We have seen a significant uptick in cyber preparedness activity recently and an increased focus on cyber governance. While the global cyber threat landscape continues to evolve, in the UK this activity has been driven, in part, by recent ransomware headlines at retailers like M&S, Harrods and the Co-op. Changes to the Corporate Governance Code are also having an impact.
Lessons to take from the recent attacks
- The recent retailer headlines are a stark reminder of the devastating impact a cyber-attack can have on an organisation. They also demonstrate the importance of good cyber governance and preparedness. You can be the victim of a cyber-attack even if you have good security in place. There is, however, now an expectation that you will know what to do if/when an incident occurs – whether in terms of assessing the severity of an incident, managing the immediate response or dealing with the longer term implications and restoration of business confidence.
- Regular rehearsals of your cyber preparedness plans together with your key advisors (technical, legal, PR etc.) will help ensure those plans are fit for purpose. This is particularly important given:
  - the legal landscape around cyber is fast moving and plans need to comply with current legal and regulatory requirements. Recent developments include new management body liability under the EU's NIS2, the UK's Cyber Security and Resilience Bill, new ransomware proposals, and cyber-related fines from data regulators which detail the regulator's security expectations;
  - clear lines of responsibility and communication are vital, particularly in larger organisations where both group and operating boards could be involved in a serious incident. Rehearsals can test whether these channels work in practice.
- Board training is also key, particularly as board members may be directly contacted by the attackers (M&S) or may find themselves speaking to the media about the breach (Co-op).
What do the Corporate Governance Code and associated guidance say about cyber?
- As discussed in our latest Cyber podcast, the Corporate Governance Code was recently updated. While it does not reference “cyber” expressly, it does (in Provision 29) state that Boards must “monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness”. Boards must also make an annual declaration of such effectiveness in the company’s annual report.
- The Code already stated that this monitoring and review should cover all material controls, but new guidance which accompanies the updated Code (although not binding) now expressly refers to controls over “information and technology risks including cybersecurity” – as examples of what might constitute material controls. This is the first time we have seen a reference to cyber in the guidance.
- The updated Code guidance also includes a new section on Cyber Security Risk Management which refers to the need for a “top-down approach” in order to manage cyber risk effectively. This aligns with messages from bodies like the National Cyber Security Centre (NCSC), the Information Commissioner and the Institute of Directors, that cyber is a board level issue.
- Note: the Cyber Code of Governance, published in April 2025, is separate from the Corporate Governance Code and the accompanying guidance mentioned above. It was developed by the UK Government (Department for Science, Information and Technology) and the NCSC to support boards and directors in governing cyber security risks. It is intended to help boards of medium and large organisations understand what their responsibilities are, and what actions they need to take, around cyber risk.
What do the Code changes mean in practice?
- The Code guidance is not mandatory, nor is it intended to be prescriptive, and so companies must still consider whether controls over IT and cyber risks constitute material controls for their company. However, we expect that cyber will be seen in this way by many companies.
- In terms of timing, most of the changes to the Code are already effective but the changes to Provision 29 apply from next January (with the first mandatory reporting in 2027).
- Many companies are actively reviewing their existing risk management and internal control processes and the related record-keeping processes, both to mitigate substantive risks and to ensure that they have sufficient evidence to support the new declaration of effectiveness. Where controls over cyber are deemed to be material controls, this review should therefore also cover cyber-related processes and record keeping.
- Organisations are also considering whether the board requires any additional external assurance to support their ability to give the declaration (which could include assurance from cyber experts).
More information: