Source · Select Committees · Public Accounts Committee
Recommendation 18
Accepted
Departments remain reluctant to share cyber incident information, hindering collective learning.
Conclusion
We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what has gone wrong. The Cabinet Office reassured us that if departments find any vulnerabilities that could affect other parts of government, it shares these immediately. The Cabinet Office accepted that departments could be cautious and concerned about reputational damage, but noted there may also be good reasons to not share data. The Cabinet Office told us it wants to increase transparency and that its role is to challenge departments on how much they share and help manage their concerns.[38] When we asked the Cabinet Office what it was doing to promote a culture of learning from mistakes and near misses, it responded that this was one of its biggest cultural priorities.[39]
Government Response Summary
The government agrees and commits to improving cyber security governance by requiring a digital leader on each executive committee and a digital non-executive director on each board by 2026; DSIT will set expectations for board members with cyber expertise, ensure regular risk reporting, and define roles within a future Target Operating Model.
Government Response
Accepted
HM Government
3.1 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2026

3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making.

3.3 There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk decisions. Government’s intent for this is stated in the Blueprint, where all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026.

3.4 Building on this, DSIT will set expectations for departments to appoint a board member with expertise in cyber security and digital resilience, ensure that boards receive regular reporting on cyber security and digital resilience risks, define roles and responsibilities, and specify mandatory risk management and governance actions in a Target Operating Model for Government Cyber and Digital Resilience.