What Are the Key Obligations Under the Cyber Security Act 2024?

August 29, 2024

Malaysia's Cyber Security Act 2024 received royal assent on June 18, 2024, was officially published on June 26, 2024, and came into force on August 26, 2024, together with its four subsidiary regulations. The Act establishes a framework under which entities designated as owning or operating national critical information infrastructure (NCII) must meet defined security obligations. Two of the four regulations, the Incident Notification Regulations and the Risk Assessment Regulations, are the ones that shape day-to-day security operations for NCII entities: the first sets out what must be reported, to whom, and by when after a cyber security incident; the second sets the minimum cadence for risk assessments and audits. Together they are intended to get incidents in front of the authorities quickly and to ensure an NCII entity's defenses are reviewed on a fixed schedule rather than only after something goes wrong.

Incident Notification Regulations

The Incident Notification Regulations impose a threefold obligation on an NCII entity once it becomes aware of an actual or suspected cyber security incident. First, Immediate Notification: the entity must notify the relevant authorities as soon as it becomes aware of the incident. The trigger is awareness, not confirmation; a suspected incident is enough, so the clock should not wait on the outcome of triage. Second, an Initial Submission is due within six hours, giving the prescribed information: the particulars of the authorized person making the report, details of the NCII entity, and what is known so far about the nature and scope of the incident. The six-hour window is short, so in practice an NCII entity needs its reporting contacts, report template, and escalation path prepared in advance rather than assembled during the incident.

Third, a Supplemental Submission is due within 14 days of the Immediate Notification. It must provide further particulars of the incident: the estimated number of affected hosts, what is known about the threat actors, documentation of the artifacts related to the breach, the impact of the incident, the tactics used by the attackers, and the actions the entity has taken in response. Beyond these three submissions, the Chief Executive of the National Cyber Security Agency may direct the entity to provide further updates while the incident is being handled. For the responding team this means evidence handling matters from the first hour: affected-host counts, attacker tooling, and a timeline of response actions all have to be reconstructable two weeks later, so logs and artifacts should be preserved during containment and cleanup rather than discarded. The reporting structure gives the regulator a consistent, timely picture of incidents across NCII entities and a basis for coordinating a response.

Risk Assessment Regulations

The Risk Assessment Regulations under the Cyber Security Act 2024 require NCII entities to carry out cyber security risk assessments and audits on a fixed cadence. A cyber security risk assessment must be performed at least once a year. The assessment should systematically evaluate the threats and vulnerabilities affecting the entity's systems, taking into account changes to the technology estate since the last assessment, developments in the threat landscape, and whether existing controls are still effective, so that gaps are identified and corrected before they are exploited.

In addition, a cyber security audit must be conducted at least once every two years, or more frequently if the Chief Executive so directs. The audit is an independent evaluation of the entity's compliance with the prescribed cyber security standards and covers policies, procedures, technical controls, and incident response arrangements. The audit findings serve two purposes: they demonstrate compliance to the regulator, and they identify where the entity's controls need strengthening. The annual assessment and the biennial audit are complementary: the assessment is the entity's own view of its risk, and the audit checks that view and the controls behind it against the required standard.

Importance of Adaptive Regulatory Framework

Taken together, the two sets of regulations define the minimum operating rhythm for an NCII entity: immediate notification, a six-hour initial submission and a 14-day supplemental submission when an incident occurs, a risk assessment every year, and an audit at least every two years. The framework is adaptive rather than fixed, because the Chief Executive can require further incident updates and more frequent audits where circumstances warrant. An entity that treats these obligations as paperwork to complete after the fact will struggle with the six-hour window; one that builds the reporting path, evidence preservation, and assessment cycle into its existing security operations will find that the obligations largely coincide with good practice.
