What Does the UK Government’s Cyber-Governance Code of Practice Mean for Your Business?
Table Of Contents:
There was a time when cybersecurity was very much viewed as a technology function. No longer. Governments and regulators across the globe are increasingly mandating that boards take on more responsibility for managing cyber risk. It’s in new SEC’s rules introduced last year and in the forthcoming NIS2 directive, which will make senior management personally liable for serious breaches. Not to be outdone, the UK government is following suit with a proposed new Code of Practice for cyber governance.
Although it’s voluntary, the government has stated its intent to embed the code into the “existing regulatory landscape”. Boards would do well to take note.
What’s in the Guidance?
Published in January in draft form, the code comes amidst a dispiriting backdrop of breaches. According to the government, over half medium (59%) and large (69%) UK businesses suffered a serious cyber-attack or breach in the 12 months to April 2023. The same study reveals that, although nearly three-quarters (71%) of senior managers say they view cybersecurity as a “high priority”, only 30% of businesses have board members or trustees explicitly responsible for cyber as part of their role.
With that, the code of practice is split into five pillars:
Risk management: Ensuring the company’s most critical digital processes, data and services have been identified, prioritised and agreed. This includes regular risk assessments and mitigation steps, decisions regarding risk levels, and supplier risk management.
Cyber strategy: Monitoring and reviewing cyber-resilience strategy in line with risk appetite, business strategy, and legal and regulatory obligations. This includes ensuring the appropriate resources are allocated in line with ever-changing business risk.
People: Sponsoring communications on the importance of cyber-resilience to the business, delivering clear cybersecurity policies that support a positive security culture, and driving and taking part in security training programmes.
Incident planning and response: Ensuring the organisation has a plan to respond to and recover from cyber incidents impacting business-critical processes and services. This includes regular testing of the plan, post-incident reviews and taking responsibility for regulatory obligations.
Assurance and oversight: Establishing a governance structure that aligns with the organisation, including clear definition of roles and responsibilities, and ownership of cyber-resilience at director level. Regulator monitoring of cyber-resilience, establishing a two-way dialogue with key execs and formal quarterly reporting, and ensuring cyber-resilience strategy is integrated across existing assurance mechanisms.
How Should Organisations Respond?
Darren Anstee, CTO at Netscout, argues that boards have traditionally struggled with incident planning.
“The guidance is that testing of an organisation’s incident handling plan, and associated training, should happen at least annually. Most organisations do this now, and that is much better than a decade ago, but just doing this annually is not frequent enough,” he tells ISMS.online.
“We want testing to drive process familiarity and optimisation – it shouldn’t be purely about finding out where the plan needs to be updated because it no longer matches an organisations processes and technology. That’s the risk with testing annually.
Anstee adds that boards could also improve their assurance and oversight.
“The challenge here is not new, in that translating what happens in terms of threat defence and cyber risk into something meaningful at the business risk level can be difficult,” he argues.
“This usually means correlating multiple datasets together to generate understandable metrics and visualisations. This is possible, and very important if we want cyber risk to be well managed, but many organisations don’t have the resources to do this well.”
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster university, argues that boards often fail to adequately manage cyber risk because they lack engagement, expertise and focus.
“Some areas where organisations are failing include failing to conduct thorough risk assessments or establish clear cybersecurity strategies, leaving them vulnerable to threats. Other areas are inadequate investment, outdated policies, poor communication between departments, and a compliance-centric approach can also undermine cybersecurity governance,” he tells ISMS.online.
“Ultimately the code should help organisations establish robust governance frameworks, involve leadership in cybersecurity decisions, conduct regular risk assessments, allocate sufficient resources, foster a cybersecurity-aware culture, and continuously improve their cybersecurity governance practices to adapt to evolving threats.”
Next Steps with ISO 27001
Compliance with the best practice standards and frameworks like ISO 27001, NIST Cybersecurity Framework, CIS Controls and COBIT could help boards go a long way to meeting their objectives under the five pillars, Curran argues.
“ISO 27001 offers a systematic approach to identify, assess, and mitigate security risks, aiding in prioritising digital assets and integrating risk management into governance. It will also benefit cyber strategy as it aligns an Information Security Management System (ISMS) with business strategy, ensuring efficient resource allocation for cybersecurity strategy monitoring and review,” he explains.
“ISO 27001 promotes security culture through policies and training, enhancing employees’ cyber literacy in line with the organisation’s security strategy. It also encourages incident response planning … and it aids in defining roles, monitoring, reporting, and communication with senior executives – facilitating cybersecurity integration into governance structures.”
Although voluntary, the code will play an important role in the evolving regulatory landscape, explains Sarah Pearce, partner at Hunton Andrews Kurth.
“The Companies Act 2006 and the UK Corporate Governance Code contain certain requirements and I understand this code and associated guidance is due to be updated to ensure consistency with the government’s proposed [cyber-governance] code of practice,” she tells ISMS.online.
“The government has said it recognises that the code is ‘not sufficient on its own at driving the required improvements in cyber-risk management at board level’. It is exploring its use in supporting regulators to understand how it could be used to assist with regulatory compliance, including with the UK GDPR and NIS Regulations.”