A busy week for cyber: new rules for digital service providers and supply chains?

Last week was a busy week for cyber. The Government published its response to both its call for views on the security of digital supply chains and to proposed changes to the NIS Regulations. In the same week, the NCSC published its annual report. Supply chain risk is a key issue for many organisations and featured in all three of them.

New rules for digital supply chains?

On 15 November, the government responded to its call for views on supply chain cyber security risk. The call for views sought feedback on:

• how organisations currently manage supply chain risk and what additional governmental support would enable them to do this more effectively: feedback confirmed that key barriers to effective supply chain cyber security risk management ranged from low recognition of the risk and limited visibility into supply chains, to insufficient tools to evaluate the risk and limitations on taking action due to structural imbalances. Many of the respondents also mentioned that they are currently using the NCSC Supply Chain Security Guidance and Supplier Assurance Questions; and
• a proposed framework for managed service provider (MSP) security: the respondents to the call for views highlighted the importance of MSPs, and a dependence on a group of the most critical MSPs which carry a level of risk that needs to be managed proactively. They also noted a difficulty in accessing information about MSP’s cyber security. The majority deemed the NCSC’s Cyber Assessment Framework principles to be applicable to the cyber resilience of MSPs, suggesting that these principles should be considered when establishing a security baseline or assurance framework in the future.

Respondents were also positive about other proposals, for example around education, certification and assurance marks, international engagement and minimum requirements in public procurement. The government confirmed that it will, as part of the upcoming National Cyber Strategy (expected later this year) continue working with industry to develop a set of policy solutions to increase cyber resilience of digital solutions, and its work will include “legislative work to ensure that [MSPs] undertake reasonable and proportionate cyber security measures.”

NIS update 

On 17 November, the government responded to its call for views on amending the Security of Network and Information Systems Regulations. The NIS Regulations impose security and incident notification obligations on operators of essential services or OES (in sectors such as health and energy) and relevant digital service providers or DSPs (online search engines, online marketplaces and cloud computing services). Currently the incident notification thresholds for OES are set by their respective sector regulators, where-as the thresholds for DSPs are set in the legislation. These DSP thresholds are no longer fit-for-purpose. They were set at a level deemed appropriate for the EU market and are not suitable, post-Brexit, given the smaller UK market. In July, the Government published a call for views on its proposal to move the reporting thresholds for DSPs from legislation to ICO guidance (the ICO being the relevant regulator in this space). Responses to the proposal were generally positive, or neutral, and the Government confirmed that it “strongly believes the proposed changes… will maintain and enhance the effectiveness of NIS legislation in protecting the security of network and information systems for digital service providers.” It will publish next steps “in due course.” While this development is obviously DSP focussed, it is of interest to all organisation who use their services.

NCSC Annual Review 

Finally, on 17 November the NCSC launched its fifth annual review. It highlighted work the NCSC had done linked to the pandemic, given the health sector focus of many attacks, and highlighted ransomware and supply chain as two major cyber risks currently facing organisations. NCSC CEO Lindy Cameron described ransomware as “the most immediate cyber security threat to UK businesses and one that …. should be higher on the boardroom agenda.” The review also discussed the resources offered by the NCSC and the support it has given to 777 significant incidents (up from 723 the previous year).