(Sponsored content)

The government is continuing to press UK businesses to take a stronger approach to improving cyber resilience and ensure that all organisations of all sizes are prepared for cyber incidents. To this end, the government is issuing a new Cyber Governance Code of Practice. The intention is to highlight the fact that cyber risk should have at least the same prominence as financial or legal risks, and the responsibility and ownership of cyber resilience is a board level matter.

Lindsay Hill, CEO Mitigo

Why is the government doing this?

This is hardly surprising given the increase in serious disruption to businesses across the country caused by cyber-attacks, largely driven by organised criminal gangs based overseas. Ransomware attacks take businesses down for many weeks or months at a time and can leave them permanently crippled. The average ransom payment in 2024 was £1.5 million (National Crime Agency) but can run into many millions of pounds. Business email compromise is rife (especially in law firms and the rest of the professional services sector), frequently resulting in significant sums being lost by firms and their clients. Yet despite all this, the 2024 government cyber breach survey found that over 80% of businesses have still not carried out a cyber security vulnerability audit, and over 70% have no formal incident response plan in place. The government believes that many boards and senior leaders lack an understanding of cyber issues, with little or no meaningful oversight of this business-critical risk. Indeed, it is often delegated to technical people and not looked at in the context of wider business risk management.

Who is the Code aimed at?

It is aimed at directors, non-executive directors and other senior leaders. It formalises the government’s expectations regarding an organisation’s governance of cyber security and sets out the clear actions that leaders need to take to meet their responsibilities in managing cyber risk. It will of course be of interest to other stakeholders in a business including shareholders. It should make for essential reading for all private equity investors. It is designed to have application to businesses of all sizes and in all sectors.

Will it be compulsory?

At this stage, adherence to the Code will be voluntary. It will supplement the existing obligations which any business already has under data protection legislation and the relevant regulatory environment. Following the cases of Tuckers and Interserve, the ICO will certainly be taking a failure to adhere to the Code into account in the event of a personal data breach. The ICO has already stated that it expects to see clear evidence of management oversight of cyber risk, including regular reviews, with business leadership ensuring appropriate resources are provided to enable a proper information security programme. Interestingly, the government says that it will be exploring how the Code can also be used to support sector regulators to help with regulatory compliance. Additionally, it says that it expects to establish an accompanying assurance scheme to be rolled out at a later date. And finally, whilst the Code will initially be voluntary, depending upon take-up, it could be the subject of future legislation.

What does the Code cover?

The five main themes are risk management; cyber strategy; people; incident planning and response; and assurance and oversight. Each theme includes specific actions which should be taken.

What is the upshot?

The upshot is that if cyber security is not at or near the top of your register of business risk, then it should be. And it is the most senior management in your law firm that must accept responsibility for understanding it, managing it, and providing oversight. In other words, a top-down approach.

The Law Society has partnered with Mitigo to offer specialist cyber risk management to its members, with exclusive discounts. For more information contact Mitigo on 020 8191 9205 or email lawsociety@mitigogroup.com.

https://mitigogroup.com/partnership-pages/the-law-society/

lawsociety@mitigogroup.com

0208 191 9205
