Recent example:
The Microsoft data breach of October 2022 saw a server misconfiguration that was reported to have caused 65,000+ companies' data to be leaked.
In 2018, the UK government demonstrated its commitment to managing cyber risks to critical national infrastructure by introducing the Network and Information Systems Regulations 2018 (NIS Regulations). These regulations came into force to provide a more consistent approach towards the cyber security of companies providing critical services, including healthcare, water, energy and infrastructure, and transport. Organisations that provide these services and fail to put in place effective cyber security measures can be fined as much as £17 million for non-compliance.
Due to the growing digitisation of these organisations and their increasing reliance on digital services, last year the government proposed changes to the NIS Regulations in order to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks.
High profile attacks such as Operation CloudHopper targeted managed service providers (MSPs), giving the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage and shows that the UK's cyber laws need to be strengthened to continue to protect vital services and the supply chains they rely on.
These revisions are due to be implemented as soon as parliamentary time will allow. This article looks at their potential impact on your business and/or supply chain.
The regulation of digital service providers will expand to include MSPs which:
MSPs will be required to register with the relevant competent authority, the Information Commissioner's Office (the ICO), and have appropriate and proportionate security measures in place to ensure their networks are secure.
There will be a requirement to improve cyber incident reporting (regardless of whether or not incidents have caused immediate disruption) to regulators.
A two-tier supervisory regime will be put in place:
Cyber security risks are passed through supply chains. This allows seemingly small players in the supply chain to introduce disproportionately high levels of cyber security risk to multiple organisations.
As soon as the changes to the NIS Regulations are enforced, many companies that either use, provide or rely on the broad range of digital services will need to consider their current cyber security measures, registration with the ICO, incident reporting processes, and duties under the relevant supervisory regime tier.
Early advice can go a long way to establish a confident cyber security culture within your business. Please do let us know if you would like to discuss what these changes might mean for you.