Telecoms companies will be subject to new security rules as The Telecommunications (Security) Act becomes law in November.
This Act comes in response to the government’s Telecoms Supply Chain Review which found providers often have little incentive to adopt the best security practices.
The new regulations and code of practice were developed with the National Cyber Security Centre and Ofcom and aim to improve the UK’s cyber resilience by ensuring providers
-protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed
-protect software and equipment which monitor and analyse their networks and services
-have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards
-take account of supply chain risks, and understand and control who can access and make changes to the operation of their networks and services to enhance security
NCSC Technical Director Dr Ian Levy added: “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”
If companies fail to meet their duties, Ofcom will be able to issue fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day.
From October, providers must be:
-identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers. This includes radio masts and internet equipment supplied to customers such as Wi-Fi routers and modems which act as entry points to the network.
-keeping tight control of who can make network-wide changes.
-protecting against certain malicious signalling coming into the network which could cause outages;
-having a good understanding of risks facing their networks.
-making sure business processes are supporting security (e.g. proper board accountability).
Providers will be expected to have achieved these outcomes by March 2024.