New Government Cyber Governance Code of Practice – it’s a question of leadership
Our preferred supplier Mitigo Cybersecurity give an update on the New Cyber Governance Code of Practice.
The government is continuing to press UK businesses to take a stronger approach to improving cyber resilience and ensure that all organisations of all sizes are prepared for cyber incidents. To this end, the government is issuing a new Cyber Governance Code of Practice. The intention is to highlight the fact that cyber risk should have at least the same prominence as financial or legal risks, and the responsibility and ownership of cyber resilience is a board level matter.
Why is the government doing this? This is hardly surprising given the increase in serious disruption to businesses across the country caused by cyber-attacks, largely driven by organised criminal gangs based overseas. Ransomware attacks take businesses down for many weeks or months at a time and can leave them permanently crippled. The average ransom payment in 2024 was £1.5 million (National Crime Agency) but can run into many millions of pounds. Business email compromise is rife (especially in law firms and the rest of the professional services sector), frequently resulting in significant sums being lost by firms and their clients. Yet despite all this, the 2024 government cyber breach survey found that over 80% of businesses have still not carried out a cyber security vulnerability audit, and over 70% have no formal incident response plan in place. The government believes that many boards and senior leaders have a lack of understanding of cyber issues, with little or no meaningful oversight of this business-critical risk. Indeed, it is often delegated to technical people and not looked at in the context of wider business risk management.
Who is the Code aimed at? It is aimed at directors, non-executive directors and other senior leaders. It formalises the government’s expectations regarding an organisation’s governance of cyber security and sets out the clear actions that leaders need to take to meet their responsibilities in managing cyber risk. It will of course be of interest to other stakeholders in a business including shareholders. It should make for essential reading for all private equity investors. It is designed to have application to businesses of all sizes and in all sectors. The government in particular says that it expects it to be implemented by companies employing 50 or more staff.
Will it be compulsory? At this stage, adherence to the Code will be voluntary. It will supplement the existing legal obligations which any business already has under data protection legislation. In this context, following the cases of Tuckers and Interserve, the ICO will certainly be taking a failure to adhere to the Code into account in the event of a personal data breach. The ICO has already stated that it expects to see clear evidence of management oversight of cyber risk, including regular reviews, with business leadership ensuring appropriate resources are provided to enable a proper information security programme. Interestingly, the government says that it will be exploring how the Code can also be used to support sector regulators to help with regulatory compliance. Additionally, it says that it expects to establish an accompanying assurance scheme to be rolled out at a later date. And finally, whilst the Code will initially be voluntary, depending upon take-up, it could be the subject of future legislation.
What does the Code say?
There are 5 main themes. Here are some of the actions.
Risk management. This includes identifying important processes and services; conducting regular cyber risk assessments; and implementing the appropriate controls and mitigations. Ownership of risks should be at board level. Supplier and business partner risks should be routinely assessed.
Cyber strategy. Boards should have a cyber resilience strategy, having regard to their level of accepted risk and their legal and regulatory obligations. It should be monitored and reviewed as the risk environment changes, with sufficient allocation of resources and investment.
People. Boards should ensure the importance of cyber resilience is communicated to all staff, with clarity on the cyber security policies that support the right culture. There should be training for the board itself and for the rest of the staff, and its effectiveness should be measured.
Incident planning and response. The plan to respond to and recover from a cyber incident should be tested at least annually. In the event of an incident, the board should take responsibility for individual regulatory obligations and ensure a post incident review process.
Assurance and oversight. The board should establish a governance structure, to include a regular monitoring process with defined responsibilities and ownership for executives and non-executives. Formal board reporting should take place at least quarterly. Cyber resilience should be integrated across both internal and external assurance mechanisms.
What is the upshot?
The upshot is that if cyber security is not at or near the top of your register of business risk, then it should be. And it is the board that must accept responsibility for understanding it, managing it, and providing oversight. In other words, a top-down approach.
Mitigo are LawNet’s preferred supplier for cyber risk management. Find out more about Mitigo’s Cybersecurity Services here. LawNet members can book a free no-obligation consultation, email lawnet@mitigogroup.com or call 0161 883 7849.