NIS Directive consultation feedback and the impact on Third Party Risk Management

NIS Directive and Third Party Risk

In August 2017 the UK government issued a consultation document on compliance requirements for the upcoming Directive on security of network and information systems (NIS Directive).

Following its consultation period the government has now released it’s formal response and guidance for organisations that fall under the requirements of the Directive.

We take a quick look at some of the headlines and how they may impact your Third Party risk management program and strategy:

Clarity on the scope of NIS

The thresholds for OESs being within the scope of the Directive have been clarified and the terms of definition for DSPs have been expanded upon. Organisations are within the scope of the Directive if they are identified as companies that would cause the most significant impact to the UK economy if they were to suffer a disruption to business operations.

However, suppliers and Third Party service providers to OESs and DSPs will not be within the scope of the NIS Directive. It will be the responsibility of the individual organisations to ensure their supplier has appropriate security measures.

Competent authorities to be appointed

The UK will appoint several competent authorities, and there will be “a clear separation of powers between the NCSC and competent authorities”. It is a long-standing policy that lead government departments are responsible for various risks, including cyber, and it would be inconsistent with this policy to allow the NCSC to regulate the Directive.

While no changes have been made to the proposed security requirements of OESs from the initial document, the 14 high-level security principles will apply and have been updated. The 14 principles cover four core areas:

Managing security risk, which involves governance, risk management, asset management and supply chain risks.

Defending systems against cyber-attack, which covers service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, and staff awareness and training.

Detecting cyber security events, which involves security monitoring and anomaly detection.

Minimising the impact of cyber security incidents, which includes response and recovery planning and improvements.

Operators of essential services (OESs) and digital service providers (DSPs) will be expected to implement effective security measures appropriate to associated risks, as well as measures that minimise the impact of incidents and ensure business continuity.

The next critical date for OESs and DSPs will be April 2018 when the NIS Cyber Assessment Framework (CAF) is schedule for publications. The CAF will be used by competent authorities to determine acceptable levels of cyber security under the NIS Directive, and audit / assess how organisations apply the 14 security principles.

Revised penalties for non-compliance

Penalties for those organisations that fail to comply with the regulations are intended to motivate organisations to enhance their cyber resilience while remaining proportionate to the potential risks. The government has taken into consideration the public feedback on what they initially proposed as penalties for non-compliance and has made amendments to the penalty regime.

Firstly, there will be no fines based on percentage of global turnover, and secondly the maximum penalty has been reduced to £17 million. The new penalty regime reads:

“a maximum financial penalty of £17m, which will cover all contraventions, such as (for example) failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures.”

Although the government has indicated that the focus of the first year will be mostly to provide support and guide OESs on achieving compliance, it has made it clear that even in the first year competent authorities will be entitled to issue penalties for significant non-compliance.

Preparing your NIS compliance strategy

The NIS Directive raises the stakes for the management of cyber security and risk assurance in organisations in the UK, and across Europe. Organisations should now look to develop a resilient security postures based upon best practice from leading international standards, as is highlighted in the 14 high-level security principles.

There are two relevant international standards that set out best practice approach: ISO/IEC 27001:2003, the international standard for an information security management system (ISMS), and ISO 22301:2012, the international standard for a business continuity management system (BCMS).

Using these standards as guidance will give you a documented cyber resilience program that will protect your information systems and network from the majority of threats and support a swift recovery if and when an incident occurs.

However, it is important to remember that suppliers and Third Party service providers to OESs and DSPs will not be within the scope of the NIS Directive. It will be the responsibility of the individual organisations to ensure their supplier has appropriate security measures.

You’re only as Strong as your Weakest Link

At DVV Solutions we recommend an approach to achieving NIS Directive compliance that incorporates a comprehensive cyber resilience programme including:

1. Registering and reviewing the contractual terms of all Third Party suppliers
– Detail WHO has WHAT access to WHICH systems and data, and WHY (this will help drive subsequent remediative decisions and actions)
– Ensure all existing and new supplier agreements require compliance with the Directive and subsequent enactments

2. Robust cyber security defences, which are tested and proved
– Periodic or event-triggered risk assessments of your entire supplier base
– Detailed onsite investigation and evaluation of security controls deployed by your third party IT suppliers in situ

3. Proactive and preventative measures across your IT and data supply chain
– Continuous monitoring of the threat landscape and emerging risk factors
– Screening and pre-assessment of potential new service providers and Third Party technology partners

4. Tools and systems to effectively deal with and report incidents and data breaches
– Automated processes and workflows
– Cloud-based information and evidence sharing platforms

That’s where DVV Solutions can help. With over 18 years of experience as a specialist provider of Cyber Security, Third Party Supplier Risk and Governance, Risk & Compliance (GRC) solutions we understand what it takes to build a complete understanding of Third Party risk throughout your organisation. We work with you to:

• Scrutinise your Third Party relationships – service by service, supplier by supplier
• Identify and evaluate real risks and emerging threats
• Develop and manage your risk exposure, cyber strategy and data protection strategies
• Establish and mature your Third Party Risk Management capabilities
• Ensure regulatory compliance with standards including NIS, GDPR and PCI, and
• Provide clear and concise guidance that illustrates the impact and value of your IT security investments

We’d be pleased to hear from you and help find the most effective way to achieve optimal security and NIS compliance throughout your data supply chain.

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our online contact form