Cyber risk in the boardroom: understanding the UK’s new Cyber Governance Code of Practice
Earlier this year, the Department of Science, Innovation and Technology (DSIT) launched its Cyber Governance Code of Practice (the Code). The Code is aimed at the boards of medium and large organisations and is intended to support board-level leadership in managing cyber risk. It has been designed as a practical framework to help integrate cyber risk into existing governance structures and decision-making processes – recognising that cyber resilience is now a core component of good corporate governance. The Code forms part of the UK Government’s broader suite of cyber governance resources, alongside its existing Cyber Security Toolkit for Boards and Cyber Governance Training. The Code is intended to be the first point of reference for board members, supported by these additional tools.
The UK cyber landscape
The Code has been introduced at a time of heightened scrutiny and growing awareness of cyber risk, following recent high-profile ransomware attacks on Marks & Spencer and the Co-op in April and May 2025. These incidents continue to cause significant disruption to operations and potentially compromise customer and employee data, underscoring the growing threat to UK businesses.
Alongside the Code, DSIT has published its Cyber Security Breaches Survey 2025, a research study on cyber resilience. This highlights gaps in board-level engagement with cyber risk, with many organisations still treating it as a technical issue rather than a strategic governance priority. The findings show that 43% of UK businesses reported a cyber breach or attack in the past year, rising to 67% of medium-sized and 74% of large businesses. 72% of businesses now identify cyber security as a high priority.
And yet only 27% have a board member with responsibility for cyber security – a figure which has declined steadily over recent years. This disconnect between risk awareness and board-level accountability underscores the need for clearer governance frameworks.
The Code
The Code aims to enshrine cyber governance as a strategic issue underpinning long-term resilience and value, rather than a technical matter for IT teams. The Code is therefore not an operational manual, but a high-level governance framework designed to guide board oversight.
The Code sets out five core principles for effective cyber governance. These are supplemented by recommended actions for each core principle.
- Risk ownership – boards must take ownership of cyber risk as a strategic issue. Actions to support this principle include: agreeing senior ownership of cyber risks and integrating them into wider risk management controls; ensuring that supplier information is routinely assessed as part of supply chain management; and implementing risk identification and management systems with board input.
- Strategy – cyber resilience should support and enable broader business objectives. Actions to support this principle include: the development of a cyber strategy which is aligned to the organisation’s wider strategy; ensuring that this is aligned to the organisation’s risk appetite and regulatory obligations; and allocating resources to effectively implement the strategy.
- People – the organisation should have the right skills, capabilities and cultures to manage cyber risks. Actions to support this principle include: promoting a cyber security culture; ensuring accountability across all levels; producing clear policies to guide employees; undertaking training at board level to improve literacy around the data and digital assets used by the organisation; and gaining assurance around the effectiveness of the organisation’s cyber security training.
- Incidents – planning, response and recovery should be regularly assessed. Actions to support this principle include: the development of a robust cyber incident response plan; an annual exercise of that response plan (with lessons from each exercise reflected in its updates); and board responsibility in the event of an incident, including regulatory reporting, critical decision making and communications.
- Assurance and oversight – clear reporting lines should be in place. Actions to support this principle include: developing a cyber governance structure with clearly defined roles and responsibilities; requiring formal board reporting on at least a quarterly basis; setting suitable metrics for reporting; and effective working with senior executives on cyber governance.
Legal and governance implications
The Code is currently voluntary, but it is likely to have significant implications for cyber governance and risk, both now and in the future:
- While the Code is formally directed at medium and large organisations, its principles are relevant to all businesses, including small businesses with digital exposure. Boards of smaller businesses should consider adopting the Code voluntarily, particularly if they operate in a regulated sector or handle sensitive information.
- The Code is a helpful benchmark in assessing directors’ compliance with legal duties, particularly the duty to promote the success of the company, and to exercise reasonable care, skill and diligence (under sections 172 and 174 of the Companies Act 2006 respectively). Similarly to other voluntary codes of governance, we may see the Code used by regulators, investors, and courts to assess compliance with directors’ duties.
- The Code may be embedded into regulation in the future, particularly if cyber risk continues to escalate or if regulatory appetite for cyber governance increases. Other codes applicable to private companies have begun life as voluntary, but have later become a mandatory ‘comply or explain’ reporting requirement.
- Finally, the Code complements existing governance obligations under the UK Corporate Governance Code and the FCA’s operational resilience framework, as well as sector-specific rules. It also aligns with broader ESG and risk oversight trends, reinforcing the expectation that boards must take an increasingly proactive and informed approach to digital resilience.
Initial practical steps for boards
Boards looking to align with the Code should consider the following actions as a practical starting point for compliance:
- Appoint a board-level cyber lead and agree a cyber governance structure.
- Check whether your organisation has an up-to-date analysis of its cyber risk. Risk assessments should take place regularly and be aligned to the organisation’s broader risk appetite and strategy. Ensure that suppliers form part of the cyber risk assessment.
- Develop a cyber strategy. Make sure it is aligned to broader strategy, and that adequate resources are deployed to support it.
- Make cyber a standing item on the board agenda. Consider incorporating cyber risk reporting into internal and external audit and risk management processes.
- Ensure your organisation is providing training at all levels on cyber resilience, and that there are appropriate cyber security policies in place.
- Have all board members undertake DSIT’s Cyber Governance Training.
- Check whether your organisation has a cyber incident response plan for responding to and recovering from a cyber incident. Ensure that this plan is exercised annually to test your cyber resilience, and implement the lessons learned.
You can access the Code here, the Cyber Security Toolkit for Boards here, and the Cyber Governance Training here.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2025