The UK Government put forward legislation that would require those who work in the telecoms industry, MSPs included, to enhance their security operations. Now that the legislation is active, telecoms professionals and those who service these businesses will need to act now to remain compliant.
The new Telecoms Security Framework will greatly enhance the security capabilities of the UK telecoms industry by mandating proactive management and remediation of security risks. It sets out security duties and requirements across a wide range of key disciplines, including governance, access management, third-party risk, and security operations. Whilst the framework calls for appropriate and proportionate security measures to be taken, it sets high expectations for what may be considered appropriate. For example, telecoms providers must ensure that new and existing networks are securely designed and constructed, which may require some telecoms providers to redesign legacy network infrastructure or accelerate plans to replace it. The penalty for non-compliance with these requirements is up to 10% of global turnover, more than double the maximum penalty under GDPR. This not only creates a very strong incentive for telecoms providers to comply but also signals the Government’s intention for this framework to be amongst the strongest in the world.
Telecoms providers will need to embark on significant, multi-year security transformation programmes to comply with these security requirements. The compliance burden will not be limited to telecoms providers alone, as the heightened requirements for third-party risk management will have a knock-on effect on their supply chain. Telecoms providers and affected third parties should conduct a gap analysis of their current security measures against the framework’s requirements and develop a remediation programme. Compliance deadlines for specific security measures are set out in the framework, ranging from March 2024 to March 2028. Telecoms providers may determine that some requirements have already been implemented; for example, the TBEST scheme covers many of the testing requirements. They may also have implemented, or plan to implement, alternative technical measures to meet their security requirements – these should be assessed and documented, as providers may need to justify them to Ofcom.