The UK government has released a new Cyber Governance Code of Practice, urging directors and board members in both public and private sectors to take greater responsibility for cyber security. The Code, launched on 8 April by Cyber Security Minister Feryal Clark, sets out clear guidance on how organisations can reduce risk, protect day-to-day operations and support long-term business growth.
The Code is a central part of the government’s Plan for Change, aiming to improve resilience across the UK economy. It focuses on key governance actions, such as implementing a formal cyber strategy, fostering a cyber-aware workplace culture and establishing incident response plans that allow organisations to respond quickly when breaches occur.
Support for the Code has come from across industry, including the Institute of Directors, EY and Wavestone. The Code is accompanied by a practical package of support tools developed with the National Cyber Security Centre and with input from non-executive directors. These resources, which include online training and a detailed Board Toolkit, are designed to help boards implement the Code effectively.
Cyber attacks remain a growing threat to UK businesses. Government data shows that 74% of large organisations and 70% of medium-sized firms experienced cyber breaches over the past year. Between 2015 and 2019, the cost of cyber crime to the UK economy reached nearly £22 billion.
Addressing Gaps in Cyber Risk Preparedness
The government’s initiative comes in response to concerns over leadership preparedness in managing cyber threats. A third of large UK companies still operate without a formal cyber strategy. Almost half of medium-sized firms have no incident response plan in place.
Cyber Security Minister Feryal Clark said, “A successful cyber attack doesn’t just have the potential to grind operations to a halt – it could drain millions from the bottom line. If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat.”
She added that the Code outlines specific, actionable steps to help protect operations and secure the livelihoods of workers and customers. The guidance aims to make it easier for organisations to identify vulnerabilities and ensure cyber risk management is directly linked to business continuity and growth.
Embedding Cyber Accountability in the Boardroom
The Code has been developed with direct involvement from industry representatives, including non-executive directors and governance experts. Jean-Philippe Perraud, CEO of NEDonBoard, Institute of Board Members, said the Code represents a clear benchmark for boardroom engagement with cyber risk.
“Cyber resilience is fundamental to organisational success. The Cyber Governance Code of Practice sets a clear benchmark for boardroom engagement. NEDonBoard supports board members in upskilling for effective oversight of cyber risk, digital transformation and resilience,” he said.
Perraud confirmed that NEDonBoard had contributed to the development of the Code and urged boards to incorporate its principles into risk management practices.
The Code also stresses the importance of organisational culture in cyber security. It encourages leaders to foster awareness at all levels of the organisation so that staff know how to recognise and respond to threats. The inclusion of people-focused practices has been welcomed by security leaders.
Andrew Rose, CSO at SoSafe, commented, “It’s great to see that the 22 areas of focus include the promotion of a cyber culture to protect our organisations, highlighting the important role our people play in developing a robust security structure. Humans are both our primary attack surface and our first line of defence.”
He noted that although the Code is not legally binding, it outlines best practices that organisations should take seriously. Rose suggested that incorporating these guidelines into formal regulation would strengthen protection across sectors.