As part of the UK government’s efforts to update the country’s cybersecurity laws, a new proposal would bring managed service providers under the existing cybersecurity regime.
The UK government has published proposals to strengthen the Network and Information Systems (NIS) Regulations and raise the security standards in outsourced IT services.
The proposals would require essential digital service providers to follow strict cybersecurity duties, and they also cover improved incident reporting and measures to drive up standards in the cybersecurity profession.
As part of the proposals, the government would extend the NIS Regulations to managed service providers, which include firms that provide specialised online and digital services, such as remote security operations, AI services, digital accounts and billing, or business process outsourcing, such as front office/back office.
Although the proposal does not single them out, managed services are a prominent feature of the UK payments landscape.
The critical national infrastructure at the heart of the country’s payments system is operated through managed service agreements. For example, Vocalink provides a managed service to process transactions on behalf of Bacs and Faster Payments, the country’s two main retail interbank payment schemes. Vocalink also provides a managed service to Bankgirot in Sweden to process its direct debits.
However, given the high levels of security and regulatory scrutiny that these services already operate under, it is unlikely that these types of payment arrangements are the target of the new proposals. Nevertheless, the proposals could have an impact on other payment-related services elsewhere in the value chain.
In addition, the new regulations would require large companies to provide better cyber incident reporting to regulators, including a requirement to notify regulators of all cybersecurity attacks they suffer, not just those which affect their services.
The proposals also include plans to establish a two-tier supervisory regime for digital service providers. This would involve a proactive, or ex-ante, supervisory regime for the most critical digital services and a reactive, or ex-post, supervisory regime for the remaining digital services regulated under the NIS Regulations.
The proposed new legislation, which is part of the government’s new £2.6bn National Cyber Strategy, follows recent high-profile cyber-attacks that shed light on the vulnerabilities in businesses’ digital supply chains.
In December 2020, hackers compromised the SolarWinds supply chain, while the May 2021 ransomware attack on Colonial Pipeline paralysed the United States for days.
In July 2021, managed service provider Kaseya was subject to an attack that led to widespread downtime for more than 1,000 companies.
“What was not recognised until recently was that having companies with the ability to automatically access the networks of thousands of other companies would create a unique security threat. One that can, and has, been exploited by our adversaries,” said Julia Lopez MP, minister of state for media, data, and digital infrastructure.
The consultation document underscores that cybersecurity risks are passed through supply chains, which can “result in seemingly small players in a supply chain introducing disproportionately high levels of cybersecurity risk”.
The proposals now aim to address this gap by bringing digital managed services into the scope of the NIS Regulations.
They also propose to create new delegated powers that enable the government to update the regulations, to create a new power to bring certain organisations within the remit of the NIS Regulations, and to strengthen existing incident reporting duties, currently limited to incidents that have an impact on service, so that they also cover other significant incidents.
Finally, the proposal extends the existing cost recovery provisions to allow regulators to recover the entirety of reasonable implementation costs from the companies that they regulate.
The consultation on the proposal for legislation to improve the UK’s cyber resilience runs until April 10, while interested parties can submit comments on the separate proposal on embedding standards and pathways across the cyber profession by 2025 until March 20.