
Newsflash – Government calls for organisations to make a Cyber Resilience Pledge

With hostile cyber activity in the UK growing more intense, frequent and sophisticated, the government is taking action to counter the cyber threat and has developed tools to help businesses to defend themselves. In Autumn last year, a ministerial letter was written to the CEOs and chairs of leading UK companies inviting them to take three specific actions to help protect our cyber resilience.

Building on the excellent response from industry, the government has developed a voluntary Cyber Resilience Pledge which formalises the three actions contained within the letter and provides a tangible way for organisations to differentiate themselves from their competitors on cyber resilience.

Organisations signing the pledge commit to take the following actions:

1. Make cyber a board responsibility

2. Sign up to Early Warning

3. Require Cyber Essentials across supply chains

  • Register to the Cyber Essentials Supplier Check Tool within two months of signing the pledge.
  • Ensure that a comprehensive audit of Cyber Essentials coverage has been conducted across the entire supply chain and that it is presented to and discussed by the Board.
  • Take a risk-based approach to requiring Cyber Essentials across the supply chain (which may include requiring it from all suppliers). If Cyber Essentials is not required for certain suppliers, the board should ensure that this decision aligns with the organisation's risk appetite and strategy and that adequate assurance is obtained through other means.

In addition to the above three actions, organisations signing the pledge would commit to the following:

Encourage these actions within their own supply chains - signatories should strive to engage with their suppliers to understand and better manage the cyber security risks that they are exposed to through their supply chain and encourage adoption of the above measures.

Publish the signed pledge declaration on your website - within two months, publish the signed pledge declaration on the company website. Additionally, publish an annual public update, either in the annual report or on the company website, on the steps taken to deliver against the pledge.

Further details on the Cyber Resilience Pledge can be found here. The Government Cyber Resilience Pledge Pack is available here.

Our library of governance publications is available to help you at www.deloitte.co.uk/governancelibrary.
