UK Cybercrime Law Reform Narrows Statutory Defense, Leaving Most Security Researchers Unprotected
What Happened — The British government announced plans to amend the Computer Misuse Act 1990, creating a statutory defence that only covers the scanning of internet‑facing systems and only for researchers who are UK nationals holding a UK Cyber Security Council accreditation (≈ 300 people). Experts say the safeguards are so limited that the overwhelming majority of security researchers—including bug‑bounty hunters, academic teams, hobbyists and smaller‑business professionals—will remain exposed to prosecution.
Why It Matters for TPRM
- Reduced legal protection may discourage vulnerability discovery on third‑party services, increasing the likelihood of undisclosed flaws.
- Vendors that rely on UK‑based security research could face delayed remediation and higher exposure to exploitation.
- Procurement contracts may need to be revised to address the legal status of security‑testing activities and to ensure compliance with the new statutory defence.
Who Is Affected — Technology SaaS providers, cloud‑infrastructure operators, financial‑services firms, and any organization that contracts UK‑based security researchers or uses UK‑origin vulnerability disclosures.
Recommended Actions
- Review and amend contracts to require proof that any security‑testing partner complies with the statutory defence criteria.
- Consider diversifying testing resources to include non‑UK researchers or reputable external platforms that operate outside the jurisdiction.
- Monitor the legislative process closely and update risk assessments as the reform progresses.
Technical Notes — The proposal limits the defence to “scanning” activities, forces researchers to halt work as soon as a vulnerability is identified (preventing verification), and bars delegation of tests to others. Only holders of the UK Cyber Security Council chartered status (≈ 0.4 % of the sector) qualify. No CVE or technical exploit is involved; the change is purely legal. Source: The Record