Purpose

Decision refs I030272 dated 3rd April 2024
and
I025179 dated 4th March 2022

The Service
The majority of our IT service delivery, including elements of
Cyber Security, is currently provided by Serco. This contract is
due to expire at the end of March 2026.

The Council’s Executive approved an overall IT Service
Delivery Model and sourcing approach on the 4th May 2022 and
following a short pause to reassess the risks and issues, a second
paper was submitted 3rd April 2024 to approve revision to the
model.

In both papers, the Council recognised and approved the need for an
enhanced cyber security partner, to provide a very technical and
highly skilled independent cyber security service.

The Procurement Route
The procurement process was via the Crown Commercial Services Cyber
Security framework. This framework is a Dynamic Purchasing System,
where the field of potential bidders may change during the life of
the framework. This allows smaller, more expert enterprises to
easily compete, leveraging the developing capabilities of a rapidly
changing industry.

The competition contained several stages:
1. A filtering system, to shortlist and ensure the most appropriate
potential bidders are identified.
2. A capability assessment to further reduce the number of
potential bidders to an appropriate level.
3. An invitation to tender for against the Councils
requirement.

Of the 435 potential bidders, the Council shortlisted 86 for a
capability assessment, invited 28 to tender and received 7 on time
submissions.

Benefits
This new service complements and continues the work started in
Project Boole, to significantly enhance the Council’s cyber
security posture, reducing the costs and impact of an incident,
along with the probability.

In 2024, the average cost of recovery for a UK council from a
cyber-attack was estimated to be around £1.2 million. This
figure includes expenses related to IT system restoration, data
recovery, legal fees, and potential fines. The financial impact can
vary significantly depending on the severity of the attack and the
council's preparedness. A recent attack of Hackney Council in 2024
is reported to have cost £37m to remediate.

Decision

To award a contract to NCC Group Services
Limited for a Managed Detection and Response Service for an initial
period of 3 years, with 2 extension periods of 12 months possible,
for a total value of £1,016,980.68 for the initial 3-year
period.

To delegate the signature of the contract to the Chief Information
Officer.

To delegate authority to the Chief Information Officer to make such
decisions as are necessary to vary the contract through its term,
provided that the contract’s total value does not exceed
£2,000,000