. But what does it mean for your business?

As cyber-attacks become increasingly sophisticated, they are simultaneously increasing in both frequency and severity. The UK Government’s current consultation, completing on 8^th April 2025, is a direct response to the pace that cyberattacks are evolving. As cybercriminals continue to find new ways to target businesses of all shapes and sizes, it’s time to fight back.

At Everywhen, we’re following the developments and their potential implications to keep our clients up to date. 

Under this legislation, there are two key potential changes that business owners need to understand. These are: mandatory reporting requirements for incidents and potential restrictions on ransomware payments.

"What we're seeing with this bill is the Government taking direct action to address the growing cyber threat landscape," says Marc Rocker, Head of Cyber at Ardonagh Advisory.  

"While increased regulation often raises concerns among business owners, we need to view these measures in context of the evolving threat environment, where a single ransomware attack can bring operations to a complete standstill.”

One of the proposed key changes in the upcoming bill is the development within cyber incident reporting. Currently, only some businesses need to adhere to strict reporting requirements following a cyber incident, however, following these potential changes, a lot more business will fall under this bracket.   

Under the new bill, all businesses will be legally required to report cyberattacks to the relevant authorities, including ransomware incidents. The purpose of this change is to ensure the Government has complete and realistic data on cyberattacks, ultimately improving their understanding of threats and potentially highlighting potential campaigns of attack.

"To me, mandatory reporting makes sense regardless of the scale of the attack," explains Rocker.

"The challenge has always been that we don't have a complete picture of the cyber threat landscape because many attacks go unreported. This complete input of data ultimately helps everyone."

Business owners may find that they need to revisit their internal procedures for identifying, documenting, and reporting cyber incidents because of this change. It could also potentially result in increased scrutiny and paperwork following an attack. As this is often the time when you have stretched resource, preparation will be key to ensure you’re ready to accommodate these additional requirements.

At present, if a business is subject to a ransomware attack, they have some tricky decisions to make. Many businesses have internal policies in place to not pay ransomware threats. According to the Government’s Cyber Security Breaches Survey 2024, this applies to around half of businesses (48%) and just under four in ten charities (37%). However, many others are forced to make a risk calculation based on a variety of factors including cost, operational disruption and reputational damage.

One of the more controversial proposals under the new legislation is the potential restriction on ransomware payments. The Government is currently running a consultation on a ‘ransomware payment prevention regime’ that could require victims to report ransomware events before actioning ransomware payments to cybercriminals.

"While I understand the government's intention to cut off the financial incentives for cybercriminals, I have concerns about how this will work in practice," Rocker explains.

"Businesses face immense pressure during ransomware incidents, often with extremely tight deadlines set by attackers. Adding a regulatory approval process could complicate an already challenging situation."

• Who will serve as the licensing authority for ransomware payment approvals?

• Will this authority be able to respond within the critical timeframes needed (often 24-72 hours)?

• How will resources for this new regulatory function be funded?

• If ransomware payments are banned or restricted, how would authorities prevent payments made through cryptocurrency channels?

"These are complex questions without easy answers," says Rocker. "Rules are already in place preventing government-funded organisations from paying ransom demands, yet we still see local authorities being successfully targeted. This suggests that simply banning payments may not be the solution we're hoping for."

The impact of these proposed regulatory changes will vary depending on your organisation's size, sector and cybersecurity defences already in place. However, all businesses should prepare for:

• Increased documentation requirements - You will need to prepare for a change in how your business documents cyber incidents, their impact, and how you’ve dealt with them.

• Delays in responding to ransomware attacks - If attacks are privy to an extensive approvals process, this could extend the resolution timeline.

• Reduced discretion around cyber incidents – As reporting incidents becomes mandatory, your response will be critical for upholding your business’s reputation.

• Cyber insurance – Cyber insurance policies will likely adapt to these changes – you will need to find out how this affects your existing cover.

"Business leaders need to understand that these changes, while potentially challenging to implement, ultimately aim to create a more secure digital environment for everyone," Rocker advises.

"By participating in the consultation process, businesses have an opportunity to shape how these regulations will work in practice."

As the regulatory digital landscape continues to change, cyber insurance has become an increasingly important tool for managing risk within a business. Far from being just another policy feature, comprehensive cyber cover offers layers of protection that directly address the challenges presented by the new legislation.

"Many businesses don't realise that cyber insurance is about so much more than just financial compensation after an incident," explains Rocker.

"Modern cyber policies provide access to crisis response teams, technical specialists, legal experts, and even ransomware negotiation professionals who can guide you through the complex process of responding to an attack."

• 
  Ransomware response

Some cyber policies offer access to specialised ransomware negotiators who understand both the technical and psychological aspects of these situations. These experts can help determine whether payment is advisable, negotiate terms if necessary, and ensure compliance with any applicable regulations. At present, your policy could even cover the cost of a ransomware payment if it’s seen as the most effective way to get your business back up and running. 

• Business interruption

If your business is unable to run due to a cyber-attack, the resulting operational disruption could have a substantial impact on your bottom line. Business interruption coverage helps mitigate these losses.

• Data breaches

Cyber policies can cover the costs of investigating data breaches, including notifying the individuals affected and steps taken to mitigate the reputational impact.

• Regulatory defence

As regulatory requirements continue to change, it’s important to have cover in place for regulatory proceedings, including legal representation and any penalties imposed.

• System restoration

Following an attack, your systems or data will need to be restored and, in some instances, rebuilt. Your cyber policy may cover the costs of recovery.

When it comes to protecting your business against cybercrime, the decision should never rest with a single individual.

"We sometimes see situations where cyber insurance is declined by a business based on a decision made by just one person within the organisation," Rocker points out. "This approach carries significant risk. Ideally, decisions about cyber protection should involve input from leadership, IT, finance, and operations at minimum. For larger organisations, this should be a board-level discussion with proper documentation of the decision-making process."

The reason why collaboration is key? It’s simple, cyber risk affects every aspect of your business. One person’s decision to forego or limit coverage could have far-reaching implications that extend beyond the immediate financial considerations.

"If your business suffers a significant cyber-attack after deciding against appropriate coverage, stakeholders may question that decision – especially if it wasn't made through a proper governance process," warns Rocker. "This is particularly relevant as regulations tighten and public awareness of cyber threats grows."

The government's consultation on ransomware legislative proposals runs until 8 April 2025. This represents an important opportunity for businesses to provide input on how these regulations should be shaped.

"I strongly encourage business owners to participate in the consultation process," says Rocker. "This is your chance to ensure the government understands the practical realities of implementing these regulations in a business environment. The decisions made will affect how all UK organisations manage cyber risk for years to come."

Access the consultation: homeofficesurveys.homeoffice.gov.uk/s/E6ROXH

Before the final version of the Cyber Security and Resilience Bill is released, there are proactive steps businesses can take to get ahead of the game:

• Review your incident response plan – Does it accommodate potential new reporting requirements?

• Assess your cyber insurance coverage – Does it address evolving regulatory considerations?

• Invest in appropriate cybersecurity measures – Are you comfortable that your software, training and insurance all work together to sufficiently reduce your exposure to cyberthreat?

• Stay in the loop – Ensure you stay on top of changes in regulation

"The reality is that cyber threats continue to evolve regardless of the regulatory environment," concludes Rocker. "Taking a proactive approach to cybersecurity and risk transfer through insurance isn't just about compliance, it's about ensuring business resilience in an increasingly digital world."

At Everywhen, we specialise in helping businesses navigate the complex world of cyber risk. Our dedicated cyber insurance specialists can:

• Provide expert guidance to help you find the right cover for your business needs.

• Clearly explain the differences between policies and cover options to help you make an informed decision.

• Connect you with risk management resources to mitigate risk across your business

• Support you through the claims process should you experience a cyber incident

As cyber threat races ahead, there’s no time like the present to defend your business. Get in touch today to discuss how Everywhen   can help secure appropriate cyber insurance protection for your business. Our team is ready to provide the expertise and support you need to navigate this challenging risk landscape with confidence.