Greater London Authority Oversight Committee publishes the 'Cyber Security at the GLA' report

Published
2/26/2026

A new report warns cyberattacks on the GLA are now inevitable: not a matter of if, but when

The report examines the growing cyber threat facing the GLA and wider public sector, highlighting the increasing sophistication and frequency of attacks. It finds that cyber risk is now systemic, persistent, and unavoidable. Within the report, Dianne Tranmer, Executive Director of Corporate Resources and Business Improvement at the GLA, stated, “It is increasingly a case of, not if, but when an incident will hit.”

The Committee makes 11 recommendations:

1. Benchmarking Cyber Investment

Develop a formal approach (by the 2027–28 budget cycle) to measure and benchmark cyber security spending and pay against public and private sector comparators.

2. Reporting on Legacy Systems and Supply Chain Risk

Introduce confidential board-level reporting in 2026 on:

  • Specified legacy IT systems and associated risk levels
  • Supply chain organisations with system access and associated risk levels

3. Supply Chain Certification

Confirm whether suppliers are required to hold NCSC Cyber Essentials Plus certification.

4. Staff Training Monitoring

Strengthen monitoring of mandatory cyber training completion and review training frequency across the GLA Group.

5. Addressing Workarounds and Non-Compliance

Provide clarity on work underway to understand informal IT workarounds and user non-compliance with formal cyber processes.

6. Cyber Security Exercise

Conduct a dedicated GLA cyber security exercise (with TfL support) by end of 2025–26 and report findings to the Committee.

7. Cyber Assessment Framework (CAF)

Confirm completion and adoption of the 2025 CAF 4.0 assessment.

8. Tested Contingency Plans

Confirm that the GLA has tested and proven contingency arrangements for loss of access to email and file systems.

9. London Resilience Forum Focus

Use GLA chairmanship of the LRF to maintain strong focus on city-wide cyber resilience and coordinated response planning.

10. Shared Services Guarantees

Provide a summary of cyber-related service agreements with TfL, including minimum IT service guarantees during emergency response and recovery.

11. Independent Review of TfL Attack

Share the independent review report of the September 2024 TfL cyber attack and provide a briefing on resulting actions and lessons learned.

Quotes:

“Just before we began this investigation, TfL suffered its biggest cyber-attack in history with critical impacts across the system. It also affected the Greater London Authority (GLA) which was part-way through a shared services transition onto TfL’s digital platforms. This incident underlined the importance of our investigation and the need to review our defences. The TfL attack caused headlines and shocked the nation when it was discovered the instigator was not a global criminal group operating from a complex technological centre but a teenager from the UK in their bedroom. Resilience to a cyber incident is a critical concern. For the sake of Londoners, we seek further assurance from the GLA and its associated bodies that everything possible is being done to defend against the next attack. In that context, this report makes eleven recommendations intended to strengthen the GLA’s approach to cyber security here in London.” - Former Chairman of the GLA Oversight Committee, Emma Best AM
