UK Report: Hold Software Makers Liable for Security Flaws

Originally published on: November 27, 2025
Summary

– A UK parliamentary committee report calls for making software providers legally liable for insecure products, arguing voluntary security measures are insufficient.
– Recent cyber-attacks on major UK companies like M&S and Co-op caused significant financial losses and operational disruptions, highlighting the risks.
– The report notes that developers currently face no penalties for releasing flawed software, leaving the public and consumers exposed to escalating cyber threats.
– It recommends introducing legislation to mandate compliance with secure development principles, moving beyond the current voluntary code of practice.
– The committee urges shifting responsibility to vendors to reduce insecure products and incentivize greater investment in cyber-resilience.

A significant new proposal from the United Kingdom’s Business and Trade Committee calls for making software companies legally accountable for security flaws in their products. The report contends that the rising frequency and financial impact of cyber-attacks across vital sectors demonstrate that voluntary security guidelines are insufficient to safeguard the nation’s economic health.

Recent incidents have starkly illustrated the public cost of insecure software. In 2025, major organizations including Co-op, Marks & Spencer, and Jaguar Land Rover suffered damaging cyber intrusions. M&S reported losses reaching £300 million, while the Co-op was forced to handle parts of its funeral services manually after its digital systems were compromised. The committee’s findings point out that although the National Cyber Security Centre advocates a “secure by design” approach, developers currently face no penalties for releasing products containing exploitable vulnerabilities.

This regulatory gap, the report warns, leaves both the public sector and individual consumers exposed to growing dangers. It emphasizes that providers can market software with known insecure features without facing financial consequences when those weaknesses are attacked. A central recommendation urges the government to pass legislation compelling companies to adhere to the principles detailed in its Software Security Code of Practice. Presently, this code is voluntary, relies on self-assessment for monitoring, and is intended to promote, rather than mandate, secure development habits.

The committee points to international regulatory shifts as proof that stronger measures are feasible. The EU’s Cyber Resilience Act, scheduled to take full effect in 2027, is highlighted as a move toward imposing liability, granting regulators authority to demand product recalls and levy fines for non-compliance.

The underlying argument is that the UK’s economic security cannot be maintained without reducing the flood of insecure products reaching consumers. The report identifies three critical areas for action: establishing developer liability for preventable vulnerabilities, creating financial incentives for greater investment in cyber-resilience, and introducing compulsory cyber incident reporting to develop a more accurate national threat overview.

By transferring responsibility to vendors, the proposed changes seek to reverse a troubling pattern where the public ends up bearing the costs of private sector security shortcomings. Simon Phillips, CTO of Engineering at CybaVerse, remarked, “As a cybersecurity industry, we need to re-evaluate how we measure security and vendors, looking deeper into trends and categorization, i.e., vendors with recurring vulnerabilities in critical components, such as those found in edge-facing infrastructure. Why should the burden and the associated costs of incidents always be the responsibility of victims? To really drive defenses, we have to look beyond the surface, beyond the ransomware payments and into what is really enabling cybercrime to flourish.”

In its final recommendations, the committee asserted that compliance with secure-by-design principles must become the baseline standard, not an optional extra. It pressed ministers to equip enforcement bodies with the authority to monitor adherence and impose penalties on companies that fail to meet their obligations.

(Source: Info Security)