April 16, 2025 Cyber Governance
According to the 2024 Cyber Breaches Survey, half of all businesses and two thirds of high-income charities had experienced some form of cyber security breach or attack in the previous year. That percentage rose to 70% for medium-sized businesses and 74% for large businesses.
It’s little wonder then that cyber risk is widely seen as one of the mission-critical risk factors within an overall corporate governance framework. And whilst the nature of the risk will vary from business to business, the potential impact of a cyber breach on any business should not be underestimated. That is why, following a consultation in 2024, the Government, in conjunction with the National Cyber Security Centre (NCSC), has launched a cyber governance code of practice.
Primarily aimed at large and medium organisations, the code can nevertheless also be applied to smaller businesses. Importantly, the code is not aimed at those charged with day-to-day cyber management. Rather, it aims to provide boards and directors with the key tools they need to shape and oversee a robust cyber governance framework.
Essentially the cyber code of practice divides governance into five key areas:
- Risk Management.
- Strategy.
- People.
- Incident planning, response and recovery.
- Assurance and oversight.
Each of these areas will share cross-overs with other key business governance areas. For example, the incident planning, response and recovery section will feed directly into a wider business continuity plan, whilst delivering the people aspect of the plan will require a strong tie-in with employee engagement and inclusivity metrics.
Underlining the importance which the Government and NCSC place on the UK’s ability to counter cyber threats, the launch of the cyber code is accompanied by both online cyber governance training and a cyber security toolkit for boards to adapt to their own needs. The toolkit even comes with a cyber security 101 list of questions for boards to consider at their next meeting. Starting from the obvious opening question of whether there is a cyber security strategy in place, these questions help to develop the organisation’s specific cyber plan by examining areas such as the top threats to the organisation, documentation, and gap analysis.
Delve deeper into cyber risk identification and planning and it is easy to appreciate the way in which potential cyber risks can infuse the entire organisation, and why mitigation requires good corporate governance. As the NCSC comments, “Cyber risk is a material risk for almost all organisations and boards and directors need to be able to govern this risk effectively.”