How the Cybersecurity and Resilience Bill could impact MSPs

With the Cybersecurity and Resilience Bill now in Parliament, how should MSPs prepare for heightened regulatory scrutiny?

The UK government’s much-anticipated Cybersecurity and Resilience Bill (CSRB) has had its first and second readings in Parliament and is now progressing through the remaining stages to become law.

Designed to improve the cybersecurity and resilience of the UK’s most important services, while taking into account the evolving challenges impacting today’s increasingly interconnected digital world, the new legislation makes crucial updates to the 2018 Network and Information Systems (NIS) Directive.

It mandates stricter controls around cyber best practices, reinforces the importance of supply chain security, and brings more organizations into the scope of government oversight, including Managed Service Providers (MSPs).

MSPs under the CSRB

MSPs have largely remained free from government oversight and were not included in the 2018 NIS regulation.

NIS covered Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs), and while the government did announce plans to include MSPs in its update to the regulation in 2022, this was never enforced.

However, under the CSRB, MSPs will soon be obligated to meet strict new compliance requirements.

According to the regulation’s proposal, MSPs will soon be required to abide by the same requirements placed on RDSPs under the NIS 2018 regulation. The government also recently confirmed that MSPs who employ at least 50 people and have a turnover exceeding €10 million will be regulated under the bill, potentially placing approximately 1,100 MSPs within its scope.

When it comes to the requirements placed on MSPs, these include:

  • Registering with the ICO
  • Having appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service
  • Notifying incidents to the ICO, where those incidents have a substantial impact on the provision of their service

Understanding the cyber risk to MSPs

The inclusion of MSPs in the CSRB is an important step in improving cyber resilience across the UK, and it is essential given the important role they play in today’s digital landscape.

Over the last seven years, MSPs have evolved from providing IT and communications services into providers that form the digital backbone of a significant part of the UK’s economy.

MSPs are now integral to thousands of organizations across the country, delivering everything from connectivity to IT to cybersecurity.

However, this concentration has turned them into major targets for threat actors.

Today, threat actors routinely target MSPs to launch supply chain attacks, gaining access to one MSP and then pivoting across to customer environments to cause widespread breaches.

This was demonstrated in the recent attack on Ingram Micro, when the IT distributor suffered a ransomware attack at the hands of SafePay, and customer data was reportedly compromised.

These attacks can be highly dangerous, impacting hundreds of organizations at once, while causing mass financial damage and operational disruption.

These are some of the key reasons why MSPs will soon be covered by the CSRB.

The government clearly wants to mitigate this potentially systemic risk.

However, considering many MSPs don’t have the in-house skills required to meet the new requirements, the forthcoming regulation will be a concern.

So, how can they prepare for the legislation today, before it officially comes into force?

Adopting cyber best practices within MSPs

Despite delivering security services to their clients, many MSPs are not experts in the field of cyber defense.

The requirements for delivering security have largely escalated due to customer demand, rather than an increase in in-house expertise.

However, with the CSRB, MSPs are suddenly under pressure to enhance not only their internal security, but also the security of their clients.

This means many MSPs will want to know what they can do to meet these new requirements without having to build out entirely new business functions.

Fortunately, this can be achieved by collaborating with vendors that are dedicated to supporting MSPs.

Vendors can offer support to MSPs through their expertise in cybersecurity, alleviating the burden on their own resources, while also improving internal and customer defenses.

Delivering platforms that offer market-leading defenses, vendors can enhance cyber resilience for both MSPs and their customers.

However, MSPs should look for partners that support them with this new opportunity without looking to override their relationships with their clients.

Ideally, MSPs should look to partner with vendors that can not only support security across their own environments, but also enable them to deliver new and advanced capabilities to their clients without significant resourcing overhead or financial investment.

The inclusion of MSPs in the CSRB will likely come as a concern for the sector.

Suddenly, these organizations that have largely remained free from government oversight are under the spotlight.

This adjustment will undoubtedly be challenging, but the MSPs that take action today will be ready to meet the new requirements they face tomorrow, enhancing resilience across both their internal and customer environments.

Gemma Blake
Co-founder and chief revenue officer, CybaVerse

Gemma Blake is co-founder and revenue officer at CybaVerse.


Specializing in sales, Gemma collaborates with a diverse network of partners and clients, from SMEs to multinational organizations.


Her approach is rooted in developing long-term partnerships, understanding clients’ unique needs, and delivering tailored solutions. 


Whether forging new relationships or expanding existing ones, Gemma’s consultative approach and unwavering commitment to excellence have solidified her reputation as a trusted leader in the cybersecurity space.