Public Bill Committees
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.