Spotlight On The Proposed UK Cyber Governance Code of Practice
In 2017, a global ransomware attack known as WannaCry affected 150 countries and sectors. In the UK, it targeted NHS England: over a third of trusts were affected, leaving hospitals without access to patient data for two days. It affected 70,000 devices, including MRI scanners, blood-storage refrigerators and theatre equipment, and cost the NHS £92 million. It was later confirmed that North Korea was behind the attack. Although WannaCry targeted a public institution, private businesses are far from safe. According to a new report by Microsoft in collaboration with the University of London, only 13 per cent of UK organisations are resilient to cyber attacks, with the remainder either vulnerable (48 per cent) or at high risk (39 per cent) of damaging cyber attacks. Furthermore, 70 per cent of senior security professionals are worried about the dangers AI poses to their companies.
To help businesses move cyber risk and resilience higher up boards’ agendas, the UK Government has proposed the introduction of a voluntary Cyber Governance Code of Practice (the Code). The Code provides a framework to assist organisations in good governance and accountability around cyber security.
What are the main points of the UK Cyber Governance Code Of Practice?
The Code sets out underlying actions that business leaders and their organisations take when thinking about and managing cyber risk.
The Minister for AI and Intellectual Property, Viscount Camrose, stated:
“The growing use of emerging technologies, such as artificial intelligence, across organisations has elevated the importance and necessity of directors’ taking action on how to govern their implementation, harnessing their power to capitalise on the advantages they provide, while appropriately managing and mitigating their risks.”
The Code consists of five overarching cyber governance principles, each of which is supplemented through specific action points. The action points are “framed in language that directors use” so they can understand the action they should be taking and why it is important. The five overarching principles are:
1. Risk Management
2. Cyber Strategy
3. People
4. Incident Planning and Response
5. Assurance and Oversight
Below are some of the action points listed in the Code.
Risk Management
Cyber Strategy
People
Incident planning and response
Assurance and oversight
There are several other significant legislative changes, already made or proposed, that will affect any organisation that uses digital technology, including:
The government has also launched the “Smarter regulation: UK product safety review” consultation on the reform of the UK’s product safety regime. This plans to update the UK’s product safety legislation to reflect emerging digital technologies, including AI, so that the UK regime has no shortcomings relative to the EU General Product Safety Regulation.
In summary
The Cyber Governance Code of Practice is part of the UK government’s £2.6 billion National Cyber Strategy aimed at protecting and promoting the UK online. If you have questions about anything mentioned in this article, please do not hesitate to contact us.
To find out more about any matters discussed in this article, please email us at info@43legal.com or phone 0121 249 2400.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.