Decision details

Creation of Cyber Security Cabinet Advisory Group

Decision Maker: Leader of the Council and Cabinet Member for Strategy and Transformation

Decision status: Recommendations Approved

Is Key decision?: No

Is subject to call in?: Yes

Purpose:

In January 2024, the council experienced a cyber security incident which led to the precautionary measure to temporarily suspend access to a number of the council’s online systems. Although an investigation into the incident determined that there was no evidence that customer data had been compromised, and the council’s systems were quickly restored, the potential consequences of a cyber attack could be far reaching.

 

With the drive to provide more efficient and resilient services to residents, more of our service delivery is moving online, placing greater reliance on technology. This in turn places more risk on the potential impact of cyber attacks. It is therefore vital that the council corporately recognises this level of risk and takes appropriate levels of mitigation. 

 

As a consequence, cyber security is currently one of the highest scoring risks on the Corporate Risk Register.

 

The Council Leader has therefore called for a new Cyber Security Cabinet Advisory Group to be created.

 

Decision:

  1. To create a Cyber Security Cabinet Advisory Group in line with the terms of reference and membership set out in Annex 1 to the report;

 

2.  That the meetings will be held in closed session to allow full and frank discussions surrounding the council’s security vulnerabilities which would generate a risk from disclosing publicly.

 

Reasons for the decision:

The Council Leader has requested that a Cabinet Advisory Group is created to monitor the steps the council is taking to manage cyber security. 

 

This is both in response to the recent security incident in order to monitor the council’s progress with the recommendations which followed and also in recognition of the risk profile of cyber security generally within the council’s Corporate Risk Register.

 

Alternative options considered:

The alternatives:

 

  • reject the proposal in its entirety and not create a forum of any kind to review cyber security, or
  • identify an alternative forum for this discussion. 

 

Both of these options have been considered and discounted.

 

Given the potential impact a cyber attack could have on the organisation, and the ongoing risk score attributed to cyber security as part of the council’s Corporate Risk Register, rejecting the proposal in its entirety is not considered to be a viable option.

 

A Cabinet Advisory Group is considered to be the most appropriate mechanism to facilitate an ongoing review of cyber security which will focus on ensuring recommendations following the incident are implemented and that steps are put in place to continue to protect the council. It will also provide an opportunity for recommendations to be fed back to the Cabinet for consideration.

 

Publication date: 22/03/2024

Date of decision: 22/03/2024

Effective from: 03/04/2024

Accompanying Documents: