Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)

Debate between David Chadwick and Bradley Thomas
David Chadwick

New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.

New clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.

Bradley Thomas

While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?

David Chadwick

One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.

All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.

Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?

Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)

Debate between David Chadwick and Bradley Thomas
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.

When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to a halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.

We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.

Bradley Thomas

I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.

David Chadwick

The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.

Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.

Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.

Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.

At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.