What you need to know about the New UK Cyber Security Bill


Why regulated firms must act now to stay compliant and resilient.

The UK government is finalising a new Cyber Security and Resilience Bill, designed to raise national cyber security standards and reduce the risk to organisations operating in critical or high-value sectors, including financial services, accountancy, law, and property.

For firms already under FCA scrutiny, the Bill isn’t just a technical update; it signals a strengthening of the regulatory environment that will affect how you govern IT, manage suppliers, and respond to incidents.

Below is what firms in regulated sectors need to know.

What the Cyber Security Bill Is Trying to Achieve

The core objective is simple: improve national resilience by ensuring organisations adopt stronger, measurable cyber security practices.

The Bill aims to:

- Strengthen requirements for organisations that handle sensitive data or support critical economic activity.
- Introduce clearer standards for cyber governance and executive responsibility.
- Improve transparency of cyber incidents and create a more consistent reporting framework.
- Increase oversight of IT service providers and third-party suppliers.
- Close gaps highlighted by large incidents impacting UK firms over the last 3 years.
 

Why the New Cyber Security Bill Matters to Regulated Firms

The Bill aims to address three major issues:

1. Rising cyber threats

UK businesses experienced a surge in attacks last year, with professional services firms among the most targeted. Financial data, client records, and advisory systems remain top targets for ransomware groups.

2. Increased dependency on IT and third-party providers

Many firms rely heavily on MSPs (Managed Service Providers) for day-to-day IT, cloud services, and cybersecurity. The Bill seeks to regulate these providers more tightly, because your security is only as strong as theirs.

3. Inconsistent incident reporting

The Bill will introduce more formal reporting requirements to help government bodies respond faster to large-scale attacks.

For firms in regulated sectors, this means more scrutiny, more accountability, and less tolerance for weak or outdated security infrastructure.

What’s Changing? Key Areas of the Cyber Security Bill That Impact Businesses


1. Stricter Cyber Governance Requirements

The Bill strengthens expectations on how businesses manage cyber risk at board level.

This includes:

- Documented cyber responsibility at senior leadership level
- Regular cyber-risk reporting
- Oversight of third-party contracts
- Mandatory testing of business continuity and disaster recovery plans

This closely aligns with the FCA’s position on operational resilience and secure systems and controls, and will demand more evidence from firms during audits.

 
2. Mandatory Cyber Incident Reporting

The legislation is expected to introduce compulsory reporting of:

- Ransomware attacks
- Supply-chain breaches
- High-impact system outages
- Data exfiltration
- Incidents involving critical infrastructure

For FCA-regulated firms, this will sit alongside existing SUP 15, SYSC, and operational resilience obligations.

Firms that cannot detect incidents quickly, or cannot demonstrate visibility across their IT estate, will be exposed.

 
3. Regulation of IT Providers and MSPs

This is one of the most important elements of the Bill.

The government intends to:

- Impose minimum security standards on MSPs
- Require MSPs to report breaches and outages
- Mandate transparency around service quality and security
- Hold MSPs more accountable when failures cause downstream harm

This means firms must ensure their IT providers meet higher standards, particularly if they operate in regulated sectors.

Low-cost, non-specialist IT providers will struggle to meet these requirements. This is one of the biggest forthcoming risks for FCA-regulated organisations.

 
4. Stronger Supply-Chain Security Obligations

Firms will need to demonstrate more rigorous due diligence for:

- Cloud platforms
- Software suppliers
- AI tools
- IT support providers
- Telephony and communications vendors

This ties directly into FCA expectations under SYSC 8 (outsourcing), where firms must show they understand the risks of their external providers and monitor them effectively.

 
5. Greater Executive Accountability

Senior leaders, particularly those under the Senior Managers & Certification Regime, will face increased responsibility for cyber governance.

This includes:

- Signing off on cyber readiness
- Ensuring the firm has a tested incident response plan
- Overseeing supplier risk
- Approving security investment decisions

Boards can no longer rely solely on “what the IT company says”. They will be expected to understand, challenge, and verify.

 
Expert Insight: Greg Chapman, Managing Director, Chapman Technology Partners

"This Bill is a welcome step change for the IT support industry. At present, anyone can set up an IT support company and begin servicing UK businesses. They can promise robust support and strong security, yet there are no regulations in place to ensure customers actually receive what they’ve been told.

This Bill moves the UK towards a much more mature cyber security posture. Regulators and government bodies want evidence; real, measurable resilience, not assumptions or outdated policies. For regulated firms, this is the moment to modernise their infrastructure, validate their providers, and invest in the controls that auditors and regulators now expect as standard."

 
What Firms Should Do Now: Five Priority Actions

1. Audit Your Cyber Posture

Assess your:

- Endpoint security
- Access controls
- Authentication policies
- Cloud security configuration
- Backup and disaster recovery
- Vulnerability management

This gives you a baseline for improving compliance before the Bill becomes enforceable.

2. Review Your IT Provider (MSP)

Ask your provider:

- Can you evidence your security standards?
- Are you aligned with NCSC and FCA expectations?
- Do you have a zero-trust security model in place?
- How do you handle breach reporting?
- Do you have a documented incident response plan?

If the answers aren’t clear, the Bill will expose the gap.

3. Formalise Incident Response and Business Continuity

Your plan must be:

- Documented
- Tested
- Reviewed annually
- Aligned with FCA requirements
- Supported by your MSP

A plan in a drawer is no longer acceptable.

4. Enhance Supply-Chain Due Diligence

Review every key supplier using:

- A risk scoring model
- Documented security standards
- Contract reviews
- Clear SLAs and KPIs

The Bill strengthens the requirement to prove supplier oversight, not assume it.

5. Implement Zero Trust Security Principles

Zero Trust focuses on:

- Least-privilege access
- Identity-first protection
- Micro-segmentation
- Continuous verification

It is rapidly becoming the baseline standard for regulated firms.

Ready to Strengthen Your Cyber Resilience?
If you want clarity on where your firm stands, or whether your current IT provider is meeting the standards the new Bill demands, we can help.

Contact Chapman Technology Partners

Speak with an expert about your firm's IT resilience, regulatory obligations, and the practical steps to prepare for the Cyber Security & Resilience Bill. We specialise in supporting financial planners, advisors, mortgage brokers, accountants, and law firms with FCA and SRA-aligned security.

www.chapmantechnologypartners.co.uk
