Deputy Editor, Infosecurity Magazine
The UK government has published a new Code of Practice on cybersecurity governance, targeting directors and other senior business leaders.
The draft document aims to establish cybersecurity as a key focus for businesses, on par with financial and legal risks.
The code highlights a number of areas business leaders should focus on to enhance their cybersecurity governance practices:
The code has been designed by the Department for Science, Innovation and Technology (DSIT) in partnership with industry directors, cyber and governance experts and the UK’s National Cyber Security Centre (NCSC).
The government is now inviting industry input into the draft document, with a call for views running until March 19, 2024.
The government emphasized that with digital technologies now underpinning business resilience, executive and non-executive directors must take a greater role in leading technology governance strategies.
Viscount Camrose, Minister for AI and Intellectual Property, commented: “Cyber-attacks are as damaging to organizations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organization’s cybersecurity regimes – protecting their customers, workforce, business operations and our wider economy.
“This new Code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionising how we work.”
In the US, new rules from the Securities and Exchange Commission (SEC) require publicly listed companies to describe the board of directors’ oversight of risks from cyber threats.
Christian Borst, EMEA CTO at Vectra, said that the draft code highlights the need for businesses to urgently overhaul their approach to cybersecurity and adopt a more holistic one.
“While incident response plans and cyber awareness training are essential to good security hygiene, businesses need to go much further to stay secure in a growing world of cybersecurity risks. Today it’s vital that security leaders, architects, and analysts focus on improving cyber resilience,” he outlined.
Sarah Pearce, Partner at law firm Hunton Andrews Kurth, welcomed the new code, particularly the guidance around having a regularly practised incident response plan in place.
"Our extensive experience assisting clients with cyber security incidents and data breaches has demonstrated quite clearly that those businesses taking precautionary measures fare far better in such instances than those that fail to do so. Preparation will mitigate harm and reduce impact on a business and its operations more broadly," she noted.
In the same announcement, the UK government also published new statistics on its Cyber Essentials certification scheme. These show that two-thirds of businesses that adhere to the scheme have a formal incident response plan, compared with 18% of those that do not.