The government has proposed imposing stricter cybersecurity regulation on firms providing outsourced IT services.
A consultation process was launched last week to gather feedback on a range of proposed measures the government believes could “improve the UK’s cyber resilience”.
The first core proposal is to expand the scope of the Network and Information Systems regulation introduced in 2018. The legislation sets out the cybersecurity and data-protection obligations of firms that provide cloud hosting or online services, such as search engines and marketplaces.
Firms found to have breached their NIS duties can be fined up to £17m.
The government plans to extend the rules to cover companies that provide IT outsourcing and managed services to private- and public-sector customers. This would mean many companies delivering billions of pounds’ worth of technology and business-process services to government would face new obligations to implement risk-assessment and governance procedures. Firms would also be asked to demonstrate that they had “put in place reasonable and proportionate security measures to protect their network”.
The plans call for all cyberattacks – and not just those that cause service disruption – to be promptly reported to the relevant regulators. IT providers would further be required to provide details of “plans to ensure they quickly recover from them”.
The costs incurred by regulators in enforcing the NIS guidelines, meanwhile, would be met entirely by firms in scope of the rules – rather than the taxpayer, the government has proposed.
The second central proposal is intended to “give the government the ability to future-proof the NIS regulations by updating them and, if necessary, bring into scope more organisations in the future which provide critical support to essential services”.
The third proposal, which is the subject of its own discrete consultation process, is to create and implement industry-wide “standards and pathways” for cyber companies and professionals.
Introducing the proposals, Julia Lopez, the minister for media, data and digital infrastructure, pointed to the impact of cyberattacks perpetrated against software firm SolarWinds and the US Colonial oil pipeline.
“Five years ago, few people outside of the tech industry had heard of managed service providers. Cloud was the big thing that was going to change the world – and many argue it has already,” she said. “But managed services such as remote security operations, automatic patching, and digital accounts and billing were considered mainly as corporate benefits, a means to improve services and reduce costs. What was not recognised until recently was that having companies with the ability to automatically access the networks of thousands of other companies would create a unique security threat. One that can, and has, been exploited by our adversaries. Rather than having to exploit vulnerabilities in thousands of companies, the threat can manifest itself only through a small proportion of those organisations.”
She added: “These companies provide an essential service to other businesses and organisations. They allow other companies to thrive and are helping the UK develop its digital economy. We do not want to interfere in their ability to operate. But they do create risks which we need to manage, especially when their clients include government departments and critical infrastructure. Our proposals here are aimed at addressing these risks, whilst allowing these services to continue and succeed. Through these proposals, we will provide a comprehensive framework to ensure that managed services, of the kind mentioned above, take appropriate and proportionate measures to secure their services. This will allow us to gain from their benefits, whilst mitigating against their risks.”
The consultation on standards for the cybersecurity profession is open until 20 March, while the consultation on expansion of the NIS runs until 10 April.