Software resilience and security: UK Government responds to Call for Views


In February 2023, the Government published a call for views on the risks associated with software (for example, cyberattacks aimed at disrupting services or stealing information). On 23 January 2024, it published a summary of the responses received, together with the Government's response to the views heard, including its proposed new policy interventions. The response identifies three priority areas, briefly outlined below.

First, the Government proposes a Code of Practice for software vendors (developers and resellers). The Code will call for the use of suitable existing secure software development frameworks and formal standards (and, where possible, secure by design principles), for communication and information sharing between customer and vendor on incident and risk management, and for regular vulnerability testing and reporting.

Second, the Government proposes to help software customers hold their suppliers to account by developing cyber security training aimed at UK procurement professionals and by creating standardised procurement clauses for organisations to include in their contracts. After publishing the Code, the Government will explore whether accreditation could also be a useful means of enabling customers to hold suppliers to account.

Finally, to address high-risk users and systemic risks, the Code will call for vendors to take appropriate steps to test any third-party components (for example, free or open-source software) that they incorporate or use in the software they sell, and the Government will explore the creation of minimum security requirements for organisations supplying software to Government.

The Code will focus on the issues experienced by business users.

The response states that, despite many strong calls for new regulation in this area, the Government has opted for a voluntary code of practice, confident that this will be adequate to incentivise vendors to follow good security practices. However, the Government has not ruled out legislative backing if industry uptake proves insufficient. The Government is at pains to point out that the proposed Code will be developed in collaboration with stakeholders and will take account of existing national and international standards. The proposals do not directly address AI software which, according to the paper, raises unique issues that are being explored under separate initiatives such as the global Guidelines on Secure AI System Development (previously reported by Wiggin).
