Boards and Directors have a key part to play in cyber resilience and managing risk, and those organisations who engage with the issues at Board level can mitigate the risks more effectively. Recognising this, the UK government has introduced the Cyber Governance Code of Practice (the Code), a comprehensive framework designed to bolster cyber security governance across organisations. Published by the Department for Science, Innovation & Technology (DSIT), the Code aims to equip boards and directors with the necessary tools to effectively govern cyber security risks. As cyber threats continue to evolve, this Code represents a significant step towards enhancing the resilience of the UK's digital infrastructure.
Key Components of the Code
The Code sets out a framework to understand risk, gain assurance, and set strategy and risk appetite. It is structured around five main areas:
- Risk Management: Ensuring that organisations identify and prioritise critical technology processes and integrate cyber security risks into wider risk management and internal controls, including agreeing senior ownership of those risks.
- Strategy: Aligning cyber strategy with organisational goals and ensuring resources are allocated effectively to manage cyber risks.
- People: Promoting a positive cyber security culture and providing training to improve cyber literacy among board members.
- Incident Planning, Response, and Recovery: Establishing plans to respond to and recover from cyber incidents, ensuring regular exercises and post-incident reviews.
- Assurance and Oversight: Embedding cyber governance within the organisation's wider governance structure, requiring regular reporting and dialogue with senior executives.
Understanding the Code
Designed specifically for boards and directors of medium and large organisations in both the private and public sectors, the Code serves as a guide for leadership to understand their responsibilities in governing cyber risks, rather than for those managing day-to-day cyber security operations. It is part of a modular approach to cyber security, complemented by Cyber Essentials, a certification scheme that helps organisations implement fundamental security controls.
The Code outlines critical governance actions across the five key areas highlighted above, each supported by specific actions that boards need to undertake to ensure robust cyber security governance. For example, under risk management, boards are advised to define the organisation's risk appetite for cyber security risk and gain assurance that the risk is managed through internal controls, action plans, risk assessments and reviews of the organisation's supply chain and business partners. This structured approach ensures that boards can effectively oversee and manage cyber risks, aligning them with organisational strategies and goals.
Implications
The Government's most recent Cyber Breaches Survey tells us that whilst 72% of businesses highlight cyber security as a high priority, only 27% of businesses had board members or trustees taking explicit responsibility for cyber security as part of their role.
The introduction of the Code emphasises the importance of leadership engagement in cyber security, recognising that effective governance requires strong involvement from boards and directors. This shift towards leadership-driven cyber security and risk management is expected to enhance organisational resilience, as boards become more proactive in addressing cyber risks.
Moreover, the Code's focus on integrating cyber security into broader organisational strategies highlights the growing recognition of cyber risk as a material threat to business continuity and competitiveness. By aligning cyber strategies with organisational goals and risk appetite, businesses can leverage digital technologies, such as AI, to drive performance while safeguarding against cyber threats.
The Code also underscores the need for a positive cyber security culture, promoting accountability, training and awareness across all levels of an organisation. This cultural shift is crucial in fostering an environment where cyber security is prioritised and embedded into everyday operations.
Final Thoughts
Marking a pivotal moment in the UK's approach to cyber security governance, the Cyber Governance Code of Practice provides a structured framework for boards and directors, aiming to enhance the resilience of organisations against cyber threats.
Recent statistics reveal that 50% of businesses and 66% of high-income charities have reported cyber security breaches or attacks in the past year. The prevalence is even higher among medium (70%) and large businesses (74%). We expect the true numbers to be much larger as these figures only account for those attacks that have been reported. Effective governance of cyber risk is essential to maintaining business continuity, competitiveness, and customer trust. By building and maintaining cyber resilience, organisations can protect their financial viability and leverage digital technologies to enhance business performance.
As cyber incidents become increasingly prevalent, the Code's emphasis on leadership engagement, strategic alignment, and cultural transformation is hoped to drive significant improvements in the UK's cyber security landscape. Organisations that adopt the Code's principles will be better positioned to navigate the complex threat landscape and protect their digital assets.
A copy of the Code can be found here.
If you require any assistance with anything cyber related, please get in touch with our Cyber team here at Trowers.
