Cyber Governance Code of Practice: Government responds to Call for Views

The Government has published its Response to the Call for Views on a Code of Practice for cyber governance.

The Call for Views, launched at the beginning of last year, proposed the introduction of a Cyber Governance Code of Practice as a response to the growth of cyber incidents that have the potential to cause significant damage to organisations. It was the view of the previous government that cyber risks should be treated just as seriously and receive the same prominence within organisations as financial or legal risks.

Whilst a patchwork of regulatory measures already touches upon organisations’ obligations in relation to cyber risks, the Call for Views explained that many organisations found “the cyber landscape complex and challenging to navigate”. It was therefore proposed that a new Code would “bring together the critical governance areas that directors need to take ownership of in one place, in a form that is simple to engage with, for organisations of all sizes”.

In its draft form, the Code was structured around five overarching principles: (1) Risk Management; (2) Cyber Strategy; (3) People; (4) Incident Planning and Response; and (5) Assurance and Oversight. For each Principle, a series of ‘Actions’ was set out, covering matters such as completing risk assessments, monitoring and reviewing a cyber resilience strategy, testing plans to respond to and recover from cyber incidents, and establishing an appropriate governance structure.

The Government Response confirms that there was widespread support among the respondents for the five Principles and for the design of the Code more generally. As a result, no major changes will be made to the Code before it is published.

The Call for Views also invited views on whether an assurance scheme should be introduced by which organisations could demonstrate to third parties that they are compliant with the Code. The majority of respondents were in favour of such a scheme.

However, the Response states that the Code of Practice will not be accompanied by an assurance scheme at this stage. The Government points to the risks of such schemes being unreliable, becoming outdated, creating further burdens for organisations, and potentially introducing perverse incentives by encouraging organisations to cut corners to achieve certification at the expense of having effective and appropriate security measures in place. Instead, the Government commits to working “closely with key stakeholders to further explore the possibility of establishing an accompanying assurance scheme at a later point. This is to ensure that the benefits of a voluntary code of practice can be realised earlier without compromising the process of designing a good assurance scheme”.

Finally, in addressing the concern expressed by some respondents that the Code will be difficult for smaller organisations to implement, the Response clarifies that the Code will largely be targeted at medium- and large-sized organisations of 50 or more employees.

In terms of next steps, the Response states that the Government will work with the National Cyber Security Centre to make minor edits to the Code before its publication shortly. Work will also be done to develop materials to support the uptake and implementation of the Code, and to provide clarity on how the Code interacts with other government policy, standards, guidance, and resources.