The Product Security and Telecommunications Infrastructure (PSTI) Bill places new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the internet, like smart light bulbs and smart thermostats.
These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.
Failure to comply could result in heavy fines issued by a new regulator – up to £10m or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator will also be given the power to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether. The legislation is further bolstered by the fact that ministers will be able to mandate further security requirements as new threats emerge.
The legislation comes amid the surging use of IoT devices, with an average of nine in every UK household. Unsurprisingly, these devices have become increasingly targeted by cyber-criminals in recent years. For example, earlier this year, Which? published an investigation demonstrating that smart homes could face more than 12,000 cyber-attacks in a single week.
Minister for Media, Data and Digital Infrastructure, Julia Lopez, commented: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
“Overcoming the real security concerns surrounding IoT will be critical to unlocking growth, and IoT-specific regulations such as this one have a major role to play. Common-sense fixes like the banning of default passwords and incentivizing manufacturers to keep on top of security updates and vulnerabilities will help protect consumers and their data, building the trust that the IoT market needs to achieve its full potential.”