
Out-Law News

Ofcom to revise guidelines on when mobile operators must report disruption to services


Mobile network operators will be subject to more prescriptive guidelines on when they must report disruption to the services they provide, under new proposals set out by Ofcom.

The telecoms regulator said there are currently inconsistencies in the number and scale of incidents reported to it by the operators, which it attributed to the way the existing guidelines are interpreted, rather than "differences in the underlying resilience of the operators’ networks".

Under planned new guidance (32-page / 575KB PDF), mobile operators that provide voice or data services or networks to retail customers would be obliged to tell Ofcom if they have suffered a "service loss or major disruption" to those services for "one or more technology", such as 2G, 3G and/or 4G services, at 25 or more of their sites if that disruption lasts for at least two hours.

In a similar vein, where such services are offered in rural areas, mobile operators would be required to report service loss or major disruption that arises at any of their sites where the disruption lasts for at least eight hours.

In its proposed new guidance, which relates to the obligations telecoms companies face under the UK's Communications Act, Ofcom also set out its expectations about the steps telcos should take to manage cybersecurity risks. The existing guidance that applies has been in place since 2014.

Ofcom said it is "concerned that security risks may not always receive sufficient attention at the highest levels in some organisations" and that, in future, it plans to "seek evidence of the risk management processes that were used and of specific risk decisions that were taken" when investigating potential breaches.

"We will expect to see that relevant security risks are regularly considered and have appropriate owners at all levels, up to and including the Board," Ofcom said. "We will also emphasise the need for [communication providers] to have a sufficient level of internal security capability to ensure those considering such risks are appropriately informed."

Ofcom endorsed cybersecurity standard certifications for telcos and also said it would expect the businesses to engage in "vulnerability testing" once a new pilot scheme led by the Department for Culture, Media and Sport – recently renamed the Department for Digital, Culture, Media and Sport – is operational.

The regulator also said telcos should follow guidance issued by the UK government and other agencies to help protect the security and integrity of their data and systems. It said it intends to update its guidance to make clear that telcos that do not follow cybersecurity guidance issued by the UK's new National Cyber Security Centre, or the European Union Agency for Network and Information Security (ENISA), risk enforcement action if breaches occur.

Ofcom said: "The threats to the security of communications services have changed somewhat over the last three years and hence the guidance we provide on how to address them needs to change accordingly."

Under the Communications Act, telecoms companies are subject to an overarching obligation to protect the security of the network or services they provide. They "must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services". This includes taking steps to ensure that the impact of any security incidents on customers is prevented or minimised.

Telecoms network providers are required to inform Ofcom if they suffer a breach of security that "has a significant impact on the operation" of their network or if there is a "reduction in the availability" of their network that has "a significant impact on the network". Telecoms service providers are also required to notify Ofcom if they suffer a security breach which has a significant impact on the operation of their service.

Ofcom's guidance sets out more detail on the security measures the telecoms providers must have in place. Ofcom's proposals are open to consultation until 7 September.
