His Majesty’s Revenue and Customs (HMRC) is firming up plans to procure more security information and event management (SIEM) services as it seeks to enhance its existing Security Operations Centre (SOC) capabilities, according to a request for information (RFI) published this week.
As the UK’s tax authority, HMRC is tasked with upholding the integrity of the country’s financial systems and ensuring public trust. It serves a broad public sector customer base of more than five million businesses and 45 million individuals, and manages over £800bn every financial year. As such, it faces significant and sophisticated cyber security threats on a day-to-day basis.
“This RFI seeks solution and service related information that would be capable of enhancing HMRC’s SOC through the deployment of advanced technological tools and expertise,” the department said in a tender notice. “Ideal partners will demonstrate a clear technological roadmap aligned with HMRC’s strategic needs, show a commitment to effective communication, and provide flexible and scalable solutions.
“A strong focus on long-term collaboration is essential to meet our cyber security objectives, as outlined in the RFI documents, effectively safeguarding against the continuously changing global geopolitical and economic landscape.”
At their core, SIEM systems such as the one proposed for HMRC are data aggregation services that draw information from various sources, identify anomalies that could indicate cyber threats, and take action – such as generating alerts for SOC teams or activating other countermeasures. More advanced SIEM capabilities incorporate elements of user and entity behaviour analytics (UEBA) and security orchestration, automation and response (SOAR).
Government departments unprepared
In recent weeks, both the Public Accounts Committee (PAC) and National Audit Office (NAO) have gone on record to say that departments across the British government appear to be woefully unprepared for a “catastrophic” cyber attack – largely as a result of over-reliance on legacy IT systems, a long-acknowledged issue in government.
Earlier this week, the PAC heard witness statements from government IT leaders who discussed how civil servants across Westminster lack visibility into their IT systems and the extent to which they are vulnerable to cyber attacks.
The NAO report, published at the end of January 2025, found that 58 critical government IT systems had “significant gaps” in cyber resilience, and that the state of resilience of a further 228 legacy IT systems was essentially unknown.
Besides this lack of understanding, the NAO identified a lack of coordination within government that risks jeopardising a joined-up approach to cyber security at Westminster. This includes a lack of understanding of departmental roles and responsibilities, among them those of the National Cyber Security Centre (NCSC).
It also warned of a serious skills gap, with roughly a third of open cyber security roles in government either vacant or filled by temporary contractors.
Its findings were based on a series of interviews with Cabinet Office officials who have been tasked with implementing the current Government Cyber Security Strategy: 2022-2030, as well as staffers from the NCSC, the Central Digital and Data Office (CDDO), and other civil servants working around cyber security. The NAO also sought input from the British Library, which fell victim to a significant ransomware attack in the autumn of 2023.
HMRC’s contract is currently set to begin on 1 December and will run for three years to 30 November 2028. The closing date for the RFI is midday on Friday 27 March. The department has not yet put a value to the contract.