When I was a child, if you had asked me about cyber, I would have thought you were talking about the classic film E.T. rather than anything to do with my rather snazzy Sinclair Spectrum (anyone else remember those?). Things have come a long way since then, and our very tech-savvy children even learn about cyber at school. However, whilst we all know that cyber attacks are ongoing, and that it is a question of when (not if) and how bad, there have been split views on who within organisations should ultimately manage this risk.
We have for some time said that cyber risk, like all business risks, is ultimately a corporate governance issue. Yes, of course the CISO / IT team have responsibility for the entry in the risk register, but it is the board that has responsibility for setting risk appetite and for ultimate oversight of how this risk is managed. This is not universally reflected in the business world, however: a Marsh global survey found that 70% of respondents named IT as the primary owner and decision-maker for cyber risk management, compared to 37% who cited the C-suite.
New Corporate Governance Code
This view will have to change, however, at least for UK listed companies, as the recently updated version of the UK Corporate Governance Code provides that boards should establish and maintain an effective risk management and internal control framework. Given that for most organisations cyber security is either a principal risk or is relevant to the management of principal risks, the changes to the Corporate Governance Code squarely put responsibility for cyber risk in the board's court.
However, it is not clear that boards currently know what good cyber governance looks like in practice, with the UK Government's Cyber Security Breaches Survey 2023 noting that "there is a lack of understanding of what constitutes effective cyber risk management". Unsurprisingly, therefore, we are increasingly being asked what good looks like. With this upcoming change to the UK Corporate Governance Code, I'd put money on cyber governance being a hot topic this year.
Draft Cyber Governance Code of Practice
It is therefore timely that on 23 January 2024 the Government published a draft Cyber Governance Code of Practice, on which it is seeking views, with the aim of supporting directors to drive greater cyber resilience.
The Code consists of five overarching principles: (i) risk management, (ii) cyber strategy, (iii) people, (iv) incident planning and response, and (v) assurance and oversight. Each principle then has relevant actions attributed to it. These proposed actions are, by necessity, not unduly prescriptive, so that they have broad applicability; there is therefore still much scope for variation in how they are applied.
The Code is intended to reflect existing best practice and to complement existing industry and government resources, both in the UK and internationally. Many directors will already be familiar with the NCSC’s Cyber Security Toolkit for Boards, and the intention is that the Code and the Toolkit will work together to form a coherent set of guidance for boards.
The Government's current intention is that, once finalised, the Code be launched as a voluntary tool without its own statutory footing. However, investors are increasingly focussed on the governance of cyber, with Glass Lewis (an influential proxy voting firm) having last year added a new section to its proxy voting guidelines stating that "a company's stakeholders would benefit from clear disclosure regarding the role of the board in overseeing issues related to cybersecurity".
It can therefore be expected that, even though the Code is voluntary, investor expectations (and concerns over individual director liability) will drive boards to follow it.