Security by Design or Be Fined, Committee Suggests

A U.K. parliamentary committee is recommending a new statute forcing software publishers to hew to secure-by-design principles or else face financial penalties.
The British government, like the U.S. government, has pushed the tech sector to voluntarily integrate security into product design, a policy driven by frustration over the sheer quantity of disruptive ransomware attacks, incidents of nation-state cyberespionage and fears over the potential for remote sabotage by foreign hackers (see: UK Software Security Code of Practice Earns Mixed Reviews).
The U.K. Commons Business and Trade Committee nonetheless endorsed liability for software developers in a Monday report containing recommendations to improve economic security. The committee called for “enforcement agencies” empowered to levy fines for noncompliance with secure-by-design principles.
Making secure-by-design mandatory – whether by exposing tech companies to customer lawsuits or through government enforcement – has so far been an impossible goal for American proponents and a difficult one for British backers. U.K. supporters succeeded in imposing minimum cybersecurity standards for internet of things devices, such as a ban on universal default passwords, but otherwise have had to rely on tech sector cooperation.
In the United States, backers including the Biden administration have been unable to overcome opposition from Silicon Valley and arguments that imposing liability on the tech industry would constrain America’s economic engine. President Donald Trump in June undid a Biden-era requirement for software developers to submit attestations validating their use of secure software development practices when selling to the federal government (see: Trump Rewrites Cybersecurity Policy in Executive Order).
Observers may get to see the real-world applicability of anti-liability arguments starting in late 2027, when secure-by-design standards for “products with digital elements” sold in Europe come into effect. But not even the European rules will cover all software, since the regulation, the Cyber Resilience Act, excludes software-as-a-service.
Whether the U.K. succeeds in imposing wide-ranging software liability when Europe and the United States have not is now a political question. Lawmakers could introduce software liability by expanding already proposed cybersecurity legislation, said Andrew Churchill, policy director at the non-profit Cybersecurity and Business Resilience.
The parliamentary committee additionally called for a change to tax law that would allow companies to deduct payments to subscription-based IT services that enhance resilience. Current law, the committee said, disincentivizes subscription payments for cybersecurity software by not allowing companies to write off the costs.
