Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 10:15 am on 24 February 2026.
“(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body’s network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”—
This new clause would require active board oversight of, and accountability for, security and resilience measures, where a relevant body is governed by a board or similar body.
David Chadwick
Liberal Democrat Spokesperson (Wales)
I beg to move, That the clause be read a Second time.
Esther McVey
Conservative, Tatton
With this it will be convenient to discuss new Clause 17—Requirement for regular testing of network and information systems—
“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must –
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier within the meaning of the NIS Regulations.”
This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.
David Chadwick
Liberal Democrat Spokesperson (Wales)
New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.
New Clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.
Bradley Thomas
Conservative, Bromsgrove
While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?
David Chadwick
Liberal Democrat Spokesperson (Wales)
One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.
All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.
Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?
New clause 17 seeks to bolster our protections by requiring regular and proportionate testing to identify and remedy weaknesses before they escalate. The digital world moves quickly. Threats evolve constantly and defences that worked last year may already be obsolete. Regular internal testing exposes weaknesses before attackers can, and offers the opportunity for early, easy fixes. Documenting results and sharing them upon request with regulators ensures transparency and strengthens a regulator’s ability to identify suspicious patterns across their sector before they materialise into a real crisis. This is about prevention and not reaction. Once more, similar provisions are made in the EU by legislation such as the Digital Operational Resilience Act for financial services businesses. The UK surely deserves the same opportunity for preventive protections.
Together, the new clauses would create leadership responsibility, continuous assessment and improvement—
Lincoln Jopp
Conservative, Spelthorne
10:30, 24 February 2026
Will the hon. Member give way?
Lincoln Jopp
Conservative, Spelthorne
I am a little confused—which is easily done, I hasten to add. The new clause says:
“The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.”
Does the hon. Member not think that the directors of companies are already responsible and accountable for their companies? Why does the state need to tell them more about those responsibilities?
David Chadwick
Liberal Democrat Spokesperson (Wales)
I think this once more comes down to state capacity and how we see the state’s role. Clearly there needs to be an expansion of the state’s powers—that is why the Bill was introduced—to mandate in writing various requirements of the companies that provide the critical infrastructure upon which our country relies. The hon. Member will remember the numerous witnesses who told us that board accountability was crucial. Some told us that in public and some in private. They are the people who are doing this job, and whom the Government are asking to do this job. That is why we should listen to them and why we will press the new clauses to a vote.
Emily Darlington
Labour, Milton Keynes Central
The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.
Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.
How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
New Clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.
On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?
Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.
Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board level priority.
I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.
New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.
I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.
David Chadwick
Liberal Democrat Spokesperson (Wales)
Is the Minister aware that the financial services industry is required to conduct regular testing of its systems, and that sectors like aviation and nuclear have designated individuals in their security organisations who are responsible for overseeing those sorts of practices?
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.
It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.
Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.
The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.
My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.
Emily Darlington
Labour, Milton Keynes Central
I thank the Minister for that commitment. Would he consider setting up a meeting between GDS and those MPs who have expertise in this area, so that we can share our expertise and reassure ourselves that this is going in the right direction and at the speed that is necessary?
Kanishka Narayan
Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.
In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.
David Chadwick
Liberal Democrat Spokesperson (Wales)
During the evidence sessions, numerous very knowledgeable witnesses called for these new clauses, so I will push them both to a vote.
Division number 11
Cyber Security and Resilience (Network and Information Systems) Bill — New Clause 16 - Board oversight of security and resilience of network and information systems