Cyber Security and the Board: The UK Cyber Resilience Pledge in Focus

George Ryan | Consultant at URM | Published on 21 May 2026
SUMMARY

In this blog, we explore the UK Government’s recently announced Cyber Resilience Pledge and what it means for organisations and board level accountability.  We outline the key commitments within the Pledge, including board ownership of cyber risk, adoption of Cyber Essentials across supply chains, and engagement with threat monitoring services.  We also examine how the Pledge aligns with emerging regulation and why organisations should view it as an opportunity to get ahead of future expectations.  Finally, we provide practical steps to help organisations prepare and strengthen their overall cyber resilience.

The average cost of a significant cyber-attack for an individual business in the UK is almost £195,000.*  Combined with the expanding attack surface created by increasingly complex and interconnected supply chains, this has made organisations of all sizes more vulnerable to cyber threats.  In response to this growing challenge and recognising that organisations recover better when they plan for worst-case scenarios, the UK government announced in April 2026 the development of a voluntary Cyber Resilience Pledge.

*Economic Modelling of Sector Specific Costings of Cyber Attacks, KPMG, 2025 

What Exactly is the Pledge?

The Pledge is a declaration setting out a clear, public commitment that an organisation can sign up to and publish.  It is not a certification scheme, and it does not replace existing obligations.  However, voluntary initiatives often arrive before enforcement, and the Pledge sets the tone for the Government’s view on cyber responsibility (more on this below).

Once signed, organisations are expected to publish the declaration on their website, along with annual updates on the steps taken to deliver against the Pledge.

What are the Pledge Commitments?

In summary, the Pledge asks boards to take explicit ownership of cyber risk, ensure directors have baseline cyber governance capability, connect to practical threat-warning services, and extend assurance expectations into the supply chain.

Although short, the Commitments set explicit ownership expectations for controls that are often assumed to be satisfactory until an incident, audit, or supplier failure proves otherwise.

Commitment 1: Boards to take responsibility for cyber

The first Commitment reflects an expectation that is becoming much more common across cyber security standards, frameworks and regulations: that the board, not the IT team, is accountable for cyber governance.  As part of this, board members must complete the National Cyber Security Centre’s (NCSC’s) Cyber Governance Training within three months of the Pledge being signed.  The training comprises five interactive modules, aligned with the principles of the Cyber Governance Code of Practice, and is free of charge.

In addition, boards are expected to ensure that the actions set out in the Cyber Governance Code of Practice are implemented.

Commitment 2: Sign up to Early Warning

Under the Pledge, organisations must register for the NCSC’s Early Warning service within one month of signing.  Early Warning alerts organisations to malware, network abuse and vulnerabilities observed on their registered networks.  Because alerts are matched against the IP address ranges and domain names an organisation registers, that asset list needs to be kept current as the estate changes, and someone needs to own the triage of the alerts it produces; registering and then ignoring the feed does not deliver the Commitment.

Commitment 3: Require Cyber Essentials across supply chains

The Pledge requires organisations to strengthen supply chain assurance by registering with the Cyber Essentials Supplier Check Tool, auditing Cyber Essentials coverage across the supply chain, and taking the findings to the board.  Because a Cyber Essentials certificate is valid for twelve months, coverage is a point-in-time finding: the audit needs to be repeated, and certificate expiry dates tracked, rather than run once.

Where Cyber Essentials is not required of certain suppliers, the board must ensure that the decision aligns with its risk appetite and strategy, and that adequate assurance of the supplier’s security maturity is obtained by other means, for example certification to ISO 27001.  That decision, and the assurance relied on instead, should be recorded against the supplier so it can be evidenced later.

Why Should Organisations Sign Up?

When Government publishes ‘voluntary’ cyber commitments, it is rarely doing so without reason.  Often, such voluntary pledges are an introduction to what will become a standard expectation across the business landscape in the future.  

The Commitments outlined in the Pledge echo the obligations set out in the Cyber Security and Resilience (Network and Information Systems) Bill, particularly those relating to increased board competence, oversight and accountability for cyber security.*  

It also reflects a pattern we see increasingly across regulation: not just ‘do’, but ‘prove you did’.  The signed declaration, public statement, and annual update required by the Pledge are all forms of evidence.

In this context, the Cyber Resilience Pledge reflects a broader trend of the government formalising and elevating expectations for cyber governance, with early adopters better positioned to stay ahead of future regulatory requirements and industry standards.  

*To learn more about the Cyber Security and Resilience (Network and Information Systems) Bill and what it suggests for the future of cyber regulation, read our blog Cyber Security and the Board: A Sign of What’s to Come.

How Can Organisations Prepare?

In our blog on Strengthening Your Cyber Defences: Practical Steps For Every Business, we highlighted some of the key measures all organisations should have in place to enhance their security posture and protect against attacks.  Below are some further practical steps that will help position you to meet the Pledge’s expectations.

Ensuring cyber responsibility at board level

Effective governance of cyber risk requires engagement, action, and ownership at the very top of the organisation.  One of the first steps is to assign explicit responsibility and accountability for cyber security at board level, so that the board has sufficient oversight, and to establish clear reporting lines to the board (who reports, how often, and on what).  Doing so meets some of the actions required by the Cyber Governance Code of Practice.

Understand how you align with the Cyber Codes of Practice

The Cyber Governance Code of Practice is structured around five principles: Risk Management; Strategy; People; Incident Planning, Response and Recovery; and Assurance and Oversight.  Organisations wishing to sign the Pledge should run a gap analysis to understand their current position against the actions set out in the Code.

Supply Chain Management

Organisations should have structured and repeatable supply chain management processes to ensure that suppliers are only onboarded once they have been assessed as secure and, once onboarded, are regularly reassessed for ongoing compliance.  As part of this, all suppliers that can affect your organisation’s cyber security should be identified and documented, along with the assurance each one holds and when it expires.  Further information on effective supply chain management can be found in our blog, How to Conduct Effective Supplier Information Security Risk Management.
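The Cyber Essentials coverage audit under Commitment 3 and the supplier register described above both come down to the same check: for each supplier, is there in-date evidence of Cyber Essentials, and if not, has the board recorded a decision and the alternative assurance it relies on? The following is an added example of that check, written for this post and not part of the Pledge, the Supplier Check Tool or URM’s own tooling. The supplier register it runs over is constructed for illustration; the sixty-day expiry warning window and the status names are assumptions, and the one fact it encodes from the scheme is that a Cyber Essentials certificate is valid for twelve months from issue.

```python
"""Supplier register check for Cyber Essentials (CE) coverage.

Added example (not the Pledge's or any scheme tooling): given a register of
suppliers, report which hold an in-date CE/CE+ certificate, which certificates
have lapsed or are about to, and which gaps need a board decision because no
alternative assurance (e.g. ISO 27001) or exception is recorded.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CE_VALIDITY_DAYS = 365          # a CE certificate is valid for 12 months from issue
AUDIT_DATE = date(2026, 5, 21)  # assumed "today" for the worked run below


@dataclass
class Supplier:
    name: str
    critical: bool                               # can this supplier affect our cyber security?
    ce_level: Optional[str] = None               # "CE" or "CE+"; None if neither is held
    ce_issued: Optional[date] = None             # issue date as evidenced, not self-declared
    alternative_assurance: Optional[str] = None  # e.g. "ISO 27001"; None if nothing else held
    board_exception: bool = False                # board has formally accepted a CE gap


@dataclass
class Finding:
    supplier: str
    critical: bool
    status: str  # valid | expiring | expired | covered_by_other_assurance | accepted_gap | needs_board_decision
    detail: str


def assess(s: Supplier, today: date, warn_days: int = 60) -> Finding:
    """Classify one supplier. A claimed CE level with no evidenced issue date
    is treated as no certificate, so self-declared status never counts."""
    if s.ce_level and s.ce_issued:
        expiry = s.ce_issued + timedelta(days=CE_VALIDITY_DAYS)
        if expiry < today:
            return Finding(s.name, s.critical, "expired", f"{s.ce_level} expired {expiry}")
        if (expiry - today).days <= warn_days:
            return Finding(s.name, s.critical, "expiring", f"{s.ce_level} expires {expiry}")
        return Finding(s.name, s.critical, "valid", f"{s.ce_level} valid until {expiry}")
    if s.alternative_assurance:
        return Finding(s.name, s.critical, "covered_by_other_assurance", s.alternative_assurance)
    if s.board_exception:
        return Finding(s.name, s.critical, "accepted_gap", "board-approved exception on file")
    return Finding(s.name, s.critical, "needs_board_decision", "no CE and no recorded decision")


def audit(suppliers: List[Supplier], today: date, warn_days: int = 60) -> Tuple[List[Finding], Dict]:
    """Assess every supplier and build the summary a board would be shown."""
    findings = [assess(s, today, warn_days) for s in suppliers]
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    in_date = counts.get("valid", 0) + counts.get("expiring", 0)
    # Items the board must see: lapsed certificates and undecided gaps, critical suppliers first.
    escalate = [f for f in findings if f.status in ("expired", "needs_board_decision")]
    escalate.sort(key=lambda f: (not f.critical, f.supplier))
    summary = {
        "total": len(findings),
        "ce_in_date": in_date,
        "ce_coverage_pct": round(100.0 * in_date / len(findings), 1) if findings else 0.0,
        "counts": counts,
        "board_items": [f.supplier for f in escalate],
    }
    return findings, summary


def sample_register() -> List[Supplier]:
    """Constructed register for illustration; names and dates are invented."""
    return [
        Supplier("Acme Hosting", critical=True, ce_level="CE+", ce_issued=date(2025, 9, 1)),
        Supplier("Payroll Co", critical=True, ce_level="CE", ce_issued=date(2025, 6, 15)),
        Supplier("Print Shop", critical=False, ce_level="CE", ce_issued=date(2025, 3, 1)),
        Supplier("Cloud SaaS", critical=True, alternative_assurance="ISO 27001"),
        Supplier("Widgets Ltd", critical=True),
        Supplier("Stationery", critical=False, board_exception=True),
    ]


def run_sample() -> Tuple[List[Finding], Dict]:
    """Run the audit over the constructed register as at AUDIT_DATE."""
    return audit(sample_register(), AUDIT_DATE)


if __name__ == "__main__":
    findings, summary = run_sample()
    for f in findings:
        flag = "CRITICAL " if f.critical else ""
        print(f"{flag}{f.supplier:<14} {f.status:<28} {f.detail}")
    print(f"\nCE coverage: {summary['ce_in_date']}/{summary['total']} ({summary['ce_coverage_pct']}%)")
    print("Board items:", ", ".join(summary["board_items"]))
```

The point of the `board_items` list is that the output is already in the form Commitment 3 asks for: not a spreadsheet of certificates but a short list of suppliers on which the board must make or revisit a decision, with the critical ones first. Re-running it monthly turns a one-off audit into the ongoing reassessment described above.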

Next Steps

If you are considering signing the Pledge, treat it like any other governance commitment: work out where your gaps are, implement fixes, and maintain them.  For the Pledge, that means the steps set out above.

How URM Can Help

A Clear Starting Point: URM’s Cyber Security Headline Assessment

To help boards gain visibility of their current resilience level, URM offers a Cyber Security Headline Assessment – a concise, business-focused evaluation of your organisation’s current cyber posture.

This assessment provides:

  • A clear view of your organisation’s strengths and vulnerabilities
  • A practical roadmap for enhancing resilience
  • Insight into both likelihood reduction (preventing breaches) and impact reduction (minimising damage)
  • A format designed specifically for senior leaders and boards

The Headline Assessment is an effective way to benchmark your current maturity and prioritise investment without unnecessary complexity.

Supporting Broader Resilience and Compliance

URM brings over two decades of experience providing risk management consultancy services and helping organisations implement and maintain security frameworks such as ISO 27001, PCI DSS, and Cyber Essentials.  Our services include:

Our goal is to help organisations strengthen their security and build resilience in a way that is proportionate, practical and aligned with their strategic objectives.

George Ryan
Consultant at URM
George Ryan is a Consultant at URM, working predominantly with ISO 27001. He is an IASME certified Cyber Essentials and Cyber Essentials Plus Assessor.
