
Intersys’ Managing Director Matthew Geyman has welcomed a new Cyber Security and Resilience Bill which will enforce robust compliance from managed service providers (MSPs).
Due to appear before Parliament later this year, the bill will build on the Network and Information Systems (NIS) 2018 regulations by updating this framework, giving regulators more powers and ensuring more organisations comply with the regulations. Broadly speaking, it will address vulnerabilities in cyber defences to improve the resilience of critical infrastructure and services, as well as the digital economy.
Critical infrastructure includes areas such as healthcare, power, transport, utilities and many public services. Crucially, the new Cyber Security and Resilience Bill will extend this to managed service providers (MSPs) who, according to Peter Kyle, secretary of state for Science, Innovation and Technology, ‘have unprecedented access to clients’ IT systems, networks, infrastructure, and data… [which]… makes them an attractive target for malicious actors and subject to cyber attacks, including those that resulted in impacts on clients.’
As the MD of an MSP and cyber security as a service (CSaaS) provider, Matthew Geyman sees this bill as an opportunity. He says, ‘This will naturally “separate the wheat from the chaff” and encourage IT providers following best practice to survive and prosper.’
Continues Matthew, ‘The Cyber Security and Resilience Bill was first mentioned in last summer’s (2024’s) King’s Speech and is good news for responsible suppliers and cyber security providers like Intersys, because we see some horror shows of poor cyber security – across every industry. I view it as a necessary and positive step towards a stronger “UK cyber readiness baseline” of cyber security and resilience for Critical National Infrastructure.
‘The measures in this bill should – and must – make events such as the 2024 NHS Cyber Attacks, which affected thousands of patients, a thing of the past.
‘While the details of the bill are still pending, I firmly believe, as was the case with NIS2, Intersys already complies because of our Risk Management Framework and approach, and our ISO27001 and Cyber Essentials Plus certifications. We are also a specialist cyber security provider as well as an MSP – our livelihood depends on following best practice and delivering secure and compliant IT.’
What will happen next?
For firms likely to fall under the remit of the new Cyber Security and Resilience Bill, Matthew recommends using cyber security as a service from a reputable provider. Such a service provides the cyber risk assessments, remediation and monitoring needed to stay secure, compliant and in line with the new rules. One further step is also crucial. Says Matthew, ‘I’d suggest a priority for organisations is training: increased and improved simulation and awareness training for their staff.’
These UK rules are also likely to affect organisations outside the UK that deal with UK companies as third-party contractors. Matthew stresses the need for such organisations, including existing Intersys clients in the EU, India, Australia and Africa, to consider CSaaS.
One of the consequences of the bill is likely to be an increased trust in MSPs and cyber security providers. Says the UK government policy statement, ‘Expanding the scope of the regulations to include managed services will enhance the security of IT infrastructure and reduce the risks of cyber attack. This measure is estimated to secure a further 900‑1100 MSPs. While we expect this measure to have associated costs related to security improvements and compliance, these investments will position MSPs as trusted and reliable partners in the cyber security landscape.’
Further information:
Expanding NIS Regulatory Scope
The NIS Regulations established in 2018 currently encompass five key sectors (transport, energy, drinking water, health and digital infrastructure) along with select digital services (online marketplaces, online search engines, and cloud computing services). Enforcement responsibility falls to twelve designated regulatory bodies (termed ‘competent authorities’ within the regulations). The upcoming Cyber Security and Resilience Bill will significantly extend these classifications, ‘bringing more entities into scope and putting regulators on a stronger footing so that they can carry out their important duties.’
Enhancing Incident Notification Requirements
Under the existing framework, numerous major incidents remain undisclosed, which restricts the capability to recognise and evaluate security weaknesses. The Cyber Security and Resilience Bill ‘will update and enhance the current incident reporting requirements for regulated entities by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting and enhancing transparency requirements for digital services and data centres.’
Fines
The new rules also include hefty fines for non-compliance. As reported in Resilience Forward, Matthew Geyman said, ‘With £100K-a-day fines at stake, organisations must act now.’
Read the UK government’s Cyber Security and Resilience Policy Statement.
Find out more about cyber security as a service from Intersys.