From reports of cyber attacks at the UK’s Foreign Office and European oil facilities to crisp shortages caused by a ransomware attack at KP Snacks, cyber is again hitting the headlines. It is no surprise then that the government has recently said in its 2022 cyber security incentives and regulation review that its current approach to managing the UK’s cyber risk is ‘not delivering the requisite change at sufficient pace and scale’ and it needs to be more ‘proactive and interventionist.’
In fact, we’ve already seen evidence of this new proactive approach. On 19th January the government published proposals for legislation to improve the UK’s cyber resilience which could bring new rules into play for supply chains (managed service providers and suppliers in critical sectors in particular), and change incident reporting and funding for the UK’s Network and Information Systems (NIS) regime. The plans include:
- Managed service providers: expanding the scope of ‘digital services’ regulated under the NIS regime to cover managed service providers. There would be a two-tier supervisory regime for all digital service providers: a new proactive (ex-ante) supervision tier for the most critical providers, alongside the existing reactive supervision tier for all others. The lighter-touch regime for digital service providers introduced by the original NIS regime did not envisage the recent pace of digitisation and does not therefore reflect how critical many of these services are today;
- Critical suppliers: creating a new power to bring additional organisations within the NIS regime where they supply certain critical services to entities already in scope. The government would be able to designate such entities as ‘critical dependencies’, which would mean they would have to comply with the same obligations (security, incident reporting etc.) as the operators of essential services to whom they supply services;
- New powers, new sectors: creating new delegated powers to enable the government to update (they say ‘future proof’) the regulations, with appropriate safeguards. This could include bringing new sectors in scope in the future – the consultation suggests a wide range of possible examples (for ‘illustrative’ purposes only) ranging from data centres and the manufacturing of pharmaceuticals to construction and education;
- Incident reporting: strengthening existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents. The consultation notes, for example, that few ransomware and other cyber incidents have been reported under the NIS regime to-date, presumably as they did not impact the provision of the essential (or digital) service. However "it is imperative that such significant incidents are reported", particularly as they often leave operators vulnerable to follow-up attacks; and
- Funding: extending the existing cost recovery provisions to allow regulators (for example, the ICO, Ofcom and Ofgem) to recover their reasonable implementation costs from the companies that they regulate.
From the plans mentioned above, the move to bring more digital service providers into the scope of the NIS regime has made many of the headlines. The proposals are unsurprising, given recent high profile cyber attacks targeting managed service providers to gain access to their clients at scale. Recent supply chain consultations (see my earlier blog) also highlighted how reliant organisations are on managed services and how difficult it can be, as a customer, to demand increased security measures from large suppliers. Bringing them into the NIS regime would, the government argues, provide a baseline for expected cyber security provisions - they would need to have appropriate and proportionate security measures in place. It would also allow them to be regulated by the ICO as a relevant digital service provider, alongside the online search engines, online marketplaces and cloud computing service providers currently in scope.
However, the consultation also highlights that there are some difficult decisions to be made when agreeing the detail of how this will work. For example, the government acknowledges that the definition of managed services will be a difficult one to get right. The proposals capture a broad range of B2B services – a non-exhaustive list is set out in Annex 1 of the consultation and examples given include security monitoring, managed network services and the outsourcing of IT or business processes – but it also discusses possibly narrowing this scope.
Of interest to those organisations that engage, rather than are, managed service providers, the consultation also recognises that co-operation between managed service providers and their customers is needed to effectively manage shared cyber risks. To do this, customers need sufficient information to make informed business, and risk, decisions about their suppliers. The government is therefore also considering (alongside this proposal) whether further guidance on supplier-customer cyber resilience cooperation is needed, particularly for those critical providers who will be covered by the proactive regime.
Note: the consultation closes on 10 April 2022.