By Peter Farmer
In the first of the promised series of articles about the upcoming Telecommunications Security Regulations, I’m going to talk about the new accountability requirements.
First up, remember there are three distinct elements to the new framework. There is the (already in force) Telecommunications (Security) Act 2021 which replaced 4 concise paragraphs of the Communications Act 2003 with many many sections spanning many many pages. This creates an overarching responsibility for all providers to mitigate the potential for ‘security compromises’. Technically speaking, “security compromises” is so widely drafted that common-or-garden packet loss is included, so this is not messing around. The overarching requirement captures the start-up in their parent’s basement with one customer through to the big multinationals without differentiating.
The second element is the pending regulations. These have been consulted upon and we await the final version to be laid before Parliament. This is secondary legislation, so it will likely go through on a wink and a nod in a matter of days from being presented, and we anticipate October 2022 for it coming into force. It also means there will be no Ofcom consultation – it’ll just become law.
These regulations apply to any provider save for a micro-entity, i.e. if you have an annual turnover of more than £634k, then you’re in scope for all of them. That’s a business with just 1428 average residential connections.
The third element is the Code of Practice. This only applies to providers whose turnover is in excess of £50m a year; however, it does provide useful clarification and guidance on the regulations.
Unfortunately, there is some fake news going around the industry. “Oh, I’m Tier 3, so this doesn’t apply to me” is a refrain I have heard a number of times. Incorrect. If your turnover is over £634k, there is a lot that does apply to you; it’s just that the Code of Practice is not mandatory, but the regulations still are.
These draft regulations cover such draconian measures as requiring that all security patches be applied to all your systems within fourteen days of them becoming available (unless you write down, for each patch, the reasons why you are not going to apply it) and being able to operate your network with only resources, persons and data in the United Kingdom.
Proposed regulation 9 requires providers to have a board-level person (which could, for the listed companies out there, be a board committee) responsible for “effective security management” and the monitoring, auditing and recording of everything thereof. Those with ISO 27001 certification, or other equivalent standards, will recognise the structure; however, for those who are in the early stages of their maturation as businesses, this is likely to be the sort of bureaucratic nightmare that start-ups pride themselves on being anything but. Unfortunately, non-compliance with some of these requirements could be an extinction-level event given Ofcom’s wide-ranging enforcement powers that were brought in with the new legislation.
Unsurprisingly, the Government has also identified the risk that the nominated board-level person might be a patsy, so regulation 11 brings in requirements that those involved in procuring compliance with the new laws be competent, and regulation 12 suggests that their competence be tested in disaster recovery rehearsals.
With other parts of the regulations requiring providers to pay attention to their supply chain, it is more important than ever that your chosen network partner’s technical credentials are given as much weight as hundredths of a penny on the rate to Burkina Faso. Simon, Charles and others will be posting about some of the Simwood capabilities in this area in the coming weeks.
In the meantime, if you’re a technically minded Director of a telecommunications provider, now is a good time to book vacation to overlap with the return of Parliament in September.