Out-Law News

CEO pay should depend on cybersecurity, say MPs


Chief executives should forfeit some of their pay if the businesses they run do not have "effective cybersecurity", a committee of UK MPs has said.

The Culture, Media and Sport Committee said that chief executive officers (CEOs) should assume "ultimate responsibility for cybersecurity within a company" but that "day to day responsibility" for cybersecurity should be allocated to another person in the business, such as the chief information officer or head of security.

Those tasked with everyday cybersecurity responsibilities should be subject to "Board oversight" and sanctions if "the company has not taken sufficient steps to protect itself from a cyber attack", it said.

To ensure cybersecurity is given sufficient attention at the top of businesses, however, "a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board", the Committee said.

The Committee's comments came in a new report it published at the end of its inquiry into cybersecurity and the protection of personal data, which it opened in the aftermath of the data breach experienced by TalkTalk last year.

The Committee also said that businesses should be required to make a number of new cybersecurity disclosures to spur more "proactive monitoring of security processes". It recommended that "organisations holding large amounts of personal data" make annual statements to the UK's Information Commissioner's Office (ICO) on a range of cybersecurity practices and procedures, including notifying the ICO of "staff cyber-awareness training" and providing the watchdog with details of "when their security processes were last audited, by whom and to what standard(s)".

The Committee said the organisations should also inform the ICO about their incident management plan and testing. To combat fraud via fake communications the organisations should also notify the ICO of the "guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine" and "the number of enquiries they process from customers to verify authenticity of communications".

The Committee said the organisations should also report "the number of attacks of which they are aware and whether any were successful".

The proposed disclosure obligations reflect the need for organisations to show they are spending money on cybersecurity in an effective way, it said.

"Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened," the Committee said. "Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place."

The Culture, Media and Sport Committee also said that the ICO should introduce incentives to encourage businesses to report cyber attacks or data breaches promptly. It said businesses should also face "higher fines" if they have not "already provided guidance to all customers on how to verify communications".

The UK government was also encouraged to give the ICO new powers to compel local authorities to submit to data protection audits, and to bring into force dormant UK legislation that would allow the courts to sentence criminal data protection offenders to up to two years in jail for unlawfully obtaining and selling personal data.
