Parliament urges annual reporting to ICO on cyber issues
The House of Commons’ Culture, Media and Sport Committee recommends that organisations holding large amounts of personal data should report annually to the ICO on cyber security aspects. They call for reporting on staff cyber-awareness training, data security audits, and the number of attacks. In addition, companies would need to demonstrate that they have an incident management plan in place and that it has been tested.
‘Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place,’ the MPs say.
The Report, Cyber Security: Protection of Personal Data Online, was issued as a response to the TalkTalk cyber-attack in October 2015, although the inquiry looked at cyber security issues more widely.
The MPs are disappointed that the ICO has not yet concluded its investigation into TalkTalk. TalkTalk commissioned PWC to review TalkTalk’s systems as part of their follow-up into the cyber-attack. It is important that TalkTalk publish as much of the PWC investigation as commercially possible without delay, and set out how they will implement any necessary changes, the MPs say.
The MPs recommend that CEOs lead a crisis response, should a major cyber attack arise. ‘But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.’
The Report was published on 20 June.
There are four sessions on data security at Great Expectations, PL&B’s 29th Annual International Conference, 4-6 July at St. John’s College, Cambridge, all on 4 July. See www.privacylaws.com/annual_conference/Programme/