UK Cyber Governance Code of Practice: what it could mean for you

The UK Government recently closed its consultation on a new Cyber Governance Code of Practice (the Draft Code). The Draft Code is aimed at providing directors and boards with practical guidance on things they can do to promote cyber governance and improve their general cyber security posture, so they are best placed to defend against, respond to, and recover from any potential cyber incidents.

With the importance of cyber resilience increasing, Partner, Rosehana Amin and Senior Associate, Georgia Schulberg, discuss the implications of the Draft Code and what this may mean for organisations. 

The proposed Cyber Governance Code of Practice

The proposed Draft Code forms part of the government’s plan to improve cyber resilience, as set out in their 2022 National Cyber Strategy, which outlined that £2.6 billion will be invested into cyber and legacy IT. The Strategy sets out the government’s approach to ensure that the “UK remains confident, capable and resilient in this fast-moving digital world” and to protect and promote UK interests in cyberspace. These developments stem from the government's recognition that whilst the UK must capitalise on the opportunity presented by the growing cyber and tech landscape (as this is fundamental to doing business), the risks associated with its adoption and use must be managed proportionately. 

The Draft Code, which was jointly developed by the Department for Science, Innovation and Technology, industry leaders and the National Cyber Security Centre (NCSC), seeks to respond to the growing risks of cyber security, such as increasing opportunities “for malicious actors to exploit vulnerabilities in IT systems and disrupt business continuity.” As noted by the government, figures show that “almost one in three (32%) firms have suffered a cyber breach or attack in the past year, with a rise in damaging ransomware attacks and malicious actors posing significant threats as they look to take advantage of cyber security vulnerabilities.”

As these risks continue to materialise, the government considers that cyber security risks should have as much “prominence as financial or legal risks”, and that cyber risk management processes should be integrated “with existing business resilience and risk management practices.” 

This will therefore require boards and directors of all sizes of organisation to “embrace, engage with and understand cyber security within their own organisations.” Neglect for cyber security and a lack of understanding with respect to cyber in the wider business continuity context currently conveys the idea that “many senior leaders are failing to take responsible action to mitigate threats to business operations.”

However, in consulting on this Draft Code, the government hopes to ensure better governance, which is pivotal to improving cyber resilience, utilising a top-down approach in which senior leaders of organisations can take ownership of cyber security issues. 

Scope and objectives of the Draft Code

With the introduction of the Draft Code, the government hopes to formalise expectations of directors in relation to managing cyber risks. This follows the results from the 2020 Cyber Security Incentives and Regulation Review, which showed that organisations found the cyber landscape complex and challenging to navigate, with 83% of respondents calling for “additional solutions to illustrate ‘what good looks like’.”

To achieve this, the Draft Code outlines the scope of recommendations through proposed ‘actions’ under five key principles: 

1. Risk management: The proposal outlines five actions in relation to risk management which are geared towards ensuring that cyber security risks are adequately accounted for as part of “the organisation’s broader enterprise risk management and internal control activities.”
2. Cyber strategy: The Draft Code is aimed at ensuring that businesses regularly monitor and review cyber resilience strategies. In addition, the actions will seek to ensure that “appropriate resources and investment are allocated and used effectively to develop capabilities that manage cyber security threats and the associated business risks.”
3. People: As part of ensuring cyber resilience, the Draft Code outlines actions in relation to encouraging a positive cyber security culture within organisations, such as ensuring that there are clear cyber security policies, increasing cyber literacy by conducting training, and having metrics in place to measure the effectiveness of these programmes. 
4. Incident planning and response: A key goal of the Draft Code is ensuring that organisations have detailed plans in place to respond to, and recover from, potential cyber incidents. To address this, the Draft Code requires regular (at least annual) testing of plans to ensure that they are robust, with a formal system for reporting incidents and a post-incident review process in order to incorporate the lessons learned. The actions also encourage equipping employees with adequate skills and awareness of cyber issues, so they can work alongside new technologies in confidence. 
5. Assurance and oversight: The final actions outlined in the Draft Code establish measures to strengthen cyber resilience through governance and defined roles and responsibilities. Cyber risk governance, as noted in the Draft Code, will be key to ensuring that organisations can take “full advantage of digital technologies which fuels innovation and drives their competitiveness.”

Value of compliance 

Whilst the Draft Code would be launched as a voluntary tool without statutory footing, the government will work closely with regulators, such as the Information Commissioner’s Office (ICO), to understand how the Draft Code can be used to ensure compliance with other legislation such as the General Data Protection Regulation (GDPR) and the Network and Information Systems Regulations (NIS). Given the “material risk” that cyber security poses to businesses, uptake of the Draft Code will be encouraged to ensure that organisations remain ahead of these issues and to ensure the integrity of the UK economy. 

While it remains unclear whether the government will seek to implement an assurance scheme in connection with the proposed regime, it recognises that doing so could promote implementation and compliance. There can be significant benefits of assurance, as noted within our previous article, here, on the first certification scheme for legal service providers to be approved by the ICO:

• Similarly to the certification scheme, adherence to and assurance against the Draft Code may reduce the risk of cyber incidents via the development and monitoring of a robust cyber security strategy. 
• Additionally, assurance would enable numerous stakeholders such as shareholders, customers, insurers, and business partners to “derive confidence in an organisation that has external assurance of their governance of cyber risks.” Assurance would therefore provide a direct way in which to demonstrate to key parties that cyber resilience is integrated into business management plans.
• As another important consideration, the ICO may consider certification as a mitigating factor when considering enforcement action in the event of a data/cyber incident. As noted in the ICO’s recent Data Protection Fining Guidance, published 18 March 2024, “the Commissioner will have regard to adherence to approved codes of conduct pursuant to Article 40 UK GDPR or approved certification mechanisms pursuant to Article 42 UK GDPR.” Consequently, assurance against the Draft Code and taking all steps necessary with regard to data and cyber security infrastructure may reduce the propensity for enforcement actions in the event of a breach.
• Data breaches also have statutory notification requirements under s.67 of the Data Protection Act 2018 and Article 33 UK GDPR. Therefore, having thorough incident response planning, including reporting, as required under the Draft Code, will support organisations’ abilities to adhere to regulatory expectations. 

Next steps 

The consultation and call for evidence closed on 19 March 2024, so it remains to be seen how the evolution and design of the Draft Code will develop, aligned with any feedback received. The current indication is that the government will provide their response this summer. 

It is essential for boards and directors to carefully consider their exposure to cyber risk. We would always recommend the implementation of policies and procedures to ensure your readiness for any cyber incident. Clyde & Co’s readiness services assist in improving your organisation’s cyber resilience, ensuring you are in the best position to respond to an incident. We highlight many of the actions now proposed in the Draft Code, such as offering guidance on an effective incident response plan and testing this plan by way of our Cyber Tabletop and Simulation Exercises, offering an informal operational environment for team members to build their understanding of the incident response process, consider key decision points, and align on roles and responsibilities.