Efforts to legislate new cybersecurity responsibilities for key boardrooms failed this week, after a vote in the House of Commons.
MPs are debating a new cybersecurity and resilience bill and heard proposals to place a new clause in the law that would mandate boards to “exercise oversight” of security for networks and IT.
Contained in a new “clause 16”, the proposals would also create a liability for boards in the event of failing to properly supervise cybersecurity measures and mandate cybersecurity training to help board members identify security risks.
Liberal Democrat David Chadwick, the MP behind clause 16, said: “New clause 16 would make cyber-resilience a core responsibility of organisational leaderships.
“It would require boards to oversee security arrangements, approve risk management approaches, ratify themselves that protections are working on an ongoing basis and, importantly, be accountable.”
He added that “numerous” experts from within industry have told MPs “they desperately need this to happen”.
Testing times
Another proposal for the bill, a new clause 17, would force organisations to undertake “regular testing” of network security, and document the outcome and any “remedial” action taken as a result.
Chadwick said: “All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly.”
The cybersecurity and resilience bill aims to expand the scope of security regulation. Currently, the regulations apply to “critical sectors” such as energy, transport, health and water, and to a limited number of digital services.
The new bill would extend the regulations to data centres, more energy providers, providers of third-party IT services and other suppliers to regulated organisations.
The bill broadly requires more reporting of cyber incidents and enables regulators to impose higher fines for failures.
Many boardroom observers believe cybersecurity risks have turned into a “true measure of organisational leadership”.
Hard-hitting attacks
Last year saw a spate of high-profile cybersecurity breaches that cost a series of big brand names billions of pounds in lost production and consumer sales.
Both Marks & Spencer and Jaguar Land Rover were hit by attacks that proved highly disruptive and took months to resolve.
In the case of M&S, the attack is thought to have cost as much as £100m in lost sales. In Jaguar Land Rover’s case, manufacturing plants were shut down, making the incident what is thought to have been the costliest cyber event in UK history, with an estimated impact of £1.9bn.
In October last year, the National Cyber Security Centre (NCSC) warned that cybersecurity must become the responsibility of the boardroom and not just IT chiefs.
Richard Horne, chief executive of NCSC, said that “for too long, cybersecurity has been regarded as an issue predominantly for technical staff.
“This must change. All business leaders need to take responsibility for their organisation’s cyber resilience.”
MPs voted against new clauses 16 and 17, but only after government science and technology minister Kanishka Narayan said security and resilience requirements would be included in secondary legislation following consultations.
He added that the NCSC’s Cyber Assessment Framework includes “comprehensive measures on good cyber governance”.
He added: “Board level engagement is a necessary part of proactively and effectively managing cyber risks.”