Government Says Managed Service Providers Need More Regulation

The British government pledged to introduce stricter rules surrounding incident reporting and supply chain vulnerability patching through legislation it first previewed after coming into power in July 2024.
A preview of the Cyber Security and Resilience Bill published Tuesday includes proposals to enhance the powers of the Information Commissioner’s Office and a “two-stage reporting structure.” This would require organizations to report cyber incidents causing significant disruption within 24 hours of detection and to file a full incident report with the National Cyber Security Centre within 72 hours. The outcome of the government’s ongoing consultation on ransomware incident reporting will also be factored into the final bill (see: Under Discussion: UK Mandatory Ransomware Incident Reporting).
Existing statute requires victims to disclose hacks to the Information Commissioner’s Office within 72 hours, but only if the incident resulted in the leak of personal data.
“At the core of our proposals is this government’s number one mission: economic growth. By securing the digital infrastructure upon which a growing number of our businesses depend, we can deliver the stability they need to innovate and invest,” Tech Secretary Peter Kyle said.
The proposed Cyber Security and Resilience Bill will also bring under its scope around 900 to 1,100 managed service providers who have access to clients’ IT systems, networks, infrastructure and data. The government said it will introduce more cyber hygiene requirements for essential and digital service supply chain entities.
Through the measures, the government intends to “reduce the threat of significant disruptions to critical services” to regulated critical infrastructure entities.
“Supply chain attacks have been increasing over the last 10 years; therefore, having a bigger focus on the supply chain is a positive move for U.K. CNI. Increasing incident reporting requirements will also improve our visibility and intelligence of cyberattacks across the U.K.,” said Anthony Young, CEO of British cybersecurity firm Bridewell.
Given that IT providers are already required to comply with several cyber regulations, such as the Bank of England’s critical third party regime and the European Union’s Network and Information Security Directive, the success of the U.K. bill will depend on setting clear expectations, said David Ferbrache, managing director of Beyond Blue.
“I also welcome actions to streamline reporting – there is a proliferation in incident reporting requirements for major firms with diverse requirements and reporting channels – simplifying and removing duplication is essential,” he said.