A draft Code of Practice on cyber security governance aims to help directors and senior leaders shore up their defences against cyber threats.
Aimed at executive and non-executive directors and other senior leaders, the Code outlines a series of actions across areas including risk management, cyber strategy and oversight and assurance to help businesses put cyber risks on an equal footing with other threats, such as financial and legal pitfalls.
Designed in partnership with industry directors, cyber and governance experts and the National Cyber Security Centre (NCSC), the Code recommends that directors set out clear roles and responsibilities across their organisations, boosting protections for customers and safeguarding their ability to operate safely and securely.
It calls on companies to have detailed plans in place as a foundation for responding to and recovering from any potential cyber incidents. The plan should be regularly tested and organisations should also have in place a formal system for reporting incidents. Companies are also encouraged to equip employees with adequate skills and awareness of cyber issues.
Viscount Camrose, Minister for AI and Intellectual Property, says: “Cyber attacks are as damaging to organisations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organisation’s cyber security regimes – protecting their customers, workforce, business operations and our wider economy.
“This new Code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies that are revolutionising how we work.”
Meanwhile, the government has launched a call for views from business leaders with an interest in cyber and governance issues to share their opinions on the draft Code. “It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all areas coming forward to share their views,” Camrose adds.
The digital economy offers huge potential benefits to the UK economy. However, it is not without its risks and they must be addressed with practical action and robust safeguards. Almost one in three (32%) firms have suffered a cyber breach or attack in the past year, with a rise in damaging ransomware attacks and malicious actors posing significant threats as they look to take advantage of cyber-security vulnerabilities.
The government’s Cyber Essentials scheme helps organisations protect against common cyber attacks. To receive a Cyber Essentials certificate, organisations demonstrate that they have cyber-security controls in place, including effective management of security updates, suitable anti-virus software and good password management.
In the past year, 38,113 certificates were awarded to organisations, including to two in five of the UK’s largest businesses. Two thirds of businesses that adhere to Cyber Essentials have a formal cyber incident response plan, compared with just 18% of those who don’t follow its guidance, according to the latest Cyber Security Breaches Survey.
Lindy Cameron, National Cyber Security Centre CEO, says: “Cyber security is no longer a niche subject or just the responsibility of the IT department, so it is vital that CEOs and directors understand the risks to their organisation and how to mitigate potential threats.
“Senior leaders can also access the NCSC’s Cyber Security Board Toolkit, which provides practical guidance on how to implement the actions outlined in the Code, to ensure effective management of cyber risks.”
The call for views, which will be open until 19 March 2024, will help ensure the new Code is straightforward to understand and roll out, and will also help to identify any potential barriers organisations could face in bringing it into force.
The work is part of the government’s £2.6bn National Cyber Strategy to protect and promote the UK online.
Mike Miller, ICAEW Economic Crime Manager, says: “Cyber-enabled threats present a constantly evolving challenge for organisations of all sizes and for individuals. The wide range of economic and other crimes conducted through cyber means – from mass phishing campaigns to complex, targeted attacks such as ransomware and intellectual property theft – means that cyber security has to be a key priority for all organisations.
“We welcome the various tools that have been developed by the NCSC and encourage organisations, from board level down, to raise awareness and implement the measures outlined to best defend against, and respond effectively to, cyber threats.”