As some will have learnt, it can take decades to build a reputation and just a few minutes of a cyber-incident to ruin it. Even the Government knows this and is cajoling businesses to take more action. 

In February 2023, the Department for Science, Innovation and Technology published a call for views in order to “better understand the range of risks linked to software, what is already being done to manage the associated risks, and to seek views on what further government action would be most effective at driving improvements”. The Government’s response to that call for views has now been published. It identifies three key areas in which the Government can “help improve software security practices and protect the security and resilience of organisations across the UK”:

  1. Setting clear expectations for software vendors via a code of practice which will “set clear baseline expectations for software security which will mitigate risks from development to distribution and communication of vulnerabilities and incidents”.
  2. Strengthening accountability in the software supply chain by developing cyber security training aimed at UK procurement professionals, creating standardised procurement clauses for organisations to insert into their contracts, and working with the National Cyber Security Centre to publish content on the use of Software Bills of Materials.
  3. Protecting high-risk users and addressing systemic risks by incorporating provisions in the code of practice for software vendors to promote secure development processes and testing of third-party components, exploring the creation of minimum security requirements for organisations supplying software to government, working with industry to incorporate best practice and identify which innovative solutions regarding free and open source risk management could be implemented within Government, and exploring the development of a Government initiative to assess and improve the resilience of free and open source software used in high-risk contexts.

The Government is getting serious about software security across the supply chain - from software vendors to software procurement teams - for private sector organisations, as well as across its own supply chain. This is also a useful reminder to adopt these items into your supply chain and procurement processes.

The European Commission is also looking at cyber security. Earlier this year, it announced that it has adopted the first “European Common Criteria-based cybersecurity certification scheme” in accordance with the EU Cybersecurity Act. This scheme will provide “a comprehensive set of rules, technical requirements, standards and procedures… [to] attest that ICT products and services that have been certified in accordance with such a scheme comply with specified requirements” and, ultimately, “inform users of the cybersecurity risk of a product”. Further, on 12 March, the European Parliament plenary session formally adopted the Cyber Resilience Act, a new piece of legislation which “aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle”. The Act now awaits adoption by the European Council, following which it will be published in the Official Journal of the EU and will enter into force 20 days later (although many of its provisions won’t apply for another three years).

More detail is required before we can really start to see how the Government’s proposals will help organisations – but in the meantime, there is plenty of proactive work that businesses can do, and this should be firmly on the agenda of CTOs/CIOs and the boardroom.

Get in touch if you need any help with preventative steps (whether supply chain related or a cyber breach reaction plan) or, should you ever need it, security/data breach incident handling.