Reactions to the government’s move to include more manager service providers (MSPs) under the scope of the Security and Resilience Bill have started to come in, with distributors and managed service specialists pledging their support for those needing to improve their defences.
Earlier this week, the government shared a Cyber security and resilience policy statement that outlined the need for greater data protection and the impact it would have on managed service providers.
Peter Kyle, the secretary of state for Science, Innovation and Technology, outlined why the changes were happening in the policy statement and the reasons why more MSPs would come under the scope of the legislation.
“MSPs play a critical role in the UK economy by offering core IT services to businesses. These organisations have unprecedented access to clients’ IT systems, networks, infrastructure and data. This makes them an attractive target for malicious actors and subject to cyber attacks, including those that resulted in impacts on clients,” he stated.
“This measure will expand the remit of current regulations by bringing entities who provide managed services into the scope of the regulations. Placing duties on MSPs will enable us to protect a broader range of services from cyber attacks and build a better picture of the threats facing our essential services.
“Expanding the scope of the regulations to include managed services will enhance the security of IT infrastructure and reduce the risks of cyber attack. This measure is estimated to secure a further 900 to 1,100 MSPs. While we expect this measure to have associated costs related to security improvements and compliance, these investments will position MSPs as trusted and reliable partners in the cyber security landscape.”
The reaction from the industry is understanding of the need to protect customers data but aware that for some of those impacted by the Bill it will require investment in skills and policies.
John Nolan, UK & Ireland managing director of Westcon at Westcon-Comstor, said that it recognised it had a role to play in supporting MSPS affected: “As the government itself acknowledges in its policy statement, MSPs play a critical role in the UK economy by providing core IT services to businesses. From the perspective of policymakers, it makes sense to bring MSPs and other supply chain partners into the scope of the regulations as part of efforts to strengthen the security of critical IT infrastructure and reduce the risks of cyber attacks.
“While the increased regulatory burden represents a challenge to the UK’s MSPs in terms of additional costs and compliance requirements, it’s also an opportunity. By demonstrating leadership when it comes to complying with the legislation, MSPs can showcase their expertise to customers and strengthen relationships in the process, positioning themselves – to use the government’s phrase – as ‘trusted and reliable partners’ in the cyber security landscape.
“It is, of course, vital for commercial and reputational reasons that MSPs ensure compliance with the bill. Those that feel they require additional support ahead of the bill becoming law should turn to distributors and other partners for guidance and input as required.”
Max Pruger, general manager audit and compliance suite at Kaseya, was also keen to reach out to the estimated 900 to 1,100 MSPs that would be bought into the scope of the rules laid out in the Network and Information Systems Regulation (NIS) 2018.
“Governments and large corporations are adding cyber security to their supply chain risk management programs. Governments and corporations are no longer tolerating poor risk choices by vendors and are forcing security compliance through contracts and laws,” he said.
He added that it had seen similar moves by the US and Canadian governments and, “it is inevitable that the UK and European business and government leaders will start enforcing minimum security standards, with third-party validation, in their supply chains”.