Cyber Security and Resilience (Network and Information Systems) Bill Debate
Commons Chamber
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
I refer the House to my entry in the Register of Members’ Financial Interests. I commend my right hon. Friend the Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Exmouth and Exeter East (David Reed) for their excellent speeches. I particularly associate myself with their comments on the Computer Misuse Act 1990 and the need for an extension to our cyber-skills in this country. Before entering this place, I worked professionally in cyber-security and operational resilience, advising businesses of all sizes on how to reduce the risk of cyber-attacks and helping them to understand how far-reaching the consequences of a cyber-breach can be from a commercial perspective, and not just a technical one.
I am vice-Chair of the Business and Trade Committee, and we have heard direct evidence for our report on economic security from Marks & Spencer, Co-op and Jaguar Land Rover, all of which suffered catastrophic breaches last year. Although the attacks were different in form and impact, as the shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), said, they shared a common feature: they were driven by social engineering, not technical failure. Human access was exploited, trust was abused, and controls failed further up the chain. The outcomes, however, were very different.
At Co-op, a more modern, secure-by-design IT infrastructure enabled an early containment strategy, limiting the impact on customers, stores and the bottom line. Marks & Spencer, which had not prioritised early replacement of legacy infrastructure, suffered months of major disruption to customer-facing services and retail logistics. The financial impact alone for M&S is in the region of £300 million, or 45% of its prior year pre-tax profits. Jaguar Land Rover was in a different category altogether. There, the attack cut into operational technology systems tightly integrated with manufacturing operations, bringing production lines to a standstill and disrupting just-in-time supply chains. That shutdown cascaded far beyond a single company, directly impacting numerous suppliers in the midlands regional economy, as many Members have already mentioned, as well as contributing to a measurable fall in UK GDP, estimated to be in the region of £2 billion.
Those cases demonstrate that cyber-risk manifests in three ways: operational risk, financial risk and reputational risk. Too often, even at FTSE level, businesses and boards fail to grasp that this is a potentially devastating combination. I hear the same message repeatedly from industry, including at the Financial Times Cyber Resilience Summit in London, where I spoke at the end of last year. There is frustration from CISOs—chief information security officers—and security vendors that it can be difficult to develop conversations with boards and audit chairs to assign the appropriate resources and strategic prioritisation. Businesses accept that standards must rise, but they want regulation that is targeted, proportionate and focused on prevention, rather than paperwork.
The Bill does some things well. Updating the 2018 NIS framework, expanding coverage where it is genuinely needed and strengthening enforcement powers are all sensible in principle. Faster incident reporting has value, but reporting alone is not resilience. There are gaps that matter. First, the Bill does not go far enough on governance. Cyber failures are governance failures. Responsibility sits not only at board level, but clearly and specifically with chairs and audit and risk committees, yet the Bill stops short of driving meaningful accountability there. Without that pressure, cyber will continue to be delegated downward to IT and operations teams, rather than being owned at the top.
Secondly, there is a risk of confusing activity with preparedness. Increasing reporting obligations after an incident does nothing to prevent the incident from occurring. Prevention is always better than cure, and this legislation needs a stronger emphasis on baseline capability, risk maturity and early intervention.
Thirdly, we must be careful about cost, capacity and particularly enforcement. The implications for SMEs are significant, particularly those that are pulled into scope through supply chains. At the same time, regulators cannot enforce what they are not resourced to oversee. Without credible enforcement, the Bill risks becoming a paper exercise and boards will respond accordingly.
Fourthly, the Bill needs to recognise the connection between, and draw a clear distinction between, IT and operational technology. What works for enterprise IT systems may be inappropriate or even dangerous in OT environments such as manufacturing, critical national infrastructure, energy and logistics. Segregation, architecture and the configuration of security devices must be assessed. Risk profiles differ; controls differ. That nuance matters.
I want to be clear that the Opposition support the aims of this Bill in principle. Cyber-resilience requires a whole-of-society approach involving Government, regulators, businesses and boards working together, but if this legislation is to drive real change, it must be enforceable, proportionate and grounded in how organisations actually operate. Boards and audit committees must feel the weight of responsibility, regulators must have the tools and resources to act, and prevention must be prioritised over post-incident form filling. The National Cyber Security Centre has produced clear, practical guidance for boards, and that should sit at the heart of our approach. We need smarter regulation, properly enforced, not just more of it.