UK Government to Regulate MSPs in Fight Against Supply Chain Attacks

The UK government is to extend cybersecurity regulations to MSPs in a bid to counter supply chain attacks.

In May 2021 the UK government called for views on how to improve cybersecurity in supply chains and in MSPs. Then in November it announced that intervention would be required to address the problem. The government will publish the call for views later this year.

In the meantime, the government is to extend Network and Information Systems (NIS) regulations to include MSPs.

NIS regulations came into force in 2018 to improve the cybersecurity of companies which provide essential services such as water, energy, transport, health care and digital infrastructure. Organisations which fail to put in place effective cybersecurity measures can face fines as high as £17 million ($23 million).

The regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. They have to report significant incidents and have plans to ensure they quickly recover from them.

Regulations currently apply to some digital services such as online marketplaces, online search engines and cloud computing. However, there has been an increase in the use and dependence on digital services for providing corporate needs such as information storage, data processing and running software.

‘It’s Not an Optional Extra’

Research by the Department for Digital, Culture, Media and Sport (DCMS) shows only 12% of organisations review the cybersecurity risks coming from their immediate suppliers. Only one in 20 firms (5%) address the vulnerabilities in their wider supply chain.

Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said the plans will “help protect essential services and our wider economy from cyber threats.

Minister Julia Lopez

“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra,” she said.

Lawmakers are also proposing improvements in the way organisations report cybersecurity incidents. Additionally, they want reform legislation to be more flexible and react to the speed of technological change.

The plans follow recent high-profile cyber incidents such as the cyberattack on SolarWinds and on Microsoft Exchange Servers which showed vulnerabilities in the third-party products. They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the U.S.

UK MSPs and other cybersecurity professionals have roundly welcomed the proposals. Some have described them as “a wake-up call” for MSPs. Others have said it is an opportunity for firms to “practise what they preach.”

The cybersecurity channel sounds off in the slideshow above.