Proposals to expand the UK’s NIS Directive rules to cover managed service providers are a welcome precaution against supply chain attacks but could prove costly to MSPs, experts have told Tech Monitor, and those costs may be passed on to customers.

Last year’s breach at IT management software provider Kaseya raised the alarm over supply chain attacks targeting MSPs. (Photo by T. Schneider/Shutterstock)

Expanding NIS Directive rules to cover MSPs

Earlier this year, the UK government proposed to expand Security of Network and Information Systems (NIS) Directive regulations, which currently apply to digital service providers such as search engines and social networks, as well as national infrastructure operators, to also cover MSPs.

The proposal was prompted by a recent uptick in supply chain attacks, in which hackers seek to compromise software and service providers to reach their network of customers.

Last year, ransomware group REvil exploited IT management software from Kaseya, used by many MSPs, to distribute its malware. Kaseya said the attack affected 60 of its customers, which in turn provide services to as many as 1,500 organisations.

Organisations have become increasingly reliant on MSPs since the start of the pandemic. In a global survey of MSPs earlier this year, 47% saw an increase in revenue due to Covid-19, and 58% experienced an increased workload.

That makes them an attractive target for supply chain attacks. “A cyberattack targeting MSPs – a major component of the supply chain – greatly multiplies the effect, especially given the rise in companies using third parties to manage their IT needs,” the Cyber Security Agency of Singapore warned last year.

Under the proposed changes to the NIS regulations, MSPs would be subject to the same rules as companies providing digital services. This would introduce mandatory cybersecurity measures and an obligation to report cybersecurity incidents to a regulator.

Many experts have welcomed the proposal. “The inclusion of managed service providers is sensible,” says Emily Taylor, CEO of Oxford Information Labs and associate fellow of think tank Chatham House. “MSPs shoulder the burden of implementing cybersecurity and providing technical services on behalf of an array of clients.”

For Taylor, the Kaseya attack made this need clear. “The Kaseya supply chain attack last year showed the potentially global impact of attacks on such providers – affecting food retailers in Sweden and kindergartens in New Zealand,” she says.

What will NIS Directive compliance cost MSPs?

But the change will come at a cost. “These proposals will be expensive for the affected MSP community,” says Brian Higgins, security specialist at tech comparison site Comparitech. “Implementation and sustainable compliance would have a significant financial and resource impact on most affected businesses.”

Helen Davenport, a partner at law firm Gowling WMG, who specialises in cybersecurity, agrees. “The costs of getting to grips with the legislation, improving cybersecurity, reporting incidents and other compliance with the regulations will add up,” she says. The NIS Directive also allows regulators to recoup the costs of audits or investigations from the organisations they audit, she adds, which would increase the bill further.

As it stands, small and micro businesses are exempt from the NIS regulations, due in part to the cost of compliance. In its proposals, however, the government said it is considering whether some small MSPs should be included.

“The government recognises the strong need to minimise regulatory burden on small and micro-businesses particularly in a rapidly evolving industry such as this,” it said. “However, recent incidents have highlighted the scale of risk that can be associated with managed service providers – regardless of their size.”

As a result, “DCMS is exploring the option of allowing the competent authority to designate specific small and micro-businesses providing digital services to be brought into scope of NIS”.

Complying with NIS regulations would be very costly for small businesses, especially if they are already in financial difficulties, says Higgins. “What, if any, assistance to achieve compliance may be made available to keep struggling businesses trading is as yet unclear.”

The cost of NIS compliance could well be passed on to MSPs’ customers, Higgins predicts. “Since they represent a supply chain cost of doing business, it makes sense that some of these costs will inevitably be passed on down the chain,” he says.

It may also drive MSPs who fall within the NIS Directive to outsource certain functions to those who aren’t, further complicating the supply chain. “Those in scope of the extended regulations will rely upon others to conduct their business,” he says.

Given the rising threat of supply chain attacks, MSPs and their customers might be happy to shoulder this extra burden. After all, says Davenport, “firms will likely have a reduction in their losses arising from cyberattacks”.

The government's consultation on the expanded NIS Directive rules ends on April 10th.
