Digital service providers & increasing cyber resilience in the UK
In January the UK government published an open consultation on its proposal for legislation to improve the UK’s cyber resilience. As an industry body looking at the potential impact on our members, we have been particularly drawn to the section that proposes bringing managed service providers and their services within the scope of the NIS Regulations.
According to the proposal’s summary, it intends “to expand the scope of digital services regulated under the NIS Regulations to include ‘managed services’ and for the providers of digital managed services to be subject to the same duties as other digital service providers”. So let’s break this down a little.
Much of what is currently out of scope makes up a large part of the digital supply chain that supports critical business and information services across UK industries, which makes these organisations and services attractive targets for cyber criminals.
Many businesses now rely on services and systems supplied by third party suppliers in order to operate. The threat from cyber crime has grown far faster than widespread understanding of how to mitigate it. Rightly, businesses have been working hard to deliver services and keep customers happy. However, were an attack on one of their suppliers to result in customer data or personal information being compromised, those customers would likely become ex-customers pretty quickly.
The current lack of mandatory requirements leaves responsibility with a large number of businesses that do not have the security knowledge needed to put the right measures in place to protect their systems and customers when working with third party suppliers. The proposed changes put more onus on service providers to do the right things around security “by default” when providing services to clients, rather than hoping that the client knows the right questions to ask.
This move by Government may leave many feeling they are being asked to do more at a time when costs are rising and margins are being squeezed. Yet if new regulations setting minimum standards for suppliers in the digital managed services sector were not to come into play, the potential for serious damage and cost to those suppliers and their customers would only continue to grow.
As the consultation has only recently ended and the proposal is still quite fresh, there is much to be considered and ratified before a final definition of what makes an organisation a digital managed service provider is settled. It is important, though, to keep track of developments, because ignoring this move towards a broader set of suppliers falling under the NIS Regulations could leave you lagging behind at the point when you are required to change how you operate.
Ensuring that you are supported through such changes is going to be key. Many suppliers who don’t think they meet the criteria could quickly find themselves in a position where adhering to these regulations becomes critical to their ability to operate and provide services to their clients. It is also important to recognise that a small business can be providing services to customers who themselves provide, or are linked to organisations providing, critical services. The supply chain is now so complex that, given the threats all organisations face, we may need to reconsider what we regard as too restrictive.
Before any of this is made mandatory, it would be prudent for any supplier reading this that thinks it may fall under such changes to consider its current security posture and to look carefully at incident response planning. Such costs may seem an unwelcome burden ahead of any confirmed changes, but starting early spreads the inevitable administration and IT costs of responding to whatever changes come into effect.