The government’s ambition to increase cyber security resilience across supply chains could expose some managed service providers (MSPs) to business-ending fines.
The prospect of MSPs falling foul of changes in the law have led to some in the industry raising the alarm to get the prospect of fines onto MSPs’ radar before they get caught out.
This process started last year with the Department for Digital, Culture, Media and Sport (DCMS) asking MSPs to take part in a consultation about improving security, before coming to conclusions that settled on the idea that there needed to be a robust structure in place to ensure that happened.
Plans to update the Network and Information Systems (NIS) regulations that were first introduced in 2018 are being proposed and a consultation on that option has begun, which includes a threat to fine organisations that fail to put in place effective security measures, with fines that could reach £17m.
NIS regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their network – and the scope of the regulations would be extended to cover MSPs.
“Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” said Julia Lopez, minister of state for media, data and digital infrastructure.
“The plans we are announcing will help to protect essential services and our wider economy from cyber threats. Every UK organisation must take its cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
But for MSPs that fail to secure their operations and expose customers to risks such as ransomware, the penalties could be substantial and that has caused concern in the channel.
“Some managed services providers will be daunted by the prospect of having to comply with the same security requirements as operators of essential services, as well as facing potential fines of up to £17m for serious cyber incidents,” said Bruce Hockin, channel sales director, northern Europe at Picus Security.
“Over recent years, we have seen multiple examples of MSPs targeted by threat actors and the impact that large supply chain attacks such as Kaseya and Blackbauld can have. The majority of MSPs priotise security highly. However, this news may be a wake-up call to the ones that don’t to invest in the resources they need to better protect themselves and their clients.”
Oliver Pinson-Roxburgh, CEO at Defense.com, welcomed attempts to improve cyber resilience and urged MSPs to take note of what was being proposed and take steps to put themselves on the right side of any changes.
“The prospect of these new laws should be a call to action for MSPs right away,” he said. “These firms play a vital role in the nation’s critical infrastructure and have a responsibility to deliver a universal, end-to-end approach to cyber security.”
Pinson-Roxburgh highlighted some of the actions that could be taken, including adhering to standards such as ISO 27001, to establish a culture of security across businesses.
“The time to act is now – not when this legislation eventually arrives,” he said. “At a time when clients are hyper-vigilant on the risks and cost of a cyber attack on their business, MSPs that fail to step up and deliver an all-encompassing approach to cyber security will quickly see customers vote with their feet – and turn to providers that do.”
Government plans to update the NIS regulations include these proposals:
- To expand the scope of the regulations to include managed services.
- To require large companies to provide better cyber incident reporting to regulators.
- To make the most critical digital service providers demonstrate proactively that they are following NIS regulations.
Vadim Solovey, CTO of MSP DoiT International, said his company was already following that type of approach and there were benefits from being able to demonstrate high levels of security.
“As an MSP, we regularly undertake rigorous independent audits and certify our compliance with the highest industry standards, including ISO 27001, SOC 2 and SOC 3,” he said. “This ensures that our systems and processes are secure and robust enough to give our colleagues and customers the confidence and trust that allows us to do our best possible work.
“With critical infrastructure seeing a marked rise in cyber attacks, it is paramount that the organisations delivering services to that market don’t introduce additional risks and vulnerabilities. While the regulatory update may introduce additional costs and administrative burden, the net result is a more secure ecosystem and peace of mind that our critical systems are safe – which benefits everyone.”
Another strand of the NIS updating consultation process was for the DCMS to acknowledge that it needed to be easier to recognise those with cyber security skills and to encourage others to follow and gain expertise.
A recognition of that problem was welcomed by some in the channel, who saw it as an important step in improving overall levels of security awareness across the economy.
Chris Greenwood, UK director at NetApp, said that improving the skills of staff within organisations was vital to ensuring that the potential of digital technology could be fully unlocked.
“Education and empowerment will be the true determining success factors in a data-literate world,” he said. “So, upskilling staff with training that is baked into learning and development initiatives is key and must never become a tick-box exercise.
“As the digital and data landscape continues to evolve, with no endgame in sight, the ability of employees must also evolve to equip them with the knowhow and confidence to remain ahead of the curve and seize the opportunities that can be found in data.”
Linking it back to the threat of fines for MSPs that fail to comply with more robust NIS regulations, Hockin said it made sense to improve skills, along with threatening to punish those that failed to protect data.
“It’s good to see that the government is also thinking about how it can improve cyber security skills in the UK,” he added. “One could argue there’s no point in tightening the regulations if there are not enough skilled professionals to deliver any improvements that are needed.”