Government review finds Hacker House grant award was ‘appropriate’
Audit finds no impropriety in funding given to firm run by PM’s friend, but DCMS minister says she intends to ‘ensure that processes are strengthened’
A government review has found nothing improper in the award of £100,000 of public money to a cybersecurity firm run by a friend of prime minister Boris Johnson.
The Government Internal Audit Agency today published the findings of its review into the money awarded via the Cyber Skills Immediate Impact Fund (CSIIF) to Hacker House – an IT security-focused training company run by Jennifer Arcuri.
The ultimate conclusion of the review was that “the assessment of eligibility and... grant award to Hacker House Ltd was appropriate”.
But it did uncover a few processes that were not followed as planned by officials at the Department for Digital, Culture, Media and Sport, as well as some “areas where questions on the grant application form would have benefitted from being clearer”.
The review acknowledged that Hacker House’s grant application – which initially sought funding of £273,000 – did not meet the “gateway” requirement that money awarded should not exceed 50% of the annual income of the company in question.
Number of applications for CSIIF's second funding round
Firms that were awarded grants – three of which would have been disqualified if gateway requirements had been enforced
Date when grants were awarded
Money given to Hacker House
Percentage of grant funding yet to be paid to Hacker House
But, in light of the fact that the total number of applications for the programme's second round of funding stood at a “manageable” 19, DCMS opted to put all of these forward to the full assessment stage.
In addition to Hacker House, a further five applications that would have failed to fulfil gateway requirements were progressed for review – and two of those ultimately received funding, meaning that three of the five companies awarded grants in the second round of funding would have been disqualified if requirements had been enforced as planned.
CSIIF approved Hacker House to receive a reduced amount of £100,000.
According to the review, the programme’s approvals board found that “although this initiative does not meet the ‘immediate’ aspect of CSIIF, we feel this initiative may, in the longer term, provide an effective solution that identifies, trains and places candidates into cybersecurity roles”.
Further approval for the £100,000 award was granted by the department for Business, Energy and Industrial Strategy, whose officials advised that any amount less than €200,000 would be acceptable as “de minimis aid” under state aid guidelines.
One notable step that DCMS officials failed to take – for Hacker House and all other organisations awarded funding – was conducting DBS checks on senior managers at the companies in question.
In a letter to the House of Commons DCMS Select Committee, culture secretary Nicky Morgan acknowledged that “this was an administrative error”.
“There is no evidence to suggest that, had the check been completed, the grant award decision would have been different,” she said. “Nonetheless, it is regrettable that the department did not implement this step. I have asked my officials to ensure that processes are strengthened and that steps are taken to remedy this omission.”
Morgan added: “My officials will focus on enhanced monitoring, ongoing due diligence, and tangible outcomes of all initiatives currently in receipt of grant funding through CSIIF… I have [also] asked my officials to consider whether there are improvements that can be made to the department’s approach to awarding innovative and novel grant initiatives, particularly where we are seeking to stimulate nascent markets. External advice will be sought where appropriate.”
Location, location, location
The goal of the CSIIF programme is to fund training programmes that “quickly increase the number and diversity of individuals entering into cybersecurity”.
The money awarded to Hacker House came under scrutiny after Arcuri and Johnson’s friendship – and the fact the two had been on several foreign trade missions together during his time as London mayor – became public knowledge. The Hacker House CEO has since indicated that Johnson never showed her any favouritism, and that all grant money awarded to the firm and any publicly funded trips she had been selected for had been earned legitimately.
In her letter to the select committee, Morgan said: “I would like to emphasise again that any notion that the prime minister or his advisers influenced – whether directly or indirectly – any aspect of the due diligence, assessment or award of any grant funding made through the CSIIF is simply not true.”
The culture secretary also used the letter to address the issue of Hacker House’s location. Callers to the UK phone number on the company’s website have found they are put through to a receptionist in the US, while the firm’s registered office at Companies House was previously a terraced house in Macclesfield, before being updated to the address of a “virtual office” provider in central London.
The culture secretary noted that CSIIF rules stipulate that all programmes need to be “carried out in England” – but do not include any requirement that firms “maintain a corporate presence in the UK”.
"Any notion that the prime minister or his advisers influenced... any grant funding made through the CSIIF is simply not true"
She added: “Companies House records show that the address given was Hacker House Ltd’s registered address on the date of application – this was verified by DCMS as part of the application process against both the register maintained by Companies House, as well as against bank statements supplied by Hacker House Ltd. As such, while not a requirement of the grant, Hacker House was a UK-registered company.”
Of the £100,000 grant funding, Hacker House has so far been paid £47,000 for work it has already completed. The award of the remaining £53,000 was “paused” while the review took place.
Now that process has concluded, PublicTechnology understands DCMS officials will presently meet with Hacker House to discuss how to proceed, and if and when planned work will recommence.
A major government-commissioned study found that about half of UK organisations are lacking basic security skills. PublicTechnology talks to the researchers behind it to find out where...
Introducing a dedicated week of features, interviews and exclusive research
For governments and armed forces around the world, the digital domain has become a potential battlefield. But this new realm of warfare brings with it many ethical and legal complications....
We are approaching the fourth anniversary of the foundation of the NCSC and the threats it was created to respond to loom larger than ever. PublicTechnology examines the growth of the UK’...
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
HPE shows why organisations are increasingly seeking to understand and consider the environmental impacts of their IT purchasing decisions
HPE makes the case for hybrid cloud services to transform and enhance relationships with citizens...