It’s often said that there are two types of companies: those that have been hacked and those that are going to be. With cyber threats constantly evolving and escalating, the Department of Science, Innovation and Technology this year issued the UK Cyber Governance Code of Practice.
For this latest episode of our UK Governance & Compliance mini-series, we’ve gathered a team of experts to answer the questions that directors and in-house legal teams are asking. These include: How does the code work in practice? What actions are required to comply with the Code? Where should directors start? What role should legal teams play in incident planning and response? What guidance is available? What part does training have to play? And, looking ahead, how likely is the Code to become a mandatory regulatory requirement?
Joining Ashurst’s Will Chalk to discuss these issues (and more) are Rhiannon Webster, Ashurst's UK head of data protection and cybersecurity, and Rachael Falk, a partner in Ashurst’s Risk Advisory team in Sydney, Australia.
To listen and subscribe to future episodes in our governance and compliance mini-series, search for ‘Ashurst Legal Outlook’ on Apple Podcasts, Spotify or your favourite podcast player. And to find out more about the full range of Ashurst podcasts, visit ashurst.com/podcasts.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.
Will:
Welcome to the third in our AGC series, the Ashurst Governance and Compliance Podcast, where we focus on the latest developments in the world of governance, compliance, and reporting. I'm Will Chalk, a partner in Ashurst's London corporate team focusing on corporate governance.
In this edition, we're going to focus on the launch by the Department for Science, Innovation and Technology of the UK Cyber Governance Code of Practice and the implications and actions which flow from it. Cyber preparedness and response is a live issue for every company. It appears it's the retail sector's turn to be hit hard at the moment, and it's often said that there are two types of companies: those which have been hacked, and those which are going to be. And it's not just retailers and financial services institutions that are being targeted. Any company which has a system on which it relies is vulnerable, whether or not that system contains personal data.
It's estimated that in 2025, the cost of cyber-related crime will be $10.5 trillion, outstripping the illegal drugs industry. And prevention is far better than cure. On average, it takes 422 days from a cyber-attack being detected to completing remediation. Chillingly, a threat actor is in a system for 59 days without being detected. So as part of the focus on prevention, DSIT has, after a call for evidence, last year launched its cyber code of practice. To take us through it, I'm delighted to be joined by Rhiannon Webster, Ashurst's UK head of data protection and cybersecurity, and relatively new to Ashurst Risk Advisory Consultancy, Rachael Falk, considered to be one of Australia's leading experts on cybersecurity and regulation, and the former CEO of Australia's Cyber Security Cooperative Research Centre. Thanks both very much for joining me. Rhiannon, can you start us off by teeing up the content of the code of practice and how it works?
Rhiannon:
Thanks Will. Yes, sure. So as you've said, it's been produced by DSIT, so that's the Department of Science, Innovation, and Technology, in conjunction with the National Centre for Cybersecurity, the NCSC, and governance experts to support boards and directors in governing cybersecurity risks.
It sets out five critical governance actions that directors are responsible for, and it's split into five principles. They are risk management, cyber strategy, people, incident planning and response, and assurance and oversight. And its aim is that cyber risk should be governed in the same way as any other material or principal business risk. It's the first of its kind in the cyber area. So today, all other codes of practice, and there are a few, for example, there's recently an AI security code of practice which has been published, are technical in nature. This isn't aimed at technical teams.
Will:
So who is the code aimed at then, Rhiannon?
Rhiannon:
So its primary audience is the boards and directors of medium and large organisations. It's a recognition that digital technology is critical for business, and there is a disconnect, or there's currently a disconnect, at board level. Boards, some of them, leave it to technical teams and IT security teams, rather than treating it as a governance issue themselves. So this code makes it a responsibility for boards and directors to oversee the risk which comes with the technology, and recognise that it isn't something which should be delegated to IT. It's a whole-of-company issue. It's also bringing to the fore that getting governance right is crucial to business. This isn't just a compliance thing; it's really important to run a successful business that you get this right. So it's a real shift in focus towards the board, to understand and own cyber risk.
Will:
And there's some pretty useful guidance and other materials that sit alongside it. Do you want to just take us through what's available?
Rhiannon:
Sure. There's a whole layered approach to this. So the code itself is actually quite short, and it sits at the top. And that sets out the actions the board should take. Underneath that, there's specific training on the DSIT website, which looks at each of those principles, and it confirms what actions board members should be taking. And then as part of that, there is also the Cyber Security Toolkit for Boards. Now, that latter document has been out for quite a while. It's a very long document, but it underpins the training and the code, and will further support directors and board members. For example, it includes lots of guidance and it includes lots of questions that they think the boards should be asking.
Will:
But your opinion, I think, is that it's pretty useful and accessible?
Rhiannon:
Yeah, it is. I've been through the training myself, it's very clear. There's some good questions, and I can see relatively lay people learning a lot from the guidance.
Will:
So Rachael, turning to you, you were involved in setting out guidance for Australian directors produced after some very high-profile cyber-attacks. Presumably aspects of that are useful here, too?
Rachael:
Absolutely. Just after, and it was quite coincidental, because we were already doing this, but in October 2022, September-October 2022, Australia had two rather large cyber breaches within three weeks of each other. But we launched the first set of the cyber governance principles with the Australian Institute of Company Directors, the AICD, and my former organisation, the Cyber Security Cooperative Research Centre. And we launched the cyber governance principles for exactly this reason, that the code is also in place, because there really wasn't a best practice guidance out there for directors and boards really to understand what good looked like when it came to cyber governance. And to Rhiannon's point, this is very much not a technical issue. Whilst the method may be quite technical, what we do know is boards are responsible for how they govern and oversee cybersecurity, and cybersecurity and sort of digital risk is just another risk to be managed along with all the other risks that boards oversee.
So our guidance is slightly longer, it's 75 pages, but similar to the UK code, it's split into five core principles. And what, I suppose, our guiding principle there was we wanted to help boards and management understand what good looks like, which is kind of similar to the thread that runs through these, which is helping boards gain assurance, or gaining assurance, which is a phrase you see repeated often in the code. But we were very committed to what's called reasonable steps. Helping boards and directors understand what reasonable steps should be taken commensurate to the organisation, that their budget, and what they oversee, and the nature of the risks they have. But they're very similar in approach.
Will:
And so turning to the UK Code of Practice, there's five overarching principles, as Rhiannon's teed up, where does a director or board start?
Rachael:
Well, I think boards always have to start with what are the cyber risks that we're managing? Do we actually understand the cyber risks of our own company? And that's very similar to where we start. And the Australian one similarly starts with the clear roles and responsibility of what is the risk we're carrying. But I think all directors and boards need to have a good understanding of not just the cyber risk and what it looks like, but an understanding of ... What sometimes boards struggle with is, "We're not technical, we don't necessarily understand what's being told to us." So breaking that down and seeking assurance, but breaking every risk down into something that is accessible and they can understand. So that's where they start. And so it starts with the gaining assurance about a range of risk management objectives, which is where the UK starts. And I think similarly, how do they gain assurance that the cyber risks the organisation are carrying are being appropriately managed?
Will:
So Rhiannon, coming back to you, there appears to be a significant role for legal teams in principle four on incident planning and response. Do you want to develop that?
Rhiannon:
Yeah, sure. So there's a recognition that you need to be prepared, and that means that you need to have an incident response plan, regular testing of that plan. You need to understand your legal and regulatory requirements. You need to understand your role during a crisis, and that's everyone's role.
So focusing on two key areas there, it would be the Board's role and the legal team's role. And, as I say, you need to test that in a non-pressured environment. So there's a lot in there, in the code and then in the accompanying guidance, about what that looks like in practice. And as you've teed up, Will, the role of the legal team is crucial to this.
And I think it might be underplayed how much of a role the GC, for example, would have in this situation. We've had a number of testing exercises and war games that we've done with clients where the GC hasn't even turned up for the testing. So they need to realise how important their role would be: there are things like maintaining privilege, if that's possible. It's about understanding those legal and regulatory requirements. It's also quite surprising how many clients don't actually understand what laws cover their data and which regulators they might need to notify in the context of a breach. So all of that needs putting in place and testing, regular testing over the years.
Will:
And of course if you're a company on a public market, there's potential notification to the market, as we know from the incidents that we've been involved in together.
Rhiannon:
Absolutely. And I think, in the situations that we've worked in together, that hadn't been role-played. We were working with them live to work out in what situations the market needs to be told. And I think there could have been a lot of preparation around that, about what the threshold would be.
Will:
So do you think this is potentially regulation by the back door, then?
Rhiannon:
I think it's in danger of that, but I don't think that's a bad thing in particular. So the Information Commissioner's Office are more and more now, in their enforcement action, referring to objective security standards. So by that I mean the Cyber Essentials scheme, and NIST cyber security frameworks. I think that's because they received a lot of criticism over the years for seeming to be quite subjective in their enforcement. So this is another tool in their armoury to be able to demonstrate that organisations who've suffered a breach haven't met what should be good practice in terms of preparedness and governance from a cyber security perspective. So the ICO has already endorsed it; they came out straight away when this was finalised to say that they approved of it. I can see it won't be very long before it gets mentioned in an enforcement action if there's any sniff of the fact that they don't think the board had appropriately governed cyber risk sufficiently.
Will:
So is there an argument, do you say, you should take the code, take the actions that sit under all the principles, and map what you have done to apply each principle and respond to each recommended action relative to the training that sits behind it?
Rhiannon:
I think that would be an excellent idea. And I think, Will, you know more about this than me, that recording that is an important part of that compliance.
Will:
So a real need for an uplift in reporting around this sort of issue. I mean, from my perspective, thinking about listed company governance in the context of the last podcast we did on the forthcoming Provision 29 of the UK Corporate Governance Code, this is an area of material controls which plays into the need for attestation as to the effectiveness of those controls in due course. So it's all linked together in my view. Rachael, some final reflections from you?
Rachael:
Look, I think absolutely, any of these sort of external guidance and the code, it's open to regulators and the courts to look at them. They're really useful principles, as everyone said, by which you can start to work through the company and work through how well, as a board, you would understand it.
I note that the definition of gaining assurance from the code is "obtain and maintain confidence or verification that systems, processes or controls are effective, reliable, and meet required standards, often through audits, reviews or third-party validations." And there's a lot in that. It's a few lines, but there's a lot in that.
But you can imagine that being the test that boards are put through: did you obtain it? How did you obtain and maintain confidence? Where are your audits and reviews? So really, the importance of group internal audits, regular reviews, and third-party validations. Again, having organisations come in and take boards and their management team through a reasonable steps review. What are you doing to prepare, not only to be a resilient organisation, but also for an inevitable event? So there's a lot in that boards need to get across, and I think this is a really good start so that they can start to work towards something that resembles guidance principles. So whilst the UK code might be a short document, there's a lot in there that I think can be a signpost for boards and management teams.
Will:
And Rhiannon, what comes next?
Rhiannon:
I think we're going to have a real push for these kinds of obligations of governance and training on cyber to finally make their way into legislation. So we have the Cyber Resilience Bill, which is shortly going to come before Parliament in the UK. That's going to be aimed at national critical infrastructure. There's already something called NIS 2 in Europe, which is the European equivalent. And that has specific obligations about training of management teams on cyber risk. And I think it's highly likely that that provision will make its way into the UK too in relation to critical infrastructure. So I think we've got a code. I think the code will come in via the back door via ICO enforcement. But I also think we've got legislation on the way for the critical infrastructure elements, too.
Will:
So as always with cyber security, fascinating and terrifying in equal measure, and as pervasive an issue as it's possible to imagine. If you'd like to discuss what you and your board should do in light of the publication of the code of practice, do get in touch. Rhiannon, Rachael, thank you so much for joining me and providing such practical insight. And thank you for listening to our podcast. There's more to come, many of which will develop the issues in our board priorities for 2025, which you can also find on our website. Please do share the podcast with interested colleagues. Let us know what you think so we can improve them in the future. Bye.