NCC Group Responds to the McPartland Review of Cyber Security and Economic Growth

In February, UK Deputy Prime Minister Oliver Dowden and Technology Secretary Michelle Donelan commissioned Rt Hon Stephen McPartland MP to lead an independent review looking at cyber security as an enabler to build trust and resilience and unleash growth across the UK economy.

To harness this potential, the Review seeks to identify opportunities for improvement and inform the Government's approach to supporting businesses to enhance their cyber security posture and achieve further growth.

In support of the Review, NCC Group submitted written evidence to the public consultation. We have also been asked to host a roundtable alongside techUK to gather further views from senior business leaders. More details on the roundtable, which takes place this Friday, 5 April, can be found here: Manchester - UK Government-commissioned McPartland Review roundtable for senior leaders across the cyber security sector (techuk.org)

NCC Group CTO, Siân John, comments on the key points from the company's response to the public consultation:

"We have long argued that good cyber security is an enabler of growth and innovation and therefore welcome the opportunity to support the McPartland Review by sharing our expertise and insights from operating at the 'front line' of cyber security.

We propose a risk-based, tiered approach that considers organisations' criticality, size, and ability to invest and allocate resources – using a mix of the levers available to Government to encourage enhanced cyber resilience:

• For those organisations that make up the UK's critical national infrastructure (CNI), we believe it is right that the Government utilise regulatory levers to require investment in cyber security. This includes critical suppliers to CNI. We support the Government's plans to legislate to enable it to bring new sectors within the scope of NIS regulations.
• For large businesses, a major cultural shift within company boards is needed, reconsidering how they are structured, enhancing understanding of cyber security concepts across senior leadership, and, ultimately, ensuring that boards take ownership of cyber risk in the same way that they own other core business risks. We propose that the Government explore introducing a duty on directors of large businesses to manage their cyber.
• It is unrealistic to expect small businesses to adhere to – and invest in – the same resilience standards as larger firms. Instead, the Government should:
  • Work with technology providers to embed secure-by-design and secure-by-default principles in their products – particularly those most relied upon by small businesses.
  • Support small businesses’ response and recovery to cyber attacks through a nationwide ‘first responder’ service that provides proportionate (free-at-the-point-of-use) support to small businesses that have been victims of a cyber attack.

There are several other measures the UK Government could incorporate into its approach to support businesses of all sizes to make the case for cyber security investment:

• Government, industry, and academia must work together to embrace and promote the concept of "cyber as a science." This includes developing cyber metrics and risk quantification from an established baseline to allow risk to be reliably measured and expressed in an informed way.
• The Government should work with insurers to drive uptake of consistent cyber metrics and risk quantification, incentivising businesses to adopt better security practices while avoiding promoting negative behaviours by both businesses and cybercriminals.
• The Government could incentivise the UK cyber industry to research and develop innovative solutions that enhance the efficiency and efficacy of cyber security solutions, bringing down the overall cost to businesses.
• The Government should develop a holistic cyber skills strategy that not only aims to develop the technical cyber skills the UK needs but also ensures all citizens, including business leaders, have the cyber literacy they need to thrive in a digital economy.
• The Computer Misuse Act 1990 (CMA) must be updated to allow the UK's cyber security professionals to do all they can to protect UK organisations, enhancing national security while also enabling the UK cyber industry to attract new talent, grow, and compete on a level playing field with global cyber firms."

What's next?

With entries for the consultation paper closing on Thursday, 28 March, the Review will set out its recommendations to the Deputy Prime Minister and Technology Secretary by 1 May 2024. Ministers will then decide on next steps.

We look forward to seeing how the Government reflects our input in forming its updated cyber laws.