Strict cyber-security laws proposed for firms that provide ‘essential services’
The government has proposed introducing new laws to ensure that firms who provide essential digital services follow strict cyber-security duties, with large fines for non-compliance.
The proposal from the Department for Digital, Culture, Media & Sport (DCMS) also includes other measures, such as improved incident reporting and additional powers for the UK Cyber Security Council, which regulates the cyber-security profession.
Those powers would allow the council to create a set of agreed qualifications and certifications, so that those working in cyber security can prove they are properly equipped to protect businesses online.
The plans follow recent high-profile cyber incidents such as the cyber attack on SolarWinds and on Microsoft Exchange Servers, which showed vulnerabilities in the third-party products and services that businesses rely on.
“Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” digital infrastructure minister Julia Lopez said.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cyber security of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure. Organisations which fail to put in place effective cyber-security measures can be fined as much as £17m.
The government now wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs) which provide specialised online and digital services. MSPs include security services, workplace services and IT outsourcing, which often have privileged access to their clients’ networks and systems.
The NIS regulations require essential service providers to undertake risk assessments, put in place reasonable security measures to protect their network, and report significant incidents.
DCMS research shows only 12 per cent of organisations review the cyber-security risks coming from their immediate suppliers and only 5 per cent of firms address the vulnerabilities in their wider supply chain.
National Cyber Security Centre technical director Dr Ian Levy said: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber-security resilience.
“These measures will ensure that cyber-security risks are properly managed by organisations and those on whom they rely.”
Last year, Ireland’s health service was hit by a “very significant” ransomware attack, which caused major disruption after the service was forced to shut down its IT systems.