Examining the Government’s Proposed Code of Conduct: The Business Impact


With the ever-increasing explosion of cyber threats and data breaches, governments worldwide are stepping up their efforts to regulate cyber security practices within organisations. One such initiative is the UK Government’s proposed Code of Conduct , which aims to establish standards for cyber security governance, definitively marking cyber security as a C-suite initiative.

In this blog, NormCyber’s CEO, Wayne Churchill, outlines the reasons behind the emergence of the proposed Code, highlights the key recommendations outlined within it, and discusses the potential implications for organisations moving forwards.


Exploring the origins of the proposed Code of Conduct

The Cyber Security Breaches Survey 2023 found that while cyber security is seen as a high priority by senior management at 71% of businesses and 62% of charities, this has not translated into action or greater ownership of cyber risk at the most senior level.

The government’s stance asserts that many organisations currently lack robust cyber security governance, relegating cyber security to merely “an IT issue,” rather than a concern for the Board. Recognising the inherent connection between business resilience and cyber security, the Code advocates for accountability and governance among senior stakeholders.

This push is motivated by the increasing integration of AI, which the government argues has heightened the significance and urgency for directors to assume responsibility for cyber security risks. The government advocates for boards and directors to prioritise the governance of cyber risk to  a similar extent as legal and financial threats.

The Code recommends that organisations:

  • Establish ownership of risks with relevant senior stakeholders, setting clear roles and responsibilities, boosting protections for customers, and safeguarding their ability to operate safely and securely.
  • Ensure that risk assessments are conducted regularly.
  • Have detailed plans in place to respond to and recover from potential cyber incidents.
  • Equip employees with adequate skills and awareness of cyber threats.

Challenges for Organisations Without Board-Level Cyber Security Oversight

Many organisations find themselves without the technical expertise, or ownership, at board-level to effectively address cyber security challenges. As such, the proposed regulations present significant challenges and implications for business operations moving forward:

  1. Lack of Strategic Direction: Without board-level oversight, organisations may struggle to establish a strategic direction for their cyber security efforts. This could result in fragmented and ad-hoc cyber security measures that fail to address the evolving threat landscape adequately.
  2. Limited Resources and Expertise: Small and mid-sized organisations, in particular, may lack the resources and expertise to implement robust cyber security measures. Without guidance and support from board-level stakeholders, these organisations may find it challenging to invest in the necessary technologies and personnel to protect against cyber threats effectively.
  3. Increased Regulatory Scrutiny: Organisations without board-level cyber security oversight may struggle to demonstrate compliance with the Code’s requirements, putting them at risk of regulatory fines and reputational damage.
  4. Heightened Cyber Security Risks: In the absence of effective cyber security governance, organisations are more vulnerable to cyber-attacks and data breaches. Without proactive measures in place to identify and mitigate risks, these organisations may face severe financial and operational consequences in the event of a cyber incident.
  5. Cyber Readiness and Recovery: Businesses facing these challenges inherently lack the necessary readiness to effectively address a cyber breach, leaving them inadequately prepared for Cyber Recovery – an oversight that could have significant repercussions. The absence of robust recovery plans amplifies the impact of any breach, heightening the potential disruption to critical business processes, and compromising the organisation’s brand integrity.

Simple Steps to Address the Code

While the challenges posed by the government’s proposed Code of Conduct are significant, there are simple steps that organisations can take to address them effectively:

  1. Establish Board-Level Accountability: Organisations should prioritise establishing board-level accountability for cyber security governance. This could mean appointing a CISO (full time or outsourced) or assigning cyber security responsibilities to existing board members to ensures that it remains a top priority.
  2. Invest in Cyber Security Education and Training: Providing ongoing education and training to employees on cyber security best practices can help organisations strengthen their security posture. This includes raising awareness of common cyber threats, promoting good security hygiene, and equipping employees with the knowledge and skills needed to detect and respond to cyber-attacks.
  3. Engage External Cyber Security Experts: Organisations lacking internal cyber security expertise can benefit from engaging external cyber security experts and consultants. These experts can provide valuable insights and guidance on implementing effective cyber security measures tailored to the organisation’s risk profile.
  4. Adopt a Risk-Based Approach: Taking a risk-based approach to cyber security allows organisations to prioritise their resources and efforts on mitigating the most significant risks. By conducting regular risk assessments and Penetration Tests, organisations can implement controls based on the identified risks, to better protect their critical assets and data from cyber threats.


In summary, the government’s proposed Code of Conduct for cyber security governance introduces both challenges and opportunities for organisations. While adhering to the Code’s requirements may appear daunting, acknowledging the severity of cyber threats underscores the necessity for senior stakeholder involvement.

Businesses can effectively navigate these challenges by taking proactive measures to bolster their cyber security posture, thereby safeguarding their customers, workforce, and operational integrity against cyber threats. Strengthening defensive strategies and augmenting recovery frameworks are critical imperatives for mitigating potential catastrophic outcomes.

As the government emphasises, given that cyber risk now constitutes a substantial threat to any digitally active business, irrespective of direct regulation, all organisations should adopt the Cyber Governance Code of Practice to fortify their resilience against cyber threats. By embracing these principles and implementing robust cyber security measures, businesses can not only enhance their operational resilience but also reinforce trust and confidence among stakeholders in an increasingly digitised landscape.

Wayne churchill




Written by
Wayne Churchill

Chief Executive Officer | NormCyber