Spotlight On The Proposed UK Cyber Governance Code of Practice


In 2017, a global ransomware attack known as WannaCry affected 150 countries and a wide range of sectors. In the UK, it hit NHS England: over a third of trusts were affected, leaving hospitals without access to patient data for two days. It affected 70,000 devices, including MRI scanners, blood-storage refrigerators, and theatre equipment, and cost the NHS £92 million. It was later confirmed that North Korea was behind the attack. Although WannaCry hit a public institution, private businesses are far from safe. According to a new report by Microsoft in collaboration with the University of London, only 13 per cent of UK organisations are resilient to cyber attacks, with the remainder either vulnerable (48 per cent) or at high risk (39 per cent) of damaging cyber attacks. Furthermore, 70 per cent of senior security professionals are worried about the dangers AI poses to their companies.

To help businesses move cyber risk and resilience higher up boards’ agendas, the UK Government has proposed the introduction of a voluntary Cyber Governance Code of Practice (the Code). The Code provides a framework to assist organisations in good governance and accountability around cyber security.

What are the main points of the UK Cyber Governance Code Of Practice?

The Code sets out the underlying actions that business leaders and their organisations should take when considering and managing cyber risk.

The Minister for AI and Intellectual Property, Viscount Camrose, stated:

“The growing use of emerging technologies, such as artificial intelligence, across organisations has elevated the importance and necessity of directors’ taking action on how to govern their implementation, harnessing their power to capitalise on the advantages they provide, while appropriately managing and mitigating their risks.”

The Code consists of five overarching cyber governance principles, each of which is supplemented through specific action points. The action points are “framed in language that directors use” so they can understand the action they should be taking and why it is important. The five overarching principles are:

    1. Risk Management
    2. Cyber Strategy
    3. People
    4. Incident Planning and Response
    5. Assurance and Oversight

Below are some of the action points listed in the Code.

Risk Management

  • Ensure that risk mitigation exercises are regularly conducted and that updates are made if internal or external regulations change.
  • Identify, prioritise and agree on the most critical digital processes, information, and services crucial to the ongoing operation of the business and achieving business objectives.

Cyber Strategy

  • Make the necessary resources for managing cyber risks available.
  • Monitor the organisation’s resilience strategy to ensure it matches the current cyber security risks, business goals, and regulatory environment.

People

  • Communicate the importance of cyber security throughout your organisation.
  • Ensure effective cyber security training, education, and awareness programmes are in place, with adequate metrics to measure their effectiveness.

Incident Planning and Response

  • Put in place a plan to respond to and recover from cyber security incidents.
  • Have a post-incident review process in place so lessons can be learned and documented.

Assurance and Oversight

  • Establish a cyber security governance structure that aligns with the overall governance structure of the company, including clear definition of roles and responsibilities, and ownership of cyber resilience at executive and non-executive director
  • To achieve assurance, develop a cyber security culture across the organisation.

Several other significant legislative changes, either already made or proposed, will affect any organisation that uses digital technology, including:

  • The Network and Information Systems Regulations 1 and 2 (NIS) require every company providing digital services to maintain a high level of security to prevent data compromises.
  • The Online Safety Act 2023 holds organisations accountable for the content on their platforms and the safety of their users, with heavy fines for non-compliance.
  • The draft Data Protection and Digital Information Bill amends the current UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).
  • The draft UK Product Security and Telecommunications Infrastructure Regulations 2023 are similar to the EU Cyber Resilience Act. They set minimum security requirements for importers, manufacturers, and distributors of goods that are connected directly or indirectly to the internet.
  • The government has also launched the “Smarter regulation: UK product safety review” consultation on the reform of the UK’s product safety regime. This plans to update the UK’s product safety legislation to reflect emerging digital technologies, including AI, so that the UK shows no shortcomings relative to the EU General Product Safety Regulation.

In summary

The Cyber Governance Code of Practice is part of the UK government’s £2.6 billion National Cyber Strategy aimed at protecting and promoting the UK online. If you have questions about anything mentioned in this article, please do not hesitate to contact us.


The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.