As a recent wave of high-profile cyber attacks on UK businesses has only too well demonstrated, cybersecurity is no longer an issue ‘just’ for CTOs and their technical teams but is instead an issue that goes to the heart of good corporate governance. Recognising both the scale of the operational disruption that can be caused, and the financial and reputational costs of such attacks, the UK Government has now published its Cyber Governance Code of Practice, aimed at empowering senior management to take control of their organisation’s cyber resilience. This article breaks down the key aspects of the Code, explaining its scope, applicability, and implications.
Scope of the Cyber Governance Code of Practice
Developed by the Department of Science, Innovation and Technology (DSIT), the Code is intended to serve as a practical guide for board members and directors on how to manage cyber risk effectively within their organisations. It is not a technical manual; instead it is a strategic, foundational document focusing on high-level oversight and accountability. It forms part of a broader initiative on cyber governance, which includes:
- Cyber Governance Training: created by the National Cyber Security Centre (NCSC), this aims to provide board members with a better understanding of how to govern cybersecurity risks
- Cyber Security Toolkit for Boards: provides further resources and guidance for boards on how to embed cyber resilience and management throughout their organisation
- Cyber Security Codes of Practice: a suite of codes of practice developed by DSIT which together set clear expectations for cybersecurity across the board. These include the Software Security Code of Practice and the AI Cyber Security Code of Practice – see our previous alerts ‘UK government sets sights on secure software: new Code of Practice on the horizon’ and ‘Secure by design: UK government publishes final software security Code of Practice’. Organisations are encouraged to adopt the relevant codes alongside the Cyber Governance Code of Practice
- Cyber Essentials: a government-backed certification scheme setting out the baseline cybersecurity controls that all organisations should have in place.
Who does it apply to?
In its own words, the Code has been ‘tailor-made’ for the board members and directors of both public and private sector organisations (as opposed to being aimed at those who have day-to-day responsibility for managing cybersecurity). While aimed primarily at medium and large organisations, smaller tech/AI organisations are also encouraged to adopt its recommendations where possible (the NCSC also provides specific guidance for smaller organisations with up to 250 employees on its website: Cyber Security for SMEs).
Why is the Code important?
Cyber attacks from both criminal gangs and hostile states are a continuing and evolving threat: the fallout from these attacks can be devastating, not only disrupting business operations for (in a worst-case scenario) a protracted period of time, but also having potentially serious financial implications and eroding customer confidence. According to DSIT’s Cyber Security Breaches Survey 2025, four in ten businesses and three in ten charities reported suffering some form of cybersecurity breach or attack in the past 12 months: this equates to 612,000 UK businesses and 61,000 UK charities being affected. In addition, the Survey identified that, whilst cybersecurity remains a key priority for the majority of UK businesses (72%), the proportion of businesses in which a board member holds responsibility for cybersecurity has declined steadily since 2021. The Code attempts to address this by:
- Promoting a proactive approach: by shifting the focus from reactive incident response to proactive risk management
- Establishing clear accountability: by defining roles and responsibilities at board level, ensuring board ownership of cyber risk
- Integrating cyber risk into wider governance: by embedding cyber considerations into overall business strategy and risk management frameworks
- Building a culture of cybersecurity: by encouraging positive behaviours and accountability throughout an organisation.
What are the key areas the Code covers?
The Code addresses five key areas which are underpinned by a series of specific actions for board members and directors, as follows. In each instance board members and directors must ensure that:
Risk Management
- critical assets (technology, information and services) are identified and prioritised
- cybersecurity risks are integrated into enterprise risk management and internal controls, with senior ownership of those risks agreed
- the organisation’s cybersecurity risk appetite is clearly communicated and the organisation is able to meet the expectations that appetite sets
- the organisation is resilient to cyber threats originating from its supply chain, with regular, proportionate risk assessments of suppliers
- risk mitigations keep pace with changes in the organisation, its technology, regulation and the wider threat landscape.
Strategy
- the organisation develops a cybersecurity strategy that is aligned with and embedded within the wider organisational strategy, consistent with the organisation’s defined risk appetite and compliant with regulatory requirements
- resources are allocated effectively to manage identified cybersecurity risks
- cybersecurity is delivered effectively and achieves its intended outcomes.
People
- a strong and positive cybersecurity culture, promoting responsible behaviours and accountability at all levels, is established and supported by clear policies
- board members and directors undertake training to maintain their own cyber literacy and take responsibility for the security of the data and digital assets the organisation uses
- training, education and awareness programmes are effective, with appropriate metrics used to evaluate them.
Incident planning, response, and recovery
- a comprehensive cyber incident response and recovery plan, covering incidents affecting business-critical technology, processes, information and services, is developed, maintained and regularly tested (at least annually) in conjunction with relevant internal and external stakeholders
- responsibilities for regulatory obligations and for communication during an incident are clearly defined
- a post-incident review process is in place to capture lessons learned and improve future plans.
Assurance and oversight
- a robust cyber governance structure with clearly defined roles and responsibilities is embedded within the organisation’s wider governance structure, including ownership of cyber at executive and non-executive director level
- formal reporting takes place regularly (at least quarterly), using appropriate metrics to track performance against agreed tolerances
- there is regular two-way communication with senior executives, including the CISO (or equivalent)
- cybersecurity considerations are integrated with, and consistent with, existing internal and external audit and assurance mechanisms
- senior executives are aware of relevant regulations and of the best practice set out in the other Cyber Security Codes of Practice.
Implications and next steps
The Code provides a foundational framework for strengthening an organisation’s resilience and protecting its long-term value, whilst making the management of cyber risk a fundamental responsibility of board members and directors. As noted in the accompanying Cyber Security Toolkit for Boards:
“Crucially, good cybersecurity facilitates better cyber resilience; the ability of an organisation to protect itself from, prepare for, respond to, and recover from a cyber incident, data breach or service outage. The Executive Team, Audit Committee, Risk Committee and Remuneration Committee all have roles to play in making sure that there is the right level of assurance in the business, but ultimate accountability to the shareholders is with the Board.”
While currently voluntary, the Code has the potential to become the de facto standard for cybersecurity governance. The draft Cyber Security and Resilience Bill currently making its way through Parliament further highlights the government’s commitment to establishing more comprehensive and robust cybersecurity standards in the UK. The Bill could empower the Secretary of State to mandate stricter cybersecurity measures across various sectors via regulatory bodies. Irrespective of whether an organisation falls within the scope of the Bill, prioritising robust cybersecurity governance is no longer just a sound commercial strategy: it is rapidly becoming a commercial necessity. Effective cybersecurity not only protects against potential threats and demonstrates a commitment to safeguarding stakeholder interests, but also cultivates trust in an environment facing increasingly sophisticated and widespread cyber attacks.
If you would like more information about any of the matters raised in the above article, please contact Paul O’Hare or Elizabeth Lumb.