Wed 23 Apr 2025

UK Government Publishes Cyber Governance Code of Practice: A Focus for Directors and Boards

According to the Cyber Security Breaches Survey 2024, 50% of businesses and 66% of high-income charities experienced cyber security breaches or attacks last year, with those figures even higher for large and medium-sized businesses. To help manage cyber security risks, the Department for Science, Innovation and Technology has published the Cyber Governance Code of Practice, available here.

What is the Cyber Governance Code of Practice?

The Cyber Governance Code of Practice ("the Code") serves as an essential guide for boards and directors of public sector and private organisations. It outlines the key governance actions boards and directors must take to protect their organisations from cyber threats. Intended to be the first point of reference for boards and directors, the Code focuses on integrating cyber security risks into wider organisational strategies, risk management frameworks and operational planning.

It encourages boards and directors to adopt a proactive approach to mitigating cyber threats, enhancing business resilience and fostering a culture of cyber security awareness throughout the organisation.

Boards and directors are expected to familiarise themselves with the Code to build and maintain cyber resilience. It emphasises that they must lead on securing their organisation’s digital infrastructure by setting a clear strategy for managing risks, embedding a security-conscious culture and ensuring preparedness for cyber incidents. Although primarily written for large and medium-sized organisations, the UK Government recommends that smaller organisations also adopt the Code’s principles. While it is not intended for those managing cyber security on a day-to-day basis, it is a valuable tool to remind boards of their responsibilities.

Despite the increasing importance of cyber security, findings from the Cyber Security Breaches Survey 2024 reveal that only 30% of UK businesses and charities have board members or trustees with explicit responsibility for cyber security. This gap highlights the pressing need for boards and directors to engage actively in cyber governance to protect their organisations from escalating digital threats. The UK Government regards the Code and the Cyber Essentials Certification Scheme as setting the minimum standards organisations should meet to manage cyber risk. The Code is also supported by Cyber Governance Training and the Cyber Security Toolkit for Boards, provided by the National Cyber Security Centre, available here.

Key Areas of Focus

Risk Management

Boards and directors are responsible for ensuring their organisations identify, prioritise and mitigate risks associated with critical technologies and services. This includes conducting regular risk assessments and managing risks from suppliers and the broader business ecosystem.

Strategy

The Code highlights the need to align cyber security strategies with organisational goals. This involves appropriate resource allocation, integration with business planning and ongoing reviews to ensure the strategy reflects the organisation’s evolving risk profile.

People

Boards and directors must ensure cyber knowledge is promoted across all levels of the organisation. This includes implementing clear policies, delivering training and establishing accountability frameworks to support a strong cyber security culture.

Incident Planning, Response and Recovery

The Code requires organisations to have a comprehensive plan for responding to and recovering from cyber incidents. These plans should be regularly reviewed and tested to ensure organisational readiness in the face of a cyber crisis.

Assurance and Oversight

Boards and directors should establish clear roles and responsibilities, implement quarterly reporting, hold regular discussions with senior executives, ensure awareness of regulatory obligations and integrate cyber security considerations into audit and assurance processes.

Why Should Boards be Concerned?

Cyber incidents can have devastating consequences, from business disruption to reputational damage and loss of customer trust. With cyber threats becoming more sophisticated and frequent, board-level involvement is no longer optional but essential.

By adopting the principles outlined in the Code, organisations can strengthen their cyber resilience. The Code equips boards with the necessary tools to manage cyber risks strategically, enabling the continued use of digital technologies without compromising security. Whether an organisation is a small business or a large corporation, the principles of the Code offer a clear and practical roadmap to achieving strong, sustainable cyber governance.

Smaller organisations are also encouraged to access further support via the NCSC’s website for dedicated resources for small and medium-sized organisations.

Although the Code is currently a voluntary framework, the UK Government will monitor its adoption and improvements in cyber governance. Legislation has not been ruled out should further action be deemed necessary.

Conclusion

As cyber threats evolve, so must the approach to cyber governance. Boards and directors have a vital role to play in guiding their organisations through these risks by adhering to the Code. Through comprehensive risk management, strategic alignment, strong cyber culture and effective incident planning, they can help secure the future of their organisations.

Should you have any queries regarding compliance with the Cyber Governance Code of Practice or your legal responsibilities in managing cyber security risks, please contact David Gourlay or another member of the Manufacturing, Media & Technology team at MFMac.

This article was co-authored by Sasha Fothergill, Trainee Solicitor in MFMac's Commercial team.
