The UK Telecoms Security Act – What It Means for Telecom Operators

By Dave Davies

The TSA aims to tackle the growing concerns surrounding the security and reliability of telecommunications networks. With the increasing reliance on digital connectivity for both personal and professional purposes, it establishes rigorous standards and requirements for operators. The act focuses on several key areas, particularly:

  1. Strengthening network security
  2. Ensuring the integrity of network components
  3. Enhancing supply chain security
  4. Implementing comprehensive risk management strategies
  5. Establishing a robust incident reporting and response framework

What has been surprising about the introduction of the TSA is the variety of responses from different parties, with widely differing approaches to adoption and understanding by security and leadership teams across all tiers of the industry. Noncompliance with the TSA could result in  penalties of up to 10% of turnover, which should not be taken lightly, as Ofcom indicated that they will police compliance. Whereas previous GDPR compliance was seen as mandatory by all, in respect of the TSA some operators seem to only pay lip service to the spirit of the law, underfunding delivery teams or expecting costs to be borne in BAU budgets, and facing into the very real risk of large fines and reputational damage.

Impact of The UK Telecoms Security Act

The TSA has far-reaching implications for telecom operators in terms of compliance, investment, and operational efficiency. Some of the main impacts are:

  1. Increased Compliance Burden: The TSA imposes strict compliance requirements on operators, leading to increased administrative and monitoring costs. Operators must ensure that they meet these standards or risk facing significant financial penalties and reputational damage. For example, operators must maintain detailed records of customer premises equipment (CPE) deployed, especially for business customers. This includes tracking the type, location, and software versions of the equipment, allowing operators to quickly respond to potential vulnerabilities or security threats.
  2. Investment in Network Security: The act requires operators to invest heavily in network security measures, including upgrading infrastructure, implementing advanced security solutions, and ensuring the integrity of their supply chain. This would include implementing strong encryption for data transmission and storage, as well as investments in advanced threat detection and mitigation tools to protect their network infrastructure.
  3. Workforce Training and Development: The TSA necessitates an understanding of its requirements across an organisation, which means operators must invest in employee training and development to equip their workforce with the skills and knowledge needed to navigate this new regulatory environment. As part of this, regular training sessions should be conducted to educate employees about the TSA’s requirements, emerging security threats, and best practices for ensuring network security and customer privacy. Deciding which employees should receive such training in large and diverse organisations presents a cost risk if threat vectors are not appropriately understood.
  4. Enhanced Collaboration with Authorities: The TSA is designed to foster closer collaboration between operators and relevant authorities, such as the National Cybersecurity Agency, to ensure effective risk management and incident response with clear communication channels and protocols with authorities for sharing information about potential threats, vulnerabilities, and security incidents, enabling timely and coordinated response being established or improved.

TSA Adoption

To adapt and thrive in this new Teleco landscape, operators should seriously consider how they adopt the principals of the TSA into their corporate DNA. Here are some of the biggest considerations to keep in mind:

  • Develop a Comprehensive Compliance Roadmap: Create a detailed and well-structured compliance roadmap that outlines the steps needed to achieve TSA compliance. This should include timelines, milestones, and clear responsibilities for each party and aspect of the process.
  • Prioritise Security Investment: Allocate resources strategically to prioritise investment in network security and supply chain integrity. Evaluate potential risks and vulnerabilities and invest in solutions that address these concerns effectively.
  • Foster a Security-Oriented Culture: Encourage a security-oriented culture within your organisation by providing regular training and updates on the TSA’s requirements. This will not only ensure compliance, but also help create a proactive approach to security within the company.
  • Leverage External Expertise: Engage with external consultants and experts to support your compliance efforts and gain valuable insights into industry best practices. As a one-off implementation activity, a properly enacted approach to the TSA need not increased headcount, but the creation and implementation of these will certainly require support.

Despite these challenges, the scope and scale of the changes required, and the limited response by some operators, progress must be made sooner rather than later. Tier 1 providers with revenues >£1bn have until the end of March 2024 to implement these requirements, whilst Tier 2 providers with revenues >£50m, or which have any element of Critical National Infrastructure, have a further year until the end of March 2025[1].

Getting Started with TSA Compliance

Whilst essentially codifying best practice, the Telecoms Security Act is a game-changer for some players in the telecommunications industry, presenting both challenges and opportunities for operators. By understanding the implications of the act and implementing strategic change, telecom operators can enhance security, ensure compliance, and make the most of this new landscape. Navigating these complexities may seem daunting, but with the right approach, resources and advice, operators can achieve their objectives in this evolving environment.

At Cartesian, we understand the challenges that telecom operators face in complying with the Telecoms Security Act. Our consulting team is well-versed in the complexities of the TSA and is ready to help you develop a comprehensive compliance roadmap, prioritise security investments, and help foster a security-oriented culture within your organisation.

Here are just a few ways that Cartesian can help your organsation thrive in this new landscape:

  • Compliance Strategy and Roadmap Development: We’ll work closely with you to create a tailored compliance strategy, complete with milestones and responsibilities, to ensure you meet the TSA’s requirements.
  • Security Investment Prioritisation: Our team can help you identify the most critical areas for investment, ensuring you allocate resources effectively and address potential risks and vulnerabilities.
  • External Expertise and Collaboration: Our experts can serve as a valuable resource in your collaboration with authorities, offering insights and support in risk management and incident response.

Contact us for further information on how we can help.

References:

[1] https://www.gov.uk/government/consultations/proposal-for-new-telecoms-security-regulations-and-code-of-practice/telecoms-security-proposal-for-new-regulations-and-code-of-practice