Risk & Resiliency Oversight and the UK Telecommunications Security Act
Supply Wisdom Team
With supply chain disruptions not likely to ebb anytime soon, regulators worldwide are enacting policies requiring businesses across various sectors to improve resiliency, most recently, the Telecommunications Security Act (TSA). TSA is a ground-breaking new framework designed to protect the UK’s telecommunications networks from today's ever-evolving cyber threats. The new framework lays out a comprehensive security standard focusing on the resiliency of telecommunications networks in the UK. Notably, Section 6.2:
(1) A network provider or service provider must take such measures as are appropriate and proportionate to identify and reduce the risks of security compromises occurring in relation to the public electronic communications network or public electronic communications service as a result of things done or omitted by third-party suppliers.
The framework provides a summary of the approach to risk assessments requiring:
Evidence from the vendor themselves;
Testing to validate the vendor’s claims;
Third-party evidence.
However, risk assessments are not always 100% reliable because they rely heavily on self-reported information. Vendors can be tempted to inflate their security capabilities or downplay potential risks, leading to inaccurate or incomplete risk assessment results. Additionally, risk assessments are often limited to the security measures a vendor has in place at the time of the assessment. This means that if the vendor’s security posture changes after the assessment is complete, the risk assessment may no longer be valid.
Most businesses today concentrate their third-party risk monitoring on financial and cyber risks. This hyper-focus, however, leaves organizations exposed to cascading risks: the chain of causality that emerges when individual risks and accumulated vulnerabilities combine to amplify weaknesses. We continue to see evidence of cascading risk events leading up to a disruptive cyber-related event, most recently the ION Ransomware Attack.
Telecommunication providers and other entities governed by the Telecommunications Security Act should consider real-time and continuous risk monitoring across the full spectrum of risk domains. Augmenting vendor risk assessments with real-time risk intelligence can reveal notable risk events beyond cyber that can cascade into significant disruptive events. Let us show you how Supply Wisdom can help; request a demo to learn more!