UK Parliament / Open data

Digital Economy Bill

Moved by

Lord Arbuthnot of Edrom

105: After Clause 35, insert the following new Clause—

“Cyber-security reporting

(1) The Companies Act 2006 is amended as follows.

(2) After section 416 insert—

“416A Contents of directors’ report: cyber-security

(1) The directors of a company must prepare a cyber-security report for each financial year setting out measures the company is taking to address cyber-security risk.

(2) This report should include—

(a) cyber-security audits undertaken by the company,

(b) details of breaches notifiable under the General Data Protection Regulation,

(c) measures in place to ensure the confidentiality and integrity of data processing systems, and

(d) processes in place to test and evaluate data protection measures and information technology systems.

(3) Cyber-security audits must be undertaken by organisations accredited by the Secretary of State.

(4) The cyber-security report must be approved by the board of directors and signed on behalf of the board by a director or the secretary of the company.

(5) If a report is approved that does not comply with the requirements of this section, the directors commit an offence.

(6) A person guilty of an offence under this section is liable on summary conviction to a fine.””

Type: Proceeding contribution
Reference: 778 c1558
Session: 2016-17
Chamber / Committee: House of Lords chamber