The UK government has opened a consultation on its draft Cyber Governance Code of Practice (the “Code”), which was published on 23 January this year. The Code was developed collaboratively with technical experts and industry heads, after a government review concluded that organisations might be encouraged to reduce cyber risks if there was greater government intervention in the area.
The idea behind the Code is to create a formal record of what the UK government expects company directors to do to govern cyber risk. It is based on five pillars: risk management; cyber strategy; people; incident planning and response; and assurance and oversight, with various “actions” sitting beneath each pillar. You can read the Code in full and learn more about the call for views here.
The UK government is welcoming contributions until Tuesday 19 March 2024 on three issues relating to the Code in particular:
- Design of the Code – including its structure of pillars with principles sitting underneath. The government’s intention is for the actions and principles to form a set of guidance along with the NCSC’s Cyber Security Toolkit.
- Optimising uptake of and compliance with the Code – including where it would be best to place it to ensure it reaches directors, the role other entities can play in uptake and implementation, and what might impede its roll-out.
- Assurance processes in respect of the Code – including whether a self-assessment or independent assessment process would be more effective, the desirability of such a mechanism, where the value of independent assurance might lie, and any associated risks.
Those in senior roles in UK organisations may want to consider the Code at this draft stage not only to give feedback on the specific issues above, but also because there is a wider opportunity to comment on the draft text with any concerns or observations.