In the wake of several targeted supply chain cyber attacks, the UK's National Cyber Security Centre has called for new, more robust cyber security regulations for managed service providers (MSPs). Following an update to the Network and Information Systems (NIS) Regulations, MSPs will be required to meet a number of cyber security standards in addition to new incident reporting procedures.
Under the current legislation, incidents do not need to be reported unless they result in a significant data breach or interfere with critical systems, which would, in turn, affect a large number of people. The NCSC has argued, however, that these reporting thresholds have meant that despite cyber security incidents occurring across critical sectors such as Energy and Transport, not a single report has been made since their introduction. The new guidelines will significantly lower the reporting thresholds, requiring MSPs to follow a rapid response approach, mitigating the impact of future cyber security incidents.
Along with new reporting thresholds, MSPs must meet several minimum cyber security standards. While the specifics of these cyber security minimums have not been announced, these will be developed in close collaboration with the NCSC. MSPs who fail to comply with these regulations could be liable to a £17M fine and additional data breach fines from the ICO, in line with UK-GDPR compliance requirements.
The new measures are being introduced to address the growing number of cyber security incidents affecting UK organisations and mitigate their potential effects. In its 2022 Annual Review, the NCSC placed particular focus on the need to improve the cyber security posture of MSPs providing services to critical sectors, highlighting this year's ransomware attack on NHS supplier Advanced, which significantly impacted patient care across the UK.
According to this year's NCSC annual review, the increasing threat of supply-chain targeted attacks, the number of unreported security incidents and their threat to critical systems have all been significant factors in leading the NCSC to introduce these new cyber security standards. By introducing these measures, organisations across the UK can benefit from improved protection from future attacks and better resilience against increasingly sophisticated adversaries.
For MSPs in the UK, meeting the minimum cyber security standards will require a new proactive approach to cyber security, an increase in constant security monitoring and additional staff training. Rapid response to security incidents will need MSPs to have robust and up-to-date incident response plans, which should be regularly tested to ensure their continued efficiency.
In addition to these new security measures, MSPs must ensure that they are also compliant with UK-GDPR regulations, as data breaches can incur significant fines from the ICO.
Meeting these new regulations will undoubtedly place a new regulatory burden on MSPs across the UK. Still, by improving the cyber security posture of businesses, organisations large and small will be better protected from future attacks while strengthening the security of the UK supply chain as a whole.
While details of the new security measures are yet to be published, we already know that the new security reporting requirements will require MSPs to implement rapid incident response protocols, including incident response plans, constant security monitoring, and training. MSPs already compliant with the UK-GDPR will be familiar with the rapid response process, where data breaches must be reported to the ICO within 72 hours of discovery. MSPs who have not taken care of their compliance can be liable for additional fines of up to £17.5M or 4% of annual turnover.
In conclusion, the new regulations will undoubtedly bring about a change in the way MSPs across the UK approach cyber security. By doing so, organisations will benefit from improved protection and resilience against cyber threats and better protection of the UK supply chain.
Through our NCSC-affiliated, all-in-one platform, we're helping MSPs easily take care of new regulatory requirements, monitor their systems for potential threats and ensure that they comply with all relevant UK-GDPR requirements. All while paying 90% less than what they'd pay a consultant. Book a demo to find out how.