Board Cyber Governance: UK Issues Standard
Creating Board-level visibility into cyber security risks and posture is a current challenge. While most organizations have some form of cyber governance program in place, they often struggle communicating the program in business terms that are easy to understand at the management level. This can be especially true when it comes to “Risk Disclosure” – the public disclosure of “Material Cyber Risks” in public filings like the 10K in the US.
In October 2024, the Securities and Exchange Commission (SEC) charged four different firms with “making materially misleading disclosures regarding cybersecurity risks and intrusions” in public filings. In these cases, the organization’s dependency on third-party providers (like Solarwinds) was not properly reflected.
Few Reporting Standards for Board Oversight
The prevention of and response to data breaches continue to impact organizations of all sizes. According to the UK Cyber Security Breaches Survey (2025), 43% of businesses and 33% of high-income charities reported some form of cyber security breach or attack in the last 12 months. The prevalence of attacks is even higher amongst medium businesses (70%) and large businesses (74%). Despite the critical nature of cyber risk management and reporting, there are no established “standards” for how to assess and report cyber risk.
UK Issues New Governance Standards
To help add consistency to Board reporting, the UK Parliament recently issued the Cyber Governance Code of Practice. These standard practices are not designed for senior management, but for independent Board governance. The code contains 22 “activities” broken into five distinct categories:
A: Risk management – Identify, treat and manage cyber risk at the operational level
B: Strategy – Integrate cyber security risk into business strategy and execution
C: People – Create and maintain a culture of people trained to identify and respond to cyber risks
D: Incident planning, response and recovery – Validate that the organization can respond to major cyber incidents or business outages.
E: Assurance and oversight – Establish a formal governance and reporting structure for all constituents.
Essentially, this guidance is a high-level outline for any type of effective cyber governance program. The outline matches many recognized frameworks such as NIST CSF, DIR 2, the DST Code of Standards and UK Cyber Essentials.
The Importance of the CISO
The role of the “Chief Information Security Officer (CISO)” is critical to implementing this level of governance. This role is often called the Chief Security Officer (CSO) or Information Security Officer (ISO). The CISO is the person responsible for translating the detailed, often very complex, world of cyber risk into high-level business statements. To accomplish this, the CISO must have a unique blend of both technical and management skills.
Get a Qualified CISO
Does your organization have a dedicated cyber security leader who can bridge the gap? Many organizations have a person who is partially responsible for cyber security. Maybe this is the head of information technology. Other organizations use a senior manager or legal counsel. These individuals may be very adept at management-level discussions, but lack the technical training to understand the complexity of cyber. If you fall into one of these categories, please contact CSO Virtual for a FREE consultation. Our staff of cyber security pros have decades of experience.