The UK’s National Cyber Security Centre recently published its Cyber Governance Code of Practice, an important new tool to bolster cyber security governance across organisations. The Code has been specifically designed to assist governance fora, and those who attend and support them, in effectively managing cyber risk and resource.
The Code aims to provide a framework for governing cyber security risk effectively while driving and supporting organisational strategy through robust cyber practices. It sets out a series of actions across five key areas: risk management, strategy, people, incident planning, response and recovery, and assurance and oversight. As the UK financial regulators have been communicating for some time now, cyber governance is no longer just a technical issue; it is a critical business risk that requires active involvement from senior managers.
Interaction with Op Res
For financial services, the operational resilience regime continues to set the regulatory standard for cyber governance, and much of the Code rhymes with the approach the OpRes regime takes. For example, section D of the Code sets out a series of actions on incident planning, response and recovery. These include having a plan to respond to and recover from an incident, running a stress test at least annually, and taking accountability for the organisation's regulatory reporting obligations. The last of these is particularly topical in the context of recent consultations in which the FCA, PRA and Bank of England proposed new rules on submitting reports of operational incidents that breach defined reporting thresholds.
Taking the temperature and restarting the conversation
The nature of the Code and its practical applications make tabling it at the next meeting a good opportunity to “temperature check” cyber governance in your firm or business unit. It also serves as a grounding document for people with less experience in governing cyber risk specifically.
For those supporting governance structures and / or reporting to boards and committees, reading the Code is essential preparation. Business unit leaders should be able to offer a full response to each of the actions in the Code, demonstrating how it is lived out in their business unit with practical, tailored examples, so that they can give proper assurance.
The Code is also an opportunity to reinforce cyber governance and engage functional stakeholders on the topic. There will likely be more scrutiny once the FCA and other regulators finalise their operational incident reporting regimes, which makes the launch of the Code a good opportunity to refocus the conversation on cyber resilience.