Tees Valley Combined Authority has been warned it needs to update a six-year-old information security plan or face “further IT risks” to its business.
The organisation’s internal auditor RSM said the document had been created and approved in 2015, but had not been reviewed or re-approved since.
It rated this as a ‘medium’ priority for TVCA in a category on cyber risk management.
Last year one of the combined authority’s member councils, Redcar and Cleveland, fell victim to a cyber-attack which cost it more than £10m.
RSM said: “The policy does not make any mention of Tees Valley Combined Authority and instead has been developed for Stockton Council.
“The document has been created by Xentrall who are currently a partner with TVCA which would explain why TVCA are using this policy.”
A TVCA spokesman said: “Xentrall provides various back-office services to Stockton and Darlington Borough Council and had previously been supplying ICT functions to the combined authority under its own information security policy.
“As TVCA has become a group structure, some of Xentrall’s ICT functions were brought in-house earlier this year and, due to this, a review and…
