“I undertake to… Manage risk in a responsible manner and avoid prioritising the short-term financial interests of shareholders over the longer-term resilience and strategic objectives of the organisation as a whole” and “Promote high business standards across the supply chain”.

That is the promise that company directors and boards that sign up to the new Institute of Directors’ Code of Conduct for Directors must make.

Handley Gill Limited was instrumental in securing the inclusion of risk management and business resilience in the new Code, with a view to supporting the government’s ambition as set out in the National Cyber Security Strategy 2022 that by 2025 “A greater number of UK businesses and organisations are proactively managing their cyber risks and taking action to improve their cyber resilience”. The bar is currently set low with the DSIT Cyber Breaches Survey 2024 revealing that only 31% of businesses and 26% of charities had conducted their own cyber security risk assessment in the previous year and even fewer, just 11% of businesses and 9% of charities, had reviewed the risks posed by their immediate suppliers.

Compliance with the risk management and supply chain undertakings under the principle of responsible business in the Code first requires that directors and boards identify the risks the company faces. Risk management is a broad concept, and the risk landscape will vary between companies, but relevant risks could include:

• people risk; 

• legal and compliance risk;

• cyber risk;

• political/geopolitical risk;

• environmental and wider ESG/CSR risk;

• supply chain risk;

• macro-economic risk;

• reputational risk;

• financial risk; and, 

• innovation and technological risk.

UK companies have consistently reported ranking cyber risk as their number one concern, but what should directors be doing or expecting and exploring in order to address it and to comply with their statutory duties and good industry practice?

Informed by the NCSC’s Cyber Security Board Toolkit, the Information Commissioner’s Guide to Data Security,  and the World Economic Forum’s Principles for Board Governance of Cyber Risk, while the precise measures will depend on the size of your organisation and the risks presented by your data, we recommend the following measures:

1. Commission, review and maintain a cyber security risk assessment;

2. Develop, and periodically revisit and refresh, a cyber strategy that addresses the current assessment of the cyber threat, and secure sufficient resource to deliver it;  

3. Establish and monitor performance against KPIs for maintaining cyber security, such as in relation to the time to apply updates and patches;

4. Ensure data is appropriately segregated and subject to access controls based on the principle of least privilege;

5. Maintain asset and data registers;

6. Draft and implement an information security policy and related controls and review periodically;

7. Ensure minimum cyber security standards are implemented, such as appropriate password protections and multi-factor authentication (MFA), encryption to protect data at rest and in transit, network and endpoint security measures; as well as a data retention policy and destruction arrangements;

8. Ensure that staff receive information security training and that this is refreshed at least annually, and supplement this with cyber security awareness campaigns;

9. Implement a cyber incident response plan, ensuring it can be accessed in the event of an incident;

10. Conduct a cyber incident exercise, including the ability to restore services from backups within a reasonable time, requiring multiple backups to be retained no multiple devices with at least one non-networked and off-site;

11. Test responses to simulated phishing attacks;  

12. Establish baseline security standards and assurance mechanisms for suppliers;

13. Obtain legal advice on contractual provisions relating to cyber security requirements in standard terms;

14. Consider seeking cyber security certification, such as  Cyber Essentials, Cyber Essentials Plus or ISO 27001, or at least to align with those technical standards and demonstrate that through audits, and meet the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) where applicable;

15. Enable staff, suppliers and third parties to raise any cyber security concerns, including through responsible disclosure schemes, and incidents;

16. Put steps in place to prevent and identify any shadow IT infrastructure;

17. Ensure that red teaming or other internal and/or external testing is in place to ensure the effectiveness of the cyber security measures in place, through penetration testing, vulnerability scanning and other measures;

18. Require log data, including in relation to authentication and authorisation, to be collected and retained for an appropriate period to support the detection and investigation of any compromise;

19. Retire legacy IT equipment and software that is no longer supported;

20. Sign up to free government schemes, such as Police CyberAlarm, Cyber Resilience Centres and the NCSC’s Early Warning and/or Cyber Security Information Sharing Partnership (CISP).  

Information security is wider than just cyber security and consideration should also be given to physical security measures. 

Should you require support in understanding and complying not only with your statutory obligations as a director but good industry practice as established in the Institute of Directors’ voluntary Code of Conduct for Directors, please contact us.

Find out more about our ESG and human rights services.