UK Publishes Cyber Governance Code of Practice for Consultation

On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.

Cyber Governance Code of Practice

The UK government has acknowledged that there is more to be done with respect to frameworks and governance at a board level to make cyber resilience a priority, in particular in the context of business’ use of emerging technologies, such as AI, which pose “dynamic” and “fast-paced” risk. The Cyber Security Breaches Survey 2023 found that while 71% of senior management see cybersecurity as high-priority, only 30% of businesses have board members explicitly responsible for cybersecurity as part of their job role. The draft Code aims to assist directors and leadership strengthen the cyber resilience of their organizations at a senior level by adopting a “top-down” approach to give cyber risk the same prominence as e.g., financial, or legal risk.

Five Principles for Effective Cybersecurity Governance

Drawing on best practices, the draft Code focuses on the UK Government’s view of the most critical governance areas for senior management engagement and practical actions-focused guidance.

The draft Code proposes five overarching principles together with the relevant corresponding actions. The principles and examples of some of the proposed actions are as follows:

  1. Risk management e.g., ensuring that the most important digital processes, information, and services critical to the ongoing operation of the business have been identified, prioritized, and agreed as well as establishing confidence to allow taking effective decisions on the level of risk;
  2. Cyber strategy e.g., monitoring and reviewing the organization’s cyber resilience strategy in accordance with the level of accepted cyber risk, and in the context of applicable legal and regulatory obligations;
  3. People e.g., developing a positive cybersecurity culture by implementing policies and sponsoring communications and training on the importance of cyber resilience to the business;
  4. Incident planning and response e.g., ensuring that the organization has a plan to respond to and recover from a cyber incident impacting business critical processes, technology and services, at least annual testing of response plans and ensuring that a post incident review process is in place; and
  5. Assurance and oversight e.g., establishing a governance structure by including a clear definition of roles and responsibilities, and ownership of cyber resilience at executive and non-executive director level, establishing formal reporting, and determining how internal assurance can be achieved.

Regulatory Framework and Next Steps

The draft Code is currently proposed as a voluntary tool and the UK government is exploring how the draft Code can assist with existing regulatory compliance obligations under e.g., the UK General Data Protection Regulation (the “UK GDPR”) and the Network and Information Systems (“NIS”) regulations.

The UK government is now seeking public feedback on the draft Code until 19 March 2024, including the design of the draft Code, how uptake can be driven and the demand for an assurance process against the draft Code. Following the end of this consultation period, the UK government will respond with a summary of views received to outline the conclusions and the next steps for the draft Code.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.