The Telecommunications Security Act: Building your approach to resilience

The Telecommunications Security Act (TSA) imposes new duties on public telecom providers to ensure their networks are secure and resilient in the face of an ever-changing risk and threat landscape. To do this, organisations must move beyond the old ways, and rethink resilience; but what does this look like?

The TSA, which came into force on the 1st of October 2022, is a framework that sets out a robust security standard designed to promote the resilience and integrity of core telecommunications networks in the UK. This includes a number of technical guidance measures (M21.01-07) aimed at “Retaining national resilience and capability”. The TSA’s holistic approach is driven by a focus on UK national resilience and the critical role that telecom providers (public electronic communications networks (PECN) and services (PECS)) play.

Most urgently, Tier 1 (the largest national-scale) telecom providers need to be compliant with the first of these requirements by 31 March 2024, with Tier 2 (medium-sized) providers to follow. But what is the right approach to building resilience?

A new approach to building resilience

Resilience disciplines - such as business continuity, IT disaster recovery, cyber security, supply chain and crisis management - have traditionally been designed, governed and managed in silos. They have typically focused on responding to narrow scenarios, such as a building fire or flood, and isolated recovery approaches, such as restoring a single application from backup.

This approach is no longer fit for purpose in an era where disruption is the norm and the risk and threat landscape is evolving at a rapid pace. Organisations are also more complex than ever, with wide-reaching, deeply entangled value chains of interconnected systems that are fragile and will fail in ways we can't predict. Organisations need to be able to adapt and respond at pace to this changing operating environment to protect themselves and create value by gaining competitive advantage.

“Being resilient by design is critical for both survival and for strategic advantage in an era where disruption is the norm. From a pandemic, war and cost of living crisis to extreme weather events, supply chain challenges and cyber attacks, the threats we all face are more frequent and complex than ever before.”

Rethink Resilience

The TSA regulation provides a unique opportunity for telecom providers to pivot from a siloed, asset-based and compliance-driven approach to a holistic resilience capability that meets regulatory requirements and delivers a competitive advantage.

1. Identify what matters most

First and foremost, telecom providers should identify their Critical Business Services (CBS) - these are the most important services an organisation delivers, not individual technology applications or systems. This will likely be closely aligned to the areas covered by the TSA. Under the regulations, any security critical function of the network or service “whose operation is likely to have a material impact on the proper operation of the entire network or service or a material part of it” should be resilient. While not everything a telecommunications provider delivers will fit this category, understanding the whole value chain enables an organisation to build a holistic and enterprise-wide approach to resilience, encompassing both the critical functions themselves, as well as the activities and services upon which they depend. Knowing what matters most allows the Board, Executive and decision-makers at every level to provide challenge and ensure the right resilience is in the right place.

A traditional Business Impact Analysis (BIA) can then supplement an organisation’s resilience, capturing the activities that don’t directly underpin CBS but are still important for the ongoing viability of the organisation. For telecom providers, whose availability and security is critical to people and businesses across the UK, these activities, and the associated security measures that protect them, ensure they are able to fulfil their obligations under the TSA.

2. Map the dependencies

To build resilience around their CBS, organisations need to understand the people, processes, technology, and third parties on which they rely. It can be a significant undertaking to map the complex web of dependencies across an organisation, but it is critical to have an understanding of any single points of failure and to ensure resilience investment is targeted for the greatest impact.

Once mapped, an organisation needs to establish, test, and monitor its resilience thresholds. These thresholds are not the same as existing risk appetites; instead they represent the boundary beyond which a service or organisation is unable to maintain its usual operations or recover effectively from an adverse event. Regular, scenario-specific exercising gives an organisation the opportunity to prod and test these thresholds and validate their suitability.

Disruption is inevitable; understanding what level of vulnerability is acceptable - when interruptions to a core business service go from being inconvenient to intolerable - is essential. An organisation may define these thresholds against a range of criteria including financial, customer or reputational impacts. However, regulatory requirements such as the TSA, and any potential breaches of these requirements, are also critical for an organisation to build into its resilience planning - and in some cases the tolerable outage could be as little as a few hours.
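As an added illustration of the dependency mapping and threshold checks described in this section (example code, not from the original article or from PwC), the following Python models a Critical Business Service with its people, technology and third-party dependencies, including redundant alternatives, then identifies single points of failure by simulating the loss of each dependency and flags those whose estimated recovery time exceeds the service's maximum tolerable outage. The service and component names, recovery times and the four-hour tolerance are constructed assumptions for the example.

```python
"""Dependency map for a Critical Business Service (CBS) with single-point-of-failure
and impact-tolerance checks.  All names and hours below are constructed examples."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    recovery_hours: float = 0.0
    # Each entry in `requires` is a group of alternatives: the node is available
    # only if, for EVERY group, at least one member is available
    # (AND across groups, OR within a group -> models redundancy).
    requires: list[list[str]] = field(default_factory=list)


def is_available(name: str, nodes: dict[str, Node], failed: set[str],
                 seen: frozenset[str] = frozenset()) -> bool:
    """Recursively evaluate whether `name` is up given the set of failed nodes."""
    if name in failed:
        return False
    if name in seen:
        # Cycle guard: a dependency loop that cannot be resolved counts as down.
        return False
    seen = seen | {name}
    for group in nodes[name].requires:
        if not any(is_available(alt, nodes, failed, seen) for alt in group):
            return False
    return True


def single_points_of_failure(cbs: str, nodes: dict[str, Node]) -> list[str]:
    """Every dependency whose loss, on its own, takes the CBS down."""
    spofs = [n for n in nodes if n != cbs and not is_available(cbs, nodes, {n})]
    return sorted(spofs)


def threshold_breaches(cbs: str, nodes: dict[str, Node],
                       max_tolerable_outage_hours: float) -> list[str]:
    """SPOFs whose estimated recovery time exceeds the CBS's tolerable outage."""
    return sorted(n for n in single_points_of_failure(cbs, nodes)
                  if nodes[n].recovery_hours > max_tolerable_outage_hours)


def example_map() -> tuple[str, dict[str, Node]]:
    """Constructed dependency map for a hypothetical voice service."""
    nodes = {
        # Two core switches are alternatives (redundant); the other groups are not.
        "voice_service": Node("voice_service", requires=[
            ["core_switch_a", "core_switch_b"], ["signalling_db"], ["noc_team"]]),
        "core_switch_a": Node("core_switch_a", 4.0, [["power_feed"]]),
        "core_switch_b": Node("core_switch_b", 4.0, [["power_feed"]]),
        "signalling_db": Node("signalling_db", 6.0, [["dns_vendor"]]),
        "dns_vendor":    Node("dns_vendor", 12.0),   # third party, no visibility
        "noc_team":      Node("noc_team", 2.0),      # people dependency
        "power_feed":    Node("power_feed", 1.0),    # shared by both switches
    }
    return "voice_service", nodes


if __name__ == "__main__":
    cbs, nodes = example_map()
    print("Single points of failure:", single_points_of_failure(cbs, nodes))
    print("Breach 4h tolerance:", threshold_breaches(cbs, nodes, 4.0))
```

Note that a component can be a single point of failure even when the service does not depend on it directly: the shared power feed sits behind two redundant switches, and the third-party DNS provider sits behind the signalling database, yet losing either one still takes the service down. That is exactly the kind of hidden dependency the mapping exercise is meant to surface.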

3. Integrate resilience and abolish silos

Identifying CBS and mapping their dependencies does not in itself produce resilience. The key to the success of this approach is integrating resilience disciplines. As highlighted in our PwC Global Crisis and Resilience Survey 2023, it is no longer sufficient for organisations to operate in silos as they address today’s complex and interconnected risks. They must actively move to a more integrated approach, centrally governing and aligning multiple resilience capabilities around what matters most to the business (including meeting their regulatory requirements such as the TSA), and embedding the programme into operations and the corporate culture.

Clear executive leadership and ownership of this integration is essential in building a successful approach. But this doesn’t mean that each resilience discipline is removed from its existing governance structure. Instead, organisations should consider establishing a Resilience Committee, or similar, that ensures disciplines are governed in a holistic and integrated way - driving a culture of communication, coordination and collaboration that builds integration across the capabilities.

Leveraging technology is a powerful way to drive this integration. Platforms such as Fusion Risk Management can empower organisations to identify their operational dependencies, visualise how disruptions can impact complex value chains and help to break down these silos. Tools like Fusion also provide organisations with an easy way to embed, build and monitor their resilience as it is developed across the organisation.

“Resilience is as key to value creation as it is to value protection because resilient organisations are ready to act with agility and speed to any scenario. Resilience puts organisations on the front foot to change so they can take risks with confidence, using the trust they have built with stakeholders to create sustainable growth.”

Conclusion

The requirements of the TSA create a need for telecom providers to build and embed resilience into their critical services as a matter of national security and regulatory obligation - but they also provide an opportunity to take a new approach to operational resilience, leveraging technology to drive change. The traditional approach, where resilience disciplines are siloed and business continuity is focused on single application failures or isolated crises, is no longer fit for purpose. The ability to adapt and respond to disruption is vital to maintaining the trust built with stakeholders at a time when expectations of the resilience of businesses and government have never been higher.

Get in touch to discuss how we’re helping organisations to rethink their approach to resilience.

Co-written by: Kit Aherne, Senior Associate - Risk and Resilience

Contact us

Bobbie Ramsden-Knowles

Risk and Resilience Partner, PwC United Kingdom

Tel: +44 (0)7483 422701

Johanna Peterson

Senior Manager, Risk and Resilience, PwC United Kingdom

Tel: +44 (0)7483 416849