UK threatens £100K-a-day fines under new cyber bill

The UK's technology secretary revealed the full breadth of the government's Cyber Security and Resilience (CSR) Bill for the first time this morning, pledging £100,000 ($129,000) daily fines for failing to act against specific threats under consideration. Slated to enter Parliament later this year, the CSR bill was teased in …

  1. cyberdemon Silver badge
    Coat

    Peter Kyle?

    Am I the only one who has never heard of Peter Kyle, and therefore read that as Jeremy Kyle finally detailed the plans for the bill at length today.

    One imagines him sitting the offending CISOs down on his sofa and giving them a dramatic talking-to about their sordid cybersecurity failures, for public spectacle.

    Mr. Smith, we have conducted an AI code-authorship analysis, which has indicated that the hideous cyber-vulnerable SAP-to-SCADA connector was in fact YOUR bastard lovechild! <audience gasps> What do you have to say about that??

    1. Yet Another Anonymous coward Silver badge

      Re: Peter Kyle?

      Or Peter Kay. The government has made Blackpool tower a national strategic whatsit and put Nans in charge of t'cyber

      1. wolfetone Silver badge
        Coat

        Re: Peter Kyle?

        I wish it was Peter Kay, and he was chancellor.

        "This year we're giving everyone £5 a week for pick 'n' mix. Woah woah woah, fudge, no mate you want them flying t'saucers you can have as many of them as you want"

        1. Yet Another Anonymous coward Silver badge

          Re: Peter Kyle?

          I'm not saying there needs to be a national weekly Chocolate Hobnob ration, but if you wanted a policy that would win you every future election

          1. nobody who matters Silver badge

            Re: Peter Kyle?

            Good grief!!! ....

            I don't want them rationed!!

            1. Yet Another Anonymous coward Silver badge

              Re: Peter Kyle?

              You would get extra packets free on prescription if you had a medical need - such as being a "big lad" or being a bit skinny and "needing feeding up a bit".

              Remember this is going to be a granny managed health service

          2. Anonymous Coward
            Anonymous Coward

            Re: Peter Kyle?

            Have you tried the Tesco own-brand ones? They're actually not bad, and a lot cheaper than real hobnobs!

    2. smudge

      Re: Peter Kyle?

      One imagines him sitting the offending CISOs down on his sofa and giving them a dramatic talking-to about their sordid cybersecurity failures, for public spectacle.

      One doesn't. Having never heard of him, one looked him up when he was appointed Secretary of State for Science, Innovation and Technology. And discovered that he has the same qualifications for that job as my great-aunt Gertrude. None at all.

      1. nobody who matters Silver badge

        Re: Peter Kyle?

        Same level of qualifications that all other Government Ministers have then ;)

        1. Anonymous Coward
          Anonymous Coward

          Re: Peter Kyle?

          Isn't knowing fuck-all about the subject a requirement for any government ministerial position?

          1. DJV Silver badge
            Trollface

            Re: a requirement?

            Bloody essential, more like!

            If there's any chance a minister actually knows the slightest smidgen about what they are in charge of, there could be the impending horror that they may have "ideas" of their own and make an even bigger dog's bollocks of the whole affair than if they knew nothing!

            Keep* 'em ignorant, I say!

            * For most of them, that's not a problem as they have never reduced their full 100% ignorance quotient since birth. It comes with the territory!

  2. Anonymous Coward
    Anonymous Coward

    Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

    Sewage overwhelms our rivers ---- No Action!!

    Royal Free Trust turns over 1.6 million citizen medical records to Google/DeepMind --- No Action!!

    The Met -- remember Wayne Couzins and David Carrick --- Years of abuse and murder --- Eventually something gets done --- but FAR TOO LATE!!

    .....and here we are again......the government is preparing MORE LEGISLATION where there will be NO ENFORCEMENT and ---sigh!!!! --- No Action!!!

    1. Guy de Loimbard Silver badge

      Re: Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

      You echo the thoughts I was having as I read the article.

      Rules are one thing, who is going to enforce?

      You need to invest in the regulatory bodies as well as just generating legislation, which half the time, is only for headlines and sound bites.

      I welcome anything that will improve security posture and reduce the likelihood of cyber incidents.

      You will still need a regulator that has teeth, will enforce the rules and will send the "inspectors" in to check the state of play, which to date, is something we're missing in the UK.

    2. Yet Another Anonymous coward Silver badge

      Re: Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

      There is enforcement. In the case of a theft of government held data about you, the government will fine the government 100grand, it's the only way for the government to control the government

      Obviously we can't fine private companies, it will upset the economy or the Americans

    3. UnknownUnknown Silver badge

      Re: Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

      They will just roll over when the Orange Miasma threatens….

    4. Anonymous Coward
      Anonymous Coward

      Re: Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

      "....and here we are again......the government is preparing MORE LEGISLATION where there will be NO ENFORCEMENT and ---sigh!!!! --- No Action!!!"

      The way it seems to go is that when there is something bad happening (which is adequately covered by existing legislation but action is rarely taken), and the public doesn't like it, the government response is to introduce yet more legislation which basically just duplicates that already existing, because they can grandstand about how they are 'tackling the issue'. All that then happens is yet more laws which are rarely enforced.

    5. Anonymous Coward
      Anonymous Coward

      Re: Hah! -- More "We Are Doing Something" Misdirection Emitted From SW1

      April 2, 2025........today we hear about another criminal member of the Met Police -- Philip Hunter.

      Stalked a woman for seven years.

      The Met tried to say she had mental health problems.....Yup.....blame the victim!!

      Surprise, surprise this predator with a warrant card worked in the same team as......Wayne Couzins!!!!

      The Metropolitan Police needs a new name...............Wayne Couzins University.................

      .....and to get to the point............more legislation......no enforcement...........tax payers getting to pay the wages of criminals in the Met!!!!

  3. IGotOut Silver badge

    GDPR?

    Remember all those huge 4% of global turnover fines for failing to secure and process data correctly?

    No?

    Nor me.

    1. wolfetone Silver badge

      Re: GDPR?

      Gov: "We're going to fine you £100,000 a day"

      Biz: "No you're not."

      Gov: "We are"

      Biz: "Can't fine a dissolved company"

      Gov: "er, well, er..."

      Biz: "TTFN dickhead"

      1. elsergiovolador Silver badge

        Re: GDPR?

        Company director> Sarah, is that your name, right? Could we discuss this fine over a cup of coffee?

        Sarah> I can't really, that wouldn't be appropriate. We have channels for that.

        Company director> Have you pictured our meeting in your head? Nice hot organic coffee from Blue Mountains, the invigorating smell, the chatter around you. You feel relaxed.

        Sarah> Stop! That is completely out of the line!

        Company director> But you have pictured it, haven't you?

        Sarah> Well, yes... and?

        Company director> So it's like already happened. Everything that happens that is not now is just a fading entry in our memory.

        Sarah> What is your point?

        Company director> We should make it happen. You already know it will be fine.

        Sarah> Well...

        Company director> *passing a business card* Call me on this number this evening.

        *next day, 7AM, artisan coffee place*

        Sarah> This is a mistake.

        Company director> The dissonance of experiences, conflicting thoughts. Do you like Jazz?

        Sarah> Not particularly, no.

        Company director> Fair enough, but you like music in general, no?

        Sarah> Of course, everyone likes music?

        Company director> Radiohead?

        Sarah> Oh yes!

        Company director> So picture our gathering as if we were that song "Creep".

        *Sarah looks confused and suddenly blushes*

        Company director> There we go! So let's dance. You see, the fine. You know... that could be just a glitch.

        Sarah> This is uncomfortable.

        Company director> *passes a black card* There is £25k on that card. Don't use it in the UK.

        Sarah> What do you mean?

        Company director> Make it a glitch, close the ticket, make it a mistake. Figure it out, then go on a well-deserved holiday.

        *Sarah is circling a finger around the cup*

        Company director> You have some savings, right? Use them to buy tickets. Mexico is great this time of the year. Then get the card and go to town on SPA, get your teeth fixed.

        Sarah> Excuse me?

        Company director> Come on, I can see your veneers are in bad shape. In six months' time I'll give you another card with £50k on, if I stop hearing about the fine.

        Sarah> I've got to go, I will be late! *hiding the card in the purse*

        Company director> Well done!

        1. Decay

          Re: GDPR?

          Black cards are so passé, much better is to make her mortgage disappear. The loan gets purchased by an offshore company and then gets sold several times more and suddenly no more mortgage payments. And the best thing is if the mortgagee misbehaves the mortgage can re-appear. Saves all that worry about the person buying flash cars and speedboats and attracting the wrong type of attention.

          1. elsergiovolador Silver badge

            Re: GDPR?

            That will show up quicker than a seagull at chip shop opening.

            Someone working at that level will not be buying flashy cars.

  4. Anonymous Coward
    Anonymous Coward

    Why does the Gov expect such responses from others when it can't keep its own house clean? Can they be fined 100k per day for failing to govern?

  5. Anonymous Coward
    Anonymous Coward

    Does this include breaches from government-mandated backdoors in cloud services etc.?

  6. Vestas

    Well that's Crapita/Serco/G4S screwed then...

    ...lets not hold our breath shall we?

    UKGovt can pass whatever legislation they want. Nobody is listening amongst their suppliers as they know full well nothing will happen as they're the only choice for Govt contracts now.

    Elsewhere - best of luck with that, I daresay the vast majority of the "fines" received will come from Govt entities (councils, NHS, education etc) and will do nothing other than shuffle money around and cost ordinary people money.

  7. Tron Silver badge

    I have every confidence that this will work as well as all government tech policies.

    Most of the entities they fine will be government (under-)funded.

  8. arachnoid2

    Toothless n'es pas

    Good luck fining a foreign company.

    1. PB90210 Silver badge

      Re: Toothless n'es pas

      The Orange One doesn't like foreign interference with American companies, just ask Canada, Mexico, China....

  9. Anonymous Coward
    Anonymous Coward

    Ok...

    So...who is going to turn out the lights and lock up? I think IT is done.

  10. elsergiovolador Silver badge

    Security

    Imagine if we implemented this for homes. If you get burgled, you'll get fined £100,000 or 10% of your savings, whichever is greater.

    This would:

    a) stop police wasting their time on catching burglars

    b) provide much needed funding for public services

    c) stimulate the economy as people would be motivated to ensure their homes are secure.

    d) provide politicians with nice fat kickbacks from security suppliers.

    What if people would either not be able to afford upgrades or fines? They will just sell the homes to big corporations, as clearly home ownership would be for serious entities and they would just rent secure homes out.

    Tents would be exempt.

    Sounds great, right?

    1. Yet Another Anonymous coward Silver badge

      Re: Security

      >Tents would be exempt.

      So yet again those people who chose to be homeless as a lifestyle choice are given a free rein to break the law

  11. Graham Cobb

    So what *is* the answer?

    I am no expert on cyber-security at scale but I can see a few principles, which seem to be completely different from the approach of the Government...

    1. Fix the bloody personal data problem!!! The biggest risk to people is the problem of personal data theft. There is one, and only one, real answer to that: prevent companies from requiring (or acquiring) any more personal data than the minimum required for their service to operate! At the customer's option, they can ask the company to store more data to provide a more personalised service but that can be withdrawn at any time and must be unrelated to the price charged. I might allow my TV provider to keep information like how far I am through a particular series, or what sorts of films I like to watch, but that should be unrelated to how much they charge me and I must be able to delete some or all of my data at any time I wish.

    This single item would dramatically reduce the amount of personal information stored and the attractiveness of many of the cyber attacks.

    2. Critical national infrastructure (power, water, communications, transport, etc) funding must be strictly controlled and the companies operating it must have strict responsibilities (especially for security, safety and reliability), which can be enforced against some entity which cares (not limited liability shareholders).

    3. Private companies providing services to government (particularly in areas of national importance) must have some sort of strict liability to their customers so the company invests in the necessary cyber-security.

    Sure, these are easy to say and hard to do - but this needs to be the debate, not fines which will never get paid.

    1. localzuk

      Re: So what *is* the answer?

      Point 1 is already the case, officially. GDPR and "UK GDPR" both require companies to only store and process the minimum amount of data needed for their task. However, the way companies can justify the tasks is somewhat lax...

      The counter-argument for point 2 is that without "limited liability", people won't invest and start businesses, as they end up with too much risk. But there surely must be a balance somewhere in between.

      Point 3? Impossible. That'd require government contracts to be written in a way that is advantageous to the customer, and they never are.

  12. amanfromMars 1 Silver badge

    If a job's worth doing the way you want it done, do it yourself .......

    the government would be able to order regulated entities to make specific security improvements to counter a certain threat or ongoing incident, and this is where the potential fines come in.

    Does the government escape being responsible for providing and paying for their ordered specific security improvements to counter a certain threat or ongoing incident?

    Some, and maybe even many or most regulated entities may not have the necessary smarts to do what governments may think to order ..... but they can surely easily enough follow clear specific instructions and be pleased to do so?

  13. Fruit and Nutcase Silver badge
    Alert

    £100K-a-day fines

    I see this was filed at Tue 1 Apr 2025 11:37 UTC, which is 12:37 BST.

    If you abide by the rule of all pranks before 1200, in theory, this post is outside that limit, but otherwise, a good candidate for an April Fool.

    Either way, £100K-a-day fines - let's see them applying it - and depending on the company, it's still loose change from back of the sofa. As for "10 percent of turnover for each day the breach continues" - again, let's see them applying it and then collecting it. And whilst at it, apply the same penalty for other transgressions for which they have been so far giving slaps on the wrist to the big companies

  14. wzis

    On Linux, AIX and Solaris, most companies still ignore software-based key-stealing attacks

    We have said many times, security not only needs a password or passphrase to protect it, but also needs the software to protect the password and passphrase; otherwise how can the information be secure when your security software is not able to protect itself?

  15. Anonymous Coward
    Anonymous Coward

    And so they continue to build the digital prison. No need to fight China; we will become China.

    Every tool they introduce, which at a cursory look appears benign and helpful, contains the ability to be used nefariously for either control or to benefit the largest corporations.

  16. Anonymous Coward
    Anonymous Coward

    In principle, seems like a step forward.

    I'll believe it when I see both personal consequences for the directors involved, and some actual enforcement.

    And to the last paragraph.

    "Even if every organization that the new rules are directed to had the budget, technical capabilities and leadership bandwidth to invest in updating their infrastructure to meet the current and future wave of cyber threats, it is likely to be a time consuming and costly process bringing all of their systems into line."

    Translation :

    After years of pretending to work, under-investment and redirecting funds to my yacht collection, you're telling us we now have to actually do our jobs. WAAH!

  17. steviebuk Silver badge

    Way to kill

    small, private forums about random subjects. Why not leave the parents to inforce Internet time and monitoring. This isn't going to stop anything except stop people in the UK running their own forums. Will probably turn off all comments on my own site now because of this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Way to kill

      The answer, citizen, is to set up a Facebook group where you can be more closely monitored!

      Even without this latest stupidity, there are already loads of former forums and message boards on all sorts of subjects which have been replaced by Facebook groups - which rules me out completely, as I have no intention of ever having a Facebook account.

  18. Anonymous Coward
    Anonymous Coward

    Another bit of legislation that is toothless

    It’s sad to see new laws passed whilst the current ones are not being enforced, much like this one once implemented

  19. s. pam
    Coffee/keyboard

    and Power Resilience?

    seems all the media hullabaloo on cyber forgets one important point -- no power, no cyber.

    just ask the geniuses at LHR for more details!

  20. Zippy´s Sausage Factory
    Devil

    "If, for example, a managed service provider (MSP) – a crucial part of the IT supply chain – failed to patch against a widely exploited vulnerability within a time frame specified by a government order, and was then hit by attacks, it could face daily fines of £100,000 or 10 percent of turnover for each day the breach continues."

    Why was I hearing in my head the words "Microsoft products and services are no longer available in your region"...

  21. mcds125

    Ah Tarrifs...

    Behold the Government can handle any Cyber operation - But struggles to produce a working healthcare website...

    Why not leave the parents to inforce (sic) ((Enforce)) Internet time and monitoring? Presumably because parents have better things to do...

    Uhmm, TPM 2.0 comes knocking and Windows 11 gets a Revision... DISA no longer has an IAD page for securing the host baseline on Windows, shortly after multiple staff firings at Fort Meade, so some open source pundits have done a better job launching Revision OS - how Windows should have been... With all the spyware switched off... Check out the performance and latency... Thumbs up to the YouTube video in Chinese!

    And the stock prices tumble, tumble, tumble...

    @Graham Cobb

    Re: 1. Fix the bloody personal data problem!!! The biggest risk to people is the problem of personal data theft.

    But you agreed to it the moment you installed Windows with Chrome...

    I would have said the biggest problem is when you install an open source app like Etcher and find some Herbert has poked a bloody huge advert inside what was arguably once an open source app!
