Cyber Wake-Up Call for Boards: Why the New UK Cyber Governance Code of Practice Can’t Be Ignored

Nikhil Mehan
If you are a business owner and still see cyber threats as "just an IT issue", it is time for a rethink. The UK Government and the National Cyber Security Centre (NCSC) have recently published a Cyber Governance Code of Practice (the Code), and it is aimed squarely at the boardroom.
Cybercrime is not slowing down. It is evolving, it is getting smarter, and it is hitting the big names. Just ask M&S and the Co-op.
What Happened?
M&S found itself in chaos when a ransomware attack, which began through a third-party provider, brought online ordering, contactless payments and Click & Collect services to a halt. Various reports have indicated that the fallout from this cyber-attack could cost the retailer around £300 million.
Co-op was hit shortly after, in an incident also linked to a supplier breach and affecting the data of 6.2 million customers, but it reacted faster. Systems were shut down proactively, manual workarounds were brought in, and customer disruption was kept to a minimum.
The difference? Co-op discovered the issue quickly, acted fast and kept people informed. M&S? Not so much.
The Code
The new Code sets out five principles that the board of a business needs to take ownership of in respect of "cyber governance":
- risk management: cyber risk is owned at board level, not left to IT alone, and that ownership extends to the supply chain, because your weakest link might not be in your building;
- strategy: a cyber strategy aligned with business goals;
- people: a culture of cyber awareness, with training led from the top;
- incident planning, response and recovery: test the plan, don't just write it; and
- assurance and oversight: the board checks that all of the above is actually working, rather than taking it on trust.
The Code is voluntary for now, but don't let that fool you. The Cyber Security and Resilience Bill is expected to be introduced this year, and with it, potentially eye-watering fines for non-compliance.
Why This Matters to Your Business
These recent breaches show that even household names are not immune, and the financial, reputational and legal fallout is real. The message from the Government is crystal clear: cyber risk is no longer a tech issue; it is a governance issue, and cyber resilience starts at the top.
Boards need to be proactive, not reactive. That means having a clear, tested plan, knowing where your supply chain is vulnerable, and being ready to act fast when (not if) something goes wrong.
How Bermans can help
If you are a board director and need advice on how to comply with the Code, a review of your current cyber governance measures, or help to understand your future legal obligations, then please get in touch with us here at Bermans. It is better to be prepared now than to be picking up the pieces later.
Please also read the recent article by Richard Riley, Partner & Head of Commercial, on what to do if your business suffers a personal data breach: "What to Do If Your Business Suffers a Personal Data Breach" (Bermans).