Government calls for views on draft Code of Practice on cyber security governance
As part of the £2.6bn National Cyber Strategy which seeks to protect and promote the UK online, DSIT has published a call for views on a proposed Cyber Governance Code of Practice. The code focuses on the most critical areas that leaders must engage with, making it easier for directors, non-executive directors and senior leaders to understand what actions are required to manage their cyber security risk.
DSIT is inviting stakeholders from across the economy and society to provide feedback on the proposed Code, to understand whether the actions directors should take to manage cyber risk are presented and explained in a way that is straightforward to understand and to implement. The call for views will close on Tuesday 19 March.
The proposed Cyber Governance Code of Practice
Despite the existing regulatory requirements and supporting guidance and tools, many organisations find the cyber landscape complex and challenging to navigate, with the majority in favour of additional solutions to illustrate 'what good looks like'. This view has been strongly supported in the engagement the government has had on governing cyber risk over the past twelve months with a range of organisations, including auditors and industry bodies.
This helps demonstrate that while resources on how to govern cyber risk more effectively do exist, they can be hard to find and engage with. In addition, the majority of existing resources are predominantly outcomes-focused, which can be difficult for directors to engage with when they have limited time and a limited understanding of cyber risk.
While there is no one-size-fits-all approach to governing business risks such as cyber risk, there are some common fundamental actions that all directors and their organisations should take. Government proposes that a cyber governance Code of Practice would bring together the critical governance areas that directors need to take ownership of in one place, in a form that is simple to engage with, for organisations of all sizes.
A cyber governance Code of Practice would formalise government’s expectations of directors for governing cyber risk as they would with any other material or principal business risk.
This Code is the product of extensive engagement with organisations that manage and advise on business risk on a daily basis, and has been co-designed with industry leaders and technical experts at the National Cyber Security Centre. It focuses on the most critical areas that leaders must engage with, forming simple, action-focused guidance that makes it easier for directors to understand what actions to take.
The purpose and scope of the call for views
The call for views is focused on three particular areas:
- The design of the Cyber Governance Code of Practice: Are the actions that directors should be taking to govern cyber risk presented and explained in a way that's straightforward to understand and implement? What further guidance would help industry to implement the code effectively?
- How the government can drive uptake of its use, and compliance with the Code of Practice: Where should the Code be placed and promoted to ensure it reaches directors and forms a core aspect of their knowledge base on risk management in a digital age? What role could other bodies play in the implementation and uptake of the Code? Are there any potential barriers to implementation that should be considered, that are not already outlined in the call for views document?
- The merits and demand for an assurance process against the Code of Practice: What is the potential demand for an assurance mechanism to support the implementation of the Code? Who might find value in an independently assured 'badge', and for what market communication and transparency purposes would it be used? What are the associated risks of assuring cyber governance?
You can access the full Call for Views document with the proposed Cyber Governance Code of Practice here.
For further information, you can contact: [email protected]
Have your say on the Cyber Governance Code of Practice
On Tuesday 6 February techUK will be hosting two roundtable sessions with DSIT on the Cyber Governance Code of Practice to provide members with an opportunity to provide their feedback.
Roundtable 1 will be for cyber organisations to provide feedback - you can register here.
Roundtable 2 will be for directors/non-exec directors/senior leaders of organisations that the Code of Practice is designed to help to provide feedback - you can register here.