Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.

The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and instant reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.

However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?

I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.

It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?

The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.

One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public an non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?

There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.

Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q Your evidence is really helpful. To help with my understanding, if you look across all the suppliers in your service, are there any that you would not consider to be critical, such that if you clicked your fingers now and one of them disappeared, it would not have a material impact on your ability to maintain patient safety and deliver healthcare? Irrespective of the debate about size, what suppliers do you not determine to be critical?

Stewart Whyte: For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q Do you have integration with your local primary care IT systems? For example, GPs have the old EMIS system and so on; is that integrated into your network? From your perspective, would that be a critical supplier that would need to be regulated?

Stewart Whyte: Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I am so pleased that the hon. Member raised the point about people who are in work but still poor. I will come on to that in relation to tackling child poverty, so if she waits a second, I will respond to her questions in full.

For the moment, I want to concentrate on the more macro costs point. Food inflation has gone up to 4.9%. Food costs are a big chunk of daily spending, especially for people who are poorer. That is a direct result of decisions to raise employer national insurance contributions. It turns out that taxes on businesses get passed on to working people.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Who knew, indeed.

Energy costs are a big chunk of everybody’s outgoings, and we are still waiting for them to come down. Property costs also are a big chunk of people’s outgoings, and this is reducing and putting more pressure on the private rented sector, particularly landlords. The measures in the Budget today around the increased taxation on property revenue will be passed on to the consumer—that is, people who are renting—adding yet another cost pressure. I wish Labour Members would think through what happens not just in step one of a Budget intervention but in steps two, three and four in relation to the impact on their constituents.

One way to deal with child poverty is to look at the cliff edges of the taxation system, including the wrapping down of universal credit when someone works for 28 hours. When the Work and Pensions Committee looked at in-work poverty costs—the right hon. Member for East Ham (Sir Stephen Timms), who is in his place, was the Chair at the time—one of the things that really came out, through and through, was that lots of the families in difficulty were single-parent families and they struggled with the 28 hours’ provision because of childcare costs and the marginal benefit. We also need to look at cliff edges in relation to housing allowance and council tax. We need to get rid of the cliff edges to ensure that work always truly pays.

Also really important in helping child poverty is making sure that the child maintenance system works. There are plenty of families with a parent who should be supporting their child but is not doing so. That is absolutely scandalous and it needs to be fixed.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

We were hoping that this debate would clarify the inability of the Prime Minister to answer the question asked by the Leader of the Opposition only two weeks ago: about whether he would repeat the manifesto commitment not to raise the big three taxes. We are in a period of uncertainty that we are trying to resolve, and it has been created by this ongoing kite flying.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my constituency neighbour, and of course I am always happy to take interventions.