UK Government responds to ‘Call for Views’ on measures to enhance security of digital supply chains and third-party IT services

Published on 17 January 2022

The question

Could its responses to this survey be a sign that the UK Government will introduce stronger cyber-security regulation on companies which form part of the digital supply chain?

The key takeaway

The survey revealed support for new or updated legislation, with 82% of respondents viewing this as an effective or somewhat effective solution. Proposals included awareness campaigns aimed at customers of Managed Service Providers or establishing a certification system to ensure that customers can identify reputable providers. Most respondents were also in favour of using the NCSC’s Cyber Assessment Framework to establish a baseline for the cyber security resilience of Managed Service Providers. 

The background

The Department for Culture, Media and Sport (DCMS) launched a ‘Call for Views’ in May 2021 to seek industry insight which would improve the Government’s understanding of supply chain cyber security. The Call for Views was split into two parts. Part 1 sought to identify how organisations manage cyber security risk currently and what additional Government intervention would help them to do this more effectively. Part 2 sought input on the suitability of a proposed security framework for Managed Service Providers and how this could be implemented to deliver adequate security. 

The development

The Call for Views garnered 214 responses over a period of just over two months. Part 1 identified numerous issues surrounding the security of digital supply chains, such as low recognition of the cyber security risks in suppliers’ systems and limited visibility into supply chains. Part 2 highlighted a dependency on a critical group of service providers, and the difficulty customers face in accessing information about the cyber security of Managed Service Providers. 

The responses revealed support for Government intervention and the proposed security framework for Managed Service Providers. While the Government has not committed to a specific policy, it is currently developing the next National Cyber Security Strategy, and this survey will doubtless help to inform its approach. The Minister for Digital Infrastructure, Matt Warman, said that the Government was using this Call for Views as a ‘first step in considering whether we need updated guidance or strengthened rules’. 

Why is this important?

As businesses conduct more and more of their operations online and in the process use third-party service providers, their reliance on the resilience of their providers increases. DCMS research shows that only 12% of organisations review the cyber security risks coming from their immediate suppliers and only 5% address the vulnerabilities in the wider supply chain. 

The most recent analysis estimates that the average cost of a data breach is $3.86m. It is therefore in businesses’ interests to gain a greater understanding of the cyber security risks in their supply chains, and to engage constructively with the Government on its plans to develop effective new legislation or guidance in this area. The Government has already suggested proposals such as a certification system, creating new regulatory guidance, developing updated legislation, or creating awareness campaigns aimed at increasing customers’ awareness of supply chain cyber security risk.

Any practical tips?

The proposals could mean that the principles from the Cyber Assessment Framework are applied to third-party service providers. These set out measures that organisations should take, such as training staff and keeping secure and accessible back-ups. It may therefore be wise for businesses that supply IT services to others to familiarise themselves with these principles and consider how they might be implemented. This might well give them an advantage over competitors who are slower out of the blocks.