On 23 January 2024, the UK Government announced a call for views and requested feedback from businesses of all sizes across every sector on its draft Cyber Governance Code of Practice (the "Draft Code"). Aimed at directors and other business leaders, the Draft Code sets out critical cyber governance areas on which organisations of all sizes should focus to better govern cyber risk.

The deadline to respond to the call for views is 11:59pm (UK) on Tuesday 19 March 2024.

The UK Government has cast a wide net for respondents, including academics, organisations without formalised boards, organisations who procure or outsource cyber security and any other interested parties.

The Draft Code

The UK Government has announced that the Draft Code has been co-designed with a range of cyber and governance experts, including from the UK National Cyber Security Centre (NCSC) and non-executive directors, auditors, consultants, chief information security officers and academics.

Whilst the final approved code will be a voluntary tool without its own statutory footing, the UK Government has said that it is working with regulators to determine how the final code can be embedded into the existing regulatory landscape in the UK – such as to work alongside the UK GDPR and Network and Information Systems (NIS) Regulations.

In a simple and concise format, the Draft Code sets out the primary fundamental actions that business leaders and their organisations should be taking to address cyber risk. The Draft Code comprises five overarching cyber governance principles, each of which is supplemented by specific action points. The action points are designed to be "framed in language that directors use" to give directors clearer expectations of the actions they should be taking and why. The five overarching principles are:

  1. Risk Management;
  2. Cyber Strategy;
  3. People;
  4. Incident Planning and Response; and
  5. Assurance and Oversight.

Some examples of supplementary action points under the overarching principles include:

  • Cyber Strategy - Ensure appropriate resources and investment are allocated and used effectively to develop capabilities that manage cyber security threats and the associated business risks.
  • Incident Planning and Response - Ensure that the organisation has a plan to respond to and recover from a cyber incident impacting business critical processes, technology and services.

Alignment with the UK Cyber Governance Landscape

In announcing the call for views, the UK Government commented generally on the current UK cyber governance landscape. In particular, the UK Government acknowledged results from the UK's Cyber Security Breaches Survey 2023, which found that cyber security was seen as a high priority for senior management at 71% of businesses - constituting an 11% decrease from 82% the previous year. The Cyber Security Breaches Survey 2023 also concluded that formal incident response plans are "not widespread", with only 47% of medium-sized businesses and 64% of large businesses having a formal incident response plan in place. These figures may be alarming in light of the regulatory obligations businesses may be required to comply with, such as:

  • UK GDPR: organisations are required to implement appropriate technical and operational measures to secure the personal data they are processing, as well as to have appropriate procedures in place to respond in the event of a personal data breach – such as with respect to whether data breach notifications to affected data subjects and/or the UK Information Commissioner's Office are required. Implementation of appropriate incident response policies may assist organisations in demonstrating their compliance with these UK GDPR obligations.
  • UK NIS Regulations 2018: certain operators of essential services and relevant digital service providers may also have obligations under the NIS Regulations 2018. In-scope organisations are obliged to implement appropriate security measures to guard against cyber threats. These include monitoring, auditing and testing requirements, as well as specific procedures to report and respond to security breaches.
  • Regulated entities: organisations may also face a regulatory burden to adopt cyber resilience practices, which could require the implementation of an incident response policy. For instance, the UK's Financial Conduct Authority and the Prudential Regulation Authority have both categorised cyber resilience as a "top priority" and expect regulated firms to have effective cyber security controls in place and to report cyber incidents.

Call for Views

The call for views is open until 11:59pm (UK) on 19 March 2024, and its scope focuses on three core areas:

  1. the design of the cyber governance Code of Practice;
  2. how the government can drive uptake of its use and compliance with the code; and
  3. the merits and demand for an assurance process against the Draft Code.

The data gathered from the call for views will be used to ensure that the Draft Code is straightforward to understand and implement, reaches business leaders and forms a core aspect of their risk management knowledge base, and presents no barriers to being utilised. The utility and risks of implementing an assurance process against the Draft Code will also be evaluated.

Originally published on the 9th of February, 2024.


Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
