Treasury Committee concerned about cyber strategy accountability

Andrew Tyrie  (Chairman of the Treasury Committee) and Philip Hammond have been exchanging correspondence about cyber security in the financial services sector. Mr Hammond also chairs the National Security Council Subcommittee on Cyber (NSC Cyber) said that protecting against cyber attacks is top priority for the government. He noted the launch of the National Cyber Security Strategy in November 2016, which set up the  the National Cyber Security Centre (NCSC). The NCSC is part of GCHQ, and accountable to the Foreign Secretary. In reality, though, Mr Hammond said security work crosses departmental boundaries, and is accountable to a Cabinet Committee, which is NSC Cyber.

The NCSC’s basic objective is to provide advice and guidance that enable firms to improve their own cyber resilience. It has a team solely dedicated to the finance sector and in March 2016 announced that it would be working closely with the UK financial services regulators to deliver a common framework to help protect against cyber risks. He noted PRA and FCA’s objectives, and that Treasury chairs a group overseeing cyber work from the financial regulators, Cabinet Office, NCSC and the NCA. He said this governance framework forms a single point for addressing cyber issues.

Andrew Tyrie, in response, was sceptical about the systems in place, particularly in relation to the complexity and lack of accountability in the current structure.  He raised several queries on who precisely is responsible and accountable for what parts of the cyber risk strategy.  Andrew Tyrie has once again called upon Phillip Hammond to clarify the position, saying there must be a single point of responsibility for cyber risk in the financial services sector, with a direct line of accountability to a single official, which in turn leads to accountability to a single minister.