While neither the final Statutory Instrument nor the Code of Practice has yet been released, we asked Timo Kuusela, Vice President of Sales at network automation software provider PacketFront, what industry leaders should expect to happen next…
In short, the law requires operators to use best practices to prevent security risks by taking pre-emptive actions when designing, constructing, documenting, and maintaining the network. It also requires operators to protect the data as well as prohibit unauthorised access and manipulation of the network and data.
Besides performing preventive actions, operators are obliged to monitor the network and services for any security compromises. And, in case of a security breach, they must have measures in place to remediate and recover from the incident.
Finally, operators must reduce the risk for third-party suppliers in their supply chain. This includes measures that reduce the dependency on a single supplier and facilitate a vendor change.
How does the Telecommunications (Security) Act 2021 (TSA) impact altnets?
Following the latest developments, Ofcom will be using a tiering system which sets different rules for operators based on their annual turnover, these being:
- Tier 1: Over £1bn
- Tier 2: More than £50m
- Tier 3: Less than £50m in yearly turnover.
This means that the majority of altnets will fall into Tier 3 and whilst they will have to comply with their obligations under the Act, they will not necessarily have to follow the entirety of the measures contained within the Code of Practice that the Act introduces.
If Tier 3 operators are not caught by all the obligations, why should altnets still be concerned with the TSA?
For starters, they must still take ‘appropriate and proportionate measures to comply’, so they are not completely ‘off the hook’. Likewise, whilst they are not obliged to follow the entirety of the Code of Practice, they should be prepared to explain to Ofcom why they have chosen not to do so in a particular instance.
And an even more important argument is that Tier 1 and 2 operators must secure their supply chain. So, if you – as a Tier 3 operator – plan to sell services (for example, connectivity) to these operators, you will be part of their supply chain and thus need to comply with the requirements of the Code of Practice as if you were a Tier 1 or 2 operator.
Besides, if you can claim compliance with the TSA, you can increase the value of your assets in a merger or acquisition process, especially if the other party is already under Tier 1 or 2 obligations. Furthermore, it is worth noting that any M&A activity that is likely to take a Tier 3 operator over the revenue threshold into Tier 2 will require this level of compliance to be in place and will certainly be caught in a due diligence process. Therefore, those with any intention to exit or sell further down the line should have this in mind from the beginning.
So, why not make your network compliant today, when you can do so ‘for free’ as part of a cost-saving network automation project, rather than wait until you are forced to do it at a much higher cost?
Finally, the requirements in the TSA are sensible to follow. Security is ultimately for your benefit, so our advice would be to never wait until somebody compromises your network. It’s important that you ensure your network is equipped to prevent, monitor, and remedy security threats.