Backed by a substantial £2.6 billion investment, the government’s National Cyber Strategy aims to strengthen resilience at a national and organisational level, preparing for, responding to, and recovering from cyber-attacks.
Recognising the need for stronger frameworks of accountability and governance at the board level, the government introduces the Cyber Governance Code of Practice. This code, co-designed with industry leaders and technical experts, focuses on critical areas to guide directors in enhancing cyber resilience.
As the digital economy expands, so do cyber security risks, which have become principal threats to organisations of every kind. The dynamic and fast-moving nature of the cyber risk environment demands a top-down approach to governance. The proposed Cyber Governance Code of Practice aims to address this need by providing a clear and actionable framework for directors to govern cyber risk effectively.
Governance in a Technology Age
In a world where digital technologies underpin business resilience, directors must take greater action to govern technology strategies. Clear leadership and effective governance are essential in capitalising on the opportunities while managing risks associated with technology adoption. Cyber governance, intertwined with business resilience, becomes a crucial aspect of this broader technology governance landscape.
What is Cyber Governance and Why is it Important?
Cyber governance, adopting a top-down approach, is critical to improving the cyber resilience of organisations. The proposed Cyber Governance Code of Practice aligns with the National Cyber Strategy’s objective, embedding cyber resilience within company strategy and ensuring clear responsibilities across all relevant domains.
International Approaches to Cyber Governance
Globally, countries are prioritising cyber governance to address the evolving threat landscape. The proposed Cyber Governance Code aligns with international efforts, emphasising the importance of directors’ engagement and action in managing cyber risk.
Standards and Guidance Landscape
Despite existing resources, the current standards and guidance landscape falls short in driving director engagement on foundational cyber governance issues. The Cyber Governance Code of Practice aims to consolidate critical governance areas, providing a simple and clear tool for directors of organisations of all sizes.
Regulatory Environment
Existing cyber security regulations, such as the Network and Information Systems Regulations and the UK GDPR, complement the proposed Cyber Governance Code. The Code’s voluntary nature aligns with existing regulatory obligations, supporting regulatory compliance and driving improvements in cyber risk management at the board level.
Current UK Cyber Governance
Despite cyber security being a high priority, senior management’s engagement has not translated into sufficient ownership of cyber risk at the most senior level. The Cyber Governance Code of Practice seeks to bridge this gap by providing a simple and effective tool for directors to govern cyber risk.
Proposed Approach: Cyber Governance Code of Practice
Recognising the complexity of the cyber landscape, the proposed Cyber Governance Code aims to simplify and clarify directors’ actions in governing cyber risk. The call for views focuses on refining the design of the Code, driving its uptake, and exploring the potential demand for an assurance process against the Code.
Design
The draft Code of Practice, co-designed with governance experts, presents five overarching principles with director-friendly actions underneath. The call for views seeks input on the design’s clarity and effectiveness in guiding directors to govern cyber risk.
Driving Uptake
The proposed Code, launched as a voluntary tool, aligns with existing regulatory obligations. The call for views explores how the government can drive its use and compliance, including potential collaboration with regulators and industry bodies.
Assurance
To further drive uptake, the government explores the utility and risks of implementing an assurance process against the Code. The call for views seeks input on potential demand for assurance mechanisms and associated risks.
The Cyber Governance Code of Practice is a significant step towards enhancing cyber resilience in the UK. Directors, organisations, and stakeholders are being encouraged to actively participate in the call for views, contributing to the development of a safer and more prosperous digital landscape. The government looks to continue discussions on prioritising efforts to bolster the UK economy’s cyber resilience. Share your opinions by visiting Cyber Governance Code of Practice: call for views – GOV.UK (www.gov.uk).