Managed service providers (MSPs) in the UK will soon be subject to the terms of updated cybersecurity laws, as the UK government continues to update the Network and Information Systems (NIS) Regulations in the wake of its split from the EU.
MSPs will be brought under the same regulations that govern essential services, such as critical infrastructure and health care. The move stems in large part from an increasing focus on MSPs by the most advanced nation-state security actors, who often see them as the weakest or quickest link into government agencies or private industry espionage targets.
The NIS Regulations, which already subject energy and water companies to stronger security and incident-reporting standards, will be extended to cover the UK's MSPs. The current Regulations were put in place in 2018 to transpose the EU's NIS Directive, and the government is now revising them as domestic law.
A string of serious attacks on MSPs no doubt prompted this revision, dating back to the "Operation Cloud Hopper" campaign of 2014 to 2017, in which attackers used MSPs as a stepping stone into customer networks around the world. That campaign was attributed to state-backed threat actors in China; Russian state-backed groups were blamed for the 2020 SolarWinds supply-chain compromise. Criminal groups are also interested in MSPs: the REvil ransomware gang was responsible for the 2021 attack on Kaseya, whose remote-management software was used to push ransomware to MSPs' downstream customers.
The new cybersecurity laws are not immediate, as further parliamentary procedure is needed to put them in place, and it is widely expected that companies newly subject to the rules will be given some sort of grace period in which to make the necessary changes. The situations in which reporting is required will be expanded for these companies, which already include cloud service providers and search engines. Some companies may also be required to report to regulatory bodies to which they did not report before. And the revised rules leave open the possibility that more industries will be brought into scope in the future.
Existing NIS regulations provide for fines of up to £17m for violations.
MSPs have privileged access to potentially thousands of client networks, which sometimes include government agencies and providers of critical infrastructure and services. That’s the rationale that will now put them among the more highly regulated industries in terms of cybersecurity laws.
The new reporting requirements put a great deal of focus on potential disruptions, not just for MSPs but for all covered industries. The requirements are not merely reactive, setting time windows in which covered entities must report breaches and incidents after they happen; they are also proactive, requiring the reporting of incidents that could cause a breach or a service outage even if no such impact has yet materialised. Notification of such incidents is currently triggered by a threshold of affected customers or data subjects, something that looks likely to change during this review period.
The new cybersecurity laws also appear to change how financial penalties are calculated, promising a new "cost recovery system" that is more transparent and takes into account factors such as company size and the burden that a penalty would put on the organisation. This would appear to give the ICO more flexibility in tailoring penalties to the actual damage or actual risk in each case.
MSPs have become a priority target in the UK in part simply because most organisations now use them. They are particularly important to small and medium-sized enterprises (SMEs), with some fairly recent surveys finding that 83% use an MSP in some capacity. However, the businesses that are holdouts overwhelmingly cite a lack of trust in how their data would be handled as the main reason they will not engage an MSP. The new cybersecurity laws could force some improvement in this area.
But even as both adoption of MSPs and targeting by advanced attackers have grown, UK MSPs have struggled to keep up with modern security needs. A survey from earlier in the year found that 80% had seen customers suffer cyber attacks, and that the majority did not feel confident in their ability to fend off attacks. The impact on the market will thus be interesting, particularly if MSPs are not given much time to meet the regulatory bar. But although these companies may have their own struggles with cybersecurity, they are vital to smaller businesses that simply do not have the IT resources to handle their own security.
The vast majority of SMEs said that they would be willing to switch MSPs to find one that offers satisfactory security, which could lead to consolidation in the market as those already best positioned to perform and meet regulatory requirements collect business. Alternatively, MSPs might splinter into businesses focused on one individual need rather than the "one-stop shops" they currently tend to market themselves as.
But Oz Alashe MBE, CEO of CybSafe, cautions against any organisation viewing its MSP as a lone security silver bullet: "Requiring outsourced IT providers to meet minimum security standards is undoubtedly a legislative step in the right direction. Businesses have a responsibility to protect both themselves and their consumers, and we should expect no different from third parties. Regulations, however, can only go so far in protecting data from cyber criminals. The public and private sectors need to work together to ensure organisations are treating cyber security as a business priority. Cyber attacks are not just more frequent; they are also increasingly complex. Therefore, businesses need to begin treating a positive cyber security culture as an active core value. We need to focus on measuring and changing specific security behaviours, not just ticking boxes on a risk register. While this move from the government is positive, there is much left to be done."