I thank the crowds of noble Lords for their valuable contributions to the debate. I will make some general comments to start and then come to specific points that noble Lords have made.
Consumers assume that if a product is for sale it is secure, but too often—I think we are in agreement on this—that is not the case. Many consumers are at risk of cyberattacks, theft, fraud and even physical danger. These regulations will change that, ensuring that protections are implemented for our commonly used items such as smartphones, smartwatches and smart baby monitors, as well as the UK citizens and businesses that use them.
Cybercrime is thought to cost the UK billions of pounds every year, with one report by Detica and the Cabinet Office estimating the total cost at £27 billion a year. In 2020-21 the National Fraud Intelligence Bureau reported receiving over 30,000 reports of cybercrime, resulting in estimated losses of £9.6 million for the victims. Cybercrime is on the rise, and vulnerable internet-of-things products are a key attack vector for criminals. This instrument is an essential step in fighting the dangers of cyber risks.
While the product security regime will come into effect only next April, with the support of this House, I want to take this opportunity to reflect on how far we have come on this agenda. The development of the regime has been supported by a huge range of officials but I extend particular thanks to Peter Stephens, Jasper Pandza, Veena Dholiwar, Maria Bormaliyska, Jonathan Angwin, Warda Hassan, Howard Cheng and Eilidh Tickle for their dedicated and diligent advice.
I thank all experts who have contributed to delivering this regime since 2016. Among them stands Professor David Rogers, to whom I pay particular thanks for his leading role in developing the Code of Practice for Consumer IoT Security on which the security requirements of this instrument are based. Lastly, I too thank Which? for being a champion of consumer security, and for holding the Government to account throughout the process of delivering these important measures and on this agenda more broadly.
I shall now respond to the questions that have been asked. On the topic of why the security baseline does not go further, a matter raised by both noble Lords, we do not believe at this stage that there is sufficient evidence to suggest that mandating security requirements beyond the initial baseline would be appropriate. Specifically, we do not currently consider it appropriate to mandate minimum security-update periods for relevant connectable products before the impact of the initial security requirements is known. Governments mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits or of leaving citizens exposed to cyber threats.
However, the Government agree that, for a number of consumer connectable product verticals, implementation of the three security requirements alone would not be sufficient. Legislation, however, is not the only incentive driving the security practices adopted by tech manufacturers. Evidence suggests that consumers value and consider the security of a product when making purchasing decisions, but assume that products available for them to purchase will not expose them to avoidable security risks.
In ensuring that manufacturers are transparent with UK consumers about how a product’s security will be maintained, we expect the product security regime to incentivise improved standards of cybersecurity beyond the initial three requirements. The Government will closely monitor the impact of the initial security requirements on standards of cybersecurity across the sector, and will not hesitate to mandate further requirements using the powers provided by the parent Act if necessary.
1.45 pm