
Following our previous article in which we flagged the call for views on the UK government's proposal for a Cyber Governance Code of Practice ("CGCP"), the government has now published its response to the feedback submitted between 23 January to 19 March 2024. The final version of the CGCP is expected to be published in "early 2025".

The CGCP outlines the baseline responsibilities for senior leadership of an organisation to promote strong organisational cyber security. Below we explore the genesis of the CGCP, its role, summaries of the call for views and the government's response.

The problem

The government's position, based on a 2020 call for views and the 2024 Cyber Breaches Survey, is that while cyber security is regarded as a high priority by senior management, a lack of knowledge, training and time means boards and senior leaders can struggle to engage with cyber issues. Combined with these factors, a lack of explicit responsibility or accountability for driving cyber security conversations across many organisations (70% according to the 2024 Cyber Breaches Survey) has raised governmental concern about potential gaps in the senior oversight of cyber risk, despite the potentially severe and diverse consequences of a cyber incident. This can lead to cyber decisions being delegated to technical experts and/or considered in isolation from wider business risk. Difficulties in communicating cyber-related challenges and opportunities from the technical parts of the business to the wider organisation and senior leadership can lead to budget shortfalls and to negative impacts on an organisation's cyber risk profile more generally, materially affecting its defence and resilience posture. These issues are compounded by the fact that many organisations still do not adequately consider cyber risk outside their immediate organisation (i.e. in their supply chain) from a governance perspective.

The role of the CGCP

While the government has committed to strengthening the cyber security of Critical National Infrastructure ("CNI") through the upcoming Cyber Security and Resilience Bill, it is also keen to ensure the cyber resilience of the wider economy. Whilst schemes such as Cyber First, Cyber Essentials and Cyber Essentials Plus all support this effort at a technical level, senior management engagement is seen as an area that requires further improvement.

Although the UK National Cyber Security Centre ("NCSC") has published a Board Toolkit[1] and certain sectors have further guidance[2], it was felt that there was still a need for extra guidance on best practice.

The CGCP, developed through the collaboration of the UK government's Department for Science, Innovation and Technology, the NCSC and stakeholders from a range of industries, is the government's attempt at formalising its expectations in this area. It sets out clear actions that directors and Non-Executive Directors need to take in order to demonstrate that they are meeting their responsibilities in managing cyber risk.

As will be apparent from reading the above, the code is described as a "foundational code that has a particular focus on medium and large organisations but can be used by all organisations".

The draft code is split into five overarching principles (underpinned, in each case, by 3-5 actions) and seeks to provide more specific and practical guidance on good practices than is present in the more outcome-focussed language that is commonly seen in other forms of cyber regulation in the UK. Nevertheless, the actions are not prescriptive in a granular fashion, to maintain broad applicability across different sectors.

Summary of responses received & Governmental response

The government has confirmed that it will not be making material changes to the CGCP, opting instead to insert clarificatory language and monitor uptake once the final version is published before deciding on any further action.

1. Aim and design

The responses demonstrated overall support for the aims and design of the code, although approximately 40% of respondents requested additional principles and actions (a key theme being a suggested addition of a technical measures principle covering areas such as the maintenance and management of technical and IT controls).

The government has declined to make additions along technical lines before publishing the final version, stating that there are a number of reasons for not including technical elements in the CGCP, primarily that the intended audience is non-cyber specialists. It will, however, make minor changes to clarify language and include signposts to relevant NCSC guidance on technical issues.

2. Assurance

Most respondents were in favour of an assurance scheme, although opinions differed on exactly what might be sufficient. Respondents were cautious about over-reliance on assurance schemes, especially where their limitations are not understood (for example, that a certification only applies to part of an organisation, or that its validity period may have expired). Whilst approximately half of respondents were interested in external assurance, detractors pointed to existing accreditations and the additional burden that external assurance requirements may place on smaller organisations. Among respondents who were undecided, cost and the associated benefits appeared to be the main hurdle. There was also little consensus on who should conduct the assurance: a government department, an arm's-length body or private firms. There was strong interest in self-assessment backed up by an external review, although there was also significant interest in independent audit, which the government has interpreted as appetite for a tiered external assurance scheme (akin to Cyber Essentials and Cyber Essentials Plus).

The government has responded that there are considerable challenges to establishing an effective assurance scheme and that it wishes the benefits of the CGCP to be realised as soon as possible. It has therefore confirmed that it will not include an accompanying assurance scheme when publishing the CGCP, but it will work with stakeholders to explore establishing one in the future. This will help avoid providing a "quick fix" for organisations seeking simply to achieve certification rather than undertaking a thoughtful analysis of the tasks required to achieve adequate cyber risk governance.

3. Scope and implications on uptake

The wide target audience of the code was cited as likely to give rise to different levels of uptake across businesses. Respondents raised concerns that smaller organisations would struggle to implement the guidance and that it was not adapted to them. The top three barriers to uptake were found to be: 1) cyber resilience was not a priority for directors of organisations of all sizes; 2) reaching the directors of SMEs was challenging; and 3) there remained a tendency to view the code as a piece of technical cyber guidance.

The government has responded by saying that it will clarify that the primary target of the CGCP is businesses with 50 employees or more (i.e. those classed as medium sized and above), as the government believes that these businesses should be able to implement the CGCP. It acknowledged that many small businesses play critical roles in wider digital supply chains and that these businesses should seek to use the code to inform their cyber governance and practices, adapting the principles of the CGCP to their individual circumstances. The government expects organisations with a high risk profile, such as CNI, to use the CGCP to inform their relationships with suppliers of all sizes[3]. The government will also continue working with the NCSC to explore how to support small businesses with good cyber security (including the principles contained in the CGCP).

4. Links to other standards and resources

The responses indicated an appetite for further clarity on the links between the CGCP and other existing materials and strong support for the code to be linked to existing government guidance and legislation, particularly as published by the NCSC. It was also suggested that the code could be incorporated into existing board and director training programmes and, potentially, insurance questionnaires.

The government intends to provide information on how the CGCP relates to existing standards and guidance when it publishes the CGCP. It will map the CGCP to the NCSC Board Toolkit to aid implementation and will explore the possibility of conducting further formal mapping to key international and industry standards.

5. Promoting uptake

Respondents indicated an interest in the government engaging with a wide range of stakeholders, commonly citing risk/audit committees, CISOs, regulators and auditors, professional, trade and industry bodies, and key professions such as auditors, lawyers and insurers as being able to encourage uptake within an organisation and hold it accountable.

A minority of respondents, in their answers on this topic and on assurance, indicated that putting the CGCP on a legislative basis would be desirable.

The government has taken the feedback on board and committed to working with a wide range of stakeholders to encourage uptake. It will also use its existing network of cyber security professionals to test the design and assess the impact of the CGCP's implementation.

The government also intends to develop a public pledge to allow key partners that are implementing the code to be celebrated and to seek to drive uptake by positive example.

However, the government has stopped short of making compliance mandatory at this stage. The CGCP will be published as a voluntary tool, and the government will monitor its uptake and effectiveness. If uptake is deemed to be too limited, the government response raises the possibility of "firmer levers" being deployed. As a softer approach,

Next steps

The government expects to publish the final version of the CGCP in "early 2025".

Our view

Board engagement on cyber security issues has remained a difficult topic for organisations to grapple with, often not through lack of interest, but because of difficulties in understanding the issues and translating cyber risk from a technical into an organisational topic. This can make implementing effective board-level controls difficult. In this regard, the CGCP initiative is a welcome one.

The voluntary nature of the CGCP follows a general pattern in the UK of preferring to try voluntary guidance before implementing stricter legislative obligations. This decision may also reflect the current context of seeking to avoid and reduce regulatory burdens in an effort to drive economic growth.

While compliance with the CGCP will be voluntary, it does provide another yardstick against which to measure organisations' cyber resilience posture and, in particular, their boards' and senior management's oversight and engagement. Regulators may start to take compliance (or non-compliance) with the CGCP into account when assessing compliance with cyber-related regulation (which, as noted above, is often "outcomes focused" and therefore open to interpretation), for example when assessing whether an organisation had appropriate organisational measures in place to protect against cyber risk. We may also start to see the code being deployed in a litigation context, with non-compliance used by claimants as a means of seeking to demonstrate a breach of legal duty.

Sources

The original code of governance can be viewed at the following page (see "Annex A" of the page): https://www.gov.uk/government/calls-for-evidence/cyber-governance-code-of-practice-call-for-views/cyber-governance-code-of-practice-call-for-views#annex-a-cyber-governance-code-of-practice

The government's response can be viewed at the following page: https://www.gov.uk/government/publications/government-response-on-cyber-governance/government-response-to-the-call-for-views-on-cyber-governance


[1] https://www.ncsc.gov.uk/collection/board-toolkit

[2] For example, the Financial Reporting Council updated its Corporate Governance Code Guidance in December 2024 (in anticipation of the updated Corporate Governance Code coming into effect for financial years starting from 1 Jan 2025).

[3] This complements existing guidance from, for example, the NCSC's Cyber Assessment Framework "Principle A1 – Governance" and the associated sectoral "overlays" from relevant authorities, such as Ofgem's further expectations for complying with this Principle stated in its "Overlay" dated 1 Aug 2023.