UK Government to Regulate MSPs in Fight Against Supply Chain Attacks
MSPs will be treated like essential service providers and could face millions in fines if they don’t comply with regulations.
![Government Regulation Government Regulation](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blte1949c4aa94acc22/65243838cee0134be4673a83/Government-Regulation.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Scott Nicholson, co-CEO, Bridewell Consulting, said he welcomed the proposed improvements to the regulation.
“In particular, bringing MSPs into scope of the regulatory framework, given the substantial risk they can pose to the UK’s critical national infrastructure,” he said.
Nicholson added that MSPs often deliver complex activities that require high levels of access. However, “this has long been a risk that is either misunderstood or under-regulated.
“It’s clear that the scale of the infrastructure and services that require protection is huge and something that is no small task when security has not always been inherent in the design,” he said.
Nicholson noted that many organisations have different perceptions of the level of risk posed by MSPs.
“But the proposed changes will take that decision making away from each Operator of Essential Service (OES). [It will] ensure all MSPs have an appropriate cybersecurity control in place to reduce the risk of compromising their customers,” he said.
“Given the major acquisition and consolidation we have seen over the years, these changes will add to the complexity of the work MSPs need to undertake. Many will be looking for support from trusted cybersecurity partners to help,” Nicholson added.
Bill Conner, president and CEO of SonicWall, said the proposed regulations acknowledge “that there is an important government role when it comes to protecting businesses against today’s most sophisticated threats.
“The proposed legislation reflects the vital reality that we must think differently about public and private sector partnerships, or else we will continue to risk compromising the security of UK businesses and citizens,” he said.
Alan Calder is CEO of GRC International Group, which provides IT governance, risk management and compliance solutions.
He also welcomes the idea of extending the definition of critical national infrastructure to include MSPs.
“MSPs are critical to the cyber health of so many SMEs. It, of course, makes sense that they should set the example in terms of practicing good cyber hygiene, managing cyber risk and helping their clients do that,” said Calder.
Stewart Parkin is technical operations director at MSP Assured Data Protection.
“We see it as a positive step in the right direction to ensure that all industries, including MSPs, are protecting themselves and the wider supply chain from these threats,” said Parkin.
He noted the ever-increasing rise in outsourced and third-party technologies being used within an organisation’s infrastructure.
“It’s vital that MSPs are practising what they very often preach to their customers, and if they aren’t, then they should be held to account,” he said.
Bruce Hockin is channel sales director, Northern Europe at Picus Security. He said some MSPs will be daunted by the prospect of having to comply with the same security requirements as operators of essential services. In addition, they face potential fines of up to £17 million for serious cyber incidents.
“Over recent years, we have seen multiple examples of MSPs targeted by threat actors and the impact that large supply chain attacks such as Kaseya and Blackbaud can have.
“The majority of MSPs prioritize security highly,” said Hockin. “However, this news may be a wake-up call to the ones that don’t to invest in the resources they need to better protect themselves and their clients.
“It’s good to see that the government is also thinking about how it can improve cybersecurity skills in the UK,” he added. “One could argue there’s no point in tightening the regulations if there are not enough skilled professionals to deliver any improvements that are needed!”
The UK government is to extend cybersecurity regulations to MSPs in a bid to counter supply chain attacks.
In May 2021 the UK government called for views on how to improve cybersecurity in supply chains and in MSPs. Then in November it announced that intervention would be required to address the problem. The government will publish the call for views later this year.
In the meantime, the government is to extend Network and Information Systems (NIS) regulations to include MSPs.
NIS regulations came into force in 2018 to improve the cybersecurity of companies which provide essential services such as water, energy, transport, health care and digital infrastructure. Organisations which fail to put in place effective cybersecurity measures can face fines as high as £17 million ($23 million).
The regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. They have to report significant incidents and have plans to ensure they quickly recover from them.
Regulations currently apply to some digital services such as online marketplaces, online search engines and cloud computing. However, there has been an increase in the use of, and dependence on, digital services for providing corporate needs such as information storage, data processing and running software.
‘It’s Not an Optional Extra’
Research by the Department for Digital, Culture, Media and Sport (DCMS) shows only 12% of organisations review the cybersecurity risks coming from their immediate suppliers. Only one in 20 firms (5%) address the vulnerabilities in their wider supply chain.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said the plans will “help protect essential services and our wider economy from cyber threats.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra,” she said.
Lawmakers are also proposing improvements in the way organisations report cybersecurity incidents. Additionally, they want reform legislation to be more flexible and react to the speed of technological change.
The plans follow recent high-profile cyber incidents such as the cyberattack on SolarWinds and on Microsoft Exchange Servers, which exposed vulnerabilities in third-party products. They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure, such as the Colonial Pipeline attack in the U.S.
UK MSPs and other cybersecurity professionals have roundly welcomed the proposals. Some have described them as “a wake-up call” for MSPs. Others have said it is an opportunity for firms to “practise what they preach.”
The cybersecurity channel sounds off in the slideshow above.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Christine Horton or connect with her on LinkedIn.