Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate

Department: Department for Science, Innovation & Technology

Bradley Thomas Excerpts
Tuesday 24th February 2026

Public Bill Committees
Dr Spencer (Ben Spencer)

I beg to move, That the clause be read a Second time.

This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.

According to Richard Starnes of the Worshipful Company of Information Technologists, companies

“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”

And he said that if the FS-ISAC were replicated

“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]

Bradley Thomas (Bromsgrove) (Con)

On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.

--- Later in debate ---
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continued operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.

I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.

Bradley Thomas

Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?

Freddie van Mierlo

The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.

--- Later in debate ---
David Chadwick

New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.

New clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.

Bradley Thomas

While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?

David Chadwick

One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.

All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.

Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?