
UK Launches Cyber Governance Code of Practice Consultation — January 23, 2024

The UK’s draft Cyber Governance Code of Practice outlines five principles for directors, pushing companies to embed board-level accountability, resilience exercises, and supplier assurance ahead of the March 2024 consultation deadline.


Executive briefing: The UK Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) opened consultation on a Cyber Governance Code of Practice on 23 January 2024. The voluntary code distils five principles that place directors and senior leaders at the heart of cyber risk management: take ownership, understand your organisation’s cyber risks, implement proportionate measures, prepare for incidents, and foster collaboration. DSIT intends the code to complement the UK Corporate Governance Code, Companies Act duties, and sector regulations while driving a step-change in board engagement. Consultation closes on 19 March 2024, giving organisations a narrow window to assess gaps and influence the final framework.

Why it matters for boards. Recent regulatory developments—the Financial Reporting Council’s internal controls declaration, the Information Commissioner’s Office enforcement actions, and the forthcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US—underscore that directors can no longer treat cyber security as a purely technical topic. The draft code makes explicit that boards must integrate cyber risk into enterprise governance, set a clear risk appetite, and maintain oversight of investments and assurance. Failure to demonstrate leadership could expose directors to scrutiny from investors, regulators, and insurers, especially if incidents reveal deficiencies in decision-making or resourcing.

Principle 1: Take ownership. Boards should designate a senior executive accountable for cyber risk and ensure that cyber considerations feature regularly on board agendas. The code recommends establishing governance structures that connect the board, executive committees, and operational teams, with clear reporting lines and documented responsibilities. For listed companies, this may involve integrating cyber oversight into existing risk committees or establishing standalone technology risk committees. Organisations must also confirm that directors possess sufficient expertise, either through training programmes or by appointing non-executive directors with cyber backgrounds.

Principle 2: Understand your risk landscape. Directors are expected to maintain situational awareness of threat actors, critical assets, dependencies, and regulatory obligations. The code encourages adoption of frameworks such as the NCSC Cyber Assessment Framework (CAF), NIST Cybersecurity Framework 2.0, or ISO/IEC 27001 to structure risk identification. Boards should request dashboards that map risks to business processes, quantify potential impacts, and show trends over time. They must also consider systemic risks that extend beyond the enterprise, such as concentration in cloud service providers or reliance on vulnerable suppliers.

Principle 3: Implement appropriate controls. The consultation draft emphasises that boards should approve cyber strategies and investment plans that align with risk appetite. Strategies should cover identity and access management, secure development practices, data governance, detection capabilities, and resilience. Directors need assurance that controls are proportionate and regularly tested, including penetration testing, red-teaming aligned with the NCSC’s CBEST/TIBER-GB methodologies, and audits of third-party compliance. Procurement policies should embed security requirements, contractual clauses for breach notification, and right-to-audit provisions.

Principle 4: Be prepared for incidents. Boards must ensure that incident response plans, crisis communication strategies, and business continuity arrangements are up to date and exercised. The code highlights the need for multi-stakeholder rehearsals covering ransomware, supply chain compromise, and operational technology disruptions. Directors should review after-action reports, monitor remediation progress, and evaluate whether lessons learned lead to policy or architectural changes. Organisations should align response plans with reporting obligations to the Information Commissioner’s Office, sector regulators, law enforcement, and stock exchanges.

Principle 5: Collaborate and share information. The draft encourages participation in industry information-sharing bodies such as the Cyber Security Information Sharing Partnership (CiSP), sector-specific intelligence groups, and cross-government exercises. Boards should direct management to cultivate relationships with suppliers, partners, and customers to coordinate on threat intelligence, joint testing, and incident response. Collaboration also encompasses engaging with insurers to align cyber controls with policy requirements and working with government programmes on skills development.

Embedding the code into governance. Boards should integrate cyber risk discussions into annual strategy reviews, financial planning, and major project approvals. Risk appetite statements need explicit cyber metrics—for example, acceptable downtime thresholds for critical services or tolerances for data leakage events. Audit committees should coordinate with internal audit to include cyber governance in audit plans, reviewing evidence of control effectiveness, policy compliance, and remediation tracking. Remuneration committees may tie executive incentives to delivery of cyber resilience objectives, such as reducing incident response times or improving supplier assurance coverage.

Consultation priorities. Organisations responding to the consultation should provide sector-specific insights on proportionality, recognising that small charities, mid-sized manufacturers, and global financial institutions face different resource constraints. Key questions include whether the code should remain voluntary, how it should interact with existing regulatory requirements (e.g., FCA/PRA operational resilience, NIS regulations, data protection laws), and what level of detail guidance should provide on metrics or maturity models. Companies should coordinate responses across legal, risk, security, and public affairs teams to present a coherent position.

Implementation roadmap. A pragmatic approach involves three phases. Phase 1: conduct a governance diagnostic comparing current practices to the five principles, identify accountable owners, and catalogue documentation gaps (charters, policies, dashboards). Phase 2: design and execute remediation initiatives, such as enhancing board reporting packs, establishing cyber risk appetite statements, launching director education programmes, and improving third-party risk management. Phase 3: embed continuous improvement through regular assurance reviews, scenario planning, and benchmarking against peers or frameworks like CAF or ISO/IEC 27014.

Metrics and reporting. Boards should request quantitative indicators, including percentage of critical suppliers with completed security assessments, coverage of multi-factor authentication, mean time to detect/respond to incidents, and completion rates for security awareness training. Qualitative updates should cover progress on major initiatives, results of red-team exercises, lessons learned from incidents, and status of regulatory interactions. Aligning these metrics with enterprise risk reporting ensures cyber governance is embedded rather than treated as an ad hoc agenda item.

Intersections with other regulations. The code’s principles dovetail with the FCA/PRA operational resilience regime, which requires identification of important business services and impact tolerances. They also align with the UK Data Protection Act’s accountability principle, the proposed EU Cyber Resilience Act for connected products, and international expectations under frameworks like the US Securities and Exchange Commission’s cyber disclosure rule. Multinational organisations should map overlapping requirements to avoid duplication and ensure consistent messaging to regulators across jurisdictions.

Action for the consultation window. Between now and 19 March 2024, organisations should: (1) brief boards and executive committees on the draft code; (2) gather feedback from business units, technology teams, and partners; (3) submit consultation responses highlighting sector needs; and (4) initiate quick wins such as updating risk appetite statements, improving incident reporting protocols, or scheduling tabletop exercises. Documenting these steps demonstrates proactive engagement and lays the groundwork for adopting the final code when published.

By treating the Cyber Governance Code of Practice as a catalyst for board-led transformation, organisations can elevate cyber security from a technical function to a strategic enabler. Leaders who establish clear accountability, invest in resilience, and foster collaboration will be better equipped to protect stakeholders, comply with emerging regulations, and sustain trust in an increasingly digital economy.
