Get Ready for a New UK Datacentre Security Regulation
Table Of Contents:
The UK’s economy is increasingly digital-centric. According to the government, data contributed nearly 7% to GDP in 2022, and three-quarters of all service exports from the country were reliant on data. This represents a fantastic opportunity for growth, but also exposes organisations and the customers that rely on them to new risks. That’s why the government has published new proposals to regulate the third-party datacentres that power much of the digital economy.
In their current form, the rules would introduce a new statutory framework and regulatory function, mandating minimum baseline security requirements for datacentre owners. Experts believe best practice security frameworks like ISO 27001 could be a useful way for such organisations to ensure compliance.
Why Do We Need More Secure Datacentres?
Datacentres sit at the heart of the digital economy, enabling organisations of all sizes operating across all sectors to deliver seamless online services and operate more efficiently. The government estimates that 28% of all UK businesses use services hosted in datacentres, rising to 62% of large companies. Yet both extreme weather events and cyber-threats such as data breaches and ransomware are a growing challenge. A parliamentary committee recently warned that the UK is at a “high risk” of experiencing a “catastrophic” ransomware attack.
Whatever the cause of an incident, serious outages can take a significant financial and reputational toll on datacentre owners and the businesses and end-customers that rely on these facilities. According to the Uptime Institute’s figures for 2022, 80% of datacentre managers and operators have experienced some type of outage in the previous three years. Over 60% of failures in 2022 resulted in total losses of at least $100,000 up from 39% in 2019. The share costing $1m+ increased from 11% to 15% over the same period.
Yet while cloud service provider (CSP) and managed service provider (MSP) facilities are already regulated by the UK’s Network and Information Systems Regulations (NIS) 2018, the same is not true of other third-party datacentres. This makes the UK an outlier among major economies. And it’s why the government has issued a new public consultation document: Protecting and enhancing the security and resilience of UK data infrastructure.
What Do the Proposals Entail?
The proposed rules would specifically cover colocation and co-hosting datacentre service providers. Facility owners would be required to register with a designated regulator and provide “relevant information” about their UK operations. This regulator would have power to manage and enforce the new framework, taking growth and innovation into account when making any decisions.
Datacentre owners would also need to comply with a series of security and resilience measures, related to:
⦁ Risk management
⦁ Physical and cybersecurity of facilities, networks and systems
⦁ Incident management – with significant incidents to be reported to the regulator and potentially disclosed to customers/affected parties
⦁ Resilience and service continuity
⦁ Monitoring, detection, auditing and testing
⦁ Governance and personnel
⦁ Supply chain management
“Data is an increasingly important driver of our economic growth and plays a pivotal role across our public services. So ensuring companies storing it have the right protections in place to limit risks from threats such as cyber-attacks and extreme weather, will help us reap the benefits and give businesses peace of mind,” argued data and digital infrastructure minister, John Whittingdale, in a statement.
“The government is serious about keeping data safe, which is why we are calling on these businesses to actively share their insights and expertise, whilst also making sure we have the right regulations in place. By making security a top priority in how we handle data, we’re not only tackling new challenges but also making the UK a global leader in promoting safe and responsible technology.”
Standards and Frameworks Can Help
However, as with any new regulatory proposal, there are potential challenges, according to James McQuiggan, security awareness advocate at KnowBe4.
“Firstly, the one-size-fits-all approach may only be suitable for some datacentre operators, especially smaller ones that might struggle with the costs and complexities of compliance,” he tells ISMS.online.
“Secondly, there’s a risk of overregulation, which might stifle innovation or lead to a compliance-focused rather than a security-focused mindset. Lastly, there’s the challenge of keeping up with rapidly evolving cyber threats, where regulations might become outdated quickly.”
Datacentre operators will need to deploy the latest data security and resilience technologies while ensuring compatibility and minimal downtime, all while minimising technical debt, McQuiggan adds.
“Adhering to an ever-growing list of regulations and industry standards can take time and effort, especially for smaller operators. Balancing compliance with operational efficiency is a significant challenge,” he argues.
However, best practice standards could help. Crucially, the government’s consultation document points out that “standards, assessment frameworks and other tools can be used to improve and assure security and resilience mitigations.” This opens the door to use of international standards like ISO 27001, which provides a framework for establishing, implementing and managing an information security management system (ISMS).
“The framework emphasises continuous improvement, which aligns well with the dynamic nature of cybersecurity threats and technological advancements. It can help datacentre owners systematically manage sensitive company information and ensure data security,” says McQuiggan.
“Additionally, organisations holding the ISO 2700x certifications can demonstrate to vendors, clients, and regulators that the datacentre is serious about managing information security risks effectively.”
The consultation on the new law will run until February 22, with various stakeholders, including datacentre operators, cloud providers and industry experts invited to submit their feedback on the proposals. The government believes that this, the new Data Protection and Digital Information Bill and the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 will together help to boost the cyber-resilience of the UK’s digital economy, at a time of escalating threats and a growing corporate attack surface. Time will tell.