Cyberwire Daily
UK Report Proposes Liability For Software Provider Insecurity

By Team-CWD, November 26, 2025


A renewed push to make software providers legally responsible for insecure products has been set out in a new report from the UK’s Business and Trade Committee.

The document argues that frequent and costly cyber-attacks across major sectors show that voluntary measures are no longer enough to protect the economic stability of the UK.

Rising Public Costs From Insecure Software

A series of incidents in 2025, including attacks on Co-op, M&S and Jaguar Land Rover (JLR), underscored the financial and operational fallout from cyber-intrusions. M&S reported losses of £300m, while the Co-op shifted parts of its funeral operations to manual processes after its systems were disrupted. 

The report notes that although the UK’s National Cyber Security Centre (NCSC) promotes a “secure by design” model, developers face no penalties if they release products containing exploitable flaws.

The Committee warns that this gap leaves the public sector and consumers exposed to escalating risks. It also highlights that providers can sell software with insecure features without bearing the cost if attacks exploit those weaknesses.

A core recommendation is that the Government introduce legislation requiring companies to follow the principles outlined in its Software Security Code of Practice. The current code is voluntary, monitored only through self-assessment and designed to encourage, rather than compel, secure development practices.

The report cites international moves as evidence that stronger action is possible. The EU’s Cyber Resilience Act, which enters full effect in 2027, is framed as a shift toward liability, empowering regulators to order product recalls and impose fines for non-compliance.

Why Liability Matters

The Committee argues that the UK’s economic security cannot be sustained without reducing the volume of insecure products entering the market. It sets out three areas of focus:

  • Making software developers liable for avoidable vulnerabilities

  • Incentivizing greater investment in cyber-resilience

  • Introducing mandatory reporting of cyber incidents to build a clearer national threat picture

By shifting responsibility to vendors, the proposed reforms aim to counter a trend in which the public absorbs the costs of private sector security failures.

“As a cybersecurity industry, we need to re-evaluate how we measure security and vendors, looking deeper into trends and categorization, i.e., vendors with recurring vulnerabilities in critical components, such as those found in edge-facing infrastructure,” commented Simon Phillips, CTO of Engineering at CybaVerse.

“Why should the burden and the associated costs of incidents always be the responsibility of victims? To really drive defenses, we have to look beyond the surface, beyond the ransomware payments and into what is really enabling cybercrime to flourish.”

The Committee concluded that compliance with secure-by-design principles should represent the baseline standard rather than a discretionary choice. It urged ministers to give enforcement bodies the power to monitor adherence and issue penalties where firms fall short.


