UK and EU are tightening cyber security standards
A pair of bills in Britain and the EU aim to force software and product manufacturers to raise their security standards, an attempt to counter cyber crime and bring the issue to public attention.
In the UK, the Product Security and Telecoms Infrastructure Bill (PSTI) is designed to set minimum standards for devices which can connect to the internet. It passed parliament last week in spite of the turmoil affecting the British government.
On the Continent, the more ambitious EU Cyber Resilience Act aims to regulate software as well as hardware, imposing a duty on producers to patch known vulnerabilities. A draft of the Act is up for consideration by the European Parliament and the European Council, which represents member states.
"The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society," said European Commissioner Margaritis Schinas. "Cybersecurity is a matter for society, no longer an industry affair."
The European legislation requires manufacturers and software developers to consider security in the design of products with digital elements, inform customers about cyber security issues and roll out updates whenever a security problem is discovered.
Once a product passes a security assessment, it will be issued with a CE mark, already familiar in Europe on consumer products like toys as an indication that they meet EU safety standards. If new vulnerabilities are discovered they must either be fixed through a software update, or the product must be recalled. Software delivered as a service will not be covered by the legislation, however.
The British PSTI Bill imposes similar requirements on manufacturers of internet-connected devices, but leaves software developers unaffected for now.
If the legislation succeeds in preventing hackers from gaining access to networks through devices like mobile phones, it could improve the outlook for cyber insurers by reducing the number of claims. It could also open up new opportunities for insurers beyond cyber: manufacturers may find they need product liability insurance in case they miss a crucial vulnerability.
"Under these acts there are potentially some quite significant financial exposures for companies because they may have to, for example, recall their product," says Hans Allnut, a cyber risk specialist at law firm DAC Beachcroft. "There's going to need to be some coordination between cyber insurers and product liability insurers."
At the same time, insurers could recover some of the costs of their claims from manufacturers or software producers if it can be shown that they are at fault.
But there remains significant uncertainty about how to define security best practices and whether it will be possible to enforce these standards in practice.
"It would be impossible for insurers to ignore this," says Will Gow at QuestGates, a loss adjuster. "It will have a massive impact, but it depends on how well it keeps up with the evolving changes in cyber, and how it's enforced."
There is so far no equivalent legislation on the cards in the US, but it is possible America will eventually follow suit at either the federal or state level.
Europe pioneered data privacy legislation through the GDPR (General Data Protection Regulation) which came into force in 2018, effectively becoming a global standard and a model for legislation in other countries, and the Cyber Resilience Act could play the same role.