Business leaders supported to bolster online defences to safeguard growth
Directors and company boards are being urged to shore up their cyber defences using new guidance published today, in a bid to protect their organisations from the growing tide of online threats.

- Package of measures sets clear steps boards and directors can take to protect their businesses from cyber criminals
- Improved strategies and better risk management will help secure sensitive data, ensure business continuity and protect growth
- New resources come days after cyber security legislation plans unveiled – securing the digital services which will deliver growth and the government’s Plan for Change
A new Code of Practice launched by the Cyber Security Minister today (8 April) sets out how business leaders can protect their day-to-day operations and secure future growth for the British economy - the engine driving the government’s Plan for Change.
One of the actions is having a cyber strategy in place to ensure cyber risk management effectively supports business resilience and growth. Other key actions include promoting a cyber secure culture so employees at all levels know what to look out for, and putting incident response plans in place, allowing organisations to quickly respond to incidents when they occur.
The Code has received backing from across UK industry with organisations including the Institute of Directors, EY and Wavestone welcoming the launch.
Cyber attacks have become increasingly common, with 74% of large businesses and 70% of medium-sized firms experiencing attacks and breaches in the past year. Cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019, with significant knock-on effects to daily operations and an organisation’s long-term reputation.
With a third of large businesses lacking a formal cyber strategy and nearly half of medium firms operating without an incident response plan, the Code provides the direction leaders need to take control of their cyber risk.
Cyber Security Minister Feryal Clark said:
A successful cyber attack doesn’t just have the potential to grind operations to a halt – it could drain millions from the bottom line.
If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat.
Our new Cyber Governance Code of Practice does exactly that – setting out in clear terms steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers.
NCSC CEO Richard Horne said:
In today’s digital world, where organisations increasingly rely on data and technology, cyber security is not just an IT concern – it is a business-critical risk, on a par with financial and legal challenges.
From my experience working alongside senior leaders across both private and public sectors, I’ve seen first-hand how robust cyber governance is essential to drive resilience, support growth, and help to ensure long-term success.
I urge all board members to engage with the new Cyber Governance resources unveiled today and make cyber security an integral part of their governance. Cyber security is a leadership imperative.
The Cyber Governance Code of Practice is the foundation of this new support package. Developed in partnership with the National Cyber Security Centre and industry leaders, it sets out key actions boards should take to strengthen accountability and reduce risk. It’s supported by online training to help implement the Code, and a detailed Board Toolkit with further practical guidance. This will arm businesses with confidence in the tools they deploy to protect themselves online, safeguarding their businesses, their workers, and their customers.
This package, also produced in collaboration with Non-Executive Directors, ensures boards have practical, relevant resources to deepen their understanding and effectively govern cyber risks.
Small businesses looking to strengthen their online defences are encouraged to engage with the NCSC’s Small Business Guide, which provides quick and easy actions to help bolster their defences, and with support through the Cyber Local scheme, which provides tailored funding to boost regional cyber skills.
Cyber security has become a central part of the government’s plans to secure the digital services which drive growth across the country to deliver on its Plan for Change.
Just last week, the Technology Secretary set out his ambition for cyber security legislation which will be introduced to Parliament later this year - a set of proposals which will protect the UK’s supply chains, critical national services, and IT service providers and suppliers. As part of the new measures, hospitals and energy suppliers are set to boost their cyber defences, protecting public services and safeguarding growth.
Stakeholder reaction
John Edwards, UK Information Commissioner, ICO said:
With cyber incidents increasing across all sectors, it is crucial for organisations and businesses to take a proactive approach to cybersecurity governance, including putting the appropriate security measures and training in place to protect people’s data while boosting innovation.
We welcome the new Cyber Governance Code of Practice and would encourage organisations to prioritise the digital safety of their assets and, ultimately, their reputation.
Jonathan Geldart, Director General, Institute of Directors said:
Cyber resilience is fundamental to organisational success and a core responsibility for boards and directors. The UK Government’s Cyber Governance package provides valuable guidance to help business leaders effectively oversee cyber risk.
Members of the Institute of Directors have actively contributed to shaping the Cyber Governance Code of Practice through consultative workshops and panel discussions. We welcome this action by the government, which will support our members, UK business and the wider economy in strengthening cyber security.
Jean-Philippe Perraud, CEO, NEDonBoard, Institute of Board Members said:
Cyber resilience is fundamental to organisational success. The Cyber Governance Code of Practice sets a clear benchmark for boardroom engagement. NEDonBoard, Institute of Board Members, supports board members in upskilling for effective oversight of cyber risk, digital transformation, and resilience.
We are proud to have been a key stakeholder and representative group, actively contributing to the development and refinement of the Cyber Governance Package. We support this important initiative by DSIT and NCSC and encourage boards to embed the principles of the Code and the pledge into their organisations’ oversight and risk management practices.
Rick Hemsley, UK Cybersecurity Leader, EY said:
We are proud to have contributed to the development of the Cyber Governance Code of Practice, drawing on our extensive real-world experience. The code will serve as a vital resource for Boards and senior leadership teams, providing them with the guidance needed to address cyber resilience. The code emphasises the importance of not only protecting sensitive data but also ensuring that organisations can respond effectively to incidents when they occur.
A strong culture of cyber resilience can help organisations to anticipate, withstand, and recover from cyber incidents, ultimately safeguarding their stakeholders and maintaining trust in their operations.
Thomas Clayton, UK Head of Cyber, Zurich UK said:
The cyber insurance market is relatively new in comparison to other propositions in our industry. It has developed rapidly in recent years to keep pace with the sophisticated tactics used in the event of an attack. The key to protecting organisations from attacks is resilience rather than simply prevention – these incidents are detrimental to business operations but also bring longer term reputational and wider economic damage.
Preparation is therefore vital and as a result, the Cyber Governance package published by the UK Government which brings clarity to the responsibility of boards and directors when it comes to governing cyber risk, is something we fully welcome and support.
Anne Kiem OBE, Chief Executive of the Chartered Institute of Internal Auditors said:
We welcome the new Cyber Governance Code of Practice, which empowers organisations to bolster their governance of cyber risks and controls. As cyber-attacks further escalate, boards must ensure that the assurance and oversight of their cyber resilience is robust and consistent with existing internal audit assurance mechanisms - as highlighted in the new Code. Internal audit is key in supporting the Code’s implementation by providing independent, insightful assurance that internal controls for cyber risks are strong and effective.
Rob Deri, CEO of BCS, The Chartered Institute for IT said:
Strong cyber governance is critical in today’s digital landscape, and it must be a board-level priority. BCS welcomes the publication of the Cyber Governance package, which provides valuable guidance in formalising cyber security practices. Cyber risk is a principal risk for organisations, and this package will be a valuable resource for our members and the wider industry.
Chris Dimitriadis, Chief Global Strategy Officer, ISACA said:
ISACA is proud to have supported DSIT in designing this significant new piece of enterprise guidance. Digital trust is critical for enterprises to innovate and drive economic growth. At ISACA, we are committed to equipping organisations and professionals with the knowledge they need to build a culture of resilience. By providing clear guidance on cyber risk management, this Code empowers boards and directors with the tools they need to strengthen organisational cyber resilience.
Esther Mallowah, Head of Tech Policy, ICAEW said:
Boards and directors recognise the importance of cyber resilience to their organisations’ success but face an ever-evolving challenge in understanding and fulfilling their responsibilities around cyber governance. The Cyber Governance package, published by the UK Government, helps to clarify their responsibilities and provides much needed direction on where to focus and what actions to take to govern cyber risk. We’re pleased the government is taking this action to support our members and to improve cyber resilience across the economy and look forward to continuing to work with DSIT on the evolution of the code.
Julia Graham, CEO, Airmic said:
Airmic supports actions to improve the management of cyber risk and the guidance for boards and top management provided by the Code of Practice and supporting materials. These will add tangible value to our members and the organisations they represent by helping to keep our country, businesses and citizens safe and resilient to risks set out in the National Risk Register, including cyber threats.
Mike Maddison, CEO of NCC Group, said:
Cyber security is an economic necessity in today’s digital and interconnected world. But, a major cultural shift within organisations’ senior leadership is needed to ensure that those running the UK’s public and private sector institutions understand our collective responsibility to invest in cyber resilience.
The Code of Practice is a welcome step in the right direction. Delivering whole-of-society cyber resilience is a complex undertaking. As part of the UK Government’s wider approach, initiatives like the Code play a key role in spotlighting senior leaders’ responsibilities and supporting the rollout of stronger digital defences.
Ben Martin, Policy Manager at the British Chambers of Commerce said:
Cyber threats against businesses are continuously evolving, and without coordinated action many SMEs will remain at risk. Research suggests there is a lack of specialist digital security knowledge in many smaller companies. This guidance is a welcome step forward to help firms take the steps needed to protect their digital assets and information.
Graham Wynn, Assistant Director for Consumer, Competition and Regulatory Affairs, British Retail Consortium said:
The BRC first published a Guide to cyber security measures for Boards and Directors nearly a decade ago. This Code with its emphasis on risk; strategy; recovery; and people is very much in line with our approach. It is vital that Boards should understand the risks and the need for a coherent plan of action in the event of an attack. The Code will help to highlight that need.
Graeme Trudgill, CEO British Insurance Brokers’ Association said:
BIBA welcomes the Cyber Governance Code of Practice published by the UK Government. This voluntary guidance will support boards and directors of medium and large businesses to govern their cyber risk and enhance their operational resilience.
Olu Odeniyi, Co-founder, CxB said:
Cyber resilience is essential for organisational success, and the UK Government’s Cyber Governance Code provides clear guidance on the responsibilities of boards and directors in managing cyber risks. We at CxB - Cyber Governance for Boards strongly welcome this initiative and contributed our expertise, thought leadership and experience to help shape the Code and the associated training, which empowers boards across all sectors to strengthen their cyber resilience.
Rowena Ironside, founder of WB Directors’ ‘Women on Boards’ network & portfolio NED said:
Cyber resilience is fundamental to organisational success - all board directors today need to have a handle on the risk and their responsibilities in this area. We welcome the Cyber Governance Package published by the UK Government, which clarifies the responsibilities of boards and directors in governing cyber risk. It will be an indispensable tool for members of our cross-sector non-executive director network to ensure the organisations they govern strengthen their security posture and contribute to a more resilient economy.
Further Information
Read the Cyber Governance Code of Practice launched today.
Visit the National Cyber Security Centre (NCSC) website for the NCSC Cyber Governance Training and NCSC Board toolkit.
DSIT media enquiries
Email press@dsit.gov.uk
Monday to Friday, 8:30am to 6pm 020 7215 3000