It has been reported that the UK’s cybersecurity laws will be updated to require outsourced IT providers to meet security standards as part of efforts to better protect supply chains, the Government has announced. The Network and Information Systems (NIS) Regulations will be updated so third-party firms providing IT services to businesses will be compelled to have effective cybersecurity measures in place to protect them and their client’s data, with fines for non-compliance.
Those rules already apply to UK companies providing critical services in a range of sectors including energy, water and transport, but will now bring outsourced firms into scope as well. The decision comes after a consultation and in the wake of increasing levels of cyber attacks targeting critical infrastructure in countries around the world as a way of inflicting substantial damage on entire nations. The Government said it has noted the increase in attacks, which also target supply chains as a way of compromising potentially thousands of organisations at the same time.
This is by no means surprising for those of us in the industry who have seen the gradual evolution of this story. What started with technical guidelines and recommendations to help organisations avoid the most common mistakes, have now been followed through by hard requirements and potentially financial consequences for noncompliance.
“The importance of structured cybersecurity management strategies throughout the product lifecycle is being recognised in parallel, not just across the many geographic regions of the world, but also in specific industry sectors – starting with those with the most safety-critical systems such as healthcare, automotive, and energy – where sector-specific regulations are already established. Recently we have seen similar proposed legislation also extending to consumer IoT devices, such as the UK Product Security and Telecommunications Infrastructure bill and the draft EU Cyber Resilience Act.
“What will remain a challenge, however, is that the software supply chain is often invisible to many organisations and given the proliferation of open source component usage, as well as shadow IT, this opaqueness creates numerous challenges where security departments struggle to quantify and assess what they have. Furthermore there are a series of external trends such as the push for digitisation of everything which vastly increases not just the scale and scope of offerings we need to consider but also the speed and rate of change of the software features within those devices.
“For those involved in delivering IT products and services, this is likely to require a step change in not only the diligence that is performed during construction and acquisition, but also extensive planning for the complete lifecycle of these offerings – including having the capability to respond rapidly and be able to replace vulnerable sub-components which could be identified many years into the future.
“Transparency is key here – not just with regard to SBOM, but also clearly delineating roles and responsibilities for performing security testing and vulnerability management across the digital supply chain, both during development as well as continuing across the full product lifecycle.