Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Philip Virgo (CSRB13)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Written evidence submitted by Philip Virgo to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB13)
From Philip Virgo, Specialist Advisor to the 2016 CMS Select Committee Report, Cybersecurity: Protection of Personal Data Online
After the report of the 2016 Cyber Security Enquiry was published I was given clearance (by the Rt Hon Jesse Norman MP, now Shadow Leader of the House) to speak to the recommendations to industry audiences and others.
I believe that much of the evidence, analysis and thinking behind the recommendations is relevant to the current bill, particularly with regard to the topics on which I understand the Committee intends to question Ofcom and Ofgem on February 3rd:
· the Regulatory approach to oversight and enforcement,
· regulator funding model,
· incentivising effective adoption and implementation of cyber regulation at company board level,
· effect of critical supply chain designation on MSPs.
The Regulatory approach to oversight and enforcement & the Funding Model
The evidence to the CMS Committee, including from the regulator (in that case the ICO) indicated that they were NEVER likely to have the resources to do more than a fraction of what was expected. Fear of the scale of the penalties they might impose after egregious organisational behaviour had led to a serious breach could, however, be highly motivational - provided such risk was not hidden in a fog of detailed advice, guidance and guidelines.
Meanwhile the evidence from the Professional Bodies and Trade Associations indicated such a wide variety of evolving, overlapping (and sometimes conflicting) professional approaches and standards, each with their own pros and cons, that expecting the regulator to keep abreast of current best (as opposed to "acceptable") practice would ALSO require resources the regulator was never likely to have.
That evidence also indicated gulfs in understanding, priority and expectations between boardroom decision processes, user middle management and professional guidance/expectations.
I see no evidence from discussions on the current bills that the situation has changed. Indeed, the challenges for regulators appear greater today than they were then.
Incentivising effective adoption and implementation of cyber regulation at company board level
The members of the CMS committee wanted to focus on recommendations that would cause those at the top of the organisation to behave differently, as opposed to seeking to delegate responsibility to specialists and/or contractors/suppliers. The result was Section 7 of the report. This called for an annual return to the regulator (in that case the ICO) that would require a main board minute for approval and could be readily understood by all directors.
"Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
• Staff cyber awareness training;
• When their security processes were last audited, by whom and to what standard(s);
• Whether they have an incident management plan in place and when it was last tested;
• What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
• The number of enquiries they process from customers to verify authenticity of communications;
• The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Para 38)"
The effect of critical supply chain designation on MSPs
The implications of this are profound, including on fixed and mobile communications providers and their supply chains. The current proposals appear to bear little relationship to how UK CNI networks, including those for energy, financial services and research (JANET), are currently structured/monitored/regulated. The current Ofcom processes and structures remain focussed on regulating consumer, as opposed to business, communications - as per the Communications Act 2003.
Creating regulatory and reporting structures that do not serve to increase vulnerability, by reducing choice of how to bypass common single points of failure and choke points (hardware, software, local, regional, national etc. etc.) will be a challenge.
January 2026
Prepared 3rd February 2026