Jill Broom, Stuart McKean and Dr Sanjana Mehta gave evidence.

Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?

Dr Sanjana Mehta:

Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.

Jill Broom:

Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.

Stuart McKean:

Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.

Q Thank you for giving evidence this morning. The Bill would not have prevented recent attacks on high-profile parts of UK industry such as Co-op, Marks and Sparks, and Jaguar Land Rover. What more do you think can be done to mitigate the risk to jobs, supply chains and the UK economy from further large-scale cyber-attacks against out-of-scope companies?

My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?

Dr Sanjana Mehta:

I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.

On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.

On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.

The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.

Stuart McKean:

I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.

Jill Broom:

Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.

We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.

Q Thank you all very much for making time. I have an implementation-focused question, perhaps directed at Stuart, but open to all. In practice, it would be helpful to understand how frequent is the case that a single company might provide multiple of the possible services in scope: MSP services, cloud hosting, data centre support and cyber-security services. What ability might we have to identify parts of an organisation that are in scope for particular bits and those that are not?

Stuart McKean:

You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.

For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.

You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.

Q It is interesting that you mentioned the complexity and skilled teams. Sanjana, you talked about the need for more skill and responsibility, and how distributed responsibility across supply chains is a big deal. That comes down to a duty of care on people who are procuring these things. The annual cyber security breaches survey found that board-level responsibility for cyber has declined in recent years. What explains that, and how could it be improved? As a quick supplementary question, do you think there should be a statutory duty for companies to have a board member responsible for cyber risk? Jill, I will go to you first.

Jill Broom:

With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.

I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.

Q But do you think there should be a statutory duty to have a board member responsible?

Jill Broom:

Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.

Q Two questions: first, for a bit of context, could the witnesses give us an idea of the objectives of cyber-attacks? Are we seeing objectives based around disruption or around extortion, either monetary or for intellectual property? Perhaps we could have a perspective on whether that differs depending on the origin of the organisation conducting the cyber-attack. Secondly, around the reporting model, is there a view on whether the model proposed in the Bill is beneficial, and whether it risks a fragmented approach, particularly if companies operate in a sector that is regulated under the jurisdiction of two regulators? Do you think that a more universal, singular reporting model would be beneficial in ensuring as strong a response as possible?

Dr Sanjana Mehta:

May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.

While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.

We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.

Jill Broom:

I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.

In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.

I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.

Q I have two questions: one to Jill and one to Dr Mehta. First, what is your view, Jill, on the relative strength of this legislation, compared to what is coming forward in the EU? Do you think that the fact that we are not following the EU will make it harder for your members to interact and trade with individuals and companies in Europe?

Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?

Jill Broom:

I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.

Dr Sanjana Mehta:

On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.

There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.

On the question of closer alignment, can you give us a sense from the international picture of whether certain regulatory regimes raise the barrier to terrorists or criminals so high that they are left alone? Is that a national thing or a company-based thing? Where are the flow lines of attack and threat? Is it on a national or a corporate basisQ ?

Stuart McKean:

I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—

I am so sorry. Could you possibly speak into the microphone? I cannot hear you.

Stuart McKean:

Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.

Q I appreciate that. My question was about where that leads them to attack, on the basis that they will take the route of least resistance. Where is that? Is that an international thing, a national thing or a corporate thing?

Stuart McKean:

It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.

Do either of the other witnesses have anything to say on that?

Jill Broom:

indicated dissent.

Dr Sanjana Mehta:

indicated dissent.

I have a question for Jill Broom. You were talking about the incident reporting requirements. Do you think the legislation strikes the right balance to encourage organisations to Q come forward when they have been attacked, so that the sector can learn from that and vulnerabilities can be patched out in other areas, or is it so stringent that organisations will be concerned about facing penalties if they are fully transparent?

Jill Broom:

I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.

Q Stuart, you were nodding, which suggests you have something to contribute.

Stuart McKean:

It is an interesting cultural challenge. You want people to be open and to report incidents that are having an impact, but at the same time, if they report those incidents they might get fined, which could be economically challenging, particularly for a small business. Yes, we want to open and to report incidents, but—and this is where the detail comes in—what is the level of detail that needs to be reported and what is the impact of reporting it? When you report it to the regulators, what are they going to do with it? How will they share it and how will it benefit everybody else? The devil is definitely in the detail, and it is a cultural change that is required.

Obviously no one wants to put crippling costs on to businesses, but cyber-security costs money—there is no way of avoiding that. We only have to look at the JLR attack to see the scale of the impact on our economy when it does not work, and we are looking at only critical national infrastructure here. Have you had any information from business about whether and to what extent this will promote increased spending on cyber-securityQ ?

Jill Broom:

We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.

Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.

Dr Sanjana Mehta:

If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.

Q Returning to the supply chain risks, I want to ask you about the difference between OT—operational technology—and IT, and whether there is sufficient detail in the Bill to protect that. If you have intelligent electronic devices from single suppliers across multiple sectors, are we confident that there is sufficient detail about what the regulatory role is in saying that suppliers should be within scope? Is more detail needed in the Bill?

Stuart McKean:

I am not an expert on the detail, but I would say that there is currently very little detail in the Bill regarding IT and OT.

Q Do you think that there should be more or not?

Stuart McKean:

The devil is always in the detail, so any more clarity that can be put in the Bill is always going to be a good thing.

Does anyone have anything else?

Jill Broom:

I think that I will need to come back to you in writing on the specifics of operational technology.

Feel free to write in, secondary to this session, if you feel that you want to expand on any answers.

I have a bit of a blended question. Earlier, Stuart, you said that some of the wording in the Bill says that only 11% of managed service providers are likely to be covered by the legislation, but in previous answers we have heard about skills shortages and where we will need to build those skills. Although I think we all want as many organisations covered as possible, where is the line? Do we currently have enough professionals working in this space to be able to deliver this level of compliance across 11% of MSPs? Given the number of people available for this very specialised work, is the 11% figure in the right ballpark, or do we need to make that wider or thinner to ensure compliance?Q

It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?

Stuart McKean:

I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.

Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.

Dr Sanjana Mehta:

If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.

That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.

Q Stuart, as an MSP, you will be familiar with the fact that the large cloud service providers tend to allow you to live failover to different regions. By default you might be hosting in the UK region, but, depending on an outage, you might live failover to the European Union or to the US, depending on the cloud service provider you are using and how it is set up. How does the legislation deal with that and allow you as an MSP to be compliant with it?

Stuart McKean:

It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.

Q Do the witnesses have a view on the benchmarks that, at the moment, do not appear to sit behind the scale of incidents that must be reported? Do you have a view on the absence of any benchmarks and the impact that they may have on smaller firms, or on the risk of over-reporting?

Stuart McKean:

Under the designation of a critical supplier, the Bill says:

“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.

That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.

Q How might we glean some clarity on that?

Stuart McKean:

It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.

Jill Broom:

I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.

Dr Sanjana Mehta:

The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.

Q The issues about complexity and how loosely the Bill is drafted have come up quite a few times, and you have given good evidence regarding your concerns. What cost to business do you anticipate if the Bill stays so loose, with so much left to secondary legislation?

Jill Broom:

There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.

I am looking around the table, and it seems to me that everybody is satisfied. Thank you very much indeed, Sanjana, Jill and Stuart, for giving your time so freely this morning—I know you are very busy people.