Key information
Request reference number: 787
Date of response:
Summary of request
You requested:
Under the Freedom of Information Act 2000, please provide the following information for the period 1 January 2023 – 31 December 2024:
1. The number of occasions on which cyber or information security risks appeared on the agenda of your governing body (or equivalent oversight body).
2. The name(s) of any committee(s) or board(s) with formal responsibility for cyber or information security oversight.
3. Whether documented criteria exist for escalating significant cyber incidents to the governing body or senior leadership (yes/no; if yes, please provide or summarise).
4. The number of governing body members (or equivalent) who completed cyber or information security training during this period, and the total number of members in that body.
5. Whether an independent assessment of your cyber security arrangements (e.g. internal audit, external review, or third-party assessment) was reported to the governing body during this period (yes/no; if yes, please state the type of assessment).
Our response:
- Between 1 January 2023 and 31 December 2024, cyber and information security risks appeared 20 times on the agenda of the weekly MOPAC Board meetings.
- The MOPAC Board, comprising the Chief Executive Officer (CEO) and Directors, is responsible for the formal oversight of cyber and information security risks.
- MOPAC operates in line with the GLA cyber incident procedure, which can be found here: https://www.london.gov.uk/who-we-are/governance-and-spending/promoting-good-governance/our-procedures?ac-60467=60464
- In the specified timeframe of 01 Jan 2023 to 31 Dec 2024, there were 7 Board members, all of whom completed data protection training.
- Yes. An external consultancy carried out a GDPR discovery day audit on 14 February 2023. This covered incident reporting, breach management and information security, and provided recommendations for improvement actions where appropriate.