Regulator should promote new code for cyber governance

Airmic emphasises need for a more strategic rather than operational approach to cyber...

A regulator such as the Financial Reporting Council (FRC) should promote a new voluntary code for cyber governance to encourage its uptake, according to 89% of respondents in an Airmic survey this week. Airmic is making a submission to the Department for Science, Innovation and Technology (DSIT), which is consulting businesses and organisations for views on its draft Cyber Governance Code of Practice.

Viscount Camrose, Parliamentary Under Secretary of State for DSIT, said: “Organisations have a responsibility to take action to manage their own cyber risk but stronger frameworks of accountability and good governance are needed at board level to make this a priority.”

The code focuses on the most critical areas that leaders must engage with, forming simple, actions-focused guidance, making it easier for directors to understand what actions to take.

The code is intended as a voluntary tool, so the government’s call for views was particularly keen to explore what role other bodies may play in the implementation and uptake of the code.

Julia Graham, CEO, Airmic, said: “Any guidance that goes with the code should avoid checklists, because of the ‘tick box mentality’ that this engenders, which runs counter to our shared aspiration for a more strategic – rather than technical or operational – approach to cyber issues that the UK economy needs.”

Respondents in this week’s Airmic survey also said their organisations would be encouraged to take up the code if it is consistent with other existing compliance requirements they face (79%), and if there is an assurance mechanism to support the code’s implementation (53%). As a means of improving uptake of the code, the government is exploring a self-assessed or independently assessed assurance process against the code.

Hoe-Yeong Loke, Head of Research, Airmic, said: “Airmic members believe that such a code would focus the minds of board members, in particular non-executive directors who may not have the skills or knowledge of this relatively new area of responsibility for the board.

“The code and any supporting guidance that goes alongside it need to be linked to other recognised standards such as the cybersecurity framework of the National Institute of Standards and Technology (NIST) in the US.”

 
