Public Audit Committee

Meeting date: Thursday, February 10, 2022

Section 22 Report: “The 2020/21 audit of the Scottish Environment Protection Agency”

The Convener

The next item on our agenda is consideration of “The 2020/21 audit of the Scottish Environment Protection Agency”. We are joined by the Auditor General, Stephen Boyle, and, via videolink, by Morag Campsie, who is a senior manager of audit services in Audit Scotland, and Joanne Brown, who is a partner in Grant Thornton UK LLP and carried out the audit.

I invite the Auditor General to make an opening statement.

Stephen Boyle

On Christmas eve 2020, the Scottish Environment Protection Agency experienced a sophisticated ransomware attack that meant that its systems and data were inaccessible to its staff and customers. The majority of SEPA’s data, including underlying financial records, was encrypted, stolen or lost.

Under section 22 of the Public Finance and Accountability (Scotland) Act 2000, I have prepared the report on the 2020-21 audit of SEPA to highlight the significant impact that the attack has had on SEPA’s operations and staff, on its ability to deliver its services and on the preparation of its annual report and accounts.

SEPA had to recreate accounting records from bank and Her Majesty’s Revenue and Customs records. That made it difficult for the auditor to gain sufficient evidence to substantiate about £42 million of income from contracts. As a result, the auditor, Grant Thornton, has issued a disclaimer of its audit opinion, which is an unusual choice for an auditor to make.

SEPA was able to prioritise and deliver some of its critical services within 24 hours of the attack. However, more than 12 months on from the attack, it continues to rebuild and reinstate its systems. The full financial impact of the attack is not yet known. Therefore, SEPA will continue to face financial and operational challenges in the years to come.

SEPA has demonstrated a willingness to learn, and to help other organisations to learn, from the attack. There are continuing investigations, and not all the findings can be made publicly available so as not to expose potential vulnerabilities. It is important that all public sector bodies learn from the incident. Independent reviews identified that SEPA had good cybersecurity arrangements in place, but 44 recommendations were made. SEPA has accepted them and is taking action on them. No organisation can fully mitigate the risk of a cyberattack, but it is crucial that public bodies are prepared and have fully tested plans in place.

I am joined by Joanne Brown, who is the external auditor and will be able to support me in answering the committee’s questions on the annual audit, its impact and how SEPA has responded. I am also joined by Morag Campsie, one of the senior managers in Audit Scotland, who leads on much of our digital work. Between the three of us, we will do our best to answer your questions.

The Convener

That is much appreciated. We will go straight to questions.

Sharon Dowey

The Auditor General touched on my first questions in his opening statement. Paragraphs 8 and 9 of the report state:

“SEPA commissioned independent reviews of the cyber-attack so that it, and the wider public sector, could learn lessons.”

The reviews concluded

“that SEPA had a high level of cyber security maturity, but further improvements could be made”.

They also

“made 44 recommendations for SEPA”

to take forward

“to enhance processes and controls in relation to information security.”

Given that SEPA was found to have a high level of security maturity, 44 recommendations seems to be a lot. How likely is it that other public sector organisations that are also considered to have a high level of security maturity are at risk from a similar cyberattack? Have all the recommendations been passed over, and is SEPA taking action on them?

Stephen Boyle

Joanne Brown and, perhaps, Morag Campsie will want to say a word or two about that. Inevitably, the recommendations will be split between high, medium and low risk. Joanne Brown will say a bit more about the grading of those and the progress on their implementation.

That does not detract from the overall conclusion that we made in the report that SEPA was well prepared, as the independent reviews concluded. It had a high level of cyberawareness, it provided training for its staff and tested its systems, and it had emergency plans in place.

We should bear in mind that the organisation is a regulator that responds to emergency incidents, which have all fed through to create an organisational culture of preparedness. However, I stress the point that preparedness can take an organisation only so far. As we note in the report, if there is determined criminal intent, any organisation can be vulnerable to a cyberattack.

By way of context, I note that, at the time of SEPA’s incident, there were other incidents in the Irish health system and in a small public body in Wales. Even in the past few days, there have been further reported incidents in the Foreign, Commonwealth and Development Office. No organisation can entirely guard against a cyberattack. In that context, we concluded that SEPA was well prepared and had a high level of maturity, but even that did not prevent the circumstances that I am sure we will talk about further.

I will pause to see whether Joanne Brown and Morag Campsie want to add anything.

Joanne Brown (Grant Thornton UK LLP)

The 44 improvement recommendations were pulled across from all the independent reviews. As the Auditor General outlined, those are categorised in terms of priority and risk. From speaking to SEPA, we know that approximately half the recommendations have been completed and that it is on track to complete the majority of them by the end of March. We will focus on that in our external audit for 2021-22.

SEPA routinely reports progress against the action plan to the agency management team and through to the audit committee. A couple of the recommendations require longer-term consideration, particularly in relation to investment and priority. SEPA continues to discuss such matters with the Scottish Government, so those actions might slip beyond 31 March, but SEPA is tracking the situation carefully, and a number of the actions have been completed.

Sharon Dowey

Thank you. I was going to ask about progress, but you have already answered my question.

The Convener

That is great. Willie Coffey, who joins us online, has a question.

Willie Coffey

Auditor General, one of the lessons from the attack is that the cybercriminal fraternity is a step ahead of the game, despite organisations’ best efforts to have the best systems, including security systems, in place. I imagine that a number of the recommendations try to address that.

The cyberattack is still the subject of an on-going police investigation, but are you able to tell us exactly where the attack managed to penetrate SEPA’s systems—the route source—or will that remain confidential?

Stephen Boyle

As you would expect, we will say as much as we can today. As we set out in the report, the general consensus is that the route into SEPA’s systems was through a phishing incident or attack. Committee members will be aware that that involves an email—masquerading as a genuine email—that contains a link; typically, a member of staff clicks on the link, which sets off a chain of events through which virus ransomware gets into systems. Unfortunately, that means that it is likely that an element of human error allowed the attack to have a route into SEPA’s systems. As is set out in the report, we have probably gone as far as we are able to on the specifics of that.

It is safe to say that, no matter how much training and preparation is done, such phishing attacks happen, even in well-prepared organisations with high levels of maturity. However, such preparation needs to be reinforced with training for information technology departments and colleagues across the piece, so that everybody exercises a degree of caution when they receive an external email and thinks really carefully before they click on a link.

Willie Coffey

I imagine that cyberattackers make a reasoned guess about how we all behave when we use computers. We are all vulnerable to inadvertently clicking on a link in an email—that seems to be a common route. It seems to me that all systems need the sophistication to guard against that, even when we make those mistakes. Perhaps your colleagues can talk about whether additional protections can be put into systems so that, if we are subjected to phishing and even if we click links, a degree of protection is still available.

Stephen Boyle

I will invite Morag Campsie to say more about what unfolded and how we might guard against the aftereffects of a successful phishing attack.

One unfortunate feature of the attack, as we say a number of times in the report, was its sophistication. That was what made it so debilitating. It is important that backups are available. When an attack happens, data is compromised or locked. Organisations typically have a backup server and can quickly recreate the information, but that did not happen in the SEPA case because the backups were also lost or hacked, as we set out in the report. The impact of that is still being felt as SEPA recreates its systems. It led to an audit qualification about the availability and reliability of the information in SEPA’s accounts. The learning from that really matters.

I invite Morag Campsie to talk about what comes next and how a public body can guard its systems even when a phishing incident happens.

Morag Campsie (Audit Scotland)

It is really important that everyone in an organisation is cyberaware. Training is crucial, as is the culture within the organisation. People must know what to do if they spot anything suspicious or if they think that they might have clicked on a link. They must feel confident to notify the appropriate people quickly so that incident response plans can be put in place. Organisations must have a tried and tested cyber incident response plan in place.

A lot can also be done with infrastructure through network segmentation, authentication and ensuring that user access is controlled. The report on SEPA and the four independent reviews make a number of recommendations about protection of assets and how to detect, respond to and recover from attacks.

As the incident demonstrated, collaborative effort is needed. The Scottish Government cyber resilience unit, the National Cyber Security Centre and the Scottish Business Resilience Centre worked closely with SEPA on the response to ensure that SEPA took action quickly and that the rest of the public sector was kept informed throughout the process.

Willie Coffey

The backup data seemed to be targeted at an early stage. I am a wee bit surprised about how easy it was to access the backup systems. From my long experience of working in computing, I would have expected it to be logical for the backup data to be physically separate so that it could not be subjected to that sort of cyberattack. It should be completely protected and separate from the main data, but that does not seem to have been the case here. Should you recommend that SEPA and other organisations look more closely at that, and that they should separate and protect any data that is essential to keeping their business running?

10:45  

Stephen Boyle

I will ask Joanne Brown to say a bit more about the recommendations and whether those relate to backups, but you have reached a fair conclusion, Mr Coffey. The principle of backups is that they are available in the event not just of an IT security attack but of a system failure, so that organisations can recreate, restore and pick up where they left off, as it were. It is also fair to say that the point about sophistication that we draw out in the report is that such a targeting of backups is one of the hallmarks of ransomware attacks.

For the record, I state that SEPA did not pay the ransom. Public money was not used to that effect. However, not having access to the backups has been debilitating to the organisation in relation to the availability of its records, the recreation of its accounts and so forth. It was a challenging set of circumstances.

I ask Joanne Brown to speak about how the recommendations relate to backups.

Joanne Brown

SEPA had in place a digital transformation strategy. As a result of the cyberattack, it has escalated that digital transformation. However, within the 44 improvement actions, there is something specific about backups. Part of that involves looking at cloud-based storage, including cloud-based backups, and strengthening the backup arrangements that are in place. That is captured in the action plan, and SEPA is taking the matter very seriously in the improvement plan.

Willie Coffey

Does that give assurance, though? There is bound to be another attempt at a similar attack on an organisation. In my opinion, it is still dangerous to have a direct link to the backup data and servers from the main data and servers. There should be some physical and logical separation of the two so that, if the attack is successful in one part of the operation’s data, it does not succeed in the other. Does SEPA plan to consider that?

Joanne Brown

My understanding is that a number of conversations are going on with those who supported SEPA in the independent reviews on how best to ensure the security of backups. Obviously, the attack on SEPA was very sophisticated, and an attacker will do their best to manipulate and get around a system. However, SEPA is taking advice on how best to have that segregation and protect the backups, should something impact on it from a cyber perspective in the future.

Willie Coffey

That is good to hear. Convener, you will be delighted to hear that, in my day, when I worked in computing, our guys used to put the backup in a case and take it to the bank. We would actually take a hard drive away and make sure that it was physically protected so that, if something like that happened, the information could be immediately restored. There is a lesson from the past in that regard.

My final query is about staff training. It is recognised that SEPA staff were well trained in all those aspects and were aware of them. Are there further plans to improve training in relation to cyberattacks and to make staff more aware of the possibilities and the risks?

Stephen Boyle

I will start, and Joanne Brown might want to say a bit more.

It is a fair conclusion that, across the organisation, SEPA had a high level of cyberawareness. As we note in the report, 95 per cent of people were up to date in their training. It could be reasonable to ask whether it was one of the 5 per cent who clicked on the link, but I do not think that we know the answer to that. Inevitably, there is staff turnover. For whatever reason, people might not be available to do their training. However, the 95 per cent figure represents a good level of confidence that an organisation is prepared, but further training is always important.

It is not just for the organisation but for individual SEPA staff members to follow through on the recommendations, and their experience must be shared with other public bodies. It is important to recognise that SEPA has been doing that. In a way that has probably been difficult for the organisation, it has laid out the circumstances that it faced and has reported publicly on the steps that it has taken. Such transparency is welcome, and there is a necessity for other public bodies to learn from its experience and to do their best—although there is no guarantee—to avoid a cyberattack like the one that SEPA faced.

I invite Joanne Brown to add anything that she wishes to add about training and next steps.

Joanne Brown

I will add only that training is also captured in the improvement action plan, which looks at mandatory training as well as a programme of greater awareness training. SEPA has more than 1,000 staff across its organisation, which is a high number, so it has considered mandating such training and how to ensure that all staff are reached by the training and complete it. SEPA has in place that forward plan, which has not just come off the back of the improvement plan. It is looking at how it can continue to strengthen training, especially awareness training, across the organisation.

Willie Coffey

Thank you very much.

The Convener

Thanks, Willie. I will come back to you before the end of the session for the other area of questioning that you have.

Craig Hoy wants to explore SEPA’s response, both immediate and in the medium term, to the crisis and attack when it happened.

Craig Hoy

It looks as though the ransomware attack was quite carefully timed, coming as it did at midnight on Christmas eve. We are aware from the report that the staff member who was responsible was unable to contact any member of senior management to escalate the issue. Have you explored whether SEPA now has in place contingency plans to ensure that, should such a situation arise again, that channel of communication will be open and available?

Stephen Boyle

Joanne Brown can confirm this, but I believe that our understanding is that that is the case. SEPA has reviewed its immediate response protocols, and not just as they relate to the contactability of senior management, important as that is. Paragraph 15 of the report points out that SEPA’s information services department was not part of the immediate response protocol, either. Given the nature of the attack, that is clearly another learning point for the organisation.

I understand that both of those points have been rectified, but I ask Joanne Brown to confirm that that is the case.

Joanne Brown

Yes, I confirm that it is the case. I also highlight that the report, in paragraph 19, talks about business continuity plans and their storage. Unfortunately, those plans could not be accessed after the incident, so SEPA has since strengthened its security with regard to how it documents business continuity and who is aware of that.

Craig Hoy

That is reassuring. In paragraph 18, the report states:

“SEPA has been open and transparent from the start to ensure that staff, the public and other public-sector organisations”

were aware of what was happening. You have also referred to the fact that no ransom was paid. Can you outline the benefits of SEPA taking that approach? Are you aware of any other examples in the public sector in Scotland where that approach was not taken and, for example, public funds were used to make a ransom payment?

Stephen Boyle

I am happy to cover both of those questions. There is a balance to be struck on transparency. SEPA shared learning from the incident and helped other public bodies to, where possible, avoid the pitfalls that it experienced. I again state that we commend SEPA for taking that approach. The other side of the balance is that transparency exposes vulnerabilities that could put the body at risk of further cyberattacks. Our understanding is that SEPA is carefully treading that fine line, so as not to offer any further opportunities to criminal enterprise in respect of the Christmas eve incident.

SEPA has not paid a ransom, and nor are we aware of any other public bodies having done so. The context is important. Public bodies are subject to phishing attacks—attempts to penetrate their systems—day in and day out. Because of training and the sophistication of IT security, to date the vast majority of those attacks have been prevented. It also maybe speaks to SEPA’s point that, unfortunately, this will not be the last attack. There will come a day when there is another cyberincident and, in order for the effects to be mitigated as much as possible, SEPA sharing its experience is an important component of helping other bodies to respond to and prevent attacks.

Craig Hoy

With regard to lessons learned, the emergency management team identified 103 projects that were to be undertaken as part of the recovery plan and were due to be completed by June 2021. Have you assessed whether all 103 projects have been completed?

Stephen Boyle

We are seeing real progress, but 103 projects is no small undertaking, and they have varying degrees of importance and significance in their timing. With any action plan for following recommendations, it matters that the plan is clear, that it sets out who is responsible and that there is governance around tracking progress. Joanne Brown can confirm the status of progress against the actions.

Joanne Brown

In our 2021-22 audit, we will look closely at those projects and the status of their progress. It was a large number of projects and the EMT has taken them in order of priority, relating to SEPA services, customers, stakeholders and then staff. The 103 projects were prioritised in order to reinstate SEPA’s systems. In 2021-22 and beyond, there will be further projects, as SEPA moves through digital transformation and recreates and reimplements new systems. We will specifically look at that and comment on it in our 2021-22 audit.

The Convener

Auditor General, one of the striking things in your opening statement was the fact that the auditor issued a disclaimer of opinion on SEPA’s annual report and accounts for 2020-21 and, therefore, the accounts have not been signed off. You used the word “unusual” for that choice, and it is extremely unusual. You also said that that was principally because of unsatisfactory records or evidence around a notional £42 million of income from fees. Who takes the decision to put in that disclaimer and not sign off the accounts? Is it Joanne Brown at Grant Thornton, or is it you, the Auditor General, at Audit Scotland? At what level is that decision taken?

Stephen Boyle

I am happy to say a bit more about that, but Joanne Brown is the appointed external auditor. In her role at Grant Thornton, Joanne is appointed by the Auditor General to conduct the annual external audit of SEPA and she will arrive at her own judgments on the annual report and accounts that are presented to her with regard to auditing standards and the code of audit practice.

In a moment, I will pass over to Joanne to set out for the committee how she arrived at that judgment with regard to her independent auditor’s report and opinion. To put the decision in context, it is very unusual. There are very few examples where an auditor has been unable to see sufficient evidence to support the provision of an opinion on an annual report and accounts of a public body in Scotland. The circumstances have clearly contributed to the unavailability of accounting and banking records. Very specifically, as we note in the report, which is drawn from Joanne Brown’s annual audit report, that relates to income from contracts.

As we have touched on this morning, as a regulator, SEPA charges fees for some of its services, and Grant Thornton reached a judgment that it was not able to see sufficient evidence on income from those contracts. That has a pervasive effect on many components of the annual report and accounts. Joanne and I have spoken about that at length and I clearly understand why Grant Thornton was not able to give an opinion and thus issued its disclaimer of opinion.

That is probably enough from me. I am sure that Joanne will want to say more.

11:00  

Joanne Brown

SEPA lost its entire financial ledger and all its financial records in the cyberattack. It had to recreate those financial records in order to recreate the financial statements. From the start of our 2020-21 audit, we were in conversation with SEPA’s audit committee, which is charged with governance, about the difficulties of undertaking an audit, the alternative audit procedures, and what that could mean for our opinion. That challenge was recognised by management and the audit committee.

The individuals in the finance team in SEPA worked hard to recreate the financial records. They used bank records, data recovered via emails and whatever records they had to rebuild the financial position during the year and those financial statements.

Although we were able to get assurance about expenditure, we did not get audit evidence or assurance about income. We could see income hit the cash flow and see it in the bank, but neither we nor SEPA could match that to individual customers. The question for us is whether there is any material misstatement in the accounting records.

It is clearly unusual to issue a disclaimer of opinion. SEPA’s audit committee and its board debated the timing and explored whether they could get the financial records that were needed, so that we would not put some form of qualification on the accounts. They considered what that timetable might look like. For example, I am aware of one organisation in England that experienced a cyberattack, after which it took almost three years for it to create financial statements for that year.

The SEPA management and board had a conversation about what they could practically do and what would make sense. They accepted that there would be a qualification in the accounts, due to the seriousness of the loss of the financial ledger.

The Convener

The report covers the year 2020-21. Will we at some point—even if it is three years hence—see signed off accounts for SEPA for 2020-21, or is that possibility gone forever?

Joanne Brown

We have signed off the accounts, although the disclaimer opinion comes with many caveats that say that we were unable to sign them off and give an opinion as we usually would.

It is our intention to audit the 2021-22 accounts. SEPA has put a financial ledger in place and has recreated its records. The controls in place for 2021-22 are those that SEPA had prior to the cyberattack. We are working closely with SEPA to be able to give an opinion on the 2021-22 accounts. We recognise that there will be opening balances relating to income. We want assurances about that to be able to give an unqualified opinion for 2021-22.

From an audit perspective, we will be able to provide an opinion in 2021-22. We just need to consider what that looks like when we do that audit work.

The Convener

Thank you for clarifying that. That is helpful.

You have inferred this to an extent, but one thing that comes out in the report is that temporary arrangements have had to be put in place for things such as paying staff salaries and paying suppliers. From your auditing perspective, were you satisfied that those temporary financial arrangements were sound?

Joanne Brown

We looked at the temporary arrangements that were put in place, such as the segregation of duties and approvals, and at the judgments or otherwise that the finance team made in making those payments. We were satisfied that controls were in place.

You mentioned payroll. Until the payroll system was rebuilt, there were satisfactory controls in place to ensure payment of staff through the banking system. For 2021-22, SEPA is looking to reinstate all the good financial controls that it had prior to the cyberattack in the new financial system and the new ways of working.

The Convener

I presume that that means that you—I do not know whether it is just you or a team—have to work closely with SEPA’s finance people and audit committee to ensure that things remain on track and go at the fastest pace that can be done while retaining the integrity of the accounting systems. Are you devoting a lot of your time to developing the situation from where it has been?

Joanne Brown

As you would expect, we are working closely with SEPA. In the aftermath of the cyberattack, we had conversations pretty much straight away with the finance team about the impact of the attack on the financial ledger. We also had a number of discussions during the audit about the financial controls that SEPA was putting in place and how we could effectively do the audit. Those conversations continue, particularly as we examine how SEPA implements the recommendations and as we consider how to plan the 2021-22 audit, what financial controls are likely to be in place and the timing.

We have a good relationship with SEPA. Its finance team has been open and honest about the financial controls and the judgments and estimates that it has had to make in creating financial records.

The Convener

Willie Coffey has at least one question that follows up that line of inquiry.

Willie Coffey

Before I ask a question on SEPA’s financial sustainability in light of the cyberattack, I will ask about something else about which I am curious.

What volume of data are we talking about? In the report, I can see only a reference in the appendix, on page 9, to about 1.2GB of data being stolen. Is that it? Are we talking about only 1.2GB of data? That is a tiny amount of data that has had such a catastrophic impact.

I refer to my earlier point about offline storage. You can buy data sticks that accommodate huge amounts of data for £10 or £50. You can put almost your entire data set on separate physical data sticks. Nothing can hack them if you do that.

Is there any information on the volume of data that SEPA lost and whether the right strategy is in place to protect it?

Stephen Boyle

You highlight the appendix, where we say that 1.2GB of data is

“equivalent to a small fraction of the contents of an average laptop hard drive”.

In the greater scheme of things, it is not a huge amount of data but, of course, 1.2GB can contain many tens of thousands of records and transaction histories. As Joanne Brown outlined and as we say in the report, that means that some of those vital financial and system records that SEPA needs to function were locked, encrypted or lost.

That probably speaks to the point that you make about our ever-increasing reliance on IT systems as we lead our lives and as public bodies deliver their services. However, as you said in earlier questions, Mr Coffey, it is important that, when such an event happens, sufficient back-up is in place to recreate records, notwithstanding the sophistication of the attack, which also targeted the back-ups.

Although, in the greater scheme of things, 1.2GB is small and could be held in the palm of your hand in an external storage drive, it can still contain tens of thousands of records, as was the case in SEPA’s circumstances. To relate that to the audit qualification, it meant that Joanne Brown and her team were not able to see sufficient evidence for how that translated into the £42 million of income from contracts.

Willie Coffey

My final question is about the long-term implications for SEPA’s financial sustainability. You said that we do not know the full cost of the cyberattack, but do you have any indications of how it will affect SEPA’s financial sustainability?

Stephen Boyle

Yes. We touch on the financial sustainability point in the report, and I will say a bit more about that. SEPA’s financial strategy had identified up to £17.9 million of vulnerability and variability in the longer term, to 2024. As Joanne Brown mentioned, there is now a digital transformation strategy, which SEPA is reasonably deploying. It is not necessarily trying to go back to where it had been but is perhaps using the incident as a catalyst for how it will deliver its services in the future and what that will mean for the nature of its activity and its work.

As is the case for all public bodies, SEPA needs to manage, track and profile its financial position and the sustainability of that into the future. SEPA has forecast that there will be a surplus of £6.2 million in 2021-22, and it will use that to support its recovery and transformation. As Joanne Brown mentioned, she will continue to track, monitor and report on financial sustainability during the annual audit.

The Convener

I have a final question. In a sense, it is absolutely critical that we ask it. Clearly, there are wider implications for the whole public sector of the incident on 24 December 2020. In paragraph 34 of the report, you make it clear that it is important that all public sector bodies review the recommendations of the independent reviews that have been carried out on SEPA’s cyberattack, and that lessons are learned from what happened to SEPA. Will you talk us through your understanding of any steps that have been taken to date, either by the Scottish Government or by other public sector bodies, to make sure that lessons are learned and that the experience that SEPA has gone through is shared and acted on?

Stephen Boyle

I will start and will ask Morag Campsie to say a bit more about the Scottish Government’s role and its cyber strategy, not just as part of the important learning from the incident but as part of how, more widely, it is leading in helping all public bodies in Scotland to learn from that and to safeguard against such incidents.

I will also make a point about external auditors. Between us, the Accounts Commission and I appoint the external auditors of more than 200 public bodies. Those auditors look annually at aspects of IT controls and will report through our annual audit reports on the extent to which those are robust, particularly in cases of any deficiencies. As ever, there is an onus on public bodies to be satisfied about their internal control arrangements and how robust they are. That includes cyber. There is an audit responsibility; there is also a responsibility on individual organisations.

I will bring in Morag to say a bit more about the strategy and the Scottish Government’s intentions on cyber.

Morag Campsie

As we have said, SEPA and the Scottish Government have shared the three independent reviews, which are readily available to public sector bodies. There has also been a series of events to raise awareness.

As the Auditor General said, the strategic framework, which built on the cyber strategy, came out in February 2021 and sets out action plans for the public, private and third sectors. There is also an action plan for learning, development and skills. As we have said, it is key to ensure that employees are cyberaware and that IT specialists have the right skills. The committee took evidence earlier about skills planning, which is key in making sure that the skills pipeline is in place for computing skills. The Scottish Government is looking to ensure that that pipeline is invested in.

The national cyberincident response arrangements must be effective, as well. The Scottish Government intends to bring in a central collaborative function, to ensure that all resources and technical expertise are pooled. The public sector has a number of organisations with different skills and of different sizes, with different resources available to them. There is a role for the Scottish Government to ensure that organisations can go to a centralised function to get information, share intelligence and make use of resources so that they are as prepared as possible and can respond quickly. We will continue to monitor the implementation of those arrangements.

Auditor General, do you want to add anything to that?

Stephen Boyle

Morag has set it out reasonably. Just to agree with her, it is an important point that there is a wide range in the scale of public bodies in Scotland. The ability to recruit and retain people with key IT skills is challenging for all of them. A vital component is that, through the Government, there are centres of excellence to support all public bodies to guard against, prepare for, mitigate, and, if necessary, recover from a cyberincident.

The Convener

Thank you very much indeed. As you know, the committee retains a watching brief on information and communications technology projects, not least from the point of view of capital expenditure, but we will look at the security aspects as well. We all need to learn the lessons of the experience that SEPA has undergone. As is mentioned in the report, an organisation that is, by its nature, geared up to dealing with emergencies has had to deal with something that it might not have foreseen. The whole public sector needs to take broader lessons from that.

I thank Morag Campsie and Joanne Brown, who joined us online, and the Auditor General very much indeed for their evidence. It has been a useful session for us and we will shortly consider our next steps.

11:17 Meeting continued in private until 11:41.