Government proposes tougher cyber laws for IT outsourcers

Written by Sam Trendall on 24 January 2022 in News
News

Consultation launched on possible expansion of NIS regulations

Credit: Nick Youngson/CC BY-SA 3.0

The government has proposed imposing stricter cybersecurity regulation on firms providing outsourced IT services.

A consultation process was launched last week to gather feedback on a range of proposed measures the government believes could “improve the UK’s cyber resilience”.

The first core proposal is to expand the scope of the Network and Information Systems regulation introduced in 2018. The legislation sets out the cybersecurity and data-protection obligations of firms that provide cloud hosting or online services, such as search engines and marketplaces.

Firms found to have breached their NIS duties can be fined up to £17m.

The government plans to extend the rules to cover companies that provide IT outsourcing and managed services to private- and public-sector customers. This would mean many companies delivering billions of pounds’ worth of technology and business-process services to government would face new obligations to implement risk-assessment and governance procedures. Firms would also be asked to demonstrate that they had “put in place reasonable and proportionate security measures to protect their network”.

The plans call for all cyberattacks – and not just those that cause service disruption – to be promptly reported to the relevant regulators. IT providers would further be required to provide details of “plans to ensure they quickly recover from them”.


Related content


The costs incurred by regulators in enforcing the NIS guidelines, meanwhile, would be met entirely by firms in scope of the rules – rather than the taxpayer, the government has proposed.

The second central proposal is intended to “give the government the ability to future-proof the NIS regulations by updating them and, if necessary, bring into scope more organisations in the future which provide critical support to essential services”.

The third proposal, which is the subject of its own discrete consultation process, is to create and implement industry-wide “standards and pathways” for cyber companies and professionals.

Introducing the proposals, Julia Lopez, the minister for media, data and digital infrastructure, pointed to the impact on cyberattacks perpetrated against software firm SolarWinds and the US Colonial oil pipeline.

“Five years ago, few people outside of the tech industry had heard of managed service providers. Cloud was the big thing that was going to change the world – and many argue it has already,” she said. But managed services such as remote security operations, automatic patching, and digital accounts and billing were considered mainly as corporate benefits, a means to improve services and reduce costs. What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat. One that can, and has, been exploited by our adversaries. Rather than having to exploit vulnerabilities in thousands of companies, the threat can manifest itself only through a small proportion of those organisations.”

She added: “These companies provide an essential service to other businesses and organisations. They allow other companies to thrive and are helping the UK develop its digital economy. We do not want to interfere in their ability to operate. But they do create risks which we need to manage, especially when their clients include government departments and critical infrastructure. Our proposals here are aimed at addressing these risks, whilst allowing these services to continue and succeed. Through these proposals, we will provide a comprehensive framework to ensure that managed services, of the kind mentioned above, take appropriate and proportionate measures to secure their services. This will allow us to gain from their benefits, whilst mitigating against their risks.”

The consultation on standards for the cybersecurity profession is open until 20 March, while the consultation on expansion of the NIS runs until 10 April. 

 

About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.

Share this page

Tags

Categories

CONTRIBUTIONS FROM READERS

Please login to post a comment or register for a free account.

Related Articles

Ransomware: Cabinet minister sounds alarm over ‘greatest cyberthreat to the UK’
16 May 2022

Steve Barclay urges greater reporting of attacks

Rees-Mogg cites potential of ‘automation and tech’ as plans are unveiled to axe 91,000 officials
16 May 2022

Union chief criticises as ‘reckless’ ministers’ intention to return Whitehall headcount to 2016 levels

Insolvency Service plans to close half its offices and reinvest £20m savings in online services
13 May 2022

Unions warn that restructure could imperil up to 300 jobs

Supercharged: Inside the ONS plan to become a data-science 'powerhouse'
12 May 2022

Five years after being established, the Data Science Campus of the ONS wants to do more to help address government's biggest policy issues – while still retaining its innovative edge. ...