UK introducing mandatory cyber incident reporting for managed service providers
The British government is introducing a new mandatory reporting obligation on managed service providers (MSPs) to disclose cyber incidents, alongside minimum security requirements which could see MSPs fined up to £17 million ($20 million) for non-compliance.
The government said on Wednesday that MSPs “play a central role in supporting the UK economy” and warned they are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.” MSPs are paid to manage IT infrastructure and provide support, often to smaller businesses that don't have a designated IT department.
Financially motivated ransomware attacks have hit MSPs such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter severely affecting patient care, according to BBC News.
The Record reported earlier this month on how the ransomware incident affecting Advanced prompted the government to hold several Cabinet Office Briefing Rooms (COBR) crisis management meetings.
State-sponsored actors have also targeted MSPs, according to the National Cyber Security Centre (NCSC), which in 2018 attributed a global espionage campaign known as "Cloud Hopper" to the Chinese Ministry of State Security.
The new obligations on these providers will be introduced through an update to the Network and Information Systems (NIS) Regulations which in their current form require essential services such as water, energy and transport to uphold security standards and notify national authorities about incidents.
The existing reporting requirements are also going to be updated. Their effectiveness has been criticized following reporting which revealed that, despite numerous security breaches affecting both the energy and transport sectors, no incidents have ever met the actual thresholds for being disclosed to the government.
The existing notification thresholds are based on whether an incident affects the actual service the organizations provide; for instance, whether at least 50,000 customers went without electricity supply for more than three minutes. However, they do not account for the risks that activity exploiting a network can pose before it turns into a disruptive attack.
Essential services will now need to notify regulators “of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption,” the government announced on Wednesday. The new thresholds have not yet been disclosed — they will be set by the sector-specific regulators in collaboration with the NCSC.
Julia Lopez, the U.K.'s cyber minister — a junior portfolio at the Department for Digital, Culture, Media and Sport (DCMS) — said: “The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states,” and added that the new laws would “better protect our essential and digital services and the outsourced IT providers which keep them running.”
The NCSC’s Paul Maddinson, director of National Resilience and Strategy, added: “I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security. These measures will increase the resilience of the country’s essential services — and their managed service providers — on which we all rely.”
The announcement was made as the government published its response to a public consultation on amending the NIS Regulations. The government said the overall response was “positive,” with the notable exception of its “cost recovery” proposals.
In its press release on Wednesday the government said it is “able to change the NIS regulations, which were originally derived from the EU’s NIS directive, because the UK has left the EU and can update these laws to better fit the country’s cyber security needs.”
However, some of the British government’s changes, particularly extending the remit of the regulations to include MSPs, have already been introduced in the European Union’s own update to the NIS Directive, known as NIS 2.
The EU’s NIS 2 will enter into force twenty days after it is published in the Official Journal of the European Union, which is expected this week. As it is a directive, member states will then have 21 months to write their own legislation reflecting it, meaning national implementation is not expected until the end of 2024 at the earliest.
The British update to the NIS Regulations (2018) would be introduced “as soon as parliamentary time allows,” according to the government.
The most obvious difference between the British and European approaches appears to be that the bloc’s NIS directives prohibit regulators from recovering the costs of enforcement activities, meaning the legislation places the financial burden of enforcement on member states.
The majority of respondents to the U.K.’s public consultation disagreed that the current rules, which allow the sector-specific authorities to invoice specific companies to pay "the reasonable costs" of audits or inspections, needed to be changed.
However, the government said that in its view “in general the cost burden of regulation should fall on the regulated, not the general taxpayer. Therefore we need a cost recovery scheme for NIS that reduces the burden on the taxpayer.”
It added: “Moving forward, the government will work with the regulators to ensure that their cost recovery mechanisms take into account the feedback effectively, remain transparent, appropriate, and proportionate.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.