Boards Urged to Follow New Cyber Code of Practice

A new government initiative launched today aims to improve cyber-resilience across UK organizations by providing new guidance for boards.

The Cyber Governance Code of Practice describes the actions company directors and board members need to take to ensure cyber-risk is managed effectively.

The government argued that improving oversight at this level is vital to growing the economy, given that 74% of large and 70% of medium-sized firms experienced attacks and breaches in the past year. It claimed that such incidents cost the national economy almost £22bn a year between 2015 and 2019.

Cybersecurity minister Feryal Clark said that successful cyber-attacks can disrupt operations and “drain millions” from the bottom line.

“If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat,” Clark added.

“Our new Cyber Governance Code of Practice does exactly that – setting out in clear terms steps organizations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers.”

Designed for medium and large-sized businesses, the code and associated resources were produced by experts from the National Cyber Security Centre (NCSC), the Department for Science, Innovation and Technology (DSIT), the Institute of Directors, professional body NEDonBoard, and many others.

It includes:

  • A code of practice which describes the actions boards must take to effectively manage cyber-risk in their organization
  • A training package to explain why the code is important and how to implement its steps
  • A Cyber Security Toolkit for Boards which provides “in-depth resources” to improve cyber-risk governance

Five Modules

According to the NCSC, the Cyber Governance Training package is built around the five pillars of the code: risk management; strategy; people; incident planning, response and recovery; and assurance and oversight.

It claimed each module takes just 20 minutes to complete.

“The vast majority of modern businesses rely on information, data and digital technology to function. This means that cybersecurity risk – like financial and legal risk – needs to be on the board’s agenda,” argued NCSC CEO Richard Horne.

“Throughout my career, I’ve seen firsthand how cybersecurity is essential for driving growth, strengthening resilience, and ensuring long-term success. This is now happening against a backdrop where increasingly complex supply chains make it more challenging to understand the cyber-risk to a company’s operations, and therefore more critical to govern cyber risk effectively.”

The new code of practice comes at a time when regulators are placing greater scrutiny on directors and board members. NIS2, for example, holds senior management directly responsible for serious infractions.

Smaller businesses are encouraged to consult the NCSC’s Small Business Guide.