British lawmakers have warned that the UK’s national galleries and museums face a dangerous future after being let down by the government on cybersecurity.

Parliament’s Public Accounts Committee (PAC) said in a report published on June 24 that the Department for Culture, Media and Sport (DCMS) has failed to take the initiative on “strategic challenges” like cyber threats.

“The department has been reactive rather than strategic, having identified issues that need addressing, but with few examples of it initiating concrete action as a result,” it said.

The PAC also warned that government neglect risked exposing galleries and museums to physical as well as cybersecurity threats. It wants DCMS to set out “concrete actions” it has and is taking to address these issues.

The committee cited the ransomware attack on the British Library and thefts from the British Museum as proof the government’s approach is failing.

“While it is primarily up to museums and galleries and their trustees to address their physical and cybersecurity, the department has an important role in capturing lessons from such events and sharing these across the sector,” it said.

“Although the department has facilitated the sharing of lessons from these two cases, it could not provide us with specific examples of actions taken as a result to protect museums’ and galleries’ systems and collections.”

Read more: British Library Still Reeling After Major Cyber Incident

A Plan of Action

According to the report, DCMS acknowledged that its approach to date had been on supporting institutions reactively following an attack, and promoting best practice sharing such as getting the British Library to share its experience with other “arms-length bodies”.

"The department assured us that it was now working closely with the organizations on how it can provide central advice on improving cyber-resilience and minimising the threat and impact of cyber-attacks,” the report noted.

“The department told us it was working with the museums and galleries on how it can address skills shortages and create ‘artefacts’ that can be used and shared across its arm’s-length bodies to address their differing cybersecurity needs.”

DCMS also cited its Cyber Action Plan as proof of its efforts to boost cyber resilience across public bodies by 2030.

The plan, backed by £210m ($285m) of government money, aims to improve baseline security standards and  central government support for departments, as well as tackle legacy tech, improve visibility of risks, enhance incident response and more.

The ransomware attack on the British Library damaged much of its server estate and led to the theft of 600GB of internal data. The library said in 2024 that it had already spent £1.6m recovering from the incident.