A message from government: If your board has not recently discussed cyber risk, do so at your next meeting

Updated: Apr 29

It's no secret that UK government views the board's role in cyber resilience as absolutely fundamental. Ministers are now asking boards even more urgently to raise their game.


Letters to the board


Last week, UK government ministers Liz Kendall and Dan Jarvis wrote an open letter to business leaders warning that advancing AI systems are changing the threat landscape for UK businesses.


"Take cyber security seriously, at the very top of your organisation", they warned. "If your board has not recently discussed cyber risk, do so at your next meeting and then regularly. This is not an issue to delegate to your IT team and forget about. This will only become increasingly important."


This week, Dan Jarvis invited all organisations to sign a voluntary Cyber Resilience Pledge, which will be formally launched this summer. Businesses take the pledge by committing to three actions:


1. Make cyber a board responsibility, by implementing the Cyber Governance Code of Practice and undertaking NCSC’s online cyber governance training

2. Sign up to NCSC's Early Warning service

3. Require Cyber Essentials across supply chains.


Ministers have already written to the CEOs and Chairs of over 180 of the UK’s leading businesses to encourage as many as possible to sign up.


Cyber regulation is expanding


Some board members will wonder whether these developments signal new regulations on the horizon.


First, it's important to note that some UK organisations are already subject to regulation which makes board responsibility for cyber resilience explicit.


For example, the Cyber Assurance Framework (CAF), which UK critical industries and government bodies are required to complete under the NIS regulations, has a section on Board Direction. The UK's Operational Resilience rules for financial services firms also call out boards' responsibilities in overseeing cyber resilience, as do EU regulations including the NIS2 Directive and DORA.


But many more organisations are likely to come into the scope of cyber regulation via the Cyber Security and Resilience Bill now before Parliament, which will extend to the suppliers of regulated entities. The wider public sector, along with its suppliers, will also be mandated to comply with government cyber standards via the Cyber Action Plan.


These ministerial signals tell us that good cyber governance is rapidly becoming an everyday, expected part of corporate governance - not only a compliance issue.


Even if your organisation remains outside the scope of formal cyber regulation, your customers and other stakeholders will expect you to take action. That will increasingly come in the form of specific standards that you need to meet, but also public commitments - like the Pledge.


Taking the pledge: CxB can help


We set up CxB in 2023 because we passionately believe that cyber resilience is a board responsibility, so we're absolutely delighted to see these developments. We've been working closely with government to support the development and promotion of its support and guidance for boards, including the Cyber Governance Code of Practice.


We hope that your board will seriously consider taking the Pledge, or at the very least commit to implementing the Code, and we are here to support you with that. Do take a look at the cyber governance services we offer for boards.
