Tag: Liz Lloyd

  • Liz Lloyd – 2026 Speech on Software Security and Cyber Resilience

    The speech made by Liz Lloyd, the Minister for the Digital Economy, in London on 15 January 2026.

    On the 19th of September, a ransomware attack hit a major software supplier used by airports across Europe.

    Overnight, checks and systems failed, flights were delayed, staff were forced back to pen and paper.  

    Thousands of people, families, workers and travellers were left stranded. It wasn’t an attack on any airport directly.  

    It was an attack on a software supplier, a single weak point rippled across a whole sector. 

    Incidents like this are becoming more common.  

    In the UK, 43% of businesses have experienced a cyber security breach or attack in the last 12 months. We estimate that cyber breaches cost the UK about £15 billion a year – around 0.5% of GDP.   

    And while the digital economy, especially AI, offers huge opportunities for growth across many sectors in the economy, none of that potential can be realised without confidence.  

    People need to trust the systems they use right now, but they still hesitate.  

    They worry about how their data is handled and whether the technologies they rely on are secure.  

    So software security isn’t just technical. It’s a commercial imperative. And trust is what unlocks growth.  

    Government’s first duty is to keep citizens safe. By securing our technologies, we protect citizens, their businesses, the economy.  

    Strong cyber security and supply chain security underpin enterprise, prosperity, and jobs. 

    That’s why we must do everything we can to protect against these attacks, and support our brilliant tech companies, so they can get on with what they do best.   

    We’re starting in a good place.    

    The UK has some of the strongest cyber defences globally.     

     We have fast-growing clusters of expertise in Cheltenham and Manchester, as well as Belfast and Scotland’s cyber cluster that spreads across several Scottish cities. 

     And our cyber sector is the third largest in the world – achieving double-digit growth, year on year.    

    As a government, we also know we must do our part.     

    Backed by over £210 million, the Government Cyber Action Plan published last week sets out how the government will rise to meet the growing range of online threats.  

    This will improve digital resilience across the public sector.  

    And as we strengthen government’s defences, we are also setting clear expectations for industry.  

    The Cyber Security and Resilience Bill will ensure that our critical national infrastructure is protected. 

     In October, we wrote to FTSE 350 companies, urging them to strengthen their defences – adopting things like our ‘Cyber Essentials’ certification.   

    This was followed by a similar letter to entrepreneurs and small businesses, in November, with bespoke advice for smaller teams.    

    We know these things work: organisations that adopt ‘Cyber Essentials’ are 92% less likely to claim on cyber insurance than those who don’t.     

    We have also worked closely with industry to identify the minimum actions to secure the technology that our economy relies on.   

    This includes working hand-in-glove with the NCSC [National Cyber Security Centre], UK companies, and international counterparts to develop policies that set a global standard for technology security.    

    For example, the UK’s AI Cyber Security Code of Practice has been developed into a global standard through the European Telecommunication Standards Institute.    

    This follows in the footsteps of the PSTI Act: world-leading legislation to ensure consumer devices are secure by design that came into force in 2024.

    But we cannot rest where we are.  

    The threat landscape is evolving rapidly, and adversaries are becoming more sophisticated with attacks on software.  

    Software now underpins almost every critical service in our economy, from healthcare, to transport, to national security. So it’s fundamental to our resilience and public trust.  

    To start to address this, the Department [for Science, Innovation and Technology] and the NCSC published the Software Security Code of Practice in May last year. 

    This Code outlines the minimum actions that software suppliers should take to ensure a baseline level of security across the software market. 

    But communicating those expectations is just the first step.  

    We now need to ensure that these actions are embedded in UK supply chains to provide businesses with confidence in the technologies they need to operate and to grow.  

    Currently, just 21% of organisations say they think about cyber security when buying software.   

    So it’s time to address this.     

    The question is how, exactly, we do this.    

    On one side, there are those who push for new regulation, and stronger government oversight.    

    On the other, there are those who say ‘do nothing’, businesses will get there themselves – just wait it out.     

    But I believe we can be more ambitious than that.    

    The UK is home to some of the best software firms anywhere in the world, and we’re lucky to have great examples here in this room today.   

    As well as the brilliant international firms who invest here, set up offices here, and make the UK their home.    

    I believe we need to learn from these companies – to find the ones who are leading the way and celebrate them, as role models.    

    The firms whose software is developed with security, top of mind.   

    Who appoint dedicated cyber experts.    

    Who have brilliant communication between buyer and seller.   

    Who offer best-in-class training to their workforce.    

     And whose leaders take safety seriously – with accountability at the very top.    

     That is what a true pioneer looks like.    

     And we see the same forward-thinking security posture throughout supply chains.    

    The UK hosts a burgeoning ecosystem of supply chain security experts. 

    This includes buyers leading the way in how they manage risks in their supply chains, and cyber security experts offering their services and knowledge to disseminate crucial cyber security capabilities.    

    Now we must learn from them and spread these habits to as many organisations as possible.    

    So today I am very proud to announce the UK’s new Software Security Ambassador Scheme, a group of leaders – 13 companies, in total – who are making a public commitment to champion secure software and to be role models for the UK government’s Software Security Code of Practice.  

    This Code has been written in partnership with industry and with cyber experts, at every step, including the National Cyber Security Centre.    

    And our national ambassadors span the whole software field – from vendors…   

    …Sage, Cisco, and Palo Alto Networks, Hexiosec, Zaizi and Nexor…   

    …to buyers – like Lloyds, and Santander…     

    …to expert advisors – Accenture, NCC Group, ISACA, ISC2, and Salus Cyber.    

    Now, we hope you will use your position as industry leaders, and first adopters, to spark a change in the sector more widely.    

     We’ve seen how effective this model can be.    

     A voluntary code of practice is a tried-and-true way of setting a professional standard.  

    Look at the World Health Organization’s code of practice for hand hygiene.  First introduced in 2009, the code has become a global benchmark despite not being enforced by law, and has helped to significantly reduce infection rates as hospitals can draw on a single, definitive source of best practice in one place.    

    That’s exactly what we want the Software Security Code of Practice to become.  

    Every sector that depends on software, a single trusted reference point that lifts standards across the whole economy. 

    Our Software Security Code of Practice sets out 14 principles, and clear expectations for how software should be secured in our supply chains to build a common understanding between vendors and buyers of what level of security a software supplier should be responsible for.   

    I’m delighted to say it’s already being used in the public sector, by the NHS.    

    So our health service can help to lead by example too.    

    If we get it right, this could be a real moment of achievement.    

    Great UK industry, paving the way.    

    Modelling safe, secure tech for the rest of the market.    

    And perhaps the start of a new, international benchmark too.    

    To protect our country from attacks.    

     Back British growth and prosperity.    

     And create a better future for all of us, starting here today.     

     Thank you all.

  • Liz Lloyd – 2025 Speech at TechUK Cyber Security Event

    The speech made by Liz Lloyd, the Minister for the Digital Economy, at One Great George Street in London on 16 October 2025.

    It’s a real pleasure to be here with you tonight.

    And thank you Nils for my introduction – and for remembering my very long title.

    It’s a special moment for me personally. It’s my first public speech on cyber security since being appointed as Minister for the Digital Economy, and I can’t think of a better place to start than with you: the people at the heart of keeping our digital economy safe, resilient and thriving. 

    As you know, cyber security is not just a technical issue. It’s an enabler of growth and innovation. Firms with good cyber security in place can be confident of a stable environment under which they can invest and develop.  

    More widely, cyber security underpins everything we want to achieve in science, technology and innovation. Whether it’s AI, quantum, semiconductors or smart infrastructure – none of it works without trust, and trust depends on security. 

    UK cyber security sector

    So let me begin by reiterating the government’s unwavering support for the UK’s cyber security sector. 

    This sector is a crucial element in our Industrial Strategy. It’s a frontier industry – one that not only protects our national interests but drives economic growth, creates high-value jobs, and strengthens our global standing.  

    The UK cyber sector now generates over £13 billion in revenue per year and directly supports more than 67,000 jobs across 2,000 companies. In total, 143,000 people are employed in cyber security jobs across the economy. That’s a remarkable achievement – and it’s thanks to everyone in this room. 

    But we know there’s more to do. That’s why we commissioned the Cyber Growth Action Plan earlier this year – addressing the question of what government and industry need to do in the future to drive further growth.

    The plan sets out 9 recommendations across 3 pillars of culture, leadership and place. It calls for government to help stimulate informed demand for cyber security, clearer expectations for cyber risk reporting, and developing regional areas of cyber strength and specialisation. 

    It’s about helping winners grow, stimulating demand, and building public understanding of cyber security’s role in national resilience.  

    We’ll be responding to the action plan in due course, including working with our forums – such as the Cyber Growth Partnership – to discuss the recommendations and their implementation.  

    But in the meantime I wanted to touch on the other work my department has been driving forward across the sector, to help support your businesses to thrive.   

    We’re continuing to invest in programmes that support innovation. Our Cyber Runway programme – the UK’s largest cyber accelerator – is helping startups and scaleups access funding, develop products and expand internationally.  

    We recently secured a further £6 million pounds to support cyber startups by building on the Cyber Runway accelerator. 

    Then there’s CyberASAP – our academic startup accelerator – which has already created 34 spinouts, 76 new jobs and generated over £40 million pounds in investment. These programmes are helping turn pioneering ideas into commercial success. 

    As part of the Industrial Strategy we secured an additional £10 million pounds to support commercialisation of cyber research through the CyberASAP programme. 

    Driving growth is not just the role of government. You all have a role and I know that many successful cyber founders are now supporting the next generation of startups.  

    Last week an industry-led group started to build on this, bringing Chief Information Security Officers (CISOs) from across all sectors of the economy into the same room as cyber startups to build collaboration through design partnerships. We will do everything we can to support this drive to find the next UK cyber unicorn.

    And we hear from you that skills is a huge issue.  Tonight, I want to highlight a new flagship initiative: TechFirst. 

    Announced by the Prime Minister at London Tech Week back in June, TechFirst is a £187 million programme to build a sustainable domestic pipeline of tech talent.  

    It will reach one million young people with foundational skills in AI and cyber, support over 4,000 graduates and researchers, and connect skilled people with real job opportunities across the UK. 

    TechFirst builds on the success of our existing CyberFirst programme and will be delivered in partnership with industry. So I want to encourage you – the sector – to get involved.  

    Your involvement could include offering work experience, mentoring, training places, or helping to shape local delivery. Whatever it is, your support will be vital. Together, we can inspire the next generation and ensure that talent is never a barrier to growth. 

    Resilience and the Cyber Security and Resilience Bill

    Of course, we must also be honest about the threats we face. 

    Recent incidents – at Jaguar Land Rover, Co-op and M&S – have shown how disruptive and damaging cyber attacks can be. They’ve affected supply chains, halted operations, and put livelihoods at risk. Costs have run into hundreds of millions of pounds. These events are a stark reminder that resilience is not optional – it’s essential. 

    That is why the government this week wrote to the UK’s leading companies asking them to make cyber security a board level responsibility and to make full use of government support and guidance.    

    For the most critical and essential parts of our economy, we are going further by introducing the Cyber Security and Resilience Bill. 

    This legislation will expand the scope of our existing cyber regulations to cover more critical services. This includes bringing managed service providers and critical suppliers into scope. 

    The Bill will also strengthen the powers of regulators, and give government the tools to respond quickly to emerging threats. It’s a proportionate but decisive step to not only protect the critical services on which we all rely, but also strengthen cyber resilience across the UK economy. 

    The Bill will be introduced as soon as Parliamentary time allows. It has been developed working closely with regulators, industry and many of those who are here tonight.  

    I want to thank techUK for your close engagement with us as we’ve developed the Bill. We’ve really valued your feedback. 

    I want to assure you there will be many opportunities to feed into our plans for implementation and there will be suitable transition periods for businesses to reflect the changes we are bringing forward. So please do continue to share your feedback – it is incredibly valuable.

    This legislation to improve cyber resilience is focused on the most critical services. The services the public rely on to go about their normal lives – to switch on lights, turn on the tap to safe water, and know the NHS is there to support them.   

    However, the vast majority of UK businesses and organisations will not be covered by the Cyber Bill because we do not think it would be proportionate. The IT and services they rely on will become more resilient as a result of the Bill – and the support and free advice we have made available ensures firms are on a stronger footing to safeguard themselves and deal with disruption.  

    We are continuing to work with industry to help drive action and increase adoption of cyber security measures.  

    I want to work with you all to understand how we can best help businesses take up the guidance and tools the government has created.  

    For example, we know the Cyber Essentials scheme is highly effective. Organisations with a Cyber Essentials certificate are 92% less likely to make a claim on their cyber insurance than those without. We’re working hard to drive adoption of Cyber Essentials, but how can we do it better?

    Similarly, we published a Cyber Governance Code of Practice earlier this year. This helps Boards and Directors effectively manage cyber risks in their businesses – and it comes with free training from the National Cyber Security Centre. All larger organisations should be using this.  

    How will we make sure that happens – redouble our efforts? 

    New National Cyber Strategy

    Many of the answers will be set out in a National Cyber Strategy, which we’re in the process of refreshing. 

    The new strategy will reflect the evolving threat landscape and the opportunities of emerging technologies. It will focus on resilience and growth, and DSIT will play a leading role in shaping its direction. We’re working across Whitehall and with industry to ensure it delivers real outcomes and reflects the strengths of our cyber ecosystem.  

    Thank you again to everyone who has been involved.   

    Conclusion

    So, to sum up: 

    We’re backing the cyber sector – because it’s vital to our economy and our national security. 

    We’re investing in growth, innovation and talent – because a strong cyber ecosystem underpins everything we do.  

    And we’re strengthening our cyber defences – because it’s what we need to do to keep the public and the economy safe, and harness the opportunity of technology and digital advances on AI.  

    Finally, we’re asking you to continue working with us – because cyber security is a team sport. You can help us shape the future, support young people, and build a cyber sector that is secure, inclusive and built to last. 

    Thank you for everything you do. Have a great evening – and I look forward to working with you.