
New government cybersecurity proposals


The Department for Digital, Culture, Media and Sport (DCMS) has recently announced proposals for a number of measures intended to improve security within digital supply chains, and is inviting views from industry stakeholders until 11 July 2021.

This comes as part of the government’s recent focus on improving the management of cybersecurity issues within UK industry, as recent research by DCMS has indicated that the majority of organisations do not review the cybersecurity risks that may be present in their supply chains. To tackle this, the government is considering imposing a compliance framework for companies that provide managed IT services to other organisations in order to ensure that the UK maintains a high standard of resilience across its digital infrastructure.

The proposals are intended to build on the National Cyber Security Centre’s existing Cyber Assessment Framework guidance, and could require companies that fall within its scope, described as ‘Managed Service Providers’, to (among other objectives):

  • have specific policies to control access to systems and devices;
  • understand, detect, assess, and systematically manage security risks;
  • protect data (both at rest and in transit); and
  • put suitable incident management processes in place.

Current regulatory landscape

It is worth noting that many of the proposals are already considered best practice within the field of cybersecurity, and some of them appear to mirror requirements that are already in force under existing legislation such as the UK GDPR and the Network and Information Systems Regulations 2018 (the NIS Regulations).

However, the scope of the new proposals is deliberately much broader and the category of ‘Managed Service Provider’ is designed to capture many IT and cloud computing services that are not currently within the scope of the NIS Regulations.

Depending on how the government eventually chooses to implement these proposals, many organisations within the IT sector could be required to meet a higher mandatory standard than at present. By comparison, organisations that already operate within the scope of the existing regulatory frameworks as a matter of routine may need only minor adjustments in order to remain compliant with any future implementation.

Next steps

For now, it is important to remember that these are just proposals and the government has not committed to any particular outcome following this consultation. However, whether you are a supplier or a customer, it may be a good time to consider the guidance found in the Cyber Assessment Framework and possibly take steps to review your own organisation’s current cybersecurity policies.

If you would like to discuss any of the matters raised in this article, please contact David Baines.
