UK Launches Cyber Governance Code of Practice Consultation — January 23, 2024
The UK’s draft Cyber Governance Code of Practice outlines five principles for directors, pushing companies to embed board-level accountability, resilience exercises, and supplier assurance ahead of the March 2024 consultation deadline.
Verified for technical accuracy — Kodi C.
The UK Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) have opened a consultation on a draft Cyber Governance Code of Practice. The voluntary code distils five principles that place directors and senior leaders at the heart of cyber risk management: take ownership, understand your organization’s cyber risks, implement proportionate measures, prepare for incidents, and foster collaboration. DSIT intends the code to complement the UK Corporate Governance Code, Companies Act duties, and sector regulations while driving a step-change in board engagement. The consultation closes on 19 March 2024, giving teams a narrow window to assess gaps and influence the final framework.
Why it matters for boards. Recent regulatory developments—the Financial Reporting Council’s internal controls declaration, the Information Commissioner’s Office enforcement actions, and the forthcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US—underscore that directors can no longer treat cyber security as a purely technical topic. The draft code makes explicit that boards must integrate cyber risk into enterprise governance, set a clear risk appetite, and maintain oversight of investments and assurance. Failure to show leadership could expose directors to scrutiny from investors, regulators, and insurers, especially if incidents reveal deficiencies in decision-making or resourcing.
Principle 1: Take ownership. Boards should designate a senior executive accountable for cyber risk and ensure that cyber considerations feature regularly on board agendas. The code recommends establishing governance structures that connect the board, executive committees, and operational teams, with clear reporting lines and documented responsibilities. For listed companies, this may involve integrating cyber oversight into existing risk committees or establishing standalone technology risk committees. Boards must also confirm that directors possess sufficient expertise, either through training programs or by appointing non-executive directors with cyber backgrounds.
Principle 2: Understand your risk environment. Directors should maintain situational awareness of threat actors, critical assets, dependencies, and regulatory obligations. The code encourages adoption of frameworks such as the NCSC Cyber Assessment Framework (CAF), NIST Cybersecurity Framework 2.0, or ISO/IEC 27001 to structure risk identification. Boards should request dashboards that map risks to business processes, quantify potential impacts, and show trends over time. They must also consider systemic risks that extend beyond the enterprise, such as concentration in cloud service providers or reliance on vulnerable suppliers.
Principle 3: Implement appropriate controls. The consultation draft emphasizes that boards should approve cyber strategies and investment plans that align with risk appetite. Strategies should cover identity and access management, secure development practices, data governance, detection capabilities, and resilience. Directors need assurance that controls are proportionate and regularly tested, including penetration testing, red-teaming aligned with the NCSC’s CBEST/TIBER-GB methodologies, and audits of third-party compliance. Procurement policies should embed security requirements, contractual clauses for breach notification, and right-to-audit provisions.
Principle 4: Be prepared for incidents. Boards must ensure that incident response plans, crisis communication strategies, and business continuity arrangements are up to date and exercised. The code highlights the need for multi-stakeholder rehearsals covering ransomware, supply chain compromise, and operational technology disruptions. Directors should review after-action reports, monitor remediation progress, and evaluate whether lessons learned lead to policy or architectural changes. Teams should align response plans with reporting obligations to the Information Commissioner’s Office, sector regulators, law enforcement, and stock exchanges.
Principle 5: Collaborate and share information. The draft encourages participation in industry information-sharing bodies such as the Cyber Security Information Sharing Partnership (CiSP), sector-specific intelligence groups, and cross-government exercises. Boards should direct management to cultivate relationships with suppliers, partners, and customers to coordinate on threat intelligence, joint testing, and incident response. Collaboration also includes engaging with insurers to align cyber controls with policy requirements and working with government programs on skills development.
Embedding the code into governance. Boards should integrate cyber risk discussions into annual strategy reviews, financial planning, and major project approvals. Risk appetite statements need explicit cyber metrics—for example, acceptable downtime thresholds for critical services or tolerances for data leakage events. Audit committees should coordinate with internal audit to include cyber governance in audit plans, reviewing evidence of control effectiveness, policy compliance, and remediation tracking. Remuneration committees may tie executive incentives to delivery of cyber resilience objectives, such as reducing incident response times or improving supplier assurance coverage.
Consultation priorities. Teams responding to the consultation should provide sector-specific insights on proportionality, recognizing that small charities, mid-sized manufacturers, and global financial institutions face different resource constraints. Key questions include whether the code should remain voluntary, how it should interact with existing regulatory requirements (for example, FCA/PRA operational resilience, NIS regulations, data protection laws), and what level of detail guidance should provide on metrics or maturity models. Companies should coordinate responses across legal, risk, security, and public affairs teams to present a coherent position.
Implementation roadmap. A pragmatic approach involves three phases. Phase 1: conduct a governance diagnostic comparing current practices to the five principles, identify accountable owners, and catalog documentation gaps (charters, policies, dashboards). Phase 2: design and execute remediation initiatives, such as enhancing board reporting packs, establishing cyber risk appetite statements, launching director education programs, and improving third-party risk management. Phase 3: embed continuous improvement through regular assurance reviews, scenario planning, and benchmarking against peers or frameworks like CAF or ISO/IEC 27014.
Metrics and reporting. Boards should request quantitative indicators, including percentage of critical suppliers with completed security assessments, coverage of multi-factor authentication, mean time to detect/respond to incidents, and completion rates for security awareness training. Qualitative updates should cover progress on major initiatives, results of red-team exercises, lessons learned from incidents, and status of regulatory interactions. Aligning these metrics with enterprise risk reporting ensures cyber governance is embedded rather than treated as an ad hoc agenda item.
Intersections with other regulations. The code’s principles dovetail with the FCA/PRA operational resilience regime, which requires identification of important business services and impact tolerances. They also align with the UK Data Protection Act’s accountability principle, the proposed EU Cyber Resilience Act for connected products, and international expectations under frameworks like the US Securities and Exchange Commission’s cyber disclosure rule. Multinational teams should map overlapping requirements to avoid duplication and ensure consistent messaging to regulators across jurisdictions.
Action for the consultation window. Between now and 19 March 2024, teams should: (1) brief boards and executive committees on the draft code; (2) gather feedback from business units, technology teams, and partners; (3) submit consultation responses highlighting sector needs; and (4) initiate quick wins such as updating risk appetite statements, improving incident reporting protocols, or scheduling tabletop exercises. Documenting these steps shows early engagement and lays the groundwork for adopting the final code when published.
By treating the Cyber Governance Code of Practice as a catalyst for board-led transformation, organizations can elevate cyber security from a technical function to a strategic enabler. Leaders who establish clear accountability, invest in resilience, and foster collaboration will be better equipped to protect their organizations, comply with emerging regulations, and sustain trust in an increasingly digital economy.
How to implement this
If you are affected, develop implementation roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically deliver better outcomes than attempting comprehensive change all at once. Early wins build momentum and demonstrate value to stakeholders.
Progress monitoring should track implementation activities against planned timelines and flag issues that need intervention. Regular reporting keeps stakeholders informed and maintains organizational focus on implementation priorities.
Stakeholder management
Effective stakeholder engagement ensures alignment on objectives, expectations, and implementation approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.
Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.
Iterating and improving
Continuous improvement processes should incorporate lessons learned and feedback from implementation experience. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.
Documentation of implementation activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.
Cited sources
- Cyber Governance Code of Practice Consultation
- NCSC Blog — Helping boards get to grips with cyber risk
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization