Agenda item

To receive an update on both the business continuity and cyber security items included in the Council’s Strategic Risk Register.

The  Governance and Audit Committee had requested at its meeting on the 26 June 2019  that an update be provided on both the business continuity and cyber security items included in the Council’s Strategic Risk Register

Kevin Gibbs, Executive Director: Delivery provided an update on the Cyber Attack risk.

The key points covered included:

• The business continuity risk underpinned the cyber attack risk.
• All public Local Authorities were subject to cyber attack, this had been well publicised with the Lincolnshire attack and the NHS disable a few years ago.
• There was a high likelihood of attack, as the authority relied heavily on IT systems to undertake day to day work.  It was important to do everything possible to keep up to date with system developments.
• Keeping staff up to date an aware of issues was very important. For example fishing emails used to be easy to identify, now they were more crisp and often could fool electronical systems.
• To help combat and lower the likelihood of the risk actions that had been undertaken so far included ensuring that proper security arrangements were in place an ensuring that staff were trained to a high standard.
• All staff had undertaken mandatory GDPR training.
• The Council was a Member of various government early warning groups.
• Microsoft SCP ATP II License had been acquired for advanced security on Office 365- Outlook, Office, SharePoint and Teams as well as security and compliance on all Council data.
• As Microsoft was a global player, it added a level of assurance.
• The move to cloud was expected to happen by the end of 2020. The email system had already moved to Office365.
•   The national infrastructure around cyber security sees the UK as a soft target for attack. The risk appetite didn’t corollate with the national picture but related to the local picture and what was happening around us.
• The risk appetite was what the Council wanted and what could be foreseen. 

There was no benchmarking data available to compare the risk scoring to.

• The appetite score was low as this is where the Council wanted to aim towards.
• It was important steps were taken to make sure that the Council wouldn’t be impacted.
• The unmitigated risk had increased due to the sophisticated environment we were living in.

Kevin Gibbs, Executive Director: Delivery provided an update on the Business Continuity Management risk.

The key points covered included:

• The risk appetite had decreased.  The spike in the graph had been investigated and a review of arrangements was undertaken and as a result work was undertaken to elevate gaps.
• Service Business Continuity Liaison Officers and Emergency Planning Liaison Officers had been identified to work with the Emergency Planning Unit.
• Brexit monitoring arrangements have been put in place and action plans were being developed
• The risk was higher than in 2016/17, it was thought that the organisational restructure had caused this increase. The recent increase was due to the Executive Director instigating a review which highlighted that continuity plans were not robust.
• Emergency Planning services were shared through the Joint Emergency Planning Unit (JEPU), the Councils were looking at continuity across the three bodies and comparing arrangements.
• The risk had jumped in Q1 2019/20 and had been reported to CMT in June.

Some members raised concerns surrounding the term appetite, as it was felt this was confusing and as the appetite should always be as low as possible.

Officers agreed that the word appetite was a strange word to use, but another word to use in this instance was tolerance and for members to look at appetite as how much tolerance would be acceptable per risk. Officers also commented that it was unrealistic for there to be no appetite.

Sally Hendrick, Head of Audit & Risk Management explained that a risk management review had been undertaken in 2014 by an external consultant which had needed to identify appetite within risk management which is why appetite was included within risk registers. It was important to have a target of where you want the risk to get down to.

It was requested that the word appetite be changed to target in future reports, Sally Hendrick would take this away and clarify what Institute of Risk Management states.

Member’s commented that it was important for the public to also be able to understand the wording within the reports.