UK MSPs could be fined up to £17m under proposed cybersecurity regulations

Government proposes expanding NIS regulations to include MSPs which could carry hefty fines for those that don’t implement effective cybersecurity measures

The UK government is proposing new laws to ramp up cybersecurity standards for MSPs, including fines of up to £17m for those which fail to put in place effective cybersecurity measures.

As part of its £2.6bn National Cyber Strategy 2022, the government says new laws are needed "to drive up security standards in outsourced IT services used by almost all UK businesses".

It is consulting on proposals which include making improvements in the way organisations report cybersecurity incidents and reforming legislation so that it is "more flexible and can react to the speed of technological change".

The government also believes that the UK Cyber Security Council should be granted powers to "raise the bar" and "create a set of agreed qualifications and certifications for those which work in cybersecurity and IT services".

And it also wants to update the Network and Information Systems (NIS) Regulations - which are aimed at improving the cybersecurity of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure - to include MSPs which provide "specialised online and digital services".

If it goes ahead, MSPs will have to comply with the same regulations as the sectors already covered, which could mean fines of up to £17m if they do not implement effective cybersecurity measures.

Under additional plans to change the NIS regulations, the government is proposing a transfer of "all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation" which it claims will create a "more flexible finance system and reduce the taxpayers' burden".

It would also include large companies having to notify regulators of all cybersecurity attacks they suffer, not just those which impact their services.

The latest proposals follow a call for views which took place last year and which found that intervention would be "very effective" in reducing MSP supply chain attacks.

Announcing the findings in November, the Department for Digital, Culture, Media and Sport (DCMS) said it had "reinforced the need for a range of interventions" and that it planned to work with industry experts "to develop a set of policy solutions aimed at increasing the cybersecurity resilience of digital solutions."

The reaction

Announcing the proposals, the minister of state for media, data, and digital infrastructure, Julia Lopez, said the measures would ensure that IT businesses take cybersecurity more seriously.

"Cyber-attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses' digital supply chains and outsourced IT services that could be fixed or patched," she said.

"The plans we are announcing today will help protect essential services and our wider economy from cyber threats.

"Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra."

And the proposals have been met with a warm reaction from those that sell to the channel. Bruce Hockin, channel sales director for Northern Europe at Picus Security, said this will be a wake-up call for those which have not invested in security.

"Some managed services providers will be daunted by the prospect of having to comply with the same security requirements as operators of essential services as well as facing potential fines of up to £17m for serious cyber incidents," he said.

"Over recent years, we have seen multiple examples of MSPs targeted by threat actors and the impact that large supply chain attacks such as Kaseya and Blackbaud can have.

"The majority of MSPs prioritise security highly. However this news may be a wake-up call to the ones that don't to invest in the resources they need to better protect themselves and their clients."

"It's good to see that the government is also thinking about how it can improve cybersecurity skills in the UK but one could argue there's no point in tightening the regulations if there are not enough skilled professionals to deliver any improvements that are needed."

Vadim Solovey, CTO of MSP DoIT International, welcomed the update to the NIS regulations, claiming that while it could introduce new costs for MSPs, the net result benefits everyone.

"As the number and nature of businesses serving the market changes, it's necessary that the Network and Information Systems (NIS) regulations reflect that change and mandate that newer entrants, including Managed Service Providers (MSPs), meet the same cyber resilience requirements as other external parties," he said.

"While the regulatory update may introduce additional costs and administrative burden, the net result is a more secure ecosystem and peace of mind that our critical systems are safe — which benefits everyone."

Oliver Pinson-Roxburgh, CEO at Defense.com, said: "This new consultation from the government is a welcome step to bolster the cyber resilience of British businesses.

"For too long, cybersecurity legislation has taken on a narrow view of cyber risk, failing to properly account for the multitude of third-party service providers who support IT infrastructure operations today.

"The prospect of these new laws should be a call to action for MSPs right away. These firms play a vital role in the nation's critical infrastructure and have a responsibility to deliver a universal, end-to-end approach to cybersecurity."