The UK seeks to enforce tougher standards on MSPs

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. Their intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), more stringent breach notification requirements, and legislation to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcomed development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of several businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customer’s infrastructure and applications, but also to the personal data of millions of citizens. A single breach of a MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practises and weak security controls in MSPs can have dire consequences to national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape to better protect consumers by allowing them to respond quicker to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and development of effective risk responses leads to better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.