On 30 November 2022, the UK government announced that Managed Service Providers (“MSP”) will be brought within the scope of the Network and Information Systems (“NIS”) Regulations designed to boost the UK’s cyber resilience against online attacks.
By Eleanor Ludlam and Jonathan Hopkins
Published 13 December 2022
Many organisations outsource the management of their IT infrastructure to MSPs. An MSP may manage an organisation’s networks, applications, ongoing help-desk service, data storage, security and monitoring services, and more. Consequently, the very nature of MSPs means that a ransomware attack on an MSP can have far-reaching consequences: data belonging to a number of organisations may be encrypted and/or exfiltrated in a single attack. In addition, because an MSP holds privileged access to its customers’ environments, there is a clear risk that an attack will permeate multiple IT ecosystems.
In August 2022, Advanced, which is an MSP, was targeted by LockBit 3.0 ransomware, which led to an outage of NHS 111 and disruption to as many as 16 organisations that use Advanced to support their health and care platforms.[1] Advanced will likely be dealing with the repercussions of the attack for a long time.
On 19 January 2022, the government published a call for views on amending NIS, in line with its recommendation to expand the scope of digital services regulated under the NIS Regulations to include “managed services”.
NIS came into force in the UK on 10 May 2018. It is designed to address threats posed to network and information systems and, in doing so, to improve and protect the functioning of the digital economy. Although NIS concerns itself primarily with cybersecurity measures, it also covers physical and environmental factors.
NIS currently applies to two groups of organisations: (1) operators of essential services (“OES”) (transport, energy, water, health, and digital infrastructure sectors); and (2) digital service providers (“DSPs”) (online marketplaces, online search engines, and cloud computing services).
The Information Commissioner’s Office (“ICO”) is responsible for all regulatory oversight of DSPs’ compliance with NIS. The ICO has a number of powers, including enforcement notices, powers of inspection, and penalties. Failure to comply with the NIS Regulations could render an organisation liable to a fine of up to £17 million.
The government will now prioritise incorporation of MSPs within the remit of NIS. The aim is to capture a broad range of managed services defined by meeting all of the following characteristics:
The precise definition of MSP for the purpose of NIS is yet to be finalised and the government has acknowledged the fine balance it has to strike between a narrow definition, reducing the number of entities that ought to be regulated, against a broad definition which may inappropriately increase the regulatory burden.
The government is considering introducing further risk-based characteristics, such as whether the MSP:
The government’s proposal to bring MSPs within the remit of NIS is unsurprising. It is notable that 86% of those who responded to the consultation agreed that there are benefits to bringing MSPs within the remit of NIS. The announcement represents a positive step towards improving cybersecurity resilience in the UK by enforcing minimum security standards for MSPs and, in turn, reducing supply-chain cyber risk. Of course, implementing the proposals will not be a silver bullet against cyber-attacks, so organisations, MSPs or otherwise, will still need to adopt a robust cybersecurity framework.
Changes to NIS, however small, currently require primary legislation to be laid before Parliament (although note that the government has also proposed that delegated powers be written into the primary legislation to allow the scope of NIS to be amended in future without further primary legislation). The definition of MSP for the purpose of NIS will require careful consideration and will no doubt be the subject of an interesting debate.
[1] https://www.digitalhealth.net/2022/10/client-data-exfiltrated-advanced-nhs-cyber-attack/