How can telecoms organisations navigate the changing regulatory landscape?
The global regulatory landscape
From home appliances to Critical National Infrastructure such as transport and utility services, the world is becoming increasingly connected. Simultaneously, the networks that support these connected services are shifting from ones based on proprietary telecommunications technology that requires specific in-depth technical knowledge, to applications that use standard computing power.
End users have benefited from these changes – a shift that has been brought into focus during the pandemic, when these applications enabled large numbers of workers to work remotely. However, they have also led to an increase in the number of threat actors with the capability and motivation to successfully launch an attack on a telecommunications network.
Governments across the world are putting new regulations into place to combat this increased threat landscape. The UK Telecommunications (Security) Act 2021, which was passed into law by the UK Parliament last week, is set to be one of many new pieces of legislation and regulation being rolled out globally to help telecommunications providers become more resilient through increased cyber security.
What is the UK Telecommunications (Security) Act 2021?
The Act amends the current telecommunications legislation and sets out a path for a stronger security framework for telecoms in the UK, which we may see influence schemes adopted by other jurisdictions in the future.
This new legislation involves overarching security measures that telecommunications providers will need to take to identify and reduce the risk of any security compromises, plus ensure that they are able to address any breaches that occur. There will also be specific security requirements for providers which will be addressed through secondary legislation and enforced by the UK telecoms sector regulator, Ofcom.
Codes of practice will also be introduced. These define three tiers of telecoms providers, so that requirements are proportionate to the various sizes of telecoms providers. Being proportionate is something that other governing bodies globally will ideally also consider as they move to strengthen the obligations they set.
Tier one of the UK codes of practice will apply to the largest providers, whose availability and security is critical to people and businesses across the nation. Tier two includes medium-sized providers, who will likely have more time to implement these measures, and tier three will be the smallest telecommunications providers, including small businesses and micro enterprises.
The level of regulatory oversight that providers will be subject to by Ofcom will depend on these tiers, and financial penalties are set to be introduced to ensure compliance.
The Act states that if systems or data are breached, telecoms providers may be required to pay up to 10 percent of their ‘relevant turnover’, plus £100,000 per day for any continuing contravention. For additional contraventions or refusal to explain a failure to follow a code of practice, providers may have to pay up to a maximum of £10 million, plus £50,000 per day for ongoing contravention.
What can organisations do?
In the UK, it is crucial that telecoms providers understand which code of practice tier they are likely to be in, so they can best understand how the new security framework will affect them and have a plan for aligning their current operations to ensure compliance.
Adopting a proactive approach to security now will mean that organisations can remain compliant when new requirements and regulations come into place. This could include carrying out a thorough gap analysis exercise and putting plans in place to address any issues to ensure requirements are met.
Globally, it is important that telecoms providers prepare for coming regulations and ensure that they are resilient. Those that supply telecommunications equipment and services should also ensure that they are in alignment with these increasing security requirements, which will in turn boost the resilience of the sector as a whole.