To report or not to report?

A year ago or so, the UK regulator, Ofcom, consulted upon and issued a Statement and Guidance regarding incident reporting requirements for communications providers (CPs).

The regime used to be a lot simpler, but, with cyber-security coming to the forefront generally, the rules have been brought up to date to account for a number of potential threat vectors.

There are four “axes”, if you will, to the reporting:

  • Mobile or Fixed or Broadcast
  • Outage or cyber-security
  • Urgent or Non-urgent
  • Quantitative or qualitative threshold

If you’re reading this, I suspect the distinction between mobile and fixed can be taken as read (and you don’t care about broadcast), but what about the rest of it?

Incident Reporting TL;DR

If there’s an outage or cyber-security incident, then depending on the size and nature of it, whether it’s a repeat (same issue or different issue, same users) and how it is being reported in the media, you may be legally required to make a report to Ofcom in 3 hours, 72 hours, or not at all.

Qualitative or Quantitative?

Firstly, any incident that “CPs are aware of being reported in the media (local, national or trade news sources)” meets the qualitative criteria for reporting. So, an outage of 1 user, if they happen to be an angry columnist for The Orcadian or IT News Africa, would trigger the threshold if the CP is aware of it. So, all UK CPs should now just get their news from the non-technology periodicals featured on Have I Got News For You.

This is literally about the only piece of regulation where having your head in the sand is arguably a legitimate excuse.

Secondly, the qualitative threshold also includes repeat incidents (there’s a more complex definition, but, broadly, the same users, the same service or the same issue within a 4-week window).

Thirdly, Ofcom categorises the following as qualitative, but they are really quantitative with a threshold of zero, and are automatically reportable:

  • any incident affecting any part of the call answering service for the emergency services, or
  • any incident where a CP is aware it was linked to a loss of life.

That latter point is explicitly about incidents affecting the ability to contact the emergency services; so a fatal Health and Safety incident in a data centre leading to a service interruption, itself reportable to a different authority, does not come under this requirement. Unless it’s reported in the local press. Confused yet?

What about the quantitative criteria? There’s a matrix based on whether the outage affects emergency services or is wider, and on the number of users affected, all of which varies according to whether you’re fixed or mobile and, in the case of the latter, an MNO or an MVNO. Oh, and MVNOs still have to report incidents caused by their MNO even if the MNO is reporting them – that’s explicit in the Guidance. This also applies to fixed operators with switching equipment in a value chain (so if you are a BT IPEX Type A network, then if there’s an IPEX outage, you still have reporting obligations). It would not apply, in most cases, to a traditional lines-and-minutes reseller.

Urgent or non-urgent

Broadly, there is a 3 hour reporting requirement for an urgent incident, and 72 hours for non-urgent, and these are slightly qualified by Ofcom to say “where possible”. Major networks will have been given out-of-hours telephone numbers to call for urgent reports, but in all cases there is also a dedicated Ofcom mailbox.

Urgent incidents are defined as:

  • All incidents involving major cyber security breaches that meet the qualitative definition.
  • Affecting services to 10 million end users.
  • Affecting services to 250,000 end users, and expected to last 12 hours or more.
  • Attracting national mainstream media coverage.
  • Affecting critical Government or Public Sector services (e.g. widespread impact on 999, 3-digit non-emergency numbers, emergency services communications).

In keeping with their usual modus operandi, Ofcom have not provided further information on what constitutes national mainstream media coverage or on what critical Government or Public Sector services are.

Everything else is non-urgent.

Outage or cyber-security

And to top it all off, there is no statutory definition of security.

“Ofcom’s understanding of ‘security’ in this context includes the usual meaning given to it in relation to information security, namely protecting confidentiality, integrity and availability” is what we have to go with from the Guidance.

If you weren’t confused before, then by now, surely, you must have a headache to match mine.

The term outage is one that the industry and I use to describe an incident; in the terms of the Guidance, what is relevant is that “A customer is affected if the main functions of a network or service are not available to them due to the incident.” Of course, if their ability to contact the emergency services is affected, then that’s a separate category of incident.

Potential Prejudice

There is understandably a fear that Ofcom may use information provided to it within the first 3 hours of an incident (or 72 hours for that matter) against the Communications Provider in a prejudicial manner. Or that reporting an incident would lead to an investigation that wouldn’t otherwise occur.

Thankfully, that fear is largely unfounded. Firstly, Ofcom start to address it in the incident reporting Guidance:

In relation to specific incidents, rather than launching an investigation, it can be more effective for us to work informally with stakeholders, given that our priority will usually be to ensure that any security incident is addressed by CPs as soon as possible. However, we will not be slow to use our formal enforcement powers where we consider that to be appropriate.

(Guidance, paragraph 5.9)

Ofcom have also stated in public meetings that they recognise that these reports can be generated without all the facts being known and as such are given the appropriate weight (or lack thereof).

But most importantly, even if Ofcom had unlimited resources and fully investigated every infraction, Ofcom are constrained by their powers in the Communications Act 2003. Ofcom are required to give the provider the opportunity to make representations, and “Ofcom may not give a confirmation decision to a person unless, after considering any representations, they are satisfied that the person has, in one or more of the respects notified, been in contravention of a condition specified in the notification under section 96A.”

There’s a real dilemma with incident reporting. Failure to notify in accordance with the relevant statute can attract a fine of up to £2m; a breach of the General Conditions relating to emergency services access can be up to 10% of relevant turnover or, in extremis, Ofcom withdrawing the provider’s authorisation to run a network – and attempting to pull the wool over the regulator’s eyes may be treated as an aggravating factor when the fine is set, too.

Conclusion

Incident reporting is a minefield that applies to large and small providers alike. The only solution is to sit down with the Guidance and overlay incident reporting in amongst your own major incident structure. Alas, the complexity is such that it will largely be a bespoke set of thresholds and rules for each individual provider based on their product set, size and other factors.

What we also shouldn’t lose sight of is any other parallel reporting required, such as to the Information Commissioner (for personal data breaches) or the National Cyber Security Centre.

As ever, if you are affected by anything in this piece, feel free to reach out to see if we can help.