New Cybersecurity Governance Code Puts Cyber Risks on Boardroom Agenda

The UK government has published a new Code of Practice on cybersecurity governance, targeting directors and other senior business leaders.

The draft document aims to establish cybersecurity as a key focus for businesses, on par with financial and legal risks.

The code highlights a number of areas business leaders should focus on to enhance their cybersecurity governance practices:

  1. Risk management: Identify and prioritize the organization’s most important digital systems and services, and take effective decisions on the level of cybersecurity risk that is acceptable to the business. This should be continuously reviewed through risk assessments that account for changes in the internal, external and regulatory environments.
  2. Cyber strategy: Monitor and review the delivery of the cyber resilience strategy in the context of the changing risk environment, and ensure appropriate resources and investment are allocated to manage cyber threats and associated business risks.
  3. People: Develop clear policies that support a positive cybersecurity culture, and ensure the organization has an effective cybersecurity training and awareness program in place, with metrics to measure its effectiveness.
  4. Incident planning and response: Ensure there is a plan to respond to and recover from a cyber incident impacting critical business systems, and test it regularly with internal and external stakeholders. A post-incident review process should also be in place to incorporate lessons into future response and recovery plans.
  5. Assurance and oversight: Establish a governance structure that clearly defines roles and responsibilities, and ownership of cyber resilience at executive and non-executive director level. Regular two-way dialogue should be established with relevant senior executives, such as the CISO.

The code has been designed by the Department for Science, Innovation and Technology (DSIT) in partnership with industry directors, cyber and governance experts and the UK’s National Cyber Security Centre (NCSC).

The government is now inviting industry input into the draft document, with a call for views running until March 19, 2024.

Establishing Boardroom Responsibility for Cybersecurity

The government emphasized that with digital technologies now underpinning business resilience, executive and non-executive directors must take a greater role in leading technology governance strategies.

Viscount Camrose, Minister for AI and Intellectual Property, commented: “Cyber-attacks are as damaging to organizations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organization’s cybersecurity regimes – protecting their customers, workforce, business operations and our wider economy. 

“This new Code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work.”

In the US, new rules from the Securities and Exchange Commission (SEC) require publicly listed companies to describe the board of directors’ oversight of risks from cyber threats.

Christian Borst, EMEA CTO at Vectra, said that the draft code highlights the need for businesses to urgently overhaul their approaches to cybersecurity, taking a more holistic approach.

“While incident response plans and cyber awareness training are essential to good security hygiene, businesses need to go much further to stay secure in a growing world of cybersecurity risks. Today it’s vital that security leaders, architects, and analysts focus on improving cyber resilience,” he outlined.

Sarah Pearce, Partner at law firm Hunton Andrews Kurth, welcomed the new code, particularly the guidance around having a regularly practised incident response plan in place.

"Our extensive experience assisting clients with cyber security incidents and data breaches has demonstrated quite clearly that those businesses taking precautionary measures fare far better in such instances than those that fail to do so. Preparation will mitigate harm and reduce impact on a business and its operations more broadly," she noted.

The UK government also published new statistics relating to its Cyber Essentials certification scheme in its announcement. These show that two-thirds of businesses that adhere to the scheme have a formal incident response plan, compared with 18% of those that don’t.
