Speeches by Gardner.

“I will defend myself: my point was not a criticism of the Government. I just know how hard it is for regulators to work together and iron out cross-working. They were very confident in their information-sharing skills, but it is more difficult than that. It was just a kindly meant reminder that there is not an easy sol…”

“I recently met Home Office Ministers to discuss the use of synthetic cathinones, often referred to as monkey dust, in Stoke-on-Trent. These substances cause significant harm to users and, indeed, communities. They are frequently sold via the dark web and imported through the post. Can the Secretary of State provide an …”

“13. What steps her Department is taking to use technology to increase police efficiency.”

“I think you are touching on the old problem of where liability lies when you have this long supply chain of diffused responsibility, but thank you.”

“Q I have loads. Before I come to the question I was going to ask, I want to pick you up on the worry about information sharing. I have worked across regulators, and they seemed to be really confident about information sharing, but I know that is not always the case. There is some protection of turf, and other Acts migh…”

“I know, sorry. I collapsed it down from quite a few. Richard Starnes: There is any number of different reasons. You have 12 competent authorities, at last count, with varying funding models and access to talent. Those could vary quite a bit, depending on those factors. I am not really sure how to answer that question.”

“Q I will be quick. Much of my question was already asked. I will just say that proportionality is a known principle within regulation and I take that into account. I want to push on an issue that was raised. When you are dealing with different regulators with a cross-regulatory theme, you often get conflicting guidelin…”

“Q You have answered the question I was about to ask. I may ask an addendum to that, but first I want to clarify something. If you put liability on an individual board member, that is going to cause problems. Do you think that there should be a statutory responsibility for the company to have a board member responsible …”

“Q Thank you—that was quite detailed. I have a very quick question: what measures would you want the Government to take to enhance the cyber-resilience of the UK’s critical national infrastructure? I am interested in your thoughts on requirements for failsafes and risk management, and indeed on the non-technical resilie…”

“Particularly between regulators, and how that would work. Carla Baker: I cannot necessarily talk in much detail about information sharing across regulators. It is more about information sharing across the technology industry that I can talk about.”

“Q Very quickly—I apologise if I am taking too much time—accountability is slightly different from liability. In the case of a cyber-breach that has caused harm, where would you see the liability lying? Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that t…”

“Q I am interested in who you report to should you identify a cyber-incident. I am talking about not just data breaches but wider ones that can affect operational systems. Which regulators do you deal with? If it is multiple regulators, do you feel there is a case for having one distinct regulator to cover cyber-resilie…”

“Q I am just thinking that if you are putting liability on someone, you need to make sure that they can apply the regulation in a simple and effective manner and ensure that it is enforced, so they do not carry the full burden of liability. Richard Starnes: True, but I would submit that under the Companies Act that liab…”

“Q But do you think there should be a statutory duty to have a board member responsible? Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the diff…”

“Q Ben, are you combining two risks? Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have…”

“Q I have so many questions, some of which have been touched on; I will limit myself. I was interested in the CyberUp campaign that you mentioned. What other measures, both legislative and non-legislative, could the UK Government take to enhance the cyber-resilience of the UK’s critical national infrastructure? In terms…”

“Q You mentioned stringent application of the regulatory regime. Could you explain the reasons for the lack of enforcement under the current NIS guidelines? Do you feel that the regulatory regime should be streamlined? Richard Starnes: That is a very broad question.”

“Q Okay, I am glad I clarified, because that is quite interesting. I will ask my actual question, and I am trying to get my head around this. You recommend mandating that company boards be accountable for mitigating cyber-risks, and as we know from the annual cyber-security breaches survey, there are declining levels of…”

“Q I have a couple of unconnected questions. We have asked a couple of times whether senior board members should have legal, statutory responsibility for cyber. The pros are that it is not seen as a priority, and culture change has to be top-down. However, there are issues with smaller companies bearing a responsibility…”

“Q I should point out that I once worked for the NHS AI and Digital Regulations Service and have also worked for a number of different regulators, including the ICO, so I have experience of the joys and frustrations of cross-regulatory working. We have heard evidence of the challenges experienced by businesses when they…”