With the increasing use of emerging technologies across organisations, boards need to ensure technology implementations are appropriately governed, and the associated risks are managed and mitigated. Avik Chandra analyses the Government's proposed Cyber Governance Code of Practice and outlines your next steps for stronger cyber governance.
Governing cyber risk: What’s expected from boards?
Governing cyber risk: Who’s taking ownership?
Effective cyber security risk governance is essential to organisations’ business resilience and competitiveness. To address this the Government has published a proposed Cyber Governance Code of Practice (the Code), with a consultation period that has just ended. The Code formalises its expectations of boards of directors, of organisations of all sizes, in governing cyber risk, treating it with the same level of importance as any other significant or material business risk.
The proposed Code is intended to be voluntary when implemented – but with cyber risks a significant threat to any organisation with a digital presence, all businesses should consider implementing it. Here we look at its importance, key recommendations, and implications for organisations in the future.
Today, organisations face a higher risk than ever before of being disrupted by both malicious and unintentional cyber security incidents. As the number of cyber threats continues to increase, it's crucial that organisations prioritise risk management strategies to safeguard their assets. The Government’s Cyber security breaches survey 2024 reports that around 74% of large businesses have experienced cyber security breaches or attacks within the past year.
The survey also revealed that while board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations, only 30% of all businesses have board members explicitly responsible for cyber security as part of their job role (63% in large businesses). Lack of knowledge, training and time remained key issues that prevent boards from engaging more in cyber security. The report also highlighted a contrast between more structured board engagement in larger organisations and more informal approaches in smaller organisations, where responsibility is often delegated to third-party providers.
Given the inherent link between business resilience and cyber security risks, the proposed Code emphasises the need for accountability and governance among the board of directors. The mounting cyber risk is no longer just a technology issue, but a critical vulnerability that directly affects the overall health of the organisation.
To effectively govern cyber risk, the new Code recommends a top-down approach. Board members need to take ownership of cyber risk, comprehend the threats that the organisation faces and evaluate the actions taken to manage them. Cyber resilience should be integrated into the organisation's strategy and all relevant business processes, with clearly defined responsibilities for managing cyber resilience across all relevant business domains to prevent silos.
Despite having regulatory requirements and several good practice standards on cyber risk governance, organisations still struggle to navigate the complex cyber landscape. The available resources aren't designed explicitly for company directors, and the language used is unfamiliar, making it difficult for them to engage. Therefore, directors and their organisations should take common fundamental actions to manage cyber risks.
The proposed Code streamlines critical governance areas that directors need to take ownership of in one place, in a form that is simple to engage with, for organisations of all sizes. It formalises the Government’s expectations of directors for governing cyber risk, treating it with the same level of importance as any other principal business risk.
Developed in partnership with a diverse group of experts – including non-executive directors, auditors, consultants, chief information security officer (CISOs) and academics - the Code's primary objective is to offer directors clear and actionable guidance to effectively manage the complicated and challenging cyber environment. Going beyond compliance, it seeks to foster a culture of cyber resilience within organisations.
The principles and actions within the Code have been derived from good practices and are intended to align with and complement existing government resources, such as Cyber Essentials Plus and the National Cyber Security Centre's (NCSC) 10 Steps to Cyber Security. Additionally, the Code provides a coherent set of guidance that works alongside the NCSC’s Cyber Security Toolkit for Boards.
The Code recommends five overarching principles for managing cyber risks, each with a set of easily understandable actions designed for directors.
Key steps here include identifying and prioritising digital assets, conducting regular risk assessments, and developing strategies that account for changes in the environment. Cyber security risks should be addressed as part of enterprise risk management with ownership at the board level. Moreover, you should regularly assess suppliers' control environments and ensure they're prepared to withstand cyber threats associated with them.
Monitor and review the delivery of the cyber resilience strategy in line with the business strategy and the ever-changing risk environment. Allocate resources and investment efficiently to build capabilities that effectively manage cyber security threats and their associated risks.
Establish cyber security policies that promote a positive security culture, ensuring that the culture aligns with the cyber resilience strategy. Sponsor communications on the importance of cyber resilience to the business. Ensure that the organisation has an effective cyber security training programme, including education and awareness, with metrics in place to measure its effectiveness.
Your organisation needs a plan to respond to and recover from a cyber incident. This needs to be regularly tested with associated training involving relevant internal and external stakeholders. If an incident occurs, take responsibility for regulatory obligations, support external communication and have a post-incident process in place to incorporate lessons learned into future response and recovery plans.
Establish a governance structure with ownership of cyber resilience at executive and non-executive director levels. Regular monitoring of the cyber resilience strategy is needed. Also, communicate regularly with relevant senior management including, but not limited to, the CISO or relevant risk owner. Determine how to achieve assurance and integrate the cyber resilience strategy with existing assurance mechanisms. To read more about this, please refer to Technology resilience is now a priority for internal audit.
Businesses shouldn't wait for the finalised Cyber Governance Code of Practice to prioritise cyber resilience. Taking a proactive approach to assessing cyber risks can help you prepare for the potential impact of a cyber-attack that could affect the organisation, its partners and its customers.
To help them implement the recommendations of the Cyber Governance Code of Practice, organisations and boards should take the following actions now.
Assign a board-level executive to sponsor and oversee the cyber security strategy and measures undertaken by the organisation. Ensure cyber risks and incident response measures are included on the agenda for every board meeting, audit committee and other relevant forums.
Prioritise your resources and efforts to mitigate key cyber security risks by adopting a risk-based approach. Conducting regular risk assessments enables the identification of potential threats, and implementation of controls based on the identified risks, which can better protect critical assets and data from cyber threats.
Providing regular training to employees and contractors on cyber security good practices to help strengthen your security posture. Increase awareness of several cyber threats, promote good security practices, and provide members of staff with the necessary knowledge and skills to identify and respond to cyber incidents. Additionally, set up tailored training on cyber security for the board and other critical stakeholders to increase their awareness of potential risks facing the organisation.
Those without internal cyber security expertise can seek support from external cyber security experts to provide insights and guidance on implementing effective cyber security measures that align with the organisation's risk profile. Additionally, you should determine how to obtain independent assurance over your organisation's cyber security controls.
The Cyber Governance Code of Practice is just one tool to help you manage your cyber risks, with many large and listed companies choosing NIST, CIS or similar frameworks, which provide additional technical cyber security controls beyond the Code. While awaiting the final Code, boards need to take the lead in prioritising cyber resilience. By adopting these principles and ensuring robust cyber security measures, you can minimise the impact of cyber-attacks, safeguard your reputation and ensure business continuity.
For more insight, guidance and to support your technology teams in establishing ongoing assurance over your cyber security controls get in touch with Avik Chandra.
Get the latest insights, events and guidance, straight to your inbox.