UK Corporate Governance Code updated for 2024 - is your Board ‘on board’ with its cyber security measures?

Cyber risk is a key corporate governance issue and especially so in a less stable geopolitical context. The 2024 version of the UK Corporate Governance Code (‘the 2024 Code’), making boards of UK listed companies responsible not only for establishing but also for maintaining an effective risk management and internal control framework, will mean that this topic will need to come to the forefront of board discussions. 

One of the conclusions following the 2023 Review of Corporate Governance Reporting was that little improvement had been seen in the quality of reporting on risk management and internal controls, with more work needed by most companies to demonstrate robust systems, governance and oversight. On 22 January 2024, the Financial Reporting Council (FRC) published a new version of the Code (‘2024 Code’) and updated Corporate Governance Code Guidance (‘Guidance’). We cover the key changes introduced by the 2024 Code in our detailed article. 

However, cyber security is a key issue for all boards, and not only for those companies that apply the UK Corporate Governance Code, with a “top down” approach encouraged. 

Cyber risk considerations and the 2024 Code

The 2024 Code does not itself set out specific requirements in respect of cyber/IT security, but it does ask directors to consider the situation of the company and identify its emerging and principal risks (and their materiality to shareholders), and how they are managed and mitigated. Amongst the key changes in the 2024 Code is an amendment to Principle O, requiring the board to maintain as well as establishing an effective risk management and internal control framework.

Under amended Provision 29 of the 2024 Code, the board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. There are new requirements for the board to provide in the annual report: 

• a description of how the board has monitored and reviewed the effectiveness of the framework
• a declaration of effectiveness of the material controls as at the balance sheet date; and 
• a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues

The Guidance considers cyber risk directly, recognising that board members play a crucial role in strategically approaching cyber security, ensuring operational resilience and continuous functioning of the business. The Guidance sets out the following proactive steps for governing and mitigating risk in this area:

• implement a top-down approach with board responsibility for ensuring that risks to delivering the strategy are identified, evaluated, and mitigated in line with the business risk appetite. 
• understand the risk cyber incidents pose to the strategy and ensure adequate cyber resilience is in place
• adopt a proactive approach, implementing basic safeguards. The National Cyber Security Centre’s Cyber Security Toolkit for Boards provides board members with tools for integrating cyber into organisational risk management and decision-making
• boards do not necessarily need technical expertise in this area but sufficient knowledge for constructive discussions with key personnel is important, to ensure cyber risk is being appropriately managed

In terms of the practical impact of the Guidance, the FRC states that:

• the Guidance is not intended to be prescriptive and should not be used as tick-box list of actions which should be followed in every situation
• It is for individual boards to decide on the governance arrangements most appropriate to their company’s circumstances, applying the Principles of 2024 Code and complying, or when appropriate, explaining why it has chosen to depart from one of the Code's Provisions
• the guidance is not mandatory, and not part of the 2024 Code itself. It contains suggestions of good practice to support directors and their advisors in applying the 2024 Code. Where the Guidance contains the term ‘must’ there is a direct reference to a specific, legislation, or rules

Who does the 2024 Code apply to?

The Code is applicable to all companies with a premium listing, whether incorporated in the UK or elsewhere. The 2024 Code applies to accounting periods beginning on or after 1 January 2025, with the exception of Provision 29. This provision is applicable for accounting periods beginning on or after 1 January 2026.

When do the changes apply?

The 2024 Code will apply to financial years beginning on or after 1 January 2025. The 2018 Code remains in place until this time. Provision 29 will apply for financial years beginning on or after 1 January 2026. Until then, Provision 29 of the 2018 UK Corporate Governance Code applies.

What else do you need to know?

The 2024 Code is just one step toward greater regulation in this area which is likely to continue to increase. As noted, the 2024 Code is limited in its application to companies with a premium listing in the UK (although this will be extended to a degree when changes to the UK listing regime take effect later this year). However, directors and boards of all types of companies, including private companies, should treat cyber security as a high priority. Directors’ duties under UK company law already include duties to both promote the success of the company for the benefit of its members as a whole (having regard to a non-exhaustive list of factors) and to exercise reasonable care, skill and diligence. Cyber security risk should be considered by all directors in order to discharge their duties to the company. Further, the addition of personal accountability for directors and officers is an emerging trend in new cybersecurity, privacy, AI and other data laws being adopted around the globe, such as the NIS2 Directive which EU states must implement by 17 October 2024. Many of which also have territorial reach provisions which could bring UK directors within their scope.

The UK Government has issued a call for views on a Cyber Governance Code of Practice (the “Cyber Code”) aimed at supporting directors of organisations to drive cyber resilience. The Cyber Code has been produced in conjunction with the NCSC (National Cyber Security Centre). Organisations should consider responding to the call for views to ensure that the Cyber Code best meets their requirements. Responses are due by 19 March 2024.

Meanwhile, listed companies can expect cyber security to be a hot topic for their shareholders for the forthcoming AGM season. The Pensions and Lifetime Savings Association have recently issued their updated voting guidelines for pension scheme trustees for the 2024 AGM season. The guidelines note that investors should encourage companies to disclose the governance and oversight structures in place to manage cyber security risks and to provide timely reporting of any breaches and measures taken in response. Failure to report adequately in this area may result in votes against certain key resolutions. 

Related links:
Commercially Connected January 2024
Revised UK Corporate Governance Code published
The NIS2 directive