The Department for Science, Innovation and Technology (DSIT) is seeking views on its recently published draft Cyber Governance Code of Practice (the Cyber Governance Code).

In this short analysis, we ask:

  • Why do we need the Cyber Governance Code?
  • What does DSIT want to know?
  • How can your business strengthen its cyber defences?

Why do we need the Cyber Governance Code?

High-profile cyber-attacks and data breaches are hitting the headlines on an almost daily basis. However, these represent just the tip of the iceberg: an estimated 2.39 million instances of cybercrime affected UK businesses in the 12 months up to December 2023.

While 71% of businesses and 62% of charities report that cyber security is a high priority for their senior management, our analysis of the Cyber Security Breaches Survey 2023 results shows a different trend of dwindling board engagement. In the 12 months preceding the Survey, only 18% of businesses and 17% of charities provided their staff with formal training on cyber security risks.

Given the potentially devastating effects of cyber-attacks (on the business itself, customers, employees and other key stakeholders), it is vital that executive and non-executive directors are fully aware of how cyber risk sits within the risk landscape for their organisations. DSIT rightly considers that in the current digital landscape "cyber risk should have the same prominence as financial or legal risks" for board members.

To this end, DSIT's draft Cyber Governance Code (drawn from a wealth of cyber-security best practice and resources) sets out a blueprint for top-down cyber governance.

What does DSIT want to know?

DSIT is looking for views on three broad areas:

  • Design – is the design of the Cyber Governance Code suitably straightforward, making it easy for boards to understand and implement?
  • Driving uptake – how can DSIT best drive uptake of (and compliance with) the Cyber Governance Code? Which other organisations should play a role in promoting the Cyber Governance Code and are there any potential barriers to implementation?
  • Assurance – is there demand for an assurance process to accompany the Cyber Governance Code?

Given that this is such an important area, we would encourage all organisations to engage with the consultation, whether directly, or through your Trowers & Hamlins cyber contacts.

How can your business strengthen its cyber defences?

With a potential change in government on the horizon in 2024, businesses would be best advised not to sit and wait until DSIT publishes a finalised Cyber Governance Code. Regardless of the Cyber Governance Code, cyber resilience should be at the top of your agenda now, and an issue that board members should be getting to grips with and prioritising without delay.

Taking a pre-emptive look at your organisation's cyber risks now will leave you better placed to deal with the fallout from a cyber-attack, whether that is an attack on you, your supply chain, your customer base, or all of the above.

CyberSecure 360 is our service designed to provide your organisation with expert guidance and comprehensive services, aimed at strengthening your business against ever-evolving cyber risk. Whether you are looking to test your cyber-readiness, or seeking assistance with mitigating the impact of a breach, our unique cyber risk management services will help you embark on your cyber journey with confidence.

Contact us at to discuss.