The publication of the Cyber Security and Resilience Bill in parliament on 12th September 2025 was a watershed moment for cyber security in the UK. By including IT service providers under the regulatory ambit, it gives Government the remit to require critical suppliers to take the cyber security of their own operations seriously, and opens them up to sanction if they fail to protect their clients’ systems.
There is a but here. Service providers’ relationships with their clients are governed by the contracts they have agreed, and these contracts often include terms and conditions behind which suppliers can hide. We all know that many contracts heavily skew risk towards the client; and where money is tight, security requirements are often traded out for cost reasons or missed in the morass of small print. Downtime is recompensed with service credits rather than the true cost of business interruption being recognised; most contracts explicitly exclude any supplier liability for damage or loss caused by a cyberattack; and clients are often not in a position (whether through size imbalance, experience or skills) to demand that suppliers evidence appropriate plans, management grip or insurance coverage (PI, E&O or D&O) that would offer some recourse.
The new bill is welcome. The NCSC and other UK Government components see the risk, and are deploying all the tools at their disposal to strengthen our defences. But the contractual issue is a global problem, which legislation alone cannot solve. Where Government money is being spent, Government organisations in the critical national infrastructure should specify the behaviour required from their suppliers and budget for its inclusion from the start. Private sector organisations operating CNI elements (in our sector, for example, ship and port owners/operators) should take a critical approach to their supply chain to ensure that they are not assuming unquantifiable risk through poorly worded and one-sided service and support contracts. We want our clients not only to bounce back quickly from an attack, but also not to be victims in the first place.
