The UK’s Cyber Security and Resilience Bill represents a major shift in cybersecurity regulation, bringing Managed Service Providers (MSPs) under strict oversight and potentially reducing bills for insurers. Matthew Geyman, managing director of Intersys, said the move is a “positive step” towards cyber readiness given the risks MSPs pose.
“This ensures that MSPs - who have unparalleled access to client systems - meet higher security standards,” Geyman said.
The legislation follows a series of high-profile cyberattacks, including those on the NHS in 2024, which exposed vulnerabilities in third-party IT services. By expanding regulations to cover MSPs, the bill aims to strengthen national cyber resilience and reduce the risk of large-scale attacks. Businesses that fail to comply could face fines of up to £100,000 per day.
According to Geyman, the bill aligns the UK with global cybersecurity frameworks, including the EU’s NIS2 Directive and the US’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), as it requires MSPs to implement tighter security controls, conduct regular risk assessments and enhance incident reporting standards.
“The biggest priority isn’t just compliance – it’s resilience. Businesses should be focusing on continuous risk assessment, security monitoring, and enhanced staff training. Cyber Security as a Service will become essential,” said Geyman.
The insurance industry is expected to be affected, particularly as it relates to cyber insurance and business interruption coverage. Rising cyber threats have already led to higher premiums and stricter underwriting criteria. By enforcing stronger security standards, the bill could reduce insurers’ risk exposure, stabilising pricing and encouraging wider uptake of cyber insurance.
There is also renewed discussion about a government-backed cyber insurance scheme, similar to Pool Re, to protect businesses against large-scale cyber risks. Insurers are monitoring how these regulatory changes will affect critical infrastructure and supply chains, given that supply chain attacks remain a major concern, Geyman said.
He added that the UK is not alone in tightening cybersecurity laws. Countries such as India and Australia have also introduced stricter regulations, reflecting a broader trend towards stronger cyber governance. Businesses operating across multiple jurisdictions will need to adapt to evolving compliance requirements.
While the full impact of the bill remains uncertain, it marks a significant shift in cybersecurity oversight, reinforcing the UK’s efforts to protect essential services and infrastructure from emerging threats.