Q: Can you briefly provide a background to the proposed Cyber Governance Code of Practice?
In January 2025, the government published its response to the consultation on the draft Cyber Governance Code of Practice, which had been published for consultation in January 2024. The proposed Code aims to enhance cyber resilience across UK businesses by giving directors and boards clear guidance on how to manage cyber risk effectively. It is intended to set out a clear set of actions, framed in the language boards use, to clarify the links between cyber risk and other business risks, and to formalise the government's expectations of boards in governing cyber risk.
Q: When and how will it become operational, and for whom?
The government has broadly accepted the Code as it was published in 2024, subject to some minor amendments to wording (to improve clarity and ensure the terminology is pitched correctly for the intended audience). The final version is scheduled for publication in "early 2025". Adoption will be voluntary, and the Code is aimed at all companies other than small businesses (those with fewer than 50 employees). However, the government has noted that many small businesses play a critical role in the cyber security of wider digital supply chains and should consider using the Code in some form to inform their own cyber governance practices.
Q: The Code mentions reporting. This seems to be internal reporting, but what should we expect in terms of external reporting? We already see many companies include cyber risk in the risk reporting section of the Annual Report.
One of the actions detailed in the draft Code, in the Risk Management section, is:
- Ensure that cyber security risks are addressed as part of the organisation’s broader enterprise risk management and internal control activities and establish ownership of risks with relevant seniors beyond the CISO.
Although the draft gives no direction on external reporting, this would suggest that, by virtue of including cyber risk within the organisation's internal control activities, cyber risk will fall within the scope of section 4 of the 2024 UK Corporate Governance Code (Audit, risk and internal control) and the associated disclosures in the annual report.
Q: What are your top tips for companies to consider in relation to this Code?
The Cyber Governance Code of Practice forms an integral part of a wider package of codes of practice being developed by the Department for Science, Innovation and Technology (DSIT) as part of the government's broader approach to improving cyber security practices and cyber resilience across the UK, alongside existing schemes such as Cyber Essentials. DSIT has adopted a modular approach to these codes of practice to help organisations understand how the codes interact and which are relevant to them; reviewing that modular approach will help organisations map their existing cyber processes onto the various codes being developed.

All of this work is being undertaken in partnership with the National Cyber Security Centre, and further guidance is available in the NCSC's Cyber Security Toolkit for Boards. The Toolkit remains a good starting point for boards seeking to understand their accountability for cyber risk and to ensure that systems, processes, people and culture are appropriate for the level of risk the board is willing to accept.