The government has underlined its plans to bring in new laws to increase security standards in outsourced IT services and strengthen safeguards against any potential cyberattack in the UK.
It also highlighted the need for improvements in the way firms report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change.
It comes as the UK Cyber Security Council, which regulates the cyber security profession, has underlined the need to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, commented: “Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
It comes as research by the Department for Digital, Culture, Media and Sport reveals only 12% of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (5 per cent) address the vulnerabilities in their wider supply chain.
The government’s consultation on amending the NIS regulations includes proposals to:
Expand the scope of the NIS Regulations to include managed services. These are typically provided by companies that manage IT services on behalf of other organisations.
Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which impact their services.
Give the government the ability to future-proof the NIS regulations by updating them and, if necessary, bringing into scope more organisations in the future which provide critical support to essential services.
Transfer all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden.
Update the regulatory regime so the most critical digital service providers in the economy have to demonstrate proactively that they are following NIS Regulations to the ICO, and take a more light-touch approach with the remaining digital providers.
NCSC Technical Director Dr Ian Levy added: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience.
“These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”
Simon Hepburn, CEO of the UK Cyber Security Council, also stated: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”