Decoding the world of cybersecurity

MPs warn museums remain exposed

The Public Accounts Committee says government-sponsored museums and galleries remain vulnerable to cyber and physical security threats because oversight has been reactive rather than strategic.

MPs warn museums remain exposed
Summary
  • The Public Accounts Committee says DCMS has not used its central role effectively to address cyber and physical security threats across museums and galleries.
  • The report cites the British Library cyberattack and British Museum thefts as examples of sector vulnerability.
  • The findings connect cyber resilience with governance, funding pressure, board capability, and public-sector accountability.

The Public Accounts Committee has warned that the UK’s national museums and galleries remain exposed to cyber and physical security threats because government oversight has been too reactive.

The committee’s report on the financial resilience of government-sponsored museums and galleries says the Department for Culture, Media and Sport has failed to use its central role to help institutions address fast-moving risks, including cyber security and the protection of collections. The committee pointed to the British Library cyberattack and the British Museum thefts as high-profile incidents that exposed weaknesses across the sector.

The report says DCMS has facilitated some sharing of lessons but could not provide specific examples of concrete actions taken as a result to better protect systems and collections. It also says the department lacks a clear picture of whether museums and galleries are delivering value for public money, despite providing £484 million in grant-in-aid funding to 15 institutions in 2024-25.

The cyber exposure reaches beyond one sector. Museums and galleries hold sensitive records, donor information, employee data, research material, collection records, digitised assets, commercial systems, ticketing platforms, retail operations, and public-facing services. When those systems fail, the impact can affect public access, collection management, income generation, research, reputation, and the ability to operate as a national institution.

The British Library attack remains the clearest recent example. It disrupted services, damaged digital operations, and forced a long recovery programme. Cultural institutions often operate with constrained budgets, legacy systems, specialist applications, and complex supplier arrangements. They may also lack the in-house security maturity found in more heavily regulated sectors, while still holding nationally important assets.

The committee’s criticism is about governance as well as technology. The report says DCMS has over-relied on institutional autonomy and has not taken enough initiative to support museums and galleries with strategic challenges. It also raises concerns about board vacancies and financial leadership churn. Those issues affect cyber resilience because security investment, incident preparation, supplier oversight, and recovery planning depend on governance capacity.

The committee recommends that DCMS set out clear metrics by which it will assess museums and galleries, and the consequences for institutions that do not meet those criteria. Such a framework would move the sector closer to measurable accountability rather than informal encouragement.

Public-sector cyber incidents have repeatedly shown that nationally important services and institutions may depend on ageing infrastructure, fragmented ownership, and uneven recovery capability. Public bodies are often expected to modernise services, increase digital access, and protect data while managing funding constraints and legacy estates.

Cyber security cannot be separated from that operating environment. A museum with weak asset visibility, high supplier dependency, slow procurement cycles, board vacancies, and stretched finance teams will struggle to build credible resilience even if technical staff understand the exposure.

The committee’s report and accompanying committee notice set out the public-sector accountability case. The next stage will show whether DCMS turns shared learning from past incidents into measurable expectations, funded action, and board-level ownership.

×