UK gov introduces cyber bill designed to clamp down on unsecure devices

Law could prevent sale of smartphones, TVs, speakers, toys, and other digital devices that fail to meet minimum security requirements

Companies could be fined up to £10 million or 4% of their global turnover if they sell digital products that fail to protect consumers from being hacked.

Manufacturers, importers, and distributors of digital tech will be required to make sure the devices meet new security standards under a new law proposed by the UK government - with heavy fines for those who fail to comply.

The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to Parliament on Wednesday, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.

At present, digital device manufacturers must comply with rules to stop them from causing people physical harm from issues such as overheating, sharp components, or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.

The bill will give the government new powers to bring in tougher security standards for device makers.

The tougher standards include a ban on easy-to-guess default passwords that come preloaded on devices - such as ‘password’ or ‘admin’ - which are a target for hackers. All passwords that come with new devices will need to be unique and immune to resets from universal factory settings.

The new law will also require connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed to the customer.

This will increase people’s awareness of when the products they buy could become vulnerable, so they can make better-informed purchasing decisions, according to the government. The government also said it believes nearly 80% of the firms targeted by the bill do not have any such system in place.

There will also be new rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.

This new cyber security regime will be overseen by a regulator, which will be designated once the bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.

NCSC technical director Dr. Ian Levy said the bill would “ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security”.

“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice,” he added.
