Cybersecurity; new Board obligations

“In today’s digital world, where organisations increasingly rely on data and technology, cyber security is not just an IT concern – it is a business-critical risk, on a par with financial and legal challenges.”

Richard Horne, CEO of the National Cyber Security Centre

Boards Wales takeaways:

  • Cyber issues rightly deserve the attention of Boards, including for smaller organisations
  • The toolkit and training look like straightforward ways to support the Code of Practice
  • The Code of Practice is complementary to the Wales Cyber Strategy. Wales-based organisations can sign up as members of the Cyber Resilience Centre for Wales for free

What’s new?

On April 5 2025 the UK Government published a set of resources to support Board governance. This set of resources comprises:

The launch of the Code of Practice was described by Cybersecurity Minister Feryal Clark as:

…setting out in clear terms steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers.

In short, this is not a ‘nice to have’. It’s essential reading for Boards across all sectors.

Code of Practice

The code is tailored for medium or large organisations. While the vast majority of businesses (95%) in Wales are micro (i.e. employing fewer than ten people), more than a third of the workforce are employed by large enterprises (i.e. employing more than 250 people). This makes the guidance particularly relevant in a Welsh context, especially for local authorities, health boards, universities, and larger private firms. Smaller organisations aren’t left behind either. The National Cyber Security Centre offers specific guidance for them.

The Code is structured around five key pillars, each with actionable steps:

  1. Risk management
    • Identify and prioritise critical technology
    • Agree senior ownership of cyber security risks
    • Define cyber security risk appetite
    • Assess risk from cyber supply chain
    • Conduct regular risk assessments
  2. Strategy
    • Develop and embed a cyber security strategy within the organisational strategy
    • Align cyber strategy with risk management
    • Allocate resources to manage risk
    • Deliver the cyber strategy
  3. People
    • Promote good cyber security culture, behaviours and accountability
    • Have policies to underpin good culture
    • Implement training
    • Measure the effectiveness of the training, education and awareness
  4. Incident planning, response and recovery
    • Develop a plan to respond to a cyber attack
    • Carry out annual exercise of the plan
    • In the event of an attack, ensure reporting and regulatory requirements are met
    • Plan for post-event review
  5. Assurance and oversight
    • Establish a cyber governance structure, including ownership at exec and non-exec level
    • Report formally on a quarterly basis
    • Establish regular communications with the relevant executive officer(s)
    • Ensure senior execs are aware of regulatory obligations

For organisations in Wales, public, private or third sector, this is a useful framework for reviewing and strengthening governance arrangements. While small organisations may only need a light-touch version, the underlying principles are still highly relevant.

Training; fast, free, focused

Training modules for each of the five pillars are available free from the National Cyber Security Centre (NCSC). Each module takes around 20 minutes and is designed for self-paced learning. This means Directors and Trustees can be brought up to speed in just a few hours, an efficient investment in resilience and compliance.

Screenshot of one of the learning modules

Toolkit

To help Boards translate the Code into action, the accompanying toolkit provides practical resources. These include step-by-step guidance (e.g. identifying critical assets), and checklists to track progress and implementation across the Code’s components. For example, there is advice on ‘identifying the critical assets in your organisation’, and then a checklist that enables you to see whether you’ve completed each of the components that make up the activity.

A Welsh perspective

Cyber governance isn’t abstract. Wales has already taken strategic action through its Cyber Strategy, including the creation of a national Cymru Security Operations Centre (SOC), launched in 2024. The SOC, delivered by Cardiff-based Socura, now supports all local authorities and fire and rescue services, and has already earned national recognition for its impact.

There is no doubt that most organisations are heavily dependent upon a range of digital tools and services to carry out their functions, and that threats to organisations are growing in number and sophistication. Between negligence and malicious attacks, there is plenty of scope for implementing good practice to reduce the likelihood of damage, and then increase the speed of return to normal.

Recent high profile cases in Wales include:

One data breach can lead to multiple forms of extortion. Whether you’re on the Board of a council, charity, NHS trust, or private business, it’s increasingly clear that cyber resilience must be led from the top. The new Code of Practice offers a practical, structured way to do just that; however, it is notable that most of the resources referred to by the various organisations are not available through the medium of Welsh.

Dealing with cyber issues will require a genuine partnership between the Board and the executive. As usual, governance has an important role to play in safeguarding the organisation from both accidental failures and malicious threats.


This blog post is the personal opinion of David Clubb.