The Public Accounts Committee report of Wednesday 24 June 2026 tells DCMS that UK national museums and galleries are being left vulnerable to cyber-attack, with the Government working reactively rather than strategically. Three weeks before the Cyber Security and Resilience Bill's now-scheduled Lords second reading on Tuesday 14 July, and on the Friday close of DUAA Week One, here is what UK charities, schools and SMBs should take from the report and the three jobs that fit the next eighteen days.
Key takeaways
- The Public Accounts Committee report published on Wednesday 24 June 2026 tells the Department for Culture, Media and Sport that UK national museums and galleries are being left vulnerable to cyber and physical security threats, with the Government working in a reactive posture rather than a strategic one. Six recommendations sit behind that finding, with the two cyber-relevant ones asking DCMS to set out the concrete actions taken since the 2023 British Library incident and to establish baseline cybersecurity standards across the arm's-length body portfolio with measurable metrics.
- The Cyber Security and Resilience (Network and Information Systems) Bill, which cleared its Commons third reading on 10 June and was introduced to the Lords at first reading on 17 June 2026, now has a fixed Lords second reading date of Tuesday 14 July 2026. The Bill broadens scope under the Network and Information Systems Regulations, tightens incident reporting and codifies the supply-chain assurance question, with the practical pressure on UK charities, schools and SMBs landing first as sharper procurement questionnaires from regulated buyers in autumn 2026.
- The PAC's formal scope is the fifteen DCMS-sponsored national museums and galleries. The practical scope is wider. The PAC's frame - strategic versus reactive, baseline versus bespoke, sector-wide standards owned by a parent department - is the same frame the Department for Education sits inside for school cyber risk, and it is the same frame that lands on smaller museum, heritage, library and community charities through their supplier base. The supplier-side reading of the report is that the autumn 2026 procurement questionnaire is now the lead vector for the audience.
- Three jobs fit the eighteen days between Friday 26 June and the Lords second reading on Tuesday 14 July. Refresh the one-page exposure map to add a legacy-systems row with named retirement dates and a digitisation-programme row. Run the MFA-and-segmentation pass so every administrative, remote-access and partner-access account is on multi-factor authentication by Friday 10 July, including the Section 164A complaints inbox, with the first segmentation list - what should not be reachable from a compromised user laptop - written down. Rehearse three recovery scenarios on a tabletop by Friday 10 July: an MIS or donor-CRM ransomware lock-out, a personal-data exfiltration leak and a regulator-side complaint through the new Section 164A route.
- DUAA Week One closes today, Friday 26 June 2026. The minimum bar for the day is that the Section 164A complaints page is live, findable from the homepage, capturing every receipt with a timestamp and firing an acknowledgement automatically. A running zero after seven days is a calibration problem, not an absence of complaints. The next board pack carries the running Section 164A numbers, the legacy-systems retirement list, the digitisation-programme protections, and the post-tabletop action items, with named owners and dates against each.
It is Friday 26 June 2026, the last working day of DUAA Week One. The Section 164A data protection complaints duty has been in force for one full working week. Two days ago, on Wednesday 24 June, the Public Accounts Committee published a sharp report telling the Department for Culture, Media and Sport that UK national museums and galleries are being left vulnerable to cyber-attack, with the Government working in a reactive posture rather than a strategic one. And in Westminster the Cyber Security and Resilience (Network and Information Systems) Bill now has a fixed Lords date: second reading on Tuesday 14 July 2026, eighteen days from today.
Three live regulatory and institutional anchors land in the same fortnight, and all of them point again at the same audience: UK charities (including the heritage and cultural-sector charities that sit alongside national museums), schools and small and mid-sized businesses. This post is a Week-One-closes scorecard for what the PAC report actually tells the audience to act on, what the now-scheduled Lords second reading means for the next eighteen days, and a short list of operational jobs that close out the calendar month.
What the PAC actually said this week
The Public Accounts Committee report, published on Wednesday 24 June 2026, is the spending watchdog's read on the DCMS-sponsored museums and galleries portfolio. The headline finding is that DCMS has identified the strategic challenges — cyber threats and physical security among them — but has not been able to point to concrete sector-wide actions that have followed. The Committee's wording is unusually direct: a reactive posture, not a strategic one.
Six recommendations sit behind that finding. The two cyber-relevant ones are the requests that DCMS set out the concrete actions it and the museums have taken to address cyber and physical security threats, and that it establish baseline cybersecurity standards across the arm's-length body portfolio together with the metrics by which institutions will be measured against them. The PAC has also asked DCMS to explain how it will provide centrally-resourced cyber support to institutions that do not have an in-house security team, how it will coordinate shared threat intelligence across the portfolio, and how it will protect the rapidly growing digitisation programmes that turn historic collections into networked data.
The Committee did not have to invent its case study. The October 2023 ransomware attack on the British Library by the Rhysida group is the worked example sitting in the background of every paragraph of the report. Forensic analysis after that incident identified a terminal server used for remote access by trusted partners as the likely entry point, with the absence of multi-factor authentication on that server identified by the Library's own published lessons as the contributing failure. The attackers exfiltrated around 600GB of data — close to half a million files — including personal data from the CRM database. The Library entered an eighteen-month "Rebuild and Renew" recovery programme that ran into 2025; many digital services were degraded for months.
DCMS, for its part, has pointed at the Government Cyber Action Plan launched in January 2026 — the new £210 million Government Cyber Unit programme intended to drive baseline standards, address legacy technology and enhance incident response across public bodies. The PAC's reply, in effect, is that the existence of a national programme does not absolve a department of the duty to set sector-specific baselines for its own arm's-length bodies, and to be able to evidence the actions that have been taken since 2023.
Why this report lands on UK charities, schools and SMBs
The PAC's formal scope is the fifteen DCMS-sponsored national museums and galleries. The practical scope is wider. The national institutions sit at the top of a charity-sector pyramid that includes hundreds of registered museum and heritage charities, several thousand independent libraries and archives, and a long tail of cultural, educational and community charities running similar IT estates on similar budgets. Many of these are registered charities under English, Scottish or Northern Irish charity law; the PAC's recommendations on board governance, on baseline standards and on centrally-resourced support are recommendations the smaller charity sector has been arguing for itself for at least two years.
For UK schools and multi-academy trusts, the report is not a literal mandate, but the parallel is exact. The PAC's frame — strategic versus reactive, baseline versus bespoke, sector-wide standards owned by a parent department — is the same frame the Department for Education sits inside for cyber risk across the school estate. The three UK education cyberattacks of early-to-mid June made the same diagnostic point from the ground level: the schools and trusts that recovered fastest were the ones with the boring fundamentals already in place.
For small and mid-sized businesses, the report's structural lesson is the supplier lesson. Most of the museums in the PAC's scope buy from the same outsourced IT, library-management-system and visitor-services providers that mid-sized charities and businesses buy from. A baseline-cyber-standards conversation across DCMS arm's-length bodies will land, sooner or later, as a procurement-questionnaire conversation across that supplier base — the same pressure post #20 walked through alongside GCHQ's Annual Lecture and post #25 set out as the autumn 2026 procurement story.
The British Library lessons every smaller institution should already have read
The British Library's own report on the attack — published in March 2024 and quoted at length in the academic literature since — is one of the most candid post-incident write-ups any UK public body has produced. Three of its observations carry across to schools, charities and SMBs without modification.
The first is that no single perimeter is enough. The Rhysida attackers were inside the network for at least three days before the incident became apparent, used a remote-access terminal server as the entry point, and pivoted through a flat internal network architecture once they were in. The Library's own conclusion was that network segmentation — boxing the most sensitive systems off from each other, not just from the outside world — would have limited the blast radius. For a school running an MIS, a library-management system and a finance ledger on the same flat VLAN, the lesson reads identically.
The second is that legacy infrastructure was a structural amplifier. The Library's IT estate had grown over decades, with mixed-vintage servers, multiple authentication directories and inconsistent patching baselines. The PAC report repeats this concern: legacy systems are a sector-wide problem across DCMS arm's-length bodies, and the Government Cyber Action Plan's legacy-technology workstream exists precisely because most public-sector estates carry the same pattern. The audience version of this lesson is one of the three jobs below.
The third is that under-funding and a shortage of in-house IT-security expertise were a recurring root cause across the lessons. The Library was not careless — its security measures had been accredited and stress-tested — but in retrospect it wished it had prioritised differently. For a multi-academy trust or a small charity, the honest version of this lesson is that prioritising the right small set of controls and rehearsing them well beats holding a longer list aspirationally.
The three jobs before the Bill's Lords second reading on 14 July
Eighteen days separate Friday 26 June from Tuesday 14 July 2026. Three jobs fit that window, and they map cleanly onto the three-capability frame Richard Horne set out at RUSI on 17 June: understand exposure, build defences on proven fundamentals, recover quickly.
Job one is to refresh the one-page exposure map. The Wednesday-afternoon version of this map went into post #25's thirty-day plan; the Friday close-of-Week-One version adds two PAC-prompted rows. Add a row for legacy systems that no longer have a security owner, with the named retirement date that follows from the PAC's legacy-technology argument. Add a row for the digitisation programme — the collection of files, the cloud storage account, the access-management list — because the PAC's report is explicit that digitised assets become networked assets and need to be treated accordingly. This sheet is the home of Action 1 of the Cyber Resilience Pledge, board-level cyber ownership, and refreshes monthly.
Job two is the MFA-and-segmentation pass. By Friday 10 July, every administrative, remote-access and partner-access account should be on multi-factor authentication. The British Library lesson is specifically about partner-access servers; the audience's equivalents are the third-party support accounts the IT supplier uses, the temporary contractor accounts, and the legacy service accounts that no human routinely logs in to. The Section 164A complaints inbox itself sits inside this pass — putting a passkey on the inbox account, in line with the NCSC's April 2026 guidance, is the simplest single intervention that stops a complaints route becoming a second incident. The segmentation half of the job is more architectural and rarely closes in two weeks, but the first move — listing which systems should not be reachable from a compromised user laptop — is achievable inside the window and is the precondition for everything else.
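Job two's first segmentation move is a written list; the script below, added here as an example and not part of the original post, turns that list into a self-test to run from a standard user laptop, so the "should not be reachable" claim is verified rather than assumed. The system names, hosts and ports are constructed sample values, and the probe is injectable so the logic can be exercised without touching a network.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """One row of the segmentation list: a system a user laptop must never reach."""
    system: str
    host: str
    port: int
    reason: str


# Constructed sample list (hypothetical addresses): the systems a compromised
# user laptop should not be able to open a connection to.
SEGMENTATION_LIST = [
    Expectation("MIS database", "10.20.0.10", 1433, "pupil and parent records; SQL only from the MIS app tier"),
    Expectation("Donor CRM database", "10.20.0.11", 5432, "supporter personal data"),
    Expectation("Finance ledger server", "10.20.0.12", 445, "payroll and bank-detail files"),
    Expectation("Partner-access terminal server", "10.30.0.5", 3389, "supplier RDP only via the MFA gateway"),
    Expectation("Backup repository", "10.40.0.2", 22, "must stay unreachable so a laptop infection cannot reach backups"),
]


def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake completes from this machine (timeouts and refusals count as unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_gaps(expectations, probe=tcp_reachable):
    """Run from a normal user laptop: every listed system that answers is a segmentation gap."""
    return [e for e in expectations if probe(e.host, e.port)]


def report(gaps):
    """Short pass/fail summary suitable for the board pack or the tabletop pre-read."""
    if not gaps:
        return "PASS: nothing on the segmentation list is reachable from this laptop"
    lines = [f"FAIL: {len(gaps)} system(s) reachable from a user laptop"]
    for e in gaps:
        lines.append(f"  - {e.system} ({e.host}:{e.port}): {e.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(segmentation_gaps(SEGMENTATION_LIST)))
```

Run it from the laptop VLAN, not from a server or the IT team's admin workstation, because those are exactly the places from which the list is supposed to be reachable.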
Job three is recovery rehearsal. By Friday 10 July, the audience should have run a tabletop on the three most disruptive scenarios for their institution: a ransomware lock-out of the MIS or the donor CRM, an exfiltration leak of personal data into a public dump site, and a regulator-side complaint that lands through the new Section 164A route. The output is short: who decides what at each stage, what the first three calls are, what the public statement looks like in the first six hours, what the regulator-side notification looks like in the first seventy-two. The FortiBleed playbook from post #24 is the operational example of how short this kind of document needs to be to be usable in a real incident.
What is not in this post
This is not a DUAA detail walkthrough — that work lives in post #21. It is not a FortiBleed walkthrough — that work lives in post #24. It is not a re-summary of the British Library lessons in full — the published Library report and the academic literature around it do that work better than 2,000 words can. What it is, is a Friday-close-of-Week-One reading of what the PAC's report and the Bill's now-scheduled Lords second reading mean for UK charities, schools and SMBs over the next eighteen days.
The honest version of those eighteen days is short. By the end of today, the Section 164A complaints page is live, findable from the homepage, capturing every receipt with a timestamp, and firing an acknowledgement automatically — Week One closes with that as the minimum. By Friday 3 July, the one-page exposure map carries the two PAC-prompted rows. By Friday 10 July, MFA is on every administrative, remote-access and partner-access account; the segmentation list exists; and the three tabletop rehearsals have happened. By Tuesday 14 July, the audience watches the Bill's Lords second reading from a measurably stronger baseline than the one DCMS and the PAC have just argued in public about.
If that picture matches what you are reading on your own monitors this Friday afternoon, the next call is procedural, not strategic. If it does not, that is the call to make before the long July weekend. Our cyber resilience service is shaped around exactly this eighteen-day picture, and a discovery conversation takes thirty minutes.
— Boris Didov