The United Kingdom recently announced its intention to expand notification rules for managed IT (Information Technology) service providers (MSPs) involved in cyber breaches. The UK government joins many other national and state legislative bodies that have been dealing with increased cyber-attacks and are under pressure to respond to them. The presence and participation of MSPs in these IT management relationships further complicates the development of effective regulations and policies.
NIS (Network and Information Systems) Regulations 2018
The Network and Information Systems Regulations 2018 (The NIS Regulations 2018, GOV.UK, www.gov.uk) is a regulatory framework designed to improve the cybersecurity (and physical security) preparedness of UK networks and systems. Recent cybercrime activity and attacks on UK IT assets have caused the UK government to consider updates to the NIS Regulations 2018.
NIS Updates Impacting MSPs
At the time of this writing, it appears that nothing has been formally adopted or passed concerning the NIS Regulations 2018. However, recent press reports have generated speculation about some ideas (specifically mentioning MSPs) that may be gaining popularity. It is to these MSP-specific concepts that we will confine our analysis and recommendations.
One of the central ideas being considered is a mandatory reporting requirement for MSPs involved in cyber incidents. It is unclear whether the reporting requirement applies solely to cyber incidents involving the MSP organization itself, or whether it is focused on the MSP's customers, so that the MSP must disclose a cyber incident involving a customer regardless of whether the MSP was at fault.
Obviously, this distinction will be critical, as not all cyber incidents are the fault of the MSP. In fact, there are many examples of MSPs being “involved” in helping customers deal with a cyber incident that was not caused by the MSP; rather, the client played some role in the breach and is now relying on the MSP for remediation and forensics.
In addition to reporting requirements, press accounts have mentioned that financial penalties for MSP non-compliance may also be included in the NIS regulatory updates. While no specific details can be immediately identified, it would be the first time that a financial penalty is applied to the managed services profession by name.
Modification of MSP Definition
The proposed NIS changes include modifications to the definition of managed service providers. First, the proposal brings managed service providers into the scope of the regulations by adding them to the existing category of covered entities, “digital providers.” Second, the NIS examined characteristics to help further define the MSP as follows:
Updated characteristics of a managed service
- The managed service is provided by one business to another business (i.e., a third party); and
- The service is related to the provision of IT services, such as systems, infrastructure, networks and/or security; and,
- The service relies on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties; and
- The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.
Curiously, the NIS proposed changes appear to exempt “small and micro” MSP organizations from the scope of the NIS regulation, although it does not appear to provide guidance on how those differently sized MSP organizations are defined.
Analysis & Recommendations
While the motivations behind updating the NIS Regulations 2018 are appropriate, there are potential unintended consequences to some of the specific ideas being contemplated; consequences that could produce significantly negative outcomes for the UK, including both public and private sector organizations.
The reporting mandate is not only appropriate, but also consistent with what we have seen from other regulatory bodies, such as Louisiana’s MSP registration law, passed in 2020. That law created similar reporting requirements for MSPs, although it was limited to MSPs with Louisiana state agencies as customers. The Louisiana law did not institute any penalty scheme on the MSPs.
The UK regulatory changes are rooted in the right of all governmental entities responsible for developing public policy to protect the welfare of their citizens. MSPAlliance endorses this form of review of the managed services profession. MSPAlliance does believe, however, that there are two areas within the proposed NIS changes which will have an adverse effect on the UK government, its citizens, and its overall cybersecurity capabilities: 1) MSP penalties, and 2) changes to the definition of MSP.
MSP Financial Penalties
To the layperson, financial penalties may seem like an effective method of compliance. In many situations penalties can be a way to ensure that people and organizations behave in a certain way. Financial penalties could be applied to the MSP in many different situations; we first outline the situation in which a financial penalty aimed at the MSP would be effective.
In the event the MSP organization itself suffers a data or security incident rising to the level of a notification event under the NIS regulations, a financial penalty targeted at the MSP would be appropriate to ensure compliance with the notification requirement. Even within this fact pattern, there are numerous situations where the MSP may be in doubt as to whether a notification has been triggered.
For example, MSPs experience and defend against countless cyber-attacks regularly. Not all of these attacks are successful; in fact, few of them are. Any regulatory framework prescribing financial penalties needs to be aware of this reality and accurately articulate when MSPs must notify the UK government of such an event. Otherwise, MSPs will enter an endless cycle of filling out paperwork which will inform the UK government of nothing and create no meaningful corrective action.
Regarding the data and security incidents not involving the MSP itself, there are essentially two categories of events: 1) the customer did nothing wrong, the MSP did nothing wrong, and the bad actor was successful, and 2) the MSP did nothing wrong, but the customer failed to behave in accordance with current cyber hygiene best practices.
Definition of MSP
The proposed changes to the definition of “digital service providers” are understandable to the untrained eye as there is a demonstrable objective to harden UK cyber defenses and supply chains. However, the proposed changes to the definition of MSP may not have the desired result as widening the definition of what our profession considers an MSP will have the opposite effect.
By expanding the definition of MSP to include providers who would not meet any modern standard of MSP definition, the UK government will bring under its oversight many providers who ought to be excluded from such critical infrastructure management, and therefore, by extension, ought to be kept out of the UK cyber defense network.
An example of this definitional expansion can be found in defining an MSP as any organization providing “regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.” Such a definition would include not only MSPs but also reactive IT or “break/fix” providers, who occupy the less mature end of the service delivery spectrum. These less mature providers will have great difficulty in meeting the UK’s expectations of service delivery security and privacy.
MSPAlliance recommends a tightening of the MSP definition to include a modernized description of managed IT services, which necessarily excludes reactive and outdated service models that ought not to be part of any proactively managed IT system or network.
MSPAlliance applauds the actions of the UK government in modernizing its cybersecurity regulatory and legislative posture. The acknowledged importance of MSPs in maintaining and securing UK critical infrastructure is well placed and MSPs are more than ready to meet that challenge.
MSPAlliance believes that a tightening of the definition of MSP is needed to avoid any unnecessary complications by including providers not practicing proactive managed services into the NIS regulatory framework.
Further, MSPAlliance believes that a reconsideration of the financial penalty scheme is warranted. Such a penalty framework could have an adverse effect on UK departments that have previously been insecure not because of their MSP, but because the department relied on the MSP as a risk transference entity and used that relationship as an excuse not to follow modern and effective cybersecurity best practices.
MSPs with such underperforming UK clients may step away from such relationships altogether to avoid financial penalties caused by clients with poor cyber hygiene.
MSPAlliance is available to discuss any of these ideas in greater detail with relevant authorities.