Coping with rising regulations in the cybersecurity space
Telecoms.com periodically invites expert third parties to share their thinking with our audience. In this piece Nils Ahrlich, Head of Security Consulting, Cloud and Networking Services at Nokia, assesses the cybersecurity regulatory environment from an operator perspective.
March 5, 2024
More stringent government cybersecurity regulations are posing operational headaches for communication service providers (CSPs).
While regulations vary from country to country, operators are quickly realizing that compliance is not just a box to tick: it is non-negotiable if they want to avoid hefty fines and reputational damage. A recent survey from TM Forum showed that 51% of CSPs factor regulatory compliance into how they prioritize security spending, which shows that senior leadership is increasingly aware both of the role regulation plays and of the consequences of non-compliance.
The significance of cybersecurity regulations for CSPs
CSPs are entrusted with valuable customer data and critical services, and any compromise in security can have far-reaching consequences. HardenStance, a telecom and IT security analyst firm, notes that there is now a “regulatory regime for cybersecurity that demands that telcos report incidents faster and, in more detail, than many of them currently do.” Faster and richer reporting only works if operators, regulators and other stakeholders talk to each other, which is why many governments encourage collaboration between CSPs, regulatory bodies and other stakeholders, and sponsor information-sharing initiatives to address emerging threats.
Country-specific regulations have specific implications for CSPs, and it is worth spelling out what meeting them does for an operator. First, it can tell stakeholders with confidence that it has satisfied the requirements of a recognized regulatory body, which builds trust. Second, the controls it puts in place to demonstrate compliance are the same controls that reduce the risk of data loss or service disruption from hacks and attacks, so it can show integrity and reliability in practice rather than on paper.
What country-specific security regulations mean for mission-critical networks
Regulations shouldn’t be considered roadblocks but milestones toward a secure digital future for CSPs and other critical entities. By implementing strong cyber protection measures such as encryption, access controls, and secure network practices, operators can potentially save millions of dollars. Consider just some of the key regulations that have already taken effect:
Telecommunications (Security) Act (TSA) – Passed in the UK in 2021, with its regulations and code of practice in force since October 2022, this law affects telecom and service providers, hardware vendors and software developers. By 31 March 2024, Tier 1 providers must have the earliest measures in place, including notifying affected parties of security compromises and promptly reporting them to Ofcom, the UK's communications regulator. Non-compliance can be penalized with fines of up to 10% of relevant turnover, or up to £100,000 per day for a continuing breach.
Executive Order 14028 – Signed in the United States in May 2021, this order requires information and communications technology service providers that contract with federal agencies to report cyber incidents and share threat information that could affect government networks, removing the contractual barriers that previously kept such information from being shared.
NIS2 Directive – Adopted by the European Union at the end of 2022 and in force since January 2023, with member states required to transpose it into national law by October 2024, this legislation extends the cybersecurity obligations of telecommunications companies. Entities must put cyber risk management measures in place, exchange cyber threat intelligence, and meet strict incident reporting deadlines: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher.
IMDA – In Singapore, the Info-communications Media Development Authority (IMDA), the telecommunications regulator, imposes stringent Quality of Service (QoS) requirements on operators, including the submission of regular service-quality reports. Operators found in breach of these telecommunications and postal QoS standards face financial penalties of up to $50,000 per instance of non-compliance.
Key steps to ensure telecom operators meet industry best practices
Meeting industry best practices also helps telecom operators run their businesses better. First and foremost, research and understand the regulatory requirements of each country in which the operator does business. Second, build on the security features and capabilities defined in the relevant standards (3GPP, ITU-T, ETSI, etc.) and on reference installations at other customers. This foundation is the starting point for improving security operations and the reporting structure. A roadmap built on it lets CSPs not only meet industry best practices but also have confidence in their cyber protection measures.
Incident response and reporting: In the event of a cyberattack, a quick and efficient incident response is indispensable. To minimize damage, CSPs must establish incident response plans that define responsibilities, procedures and workflows, and that use automation and AI where they genuinely help. Reporting security breaches promptly to regulatory bodies and affected parties is essential; the regulations above set hard deadlines for it, and failing to meet them carries serious legal and reputational consequences.
Robust security infrastructure: Invest in cybersecurity safeguards that exceed regulatory and compliance requirements, and conduct regular assessments and audits to identify risks and confirm compliance. Where internal resources are not available, use a trusted partner who can support cyber-risk assessments, security concepts or security operations procedures.
To summarize, while navigating country-specific regulations can be tricky, compliance is non-negotiable for avoiding financial penalties and building trust with customers. Understanding the global regulatory landscape, meeting compliance requirements and continuously improving security infrastructure is not easy. Yet these regulations should be seen not just as a legal obligation but as an opportunity for operators to demonstrate their commitment to cybersecurity and protect their customers.
Nils Ahrlich has over 20 years of experience in security, IT and telecommunications. In his role as head of Security Consulting at Nokia CNS, he oversees all major operator technologies including Cloud and IoT as well as multiple adjacent industries. Prior to his current role, Nils headed the Security Service Line as part of the Professional Service of Nokia Siemens Networks.