News analysis
Cyber governance code of practice: What you need to know
Cyber Governance Code of Practice: What you need to know as the UK government tries to bring structure to a landscape dominated by rapid pace and uncertainty.
Cyber governance is a massive boardroom issue and a critical concern for all corporate stakeholders.
Many are spooked by how fast it evolves, and the sheer volume of leaders and lobbyists warning that we are ill-prepared to face it. What troubles many directors is simply the question of who takes what responsibilities. What does the board do, and what should be passed down to executives and employees?
In the UK, the government – through its National Cyber Security Centre (NCSC) – has come up with a cyber governance “guidebook” to help British businesses clear the fog and understand how they should approach the rapidly evolving cyber landscape.
As it’s new, expect some elements to change over the years, but the fundamental principles will largely stay the same.
Here’s what’s in it:
What is the Cyber Governance Code of Practice?
It is a framework designed specifically to help boards in the United Kingdom manage their cyber risk effectively.
It is structured into five key principles that should shape directors’ approach to cyber issues:
- Risk management: Identifying and prioritising critical tech-based risks and integrating efforts to manage them.
- Cyber strategy: Ensuring that the company’s cyber strategy aligns with the company’s overall goals and doesn’t work against them.
- People: Ensuring that any executive or employee tasked with managing cyber issues has the training and resources they need.
- Incident planning and response: Developing and testing incident response plans to ensure preparedness for events like cyber attacks or power failures.
- Assurance and oversight: Establishing mechanisms for regular review and assurance.
For each principle, the NCSC has provided a collection of resources and toolkits, which are supposed to turn theory into practice and explain what success in each area looks like in the day-to-day corporate governance environment.
Do I have to follow the Cyber Governance Code of Practice?
No, not as of 2025. However, take that with a tiny bit of caution.
The code is intended to be a resource which directors can use voluntarily to upgrade their cyber management capabilities. If the UK watchdogs find that it’s working well and being used widely, they are unlikely to change that “voluntary” status.
However, a government communication has advised that if there are no improvements in cyber risk management, it will “look into options for firmer levers to promote greater uptake. This may include the future introduction of legislation and/or the utilisation of public procurement requirements.”
This is crucial to remember. We’re always seeing reports of cyber failures catching companies off guard. Events like the 2024 CrowdStrike outage or the UK Post Office scandal represent times when companies were unprepared or ill-equipped to deal with cyber risk. Codes of practice are designed to prevent similar events in the future.
So, is following the code a good idea?
Absolutely.
Inevitable teething issues aside, cyber risk management is one of the biggest boardroom issues in the world. It has been for years, even before the pandemic drove a massive upsurge in our cyber-dependencies.
The bottom line is that in today’s corporate environment, good cyber risk management means enhanced resilience. The code is your roadmap to make this happen.
It may not be perfect, and it may not precisely fit the model of your business or industry, but it does provide the groundwork for effective risk management. What’s more, this groundwork has the government stamp of approval. Since regulators are playing an ever more active role in shaping corporate governance responsibilities, that stamp of approval is a crucial sign that you should get on board.
Other benefits include the confidence that following the code will give to investors. When dealing with such investors, your work may boil down to the simple sentence “Fully compliant with the Cyber Governance Code of Practice”, but don’t underestimate the power those words can have – especially now, while the code is still fresh.
Ultimately, following the code gives a competitive advantage. It’s not because you’re box-ticking or “doing as you’re told” – it’s because the code encourages you to find the right expertise and training now to ensure you can handle all cyber risk coming your way.
This sets your company up for success.
In summary:
Will the Cyber Governance Code of Practice make a difference on your board? It’s up to you, and it will remain so for the foreseeable future. However, that shouldn’t detract from the principle that following a code like this will be hugely beneficial.
Why? Because it encourages the right training, the right expertise, and the proper behaviour around cyber resilience at a time when the issue has never been more important.