Beverley Flynn

Partner, Stevens & Bolton LLP

Sinead Hughes

Associate, Stevens & Bolton LLP

The UK’s Cyber Governance Code of Practice

By Beverley Flynn and Sinead Hughes

Beverley Flynn and Sinead Hughes discuss the government’s proposed voluntary Cyber Governance Code of Practice and what it would mean for businesses

Cyber-attacks can pose a major threat to organisations in the UK, with the potential for far-reaching consequences on the value of the business, as well as trust, reputation and revenue. The government has launched a voluntary Cyber Governance Code of Practice (the ‘Code’) made up of a set of principles and actions, co-designed with industry leaders and technical experts at the National Cyber Security Centre.

The aim of the Code is to seek to ensure that cyber risk and resilience move higher up the board agenda and have equivalent prominence given to them as financial and legal risk. The purpose is to have a strategy on accountability and good governance applicable to cyber risk, and to encourage business owners and directors to give greater thought to cyber resilience. This in turn will enable a circle of trust and allow UK businesses to gain greater strength and cyber security.

Following the government’s call for views and request for feedback from businesses on the draft Code, it is also worth noting that, for law firms, the Information Commissioner’s Office recently published the legal services operational privacy certification scheme. The scheme sets out a number of standards and internal governance controls to help law firms take practical steps to promote best practice within their own firm and supply chain, improve efficiency and give confidence to clients.

The Code itself is ‘framed in language that directors use’, in order to set clear and accessible expectations on the actions that they should be taking to manage cyber security risks. It is designed to support the government in its objective to improve cyber resilience as part of its £2.6bn National Cyber Strategy. It sets out principles and actions for directors and business leaders to help with the implementation of effective cyber governance within their organisation.

“The growing use of emerging technologies, such as artificial intelligence, across organisations has elevated the importance and necessity of directors’ taking action on how to govern their implementation, harnessing their power to capitalise on the advantages they provide, while appropriately managing and mitigating their risks.” - Viscount Camrose

The digital landscape

Advances in technology, including the pace of change, the increased interoperability of the digital supply chain, the ever-increasing advance of threats and the evolution of new technologies such as artificial intelligence, all contribute to the digital landscape. As digital technologies play a more systemic role for organisations, this brings new and increased cyber risk that is no longer just an IT problem, but a ‘critical vulnerability that directly influences the health of the collective enterprise’. The government reported in its 2022 ‘Digital Regulation: driving growth and unlocking innovation’ Policy Paper that digital businesses are often operating without appropriate guardrails, and that there is a requirement for clarity for businesses and consumers alike.

The current legal landscape for digital regulation involves a number of overlapping laws and regulations, with over 10 direct regulators in key areas, such as online safety, data protection, financial services, cyber security and competition. The government comments in the Code that it will seek to work with regulators to complement existing regulations and deliver a more joined-up approach.

The Code, together with a number of other major legislative changes that have been made or are proposed, is likely to impact organisations using digital technologies:

  • The Network and Information Systems Regulations 1 and 2 (NIS) require that organisations providing digital services must ensure they have in place a high level of security to prevent any action that compromises either the data they store or any related services.
  • The introduction of the Online Safety Act 2023 has pushed online safety to the top of the agenda for many organisations, as the new legislation holds organisations accountable for the content on their platforms and the safety of their users, with heavy fines for non-compliance.
  • The landscape for data protection is also set to change with the possible introduction of the draft Data Protection and Digital Information Bill amending the current UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).
  • The UK recently introduced the draft UK Product Security and Telecommunications Infrastructure Regulations 2023, which are akin to the EU Cyber Resilience Act, and set out minimum security requirements for importers, manufacturers and distributors of goods that are connected to the internet, or that can be directly or indirectly connected to an internet connectable product.
  • The government launched a “Smarter regulation: UK product safety review” consultation on the reform of the UK’s product safety regime. This ‘Product Safety Review’ seeks to update the UK’s product safety legislation to reflect emerging digital technologies, including artificial intelligence, in order to address perceived shortcomings in the UK resulting from the EU General Product Safety Regulation.

Navigating the breadth of these regulations together with the EU landscape, such as the EU Data Act and the EU AI Act, can be a struggle for organisations. In particular, as cyber security has become a significant risk to the viability of organisations, the government has stated in its call for evidence that there is an absence of guidance for directors to engage with cyber risk governance from the ‘top down’, and to tackle these issues at board level.

What is cyber governance?

Cyber governance is an organisation’s strategy for managing cyber security risk, from the top down. To do so, senior leaders in an organisation are required to take ownership of cyber risk; this will often involve:

  • identifying the organisation’s risk appetite,
  • building a framework or system to manage and mitigate those risks, and
  • establishing who is responsible for decision-making.

It appears that organisations can struggle to engage with the management of cyber risk at board level. The Cyber Breaches Survey 2023 found only three in ten businesses have board members or trustees explicitly responsible for cyber security as part of their job role. Additionally, the government’s Cyber Security Incentives and Regulation Review 2020: call for evidence reported that organisations find the cyber landscape complex and challenging to navigate, with 83 per cent of respondents stating that there is a strong need among organisations for an additional government solution to illustrate ‘what good looks like’.

What does the current board-level framework for cyber governance look like?

Although there are a number of regulations directly governing digital technologies and cyber security, there is currently no specific regulatory framework governing cyber governance for UK organisations.

Various statutory and regulatory requirements address risk management more generally at board level, such as the Companies Act 2006 and other frameworks for certain larger businesses, including the Corporate Governance Code. These requirements mean that directors and boards should manage and mitigate risks facing the organisation. As the use of digital technologies increases, cyber security is one such risk, and therefore ensuring that it is adequately mapped and addressed is critical to growing business value and promoting continuity.

In recent years, the UK’s National Cyber Security Centre has published a number of tools for boards of UK organisations. For example, the Cyber Security Toolkit for Boards is designed to increase boards and senior leaders’ confidence in discussing cyber security with their key stakeholders across the business and help them make informed decisions. Additionally, the Cyber Assessment Framework articulates the outcomes expected of regulated companies, including on areas of governance such as board direction and assurance.

Despite these tools, the Cyber Security Breaches Survey 2023 found that board engagement on cyber governance has continued to decline since 2021. There remains further demand for support from the government to help organisations govern cyber risk.

The Code would be launched as a voluntary tool, without its own statutory footing, but would align with a number of existing regulations. The government is exploring using the Code to support regulators, and to understand how it can be used to assist with regulatory compliance, including with the UK GDPR and NIS. Like the UK GDPR, the Code takes a principles-based approach that allows an organisation to understand and establish its own approach to security risk management and related decision-making processes.

The Code’s principles

The Code takes the form of five overarching principles. Each principle is linked with relevant actions for directors to take, each drawn from best practice. The overarching principles are summarised below, together with the actions that back each one up, creating a useful framework for business leaders.

Principle 1: Risk Management

  • Identify priorities and agree critical digital processes, information and services.
  • Conduct regular risk assessments to keep up with the changing internal, external and regulatory environments.
  • Decide on the level of cyber security risk that is acceptable to the organisation.
  • Allocate ownership within the organisation for cyber security risks.
  • Undertake routine assessment of supplier information commensurate to the level of risk, and ensure the organisation is resilient against cyber security risks associated with suppliers, stakeholders and partners.

Principle 2: Cyber Strategy

  • Monitor and review the cyber resilience strategy in accordance with the level of cyber risk, in the context of legal and regulatory obligations.
  • Monitor and review the delivery of the strategy in line with business risks and the changing risk environment.
  • Ensure appropriate allocation and use of resources and investment.

Principle 3: People

  • Sponsor communication on the importance of cyber resilience to the organisation’s strategy.
  • Create clear cyber security policies and support a positive cyber security culture.
  • Undertake training to ensure cyber literacy.
  • Develop and deliver an effective cyber security training, education and awareness programme with metrics in place to measure its effectiveness.

Principle 4: Incident Planning and Response

  • Ensure that the organisation has a plan in place to respond to, and recover from, a cyber incident impacting business-critical processes, technology and services.
  • Undertake regular testing of the plan and associated training for internal and external stakeholders.
  • Following a cyber security incident, take responsibility for individual regulatory obligations, and support executives in critical decision-making and external communications.
  • Undertake a post-incident review process to incorporate lessons learned into future response and recovery plans.

Principle 5: Assurance and Oversight

  • Establish a governance structure, with clearly defined roles and responsibilities, and ownership of cyber resilience at an executive and non-executive director level.
  • Undertake regular monitoring of cyber resilience, review respective mitigations and the cyber resilience strategy.
  • Establish regular two-way dialogue with senior executives, including the chief information security officer or relevant risk owners.
  • Undertake formal reporting on, at least, a quarterly basis and agree a target range for each reporting measurement.
  • Establish a strategy to ensure that cyber resilience is integrated across internal and external assurance mechanisms.

The call for views runs from 23 January to 19 March 2024. The government is seeking feedback on the design of the Code, ways to drive uptake, whether there is demand for external assurance of the Code, and any barriers to implementation.

Beverley Flynn is head of IT and data protection, and Sinead Hughes is an associate in the commercial and IT team, at Stevens & Bolton