Cyber Security and Resilience (Network and Information Systems) Bill

Debate between Mike Reader and Kit Malthouse
Mike Reader (Northampton South) (Lab)

I start with a story; it is a real story, but I have changed the names for obvious reasons. It was a Tuesday afternoon and I had a call from our CEO, David, who said to me, “Mike, I am jumping on a plane, but I need you to speak to a law firm we have been working with. This lady called Sandra will ring you from A&A law firm. I want you to speak to her. She will talk to you about a project we have been working on. Sorry I have not been able to read you in until now.” I think, “This is a bit strange. David’s a very busy man, but why would he ring me jumping on a plane?”

Sandra rang me, and it seemed pretty legit. We had a chat and it turns out we may know someone in common. I looked her up on LinkedIn: her firm is legit, she is there, and she has connections similar to mine. She tells me, “I need you to sign a non-disclosure agreement so we can talk to you about the opportunity we are working on with David.” I said that was fine and signed the NDA. I was sent a Teams link and joined a call with Sandra and some of her colleagues. Also on the call was David, my chief exec, whose signal was not good. He said, “Mike, I’m on a plane, but I’ve tried to join just to say thanks so much for being a part of this. We’re looking at an acquisition in your business area. I want you to work with A&A legal partners to ensure they have got the information they need. This is a real opportunity for us to grow. You know that we have been looking to grow the business.” Then his signal dropped off.

I carried on the conversation with Sandra and her partners. They started asking for information that perhaps they did not need—for example, about operational matters and how the business worked. They followed up with another call, in which they started asking for financial information about some of our clients. They followed up with another call in which they asked for financial information about the business. At that point, I thought, “I had better ring David and just make sure this is legit.” When I rang David, I found that he had no idea this was going on. Our business was being attacked through a deepfake intrusion. They had mirrored our chief exec, and used his voice for a call and his image for a Teams call. Had I—this story is actually about a friend of mine—not called my boss to say, “Is this legit?” they could have got away with goodness knows what. That seems quite far-fetched, but Arup, another big British firm, got done by a very similar deepfake scam; it lost £20 million to scammers.

I start with that real story about something that happened to one of my colleagues, because this Bill is really important. It is a framework Bill that will set out how we put in place better standards, procedures and controls, but actually where many businesses—be they data centre providers, managed service providers or those already covered by legislation—fall down is at the point when a human is in the loop. We heard from my hon. Friend the Member for Harlow (Chris Vince) about how to get the culture right, and how to ensure that people are considered in future legislation and guidance that will come off the back of the Bill. I wanted to open up and make that point, because through the Bill, we can do all we can on technical processes and procedures, but it is really important that we focus on the human in the loop and the human aspect, as that is often where these major attacks start.

I am really pleased to support the Bill. Cyber-security and cyber-crime impact our daily lives. I will not repeat the stats, which we have heard from many hon. Members on both sides of the House. They impact the businesses that support our economy, our public services and our banking sector—things that we use every day. It is therefore right that the Bill has been brought forward, although there was a considerable delay following the work done in 2022 by the previous Government. I am pleased that the Bill seems to have cross-party support.

The Bill recognises that attacks involve a wide range of methods, and may involve data centres, outsourced IT providers and complex supply chains working in the sector. That is critical for my constituents in Northampton, who are on the northbound data super-highway from London. In the last six months, we have heard announcements of over £1 billion of investment in new data centres, in both the public and private sectors. I thank the Minister and his Department for all their hard work in securing that investment, which will create new jobs in my constituency. Without improved regulation and clarity, that investment remains slightly uncertain. The Bill will definitely improve that clarity and certainty for the sector, as well as for the many businesses in my constituency that rely on a managed service provider for their IT or provide data centres. That is particularly important for all hon. Members, because the control centre that looks after our security is in my constituency. That data security is therefore particularly important for our personal wellbeing.

I have also looked at this issue from the perspective of the many businesses in my constituency that use managed service providers for their IT. They include large businesses. In my previous business—a business of 7,000 or 8,000 people—an MSP provided our help desk; when I had a problem, I would ring it up. The inclusion of managed service providers is critical to give us better protection and improve standards and resilience, and therefore reduce burdens on the businesses that use them, particularly their cyber insurance costs. I have two asks of Government on this. First, as other Members have done, I ask that we do this proportionately, as change in this area may have a considerable impact on small businesses—both on their MSP costs and their direct costs. I also ask that we work hard to consider how the legislation works with international law, particularly as my experience is that a lot of MSPs, such as HelpDesk, use overseas workforces.

I welcome the stronger reporting requirements. I recognise the point made by the hon. Member for Bromsgrove (Bradley Thomas) about his ten-minute rule Bill on regulation and reporting. From a business perspective, as long as there is clarity—the Bill sets out that there will be greater clarity for business—we get honesty, trust and a business environment in which people understand what they have to do and when they have to do it. The Bill moves us towards that.

I also welcome the much stronger enforcement powers in the Bill. That sends a real message to criminals that there are significant risks to them. To businesses, I say that money talks, and when there are stronger enforcement risks to someone’s business, all of a sudden cyber-security ends up higher up the corporate risk register.

As the Bill is implemented, I ask for genuine consultation with industry. It is particularly important to note that this is a framework Bill.

Kit Malthouse (North West Hampshire) (Con)

The hon. Gentleman is making a very interesting and pertinent speech. I hope he will welcome the fact that the Bill strengthens the requirement on companies to not only look at prevention but have an adequate recovery plan. Does he think that there is adequate sanction in the Bill for those companies that are deemed not to have an adequate recovery plan? My reading is that regulators cannot necessarily fine for a negligent recovery. As the hon. Gentleman said, the human factor so often matters, but surely that matters as much in recovery as it does in prevention.

Mike Reader

I think the Bill goes some way on that, and it is clear that future legislation and guidance will start to frame those issues. There are other ways that we can drive businesses to improve their business resilience planning. It is part of the standard Government procurement process to require business continuity planning to be demonstrated, and many large businesses in our constituencies will be trying to transact with Government, whether local or national, with the NHS or others. Business resilience is also required at other times when the state interacts with business; I think of procurement particularly. My background is in one of those key areas.

I was just saying to the Minister that one concern I have is that this is a framework Bill. There is to be a lot of future guidance, so we need continued consultation—this message has been made by others as well—so that the standards are really clear. The legislation was getting quite messy. We want to make it a lot clearer. We want to be really clear with business, and we want to give organisations early notice, so that they can adjust, rather than springing this on business as we push to address a real threat that has been recognised right across industry.

I come back to my original point: we should consider the human in the loop. When we set guidance and requirements, we should look at how businesses think about the human aspect, as well as the technocratic solutions that would be in a business continuity plan or similar. This is a necessary Bill. I support its aims and focus. It signals real confidence to the market—to those already operating in it, and to those who are coming to invest in great places like Northampton, to build the data centres and other infrastructure that we need.