UK Government's New Code of Practice: Treat Cyber risk on par with Financial & Legal risk - Cobweb

UK Government’s New Code of Practice: Treat Cyber risk on par with Financial & Legal risk 

Home » Content Hub » UK Government’s New Code of Practice: Treat Cyber risk on par with Financial & Legal risk

The UK government has unveiled a ground breaking Code of Practice on cybersecurity governance, specifically targeting directors and senior business leaders. This draft document seeks to elevate the importance of cybersecurity to the same level as financial and legal risks within organisations, offering a concise yet comprehensive framework for safeguarding digital assets and effectively managing cyber risks.

Risk Management

This section underlines the significance of robust risk management, urging organisations to identify, prioritise, and regularly assess digital processes, information, and services essential for business continuity and success. Cybersecurity risks must be integrated into broader enterprise risk management, extending ownership beyond the CISO. Ensuring supplier information aligns with risk levels is paramount.

Cyber Strategy

The code emphasises the need to monitor and adapt the cyber resilience strategy in line with accepted cyber risk, business strategy, and legal obligations. Adequate resources should be allocated to develop cybersecurity capabilities that effectively combat evolving threats while remaining flexible and adaptable.

People

Fostering a culture of cyber resilience is critical. Senior leaders should sponsor communications emphasising its importance within the business strategy. Establishing clear cybersecurity policies that promote a positive culture and aligning the organisation’s culture with the cyber resilience strategy is essential. Individuals must take responsibility for cyber literacy and secure data handling practices, supported by an effective training and awareness programme.

Incident Planning and Response

Being prepared for cyber incidents is paramount. Organisations should have well-defined plans for responding to and recovering from incidents affecting critical processes, technology, and services. Regular testing, involving internal and external stakeholders, and drawing lessons from testing and external incidents is vital. In an incident, individuals should take responsibility for regulatory obligations, support executives, and manage external communications. Post-incident reviews must be conducted to enhance future response and recovery plans.

Assurance and Oversight

The code advocates for a governance structure that aligns with the organisation’s existing framework. This includes defining roles and responsibilities for directors in managing cyber resilience. Implement regular monitoring, maintain dialogue with senior executives, and establish formal quarterly reporting aligned with business objectives. Ensure integration of the cyber resilience strategy into existing assurance mechanisms, achieving internal assurance.

Incorporating Global Trends:

In the United States, the Securities and Exchange Commission (SEC) has introduced new rules requiring publicly-listed companies to describe the board of directors’ oversight of risks stemming from cyber threats. This underscores the growing global recognition of the significance of cybersecurity in corporate governance.

In conclusion, the UK government’s new Code of Practice on Cybersecurity Governance for Senior Business Leaders places a resounding emphasis on the importance of senior leaders treating cybersecurity with the same gravity as financial and legal risks. By prioritising risk management, establishing an adaptable cyber strategy, promoting a culture of cyber resilience, preparing for incidents, and ensuring robust assurance mechanisms, organisations are better equipped to safeguard their digital assets in an ever-evolving digital landscape. With this code, businesses can proactively address today’s cyber risks, ensuring their continued success and resilience while aligning cybersecurity with core business objectives. 

Want to strengthen your IT strategy?