A recent survey conducted by Airmic revealed that a substantial majority (89%) believe that entities like the Financial Reporting Council (FRC) should champion the adoption of a newly proposed voluntary cyber governance code.
The insight came from Airmic’s contribution to a consultation initiated by the Department for Science, Innovation and Technology (DSIT) on its draft Cyber Governance Code of Practice, aimed at gathering input from businesses and organizations.
Survey respondents also indicated that alignment with existing compliance frameworks (79%) and the provision of an assurance mechanism to support the code’s enactment (53%) would significantly motivate their organizations to embrace the code. In response, the government is considering the introduction of a self-assessment or independent evaluation process to facilitate code compliance.
The DSIT’s Parliamentary Under Secretary of State, Viscount Camrose, emphasised the importance of organisations actively managing their cyber risks.
“Organisations have a responsibility to take action to manage their own cyber risk but stronger frameworks of accountability and good governance are needed at board level to make this a priority,” Camrose said.
The proposed code targets critical leadership concerns, offering advice to aid directors in identifying necessary measures for cyber risk management. Further recent research from the association found that cyber incidents, including ransomware attacks, were the predominant risk for organisations associated with Airmic members in 2024.
Airmic CEO Julia Graham advocated for guidance to be included with the code to encourage firms to steer clear of prescriptive operational checklists, which could foster a box-ticking culture. She argued this approach contradicts the broader objective of adopting a strategic perspective on cyber challenges.
“Any guidance that goes with the code should avoid checklists, because of the ‘tick box mentality’ that this engenders, which runs counter to our shared aspiration for a more strategic – rather than technical or operational – approach to cyber issues that the UK economy needs,” Graham said.
Airmic’s head of research, Hoe-Yeong Loke, also pointed out the code’s potential to concentrate the attention of board members, especially non-executive directors unfamiliar with this burgeoning responsibility.
“The code and any supporting guidance that goes alongside it needs to be linked to other recognised standards such as the cybersecurity framework of the National Institute of Standards and Technology (NIST) in the US,” Loke said.
What are your thoughts on this story? Please feel free to share your comments below.