Cyber Governance Code of Practice: UK Publishes Draft Code and Calls for Views

Mayer Brown

[co-author: Oliver Jones]*

On 23 January 2024, the UK Government announced a call for views and requested feedback from businesses of all sizes across every sector on its draft Cyber Governance Code of Practice (the "Draft Code"). Aimed at directors and other business leaders, the Draft Code sets out critical cyber governance areas on which organisations of all sizes should focus to better govern cyber risk.

The deadline to respond to the call for views is 11:59pm (UK) on Tuesday 19 March 2024.

The UK Government has cast a wide net for respondents, including academics, organisations without formalised boards, organisations that procure or outsource cyber security, and any other interested parties.

The Draft Code

The UK Government has announced that the Draft Code has been co-designed with a range of cyber and governance experts, including the UK National Cyber Security Centre (NCSC), non-executive directors, auditors, consultants, chief information security officers and academics.

Whilst the final approved code will be a voluntary tool without its own statutory footing, the UK Government has said that it is working with regulators to determine how the final code can be embedded into the existing regulatory landscape in the UK – such as to work alongside the UK GDPR and Network and Information Systems (NIS) Regulations.

In a simple and concise format, the Draft Code sets out the fundamental actions that business leaders and their organisations should be taking to address cyber risk. The Draft Code is comprised of five overarching cyber governance principles, each of which is supplemented by specific action points. The action points are designed to be "framed in language that directors use" to provide clearer expectations of the actions directors should be taking and why. The five overarching principles are:

  1. Risk Management;
  2. Cyber Strategy;
  3. People;
  4. Incident Planning and Response; and
  5. Assurance and Oversight.

Some examples of supplementary action points under the overarching principles include:

  • Cyber Strategy - Ensure appropriate resources and investment are allocated and used effectively to develop capabilities that manage cyber security threats and the associated business risks
  • Incident Planning and Response - Ensure that the organisation has a plan to respond to and recover from a cyber incident impacting business critical processes, technology and services

Alignment with the UK Cyber Governance Landscape

In announcing the call for views, the UK Government commented generally on the current UK cyber governance landscape. In particular, the UK Government acknowledged results from the UK's Cyber Security Breaches Survey 2023 which found that cyber security was seen as a high priority for senior management at 71% of businesses - constituting an 11% decrease from 82% the previous year. The Cyber Security Breaches Survey 2023 also concluded that formal incident response plans are "not widespread", with only 47% of medium-sized businesses and 64% of large businesses having a formal incident response plan in place. These figures may be alarming in light of the regulatory obligations businesses may be required to comply with, such as:

  • UK GDPR: organisations are required to implement appropriate technical and operational measures to secure personal data they are processing, as well as having appropriate procedures in place to respond in the event of a personal data breach – such as with respect to whether data breach notifications to affected data subjects and/or the UK Information Commissioner's Office are required. Implementation of appropriate incident response policies may assist organisations in demonstrating their compliance with these UK GDPR obligations.
  • UK NIS Regulations 2018: certain operators of essential services and relevant digital service providers may also have obligations under the NIS Regulations 2018. In-scope organisations are obliged to implement appropriate security measures to guard against cyber threats. These include monitoring, auditing and testing requirements, as well as specific procedures to report and respond to security breaches.
  • Regulated entities: organisations may also face a regulatory burden to adopt cyber resilience practices which could require the implementation of an incident response policy. For instance, the UK's Financial Conduct Authority and the Prudential Regulation Authority have both categorised cyber resilience as a "top priority" and expect regulated firms to have effective cyber security controls in place and to report cyber incidents.

Call for Views

The call for views is open until 11:59pm (UK) on 19 March 2024 and the scope focuses on three core areas:

  1. the design of the cyber governance Code of Practice;
  2. how the government can drive uptake of its use and compliance with the code; and
  3. the merits and demand for an assurance process against the Draft Code.

The data gathered from the call for views will be used to ensure that the Draft Code is straightforward to understand and implement, reaches business leaders and forms a core aspect of their risk management knowledge base, and presents no barriers to being utilised. The utility and risks of implementing an assurance process against the Draft Code will also be evaluated.
