Recent high-profile cyber attacks, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline and the July 2021 attack on the managed service provider Kaseya, demonstrate how malicious individuals and organisations can compromise a country’s national security and disrupt activities in the wider economy and society. Research by the Department for Digital, Culture, Media and Sport shows that only 12% of organisations review the cyber security risks coming from their immediate suppliers and only 5% address the vulnerabilities in their wider supply chain.
The Network and Information Systems Regulations SI 2018/506 came into force in 2018 with the aim of improving the cyber security of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure. Organisations which fail to put in place effective cyber security measures can be fined up to £17 million.
The NIS Regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. They are required to report significant incidents and to have plans in place to ensure that they recover from them quickly. While the Regulations already apply to some digital services, such as online marketplaces, online search engines and cloud computing, the use of and dependence on digital services for corporate needs such as information storage, data processing and running software has increased.
The government wants to update the NIS Regulations and widen the list of organisations in scope to include managed service providers which provide specialised online and digital services. Managed service providers include security services, workplace services and IT outsourcing. The government says that they are crucial to boosting the growth of the country’s £150.6 billion digital sector and have privileged access to their clients’ networks and systems.
Therefore, the government is consulting on proposals for new laws to improve the cyber resilience of organisations which are important to the UK economy. The consultation includes proposals to:
- Expand the scope of the NIS Regulations to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations.
- Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which have a negative effect on their services.
- Give the government the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing into scope in the future more organisations which provide critical support to essential services.
- Transfer all relevant costs incurred by regulators in enforcing the NIS Regulations from the taxpayer to the organisations covered by the legislation, to create a more flexible finance system and reduce the burden on taxpayers.
- Update the regulatory regime so that the most critical digital service providers in the economy have to demonstrate proactively to the ICO that they are following the NIS Regulations. A more light-touch approach will be taken with the remaining digital providers.
The government is also consulting on proposals to develop the cyber security profession and ensure the UK Cyber Security Council has the powers it needs. The consultation ends on 20 March 2022.