James Humphrey-Evans and Nedko Nedev set out the corporate risk factors associated with communications networks, including those exposed by the recent Iberian outage.
Along pavements and roads in major cities, you will cross over the groundworks and chambers used by telcos for the networks we all use, just as the utility networks bring power and water to our homes and businesses. A sign on Valentia Island on Ireland’s Atlantic Coast celebrates the 1866 Transatlantic Cable Site linking the US and Europe as the “Birthplace of Globalisation”.

Globalisation, born in County Kerry in 1866
We mostly take this infrastructure for granted – at least until we read about undersea cables in the Baltic seemingly coincidentally breaking with alarming regularity – the EU Commission observing earlier this year that “[w]hile submarine cables may get damaged unintentionally, the pattern observed in recent months particularly in the Baltic Sea, suggests that this critical infrastructure is increasingly the target of deliberate hostile acts.” [1] – while back on land a power interruption closes a major airport[2] and most recently the power infrastructure of Spain and Portugal suffered outages on a massive scale[3].
This article sets out some key topics around connectivity that directors should – ideally with the benefit of training – consider when managing corporate risk, especially in the light of the UK Department for Science, Innovation and Technology and the UK National Cyber Security Centre issuing a new Cyber Governance Code of Practice[4] and free online training aimed at board members[5], both launched on 8 April 2024.
Directors’ duties: The longstanding statutory requirement that “A director of a company must exercise reasonable care, skill and diligence.”[6] means that directors as part of their remit need to consider resilience. The UK National Cyber Security Centre has issued a toolkit[7] to help board members embed cyber and resilience in governance. We would recommend that board members – perhaps especially non-executive directors offering independent oversight and constructive challenge – consider training on tech and resilience topics to support their firms’ compliance, resilience and business success.
Resilience as a legal and regulatory obligation: Telcos have of course been subject to resilience obligations as part of their regulatory supervision – for example in the UK there are specific legal obligations under The Telecommunications (Security) Act 2021[8] and Ofcom has issued a Statement on Network and Service Resilience Guidance[9] and has published the Network and Service Resilience Guidance itself[10]. More broadly, governments are of course encouraging resilience in critical infrastructure and enshrining resilience obligations in law and regulations – for example the EU Network and Information Security Directive 2 (NIS2)[11], the EU Digital Operational Resilience Act (DORA)[12] for financial entities and most recently the measures proposed in the UK Government policy paper on Cyber security and resilience of 1 April 2025 – reflecting the uncertain geopolitical times.

“Surely not my anchor?”
Management responsibilities: For the tech teams and management at enterprises, there are more immediate business risks to be understood and addressed operationally. We set out some considerations below to help enterprises monitor and manage these risks.
Understand reliability: Traditionally, telco vendors and operators have aspired to achieve availability of Five Nines, or 99.999%, which translates into less than 6 minutes of downtime per year. With the advance of the Internet and mobile communications, users became more accepting of – or perhaps more impatient with – service degradation and short-term outages. However, the increasingly universal reliance on communications for all aspects of business or government has brought renewed focus on service availability and the network and process designs required to achieve it.
Understand risk factors: The availability of a service relies on the faultless operation of the components in the system and the remedy processes in place should an issue occur. Components can become incapacitated by a multitude of factors including failure, damage, or hacking which gives service outages the appearance of a stochastic process. While a network provider can put a lot of effort into minimising some of the risk factors, it is not possible to eliminate them completely. Some exceptional events, such as cable cuts or catastrophic loss of power supply, may be completely out of the control of a network provider.
Understand risk mitigation: As it is practically impossible for a network provider to mitigate all issues completely, network designs employ redundancy for resilience. That is to say, the network is designed in such a way that if part of the network fails, the communication can be re-routed and continue uninterrupted through a different part of the network. Network redundancy is expensive as it translates into having to build and maintain additional capacity which is only used during fault events. Nevertheless, as communications have become critical for all aspects of life, this has led to the introduction of legislation on resilience and associated guidance which calls for redundancy in various parts of the network to achieve such resilience.
Understand practical implementation: While Ofcom’s resilience guidance encourages network providers to ensure redundancy throughout the network, it recognises that building in redundancy in some parts of the network may be too costly. An enterprise may therefore not be able to rely fully on the redundancy that the network provider has deployed in its network.
Understand alternative providers: Even when providing redundancy, operators sometimes cross-contract capacity between them or from third parties in order to minimise their costs. In practice this means that, even if an enterprise contracts communications from multiple different network providers, this does not automatically translate into multiplication of resilience or availability, as different operators may rely at least partially on the same underlying infrastructure, such as a fibre cable.

Understand alternative technologies: While optical fibre has so far established itself as the default reliable high-capacity network medium, there are alternative technologies which may mitigate the effects of failure in networks. These include commercial wireless services, dedicated microwave links, and satellite communications. While individually alternative technologies may provide lower throughput or have higher costs per unit traffic, they may ultimately provide an overall more cost-effective pathway to mitigating communication disruption. During the recent widespread power outage on the Iberian Peninsula some terrestrial mobile networks continued operating, albeit with increasingly reduced capacity as the blackout persisted[13]. Satellite services were unaffected by terrestrial power outages and – depending on the system – could rely on space mesh networking to continue to provide connectivity between users and inter-connect to terrestrial networks. There are already commercial high-speed satellite communication services capable of serving Small and Medium Enterprises (SMEs) in remote areas[14], with various other satellite networks either in service or in deployment/planning [15],[16],[17]. As the technology for satellite-based or other wireless connectivity is improving and the overall throughput capacity increases, such connectivity could provide a credible resilient alternative or fallback even for large organisations.
Understand latency: Redundancy routes can incur increased latency and/or jitter (fluctuations in latency), as they may need to pass through additional networking devices introducing delay. The latency fluctuations are usually tolerable and would not exhibit a notable degradation in the performance of business applications. Nevertheless, financial transactions and online gaming are two business areas which may be particularly sensitive to latency or jitter and for which the latency of redundancy routes would be paramount.
Understand capacity: Redundancy routes may not have sufficient capacity to carry all re-routed traffic in case of a major fault elsewhere. It is therefore possible that, despite the deployed redundancy and availability of alternative routes, the data throughput during a fault is so low as to cause a major disruption to the communication akin to a full loss of connectivity. The risk assessment must take into account the capacity of redundancy routes and any bottlenecks in case of a fault.
Understand networks’ cyber-security: Enterprises are generally aware of the importance of secure communications including access, encryption, and integrity. Networks have become predominantly software-based operations which has increased the networks’ exposure to potential cyberthreats. Any risk assessment should take into account the potential for network disruption not only from component failures but from targeted cyber-attacks on the communication networks.
Understand your risk tolerance: The optimal network design for each enterprise ultimately depends on the risk tolerance of the business to disruption in the communication. The risk tolerance can be quantified through the additional cost of network resilience vs the costs of communication disruption from e.g. reputational damage, lost business, inefficiencies, delays, and contractual penalties. The cost of disruption will ultimately determine whether a business can afford to rely on a network with no redundancy (no tolerance to faults) or it would need to ensure dual redundancy (tolerance to one major fault) or even triple or higher redundancy (tolerance to two or more major faults).
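The points above on shared infrastructure between providers, the capacity of redundancy routes and the cost of disruption can be worked through together in a short model. This is an added example, not part of the original article: the component names, availabilities, capacities and costs are constructed for illustration, and components are assumed to fail independently of one another.

```python
from itertools import product

HOURS_PER_YEAR = 8760

def p_disrupted(components, routes, demand_gbps):
    """Probability that surviving capacity falls below demand.

    components: {name: availability}, assumed to fail independently.
    routes: [(capacity_gbps, [component names the route crosses])].
    A route is up only if all its components are up, so a component shared
    by two routes takes both down together.
    """
    names = sorted(components)
    p_bad = 0.0
    for state in product((True, False), repeat=len(names)):
        up = dict(zip(names, state))
        p_state = 1.0
        for name in names:
            p_state *= components[name] if up[name] else 1.0 - components[name]
        surviving = sum(cap for cap, path in routes if all(up[c] for c in path))
        if surviving < demand_gbps:
            p_bad += p_state
    return p_bad

def expected_annual_cost(p_bad, resilience_cost, disruption_cost_per_hour):
    """Yearly cost of the design plus the expected cost of disruption."""
    return resilience_cost + p_bad * HOURS_PER_YEAR * disruption_cost_per_hour

# Constructed inputs: every component is 99.9% available, demand is 5 Gbps.
PARTS = {"fibre_a": 0.999, "fibre_b": 0.999, "duct_x": 0.999, "duct_y": 0.999}
DESIGNS = {  # name: (routes, constructed yearly cost of the design)
    "single": ([(10, ["fibre_a", "duct_x"])], 20_000),
    "dual, shared duct": ([(10, ["fibre_a", "duct_x"]), (10, ["fibre_b", "duct_x"])], 40_000),
    "dual, undersized backup": ([(10, ["fibre_a", "duct_x"]), (1, ["fibre_b", "duct_y"])], 30_000),
    "dual, diverse": ([(10, ["fibre_a", "duct_x"]), (10, ["fibre_b", "duct_y"])], 40_000),
}

def assess(demand_gbps=5, disruption_cost_per_hour=50_000):
    """Return {design: (probability of disruption, expected annual cost)}."""
    out = {}
    for name, (routes, cost) in DESIGNS.items():
        p = p_disrupted(PARTS, routes, demand_gbps)
        out[name] = (p, expected_annual_cost(p, cost, disruption_cost_per_hour))
    return out

if __name__ == "__main__":
    for name, (p, cost) in assess().items():
        print(f"{name:24s} {p * HOURS_PER_YEAR:8.3f} h/yr  cost {cost:12,.0f}")
```

With these inputs, two providers sharing one duct only halve the expected disruption of a single route, an undersized backup leaves it unchanged, and only the fully diverse pair reduces it by orders of magnitude.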
Know your network: Enterprises need to make a step change in understanding resilience and risks of their network providers. A network is only as strong as its weakest link. You should get to know the weakest link in each of the network providers you are using to be able to assess which network providers can ensure – individually or collectively – the resilience you need to satisfy your own risk tolerance. Such knowledge will drive practical decisions on which network provider to use, whether a single network provider is sufficient to deliver the required resilience, and in choosing alternative network providers if more than one is needed.
Budgeting for resilience: Having redundancy to cater for contingencies brings cost[18], and regulators recognise that telcos need more time to implement resource-intensive improvements[19], but it is often a necessary investment. A financial firm might have geographically diverse fibre connectivity between its data centre and a trading venue: one fibre runs along a road where a digging crew causes a break, while the second fibre runs alongside a railway line where a derailment or landslip occurs. Sometimes a third route as backup makes economic sense and perhaps offers reassurance for impacted business units who may need to assuage clients that steps have been taken to prevent a repeat.
Due diligence and contracts with network providers: Management needs to understand its own network provider relationships. When enterprises contract with prospective network providers, due diligence on the network, route, fibre age, history of fibre breaks and processes for support and fixing breaks can be helpful in managing risk, particularly where a supplier may not be open to much negotiation of SLAs. Ongoing relationship management to understand changes at the telco is also important. When reviewing SLAs, be mindful of definitions, measurement points, assumptions and carve-outs as much as the actual SLA figures – the devil is often in the detail. Remember that support and getting breaks fixed are needed precisely when a force majeure event occurs – so read, understand and (if required) seek to amend the small print.
Contracts with other key suppliers: Other key suppliers will likewise have their own telco dependencies, and these matter to the extent that they relate to key services – a call centre which cannot take or make calls is not useful. In the US, financial regulators such as the Federal Reserve suggest reviewing suppliers’ telecommunications redundancy and resilience plans[20].
Regulatory requirements: For financial entities, regulations such as DORA in the EU, and in the UK those of the FCA and PRA[21], require comprehensive IT risk management. These regulations typically require an assessment of resilience and security of the connectivity of the regulated entity and key vendors, with ICT services supporting critical / important functions at financial entities requiring particular attention. Telecoms tend to be regarded as critical / important ICT services, but where multiple telecom suppliers are used to collectively provide resilient connectivity over different routes, it is open to financial entities, under the proportionality principle under DORA[22], to assess that an individual contract is not itself a critical / important ICT service, provided that there is a high degree of confidence that the other telecom arrangements provide sufficient resilience.
Cyber insurance: Insurance may mitigate some financial losses, but cyber policies typically exclude losses relating to the suspected acts of a nation state or losses arising from failure of critical national infrastructure, such as telecommunications. The policy wording is of course key in defining the protection which may be on offer.
Technical due diligence in M&A transactions: M&A transactions are often seen as an opportunity for increased scale and operational synergies – but as 70-90% of M&A transactions do not meet their intended goals[23], due diligence across the target (including its tech and telecom arrangements) can be a sensible risk mitigant.
Summary: Any enterprise needs to understand how it can communicate with clients, employees, suppliers and other stakeholders. With threats to resilience ranging from the accidental, through hackers and through to state-sponsored hybrid acts, the authors suggest that corporates may find that some housekeeping and updating around key telecoms assets and vendor relationships is a worthwhile investment. Non-executive directors may be ideally placed to investigate and assess risks – and to encourage innovation, support risk mitigation, and even consider (measured!) risk taking.
This article is for general information and is not legal or technical advice.

James Humphrey-Evans (jhumphreyevans@blegalgroup.com) is a partner at Bortstein Legal Group in London advising on tech and data matters.

Nedko Nedev Ph.D. (nedko.nedev@paconsulting.com) is head of disruptive ICT at PA Consulting advising on telecom networks and IP.
[1] https://digital-strategy.ec.europa.eu/en/library/joint-communication-strengthen-security-and-resilience-submarine-cables
[2] https://www.gov.uk/government/news/neso-to-investigate-heathrow-power-loss
[3] https://english.elpais.com/spain/2025-04-29/spanish-court-investigates-whether-massive-blackout-was-due-to-a-cyberterrorist-attack.html
[4] https://www.ncsc.gov.uk/cyber-governance-for-boards/overview
[5] https://www.ncsc.gov.uk/blog-post/new-online-training-helps-board-members-govern-cyber-risk
[6] https://www.legislation.gov.uk/ukpga/2006/46/part/10/chapter/2/crossheading/the-general-duties
[7] https://www.ncsc.gov.uk/collection/board-toolkit
[8] https://www.legislation.gov.uk/ukpga/2021/31/section/1/enacted
[9] https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/272921-resilience-guidance-and-mobile-ran-power-back-up/associated-documents/statement-on-network-and-service-resilience-guidance.pdf
[10] https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/272921-resilience-guidance-and-mobile-ran-power-back-up/associated-documents/network-and-service-resilience-guidance-for-communication-providers.pdf
[11] https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[12] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
[13] https://x.com/vodafone_es/status/1916831502207197538
[14] https://www.starlink.com/gb/business/fixed-site
[16] https://www.aboutamazon.com/what-we-do/devices-services/project-kuiper
[17] https://www.telesat.com/leo-satellites/
[18] https://www.ispreview.co.uk/index.php/2024/08/uk-broadband-and-mobile-providers-balk-at-ofcoms-call-for-battery-backup.html
[19] https://assets.publishing.service.gov.uk/media/6384d09ed3bf7f7eba1f286c/E02781980_Telecommunications_Security_CoP_Accessible.pdf
[20] https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management
[21] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2024/ss221-november-2024-update.pdf
[22] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&qid=1678109512689; see in particular Art 4 DORA
[23] https://dealroom.net/blog/biggest-mergers-and-acquisitions-failures