On April 8, 2025, the UK government published the Cyber Code of Practice (the “Code”) to support board directors in governing cybersecurity risks. The Code is available online. The UK’s data protection regulator is actively investigating and, in some instances, fining companies for personal data breaches caused by cybersecurity issues. It is therefore more important than ever for board directors to both engage with and mitigate cyber risks.
What is the Code?
The Code is designed to encourage engagement and action at the board level to improve cyber resilience within companies. It builds on other freely accessible cyber resources, particularly those provided by the UK National Cyber Security Centre, including:
- Cyber Governance Training (available here), to help directors understand the principles set out in the Code, and to provide suggestions for putting recommended actions into practice.
- Cyber Security Toolkit for Boards (available here), which provides a series of resources that boards can use to better understand cybersecurity issues and the actions they need to take.
The Code, along with the materials listed above, is suitable for public and private companies. Companies of all sizes should consider implementing the Code’s principles to enhance their cyber resilience posture.
What approaches are currently being taken by boards in the UK?
The Code’s publication follows the findings in the UK government’s 2024 Cyber Security Breaches Survey that:
- Approaches taken by leadership regarding cybersecurity tend to be more sophisticated in medium and large organizations. 93% of medium businesses and 98% of large businesses reported that cybersecurity is a high priority for leadership. This compares to 75% across all businesses surveyed (which also includes small businesses).
- Only 30% of all businesses surveyed have a board member or trustee who is taking responsibility for cybersecurity. This percentage is higher in the information, communication, finance, insurance, professional, scientific and technical sectors. This percentage is lower in the agriculture, construction, food, hospitality, entertainment, service and membership sectors.
- The approach to engaging with cybersecurity issues at board level varies:
  - Some larger companies regularly send cybersecurity reports to the board, and cybersecurity is a standing agenda item at board meetings.
  - Some boards place trust in their internal and/or external IT teams to escalate serious issues to them.
- The increase in the number and sophistication of cyber-attacks has kept cybersecurity a top priority. However, factors such as lack of knowledge, training and time are still preventing boards from engaging with cybersecurity issues.
Given the increasing risk to companies that poor cyber resilience poses, and the possible perception amongst directors that cybersecurity is too technical or complex, these materials may help to demystify the topic. The materials may also improve the oversight that can be provided to operational teams across the economic spectrum.