Sophie Newbould

Sophie is an independent regulated commercial solicitor in England, with 15 years post-qualified experience combined with an earlier background in construction and telecommunication private finance.

Sophie has specialised in data, digital and technology project procurements for over 11 years with clients that have included the Ministry of Justice, Home Office, Foreign & Commonwealth Office, BEIS/Met Office, Department for Transport, Cabinet Office, Bank of England, Police, local government, transport suppliers and the Satellite Applications Catapult.

Sophie is a longstanding member of techUK, the Procurement Lawyers Association and World ITECHLaw Association.  Over the past three years, she has won global recognition for her work in business and law (e.g. Technology Justice for Global 100 2024, Corporate INTL Award 2024, Leaders in Law and Advisory Excellence Awards for Data & Innovation Legal Practice).

Sophie is passionate about fighting corruption in public national and global infrastructure (which includes buildings, services, data, people, technology and money) for several reasons.

Firstly, a peaceful and just society must be built and maintained on sound governance principles (note EU Treaty as the precedent).

Secondly, the largest infrastructure contracts usually have public funding and are primary targets for criminality and abuse.  The threat against a peaceful and just society is therefore very real and must be protected and upheld by a legitimate democratic government – in our case, the United Kingdom.

Sophie is a commercial law expert on the subject of critical national infrastructure projects and advises on security resilience which has many pillars.

Sophie’s first dissertation titled The Legality of Reconstruction Contracts in Post-War Iraq was published in the Electronic Law Journal 2004 setting out the importance of anti-corruption in international security and infrastructure procurement (see Electronic Law Journals – LGD 2004 (2) – Kavanagh (warwick.ac.uk).  Here conclusion from this research was that the post-war security status of Iraq would be directly linked to the governance principles and procurement credibility of those reconstruction contracts.

Sophie’s second dissertation (unpublished 2005) was in response to the then New Labour Government’s proposals on processing civilian biometric identification data on the UK’s first national identification cards system.  The conclusion at that time was that compared to the security status of the criminal biometric database (small in comparison), it would not be legally viable to build, store and protect a national civilian database until its security status could be guaranteed.  Note that New Labour dropped the civilian biometric database proposals at that time.

Information Security

The Solicitors Regulation Authority prescribes and enforces strict rules and regulations on practising solicitors in the UK in relation to duties of care to clients. At the same time, though, law firm infrastructure and security has increasingly moved online despite the higher duty of care thresholds compared to an ordinary unregulated business. Unfortunately, the due diligence of these online systems is very limited before a contract is entered into.

Likewise, public sector organisations such as the NHS, police forces and education authorities are under statutory duties of care to people, place and economy.

Speaking from her experience of having advised on many of these information management systems, whilst the procurement process is well understood, the security requirements tend to sit within the contract obligations in model Government contracts.  This means that the only due diligence on cyber history, qualifications and real-time status is the certification requirements set by GCHQ/NCSC, e.g., Cyber Essentials/Cyber Essentials Plus with the ISO Standards, all of which could be aspirational.

CNI Security & Procurement

With regards to critical national infrastructure, since 2014 Sophie has worked on the following projects as a senior commercial legal advisor:

1. Home Office: Emergency Services Mobile Communications Programme (ESMCP)
2. Border Control/Cabinet Office DDaT: e-Gates Programme
3. Met Office/BEIS: Supercomputer 2020+ Programme
4. Ministry of Justice:Future IT Services (FITS)

On each of these projects, online systems and protected data processing were involved.

As part of evidence provided to Parliament on the state of cyber resilience in UK CRI, Sophie confirmed the following:

1. No security history or evidence (provided to or carried out by the authority) of the suppliers’ current security status was ever required at supplier evaluation and selection stage.
2. No supplier evaluation guidelines or security expertise was involved at early stages and during a major CRI procurement process.
3. Security obligations within the contracts were pre-written either as Crown Commercial Services model agreement templates or bespoke by top panel lawyers.  It is unclear whether the quality of these contracted security obligations was fit for purpose.  It is unclear who had sufficient levels of security expertise to authorise these obligations as reasonable and adequate.
4. If there were any key performance indicators or service level requirements in the tendered contract, I do not recall ever having a data or security expert as part of any of the programme teams present to lead on this area of contracting requirements.
5. The more experienced I have become on these procurements, the more obvious it is to me that there is a systematic lack of cyber threat and landscape expertise at Programme level.  It is also clear to me that there are budgetary constraints on commercial officials to invest time on getting the procurement and contract out rather than to understand the complexity of online risk and harms modelling for bespoke CNI programmes. I have first-hand experience of where the Model Services Agreement is adopted, further investment in drafting a more fit for purpose contract is difficult to get approved – let alone secure approval for experts to oversee data and security requirements and obligations.
6. Data Protection, Information and Cyber Security are highly specialised and too often get confused.  Because of the common practice of using standardised legal documents, these pre-written clauses are frequently assumed as adequate before publication in a procurement process. But often they are in fact inadequate and the actual parties responsible for compliance are not qualified or have insufficient experience to lead on these most important risk areas.
7. There are common gaps between the real-time exposure of parties online before, during and after live contract as compared to those parties’ respective roles and responsibilities under the contract and within their own organisations.
8. Often on CNI contracts, the risk, harms & liabilities model of the entire threat landscape is not understood by the procurement team professionals as there is insufficient security, data and technical expertise, education, skills, appetite and budget to complete this work properly.

UK Government Cyber Security Strategies

It seems the Government cannot comprehend that the economy will fall if law firms, businesses, local governments and so on continue to collapse due to relentless online crime because there is no cyber resilience.  Ambitions for 2025 are important, but the critical emergency is now, today, now, yesterday.

Share prices of the world’s largest companies have fallen within hours by 85% following a major cyber-attack. This is no way to run a digital economy.

Failing to include the root cause of harm and how to fix it in the national cyber guidance and certification materials, in the strategies, as well as the current discussions ongoing for new regulations, is woefully inadequate – if not a waste of taxpayers’ money entirely.

The content of what is required to fix the UK’s woeful security position is now being responded to via the Department for Science Innovation and Technology’s call for views on its recently published Cyber Governance Code of Practice: call for views – GOV.UK (www.gov.uk) for non-cyber directors.  Sophie is working with TechUK and APM members to bridge this gap that has now come to light across all industries and business that there is a lot more work to do to build a more cyber resilient UK and economy.