Patrick Arben
Partner
Article
As we have seen in recent weeks, serious cyber attacks can have long-lasting effects on operations, trading and reputation. Significant financial cost and internal resource are tied up in the ensuing investigation, recovery, regulatory response and legal implications. Cyber criminals exploit weaknesses in systems irrespective of an organisation's size or sector.
Recent UK statistics[1] published by the Department for Science, Innovation and Technology (DSIT) reveal that whilst cyber security remains a key focus for the majority of businesses (72%), board level responsibility for cyber security has steadily declined among businesses over the last four years. Just under 3 in 10 businesses had board members taking explicit responsibility for cyber security as part of their job. (In large businesses, the outcome was better: 66% had a board member responsible for cyber security.)
The Cyber Governance Code of Practice (the Code), developed by the Department for Science, Innovation and Technology together with the National Cyber Security Centre (NCSC), was published on 8 April 2025.
It aims to help UK organisations embed strong cyber risk management into their corporate governance. The Code provides a framework to help senior leaders take ownership of cyber risk in the same way as they do for financial, legal and operational risk. This is a clear signal from government: cyber resilience must be led from the top.
Though the Code is voluntary for now, aligning with it will undoubtedly be good governance practice, particularly in regulated sectors or in the wake of a cyber incident. Organisations may find compliance with the Code introduced as a contractual requirement, particularly in supply chains and procurement processes.
The Code has been designed for medium and large organisations, though it may also be helpful for smaller entities that play a critical role in the cyber security of wider digital supply chains. It is not aimed at those responsible for the day-to-day management of cyber security, but it will be useful in highlighting to boards what their responsibilities are.
Directors have a legal duty under the Companies Act 2006 (section 174) to exercise reasonable care, skill and diligence in how they oversee and manage company risks, including those related to cyber security. Aligning with the NCSC Cyber Governance Code of Practice helps demonstrate that directors are meeting this duty by actively overseeing cyber risk and integrating cyber risk management into corporate governance.
The Code is built around five key governance principles: risk management; strategy; people; incident planning, response and recovery; and assurance and oversight. Taking each in turn:
The Code makes it clear that boards must understand and oversee cyber risk. The responsibility cannot be left to the IT team in isolation. Directors should be equipped to ask the right questions and challenge cyber preparedness as part of regular governance. Cyber threats should be incorporated into existing risk management frameworks, and these must be regularly reviewed and updated.
The Code encourages senior leaders to set the tone from the top. That means promoting a culture of cyber security, encouraging reporting of cyber concerns, and ensuring that cyber risk is embedded into decision-making, in all business units, across the organisation.
This principle focuses on the vital role people play in managing cyber risk. It emphasises that cyber resilience is not just about technology but that it depends on cultivating the right skills, behaviours and culture. All staff should receive appropriate and regular cyber training, including how to recognise and report phishing and other threats.
Boards must ensure the organisation has a clear and tested incident response plan. This includes understanding when and how to engage IT operations, legal, compliance and public relations teams, and how to minimise operational, legal and reputational damage.
The Code calls for appropriate assurance over cyber security measures. This means regular internal and third-party assessments, clear reporting to the board on cyber posture, and an understanding of where gaps or vulnerabilities lie.
Our Cyber team works with boards and senior leadership to navigate cyber risk, ensure compliance with current and emerging standards, and respond to cyber incidents. Whether advising on governance structures, supplier risk, or breach response, we help our clients demonstrate resilience and accountability in an increasingly challenging cyber threat landscape.
If you would like to discuss how the NCSC Cyber Governance Code of Practice could be adopted or embedded, or to talk through what measures you can take to help protect your business, contact our Cyber Security & Resilience team.
We support our clients managing the full life cycle of cyber resilience, covering a whole host of risk mitigation including:
We provide regular insights and resources on the latest developments in data protection and cyber security. Explore our six part 'Data and Cyber School' article series, or our article on cyber data resilience in retail.
To stay up to date with the latest news on cyber security, sign up to our newsletter.
Footnotes:
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website, in whatever form, is provided for information purposes only. It does not constitute legal advice and should not be construed as such. No user should take, or refrain from taking, any decision in reliance solely on this information, nor disregard professional legal advice or delay in consulting a professional on the basis of anything read on this website. Gowling WLG professionals will be pleased to discuss with users the options available on specific legal matters.