The new Cyber Governance Code of Practice is aimed at making cyber security issues a top priority for businesses, on a par with other threats such as financial and legal pitfalls.
As part of this, the code recommends that directors set out clear roles and responsibilities across their organisations to improve protections for customers and safeguard their ability to operate safely and securely.
A key focus of the code, designed in partnership with industry directors, cyber and governance experts, and the National Cyber Security Centre (NCSC), is making sure that companies have detailed plans in place to respond to and recover from any potential cyber incidents. The plan should be regularly tested so that it’s as robust as possible, with a formal system for reporting incidents.
Organisations are also encouraged to equip employees with adequate skills and awareness of cyber issues so that they can work alongside new technologies with confidence.
The government wants all businesses with an interest in cyber and governance issues to share their opinions on the draft code, thus helping to shape and deliver improved cyber security throughout the UK.
Viscount Camrose, Minister for AI and intellectual property, said, “Cyberattacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes - protecting their customers, workforce, business operations and our wider economy.
“This new code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work.
“It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views.”
The introduction of the Cyber Governance Code of Practice marks a pivotal step in how the leaders and directors of all organisations approach cyber risk, underpinning the UK’s credentials as a cyber power and protecting its economy.
New statistics and analysis showing the positive impact of the government’s Cyber Essentials scheme, which helps organisations protect against common cyberattacks, will also be published today. Through the scheme, organisations which demonstrate that they have vital cyber security controls in place, including effective management of security updates, having suitable anti-virus software and removing default passwords, will be awarded a Cyber Essentials certificate. In the last year, 38,113 certificates have been awarded to organisations, with two in five (39 per cent) of the UK’s largest businesses now holding the accolade.
New analysis of the Cyber Security Breaches Survey also shows that around two thirds (66 per cent) of businesses which adhere to Cyber Essentials have a formal cyber incident response plan, compared to just 18 per cent of those who don’t follow it.
Lindy Cameron, National Cyber Security Centre CEO, said, “Cyber security is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats.
“This new Cyber Governance Code of Practice will help ensure cyber resilience is put at the top of the agenda for organisations and I’d encourage all directors, non-executive directors, and senior leaders to share their views.
“Senior leaders can also access the NCSC’s Cyber Security Board Toolkit, which provides practical guidance on how to implement the actions outlined in the code, to ensure effective management of cyber risks.”
To further help organisations improve their cyber security and provide more clarity on best practice, the government is also publishing its response to a call for views on software resilience and security today, to help address software risks and make organisations more resilient to cyber threats.
The plans include measures to ensure software is developed and maintained securely, with risks being better managed and communicated throughout supply chains. The government is working with industry to develop these proposals further, from developing a code of practice for software vendors, which will form the crux of this proposed package, to cyber security training for professionals.
The call for views, which will be open until March 19, 2024, will help ensure this new code is straightforward to understand and roll out, and will also help to identify any potential barriers organisations could face in bringing it into force.
The work is part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online.