As the United Kingdom continues the process of reforming its cybersecurity laws post-Brexit, the country’s managed service providers (MSPs) are facing inclusion under the same terms that are applied to critical infrastructure companies and other highly sensitive business categories.
The updated Network and Information Systems (NIS) Regulations put a special focus on new and stronger cybersecurity laws for “essential services” companies, which also include health care and financial services. MSPs often have thousands of clients that span a broad variety of industries, and they are increasingly a target of primary interest for the world’s most advanced hackers.
UK MSPs face new reporting requirements, fine structures
MSPs are looking at expanded reporting requirements under the new laws, to include not just actual breaches but disruptions that might lead to a breach. Under the current cybersecurity laws, reporting requirements are triggered by a certain number of impacted parties; this new structure is likely to change how this works, with reporting required in more specific situations.
Fines will also be changing, though this may not be to the detriment of some individual MSPs. The ICO appears to be looking at a more flexible fine system that considers the number of impacted parties, company size and the level of appropriate burden given the organization’s financial circumstances, with a more transparent overall process implemented to determine actual levels of damage and risk to impacted parties.
The vast majority of UK businesses now make use of some sort of MSP service, particularly small- and medium-size businesses that cannot reasonably be expected to have their own fully staffed IT departments. Concerns about security appear to be the remaining market barrier for MSPs in the UK, and the more stringent cybersecurity laws may help to spur these companies to address the issue.
New cybersecurity laws prompted by advanced attacks on MSPs
MSPs find themselves in the same boat as energy companies and banks now in no small part due to a string of targeted attacks dating back years, many of them conducted by nation-state hacking teams looking to commit espionage.
The ICO directly cited China’s “Operation Cloudhopper” of several years ago as one direct influence on the new cybersecurity laws, and it is reasonable to infer that the Russia-backed SolarWinds attack has also been on the minds of legislators. Private criminal actors have also noticed how valuable MSPs can be, however, with REvil, the former king of the ransomware world, attacking Kaseya last year to get at its clients. A breach of an MSP leads to direct and easy access to potentially thousands of downstream clients, which have included not just private companies handling sensitive information but also government agencies.
The new cybersecurity laws are widely expected to make it through Parliament, but are not yet finalized and will not likely be active until sometime in 2023. The impact on the market is tough to project at this time, but it is very possible that MSPs will pare away services they are not particularly good at to focus on core competencies.