Cyber pledge puts boards on notice

Cyber pledge puts boards on notice

Cyber governance is becoming a direct test of operational resilience. A new UK pledge asks organisations to strengthen board oversight, supplier standards, and engagement with National Cyber Security Centre tools.


The UK government has launched a Cyber Resilience Pledge with more than 60 founding signatories, putting cyber security more firmly into board oversight, supplier management, and operational risk planning.

The voluntary pledge, launched at 10 Downing Street on 7 July, asks organisations to take three practical steps: make cyber security a board-level responsibility, register for the National Cyber Security Centre’s Early Warning service, and take a risk-based approach to requiring Cyber Essentials certification across supply chains.

Founding signatories include M&S, Nationwide Building Society, ITV, Microsoft UK, Cloudflare, Deloitte, Accenture UK, Vodafone Group, VodafoneThree, Aviva, Capgemini UK, LSEG, Morrisons, Ocado Retail, Sage, SSE, United Utilities Water, and several government strategic suppliers.

The Department for Science, Innovation and Technology said the pledge forms a central pillar of the Government’s National Cyber Action Plan and has been designed primarily for medium and large organisations, while remaining open to businesses and organisations of all sizes and sectors.

Cyber risk is increasingly being treated as a business continuity, governance, and financial exposure, rather than as a technical control that sits only inside IT teams. The Government said cyber attacks cost the UK £14.7bn a year, with more than five million cyber crimes committed against UK companies last year. It also said the National Cyber Security Centre handled 204 nationally significant incidents in the year to September, up from 89 a year earlier.

Technology Secretary Liz Kendall said: “Today, some of Britain’s biggest businesses are taking action to strengthen their cyber defences and setting a powerful example for others to follow. By signing this Pledge, they are showing that cyber resilience is no longer just an IT issue – it is a business imperative.

“Cyber attacks can disrupt services, put customers’ data at risk and have a real impact on the bottom line. As AI makes these threats more sophisticated and easier to launch, no organisation can afford to stand still.

“That’s why we’re working with businesses to help them strengthen their defences. The steps in this Pledge are practical, achievable and proven to make a difference. Today’s signatories are leading the way, and I encourage organisations across the UK to follow their example.”

Darren Hardman, CEO of Microsoft UK and Ireland, said: “As AI reshapes both the threats we face and our response to them, stronger board-level accountability and supply chain security are how the UK stays ahead. Microsoft has been a cybersecurity partner to the UK Government for more than 20 years, and we’re proud to sign the Cyber Resilience Pledge, using AI to help defend the UK’s critical national infrastructure, public services and businesses against cyber attacks.”

David Boda, Chief Security and Resilience Officer at Nationwide, said: “Uplifting the cyber resilience of the UK economy is a collective endeavour that no one organisation or sector can achieve alone. As a modern mutual Nationwide Building Society are proud to play our part and be a signatory of the Cyber Resilience Pledge.”

The pledge gives organisations a practical framework as incoming cyber rules continue to take shape. The Cyber Security and Resilience Bill is already raising resilience obligations for essential services, suppliers, and digital infrastructure, with the voluntary pledge sitting alongside that legislative track as an immediate benchmark for corporate behaviour.

The supply chain requirement is likely to carry much of the operational weight. Large organisations are increasingly exposed through vendors, managed service providers, cloud platforms, payment systems, logistics partners, data processors, and outsourced technology teams. A breach inside a supplier can disrupt customer service, expose personal data, interrupt financial flows, or create regulatory reporting obligations even when the primary company’s own systems have not been directly compromised.

Cyber Essentials certification has long been used as a baseline for smaller suppliers seeking public sector or large-company work. Wider use of the pledge could deepen that expectation, particularly where a supplier handles sensitive data, connects to core systems, or provides a business-critical service. Procurement teams will therefore need to treat cyber controls as part of onboarding, contract renewal, vendor segmentation, and ongoing supplier monitoring.

At board level, cyber risk demands more than periodic updates on software patching or penetration tests. Directors need a clear view of incident response, customer impact, supplier dependency, insurance exposure, regulatory reporting, and recovery time. That does not require every board member to become a technical specialist, but it does require cyber decisions to be linked to capital allocation, risk appetite, and operational continuity.

AI adds further pressure to that governance challenge. Tools that improve threat detection, automate defensive response, and strengthen security operations can also help attackers generate phishing content, identify vulnerabilities, and scale attacks against weaker systems. As offensive and defensive capabilities both develop, cyber oversight has to keep pace with changes in the threat model rather than rely on static annual assurance.

The pledge is voluntary, but public commitments create expectations. Signatories will be judged on whether board oversight, supplier standards, and NCSC engagement are reflected in systems, budgets, contracts, and incident response plans. A later breach would quickly raise questions over whether the commitment had changed behaviour or simply sat beside existing policies.

Adoption beyond the founding cohort will determine whether the pledge becomes a recognised marker of cyber maturity. If procurement teams, insurers, investors, and regulators begin to treat it as evidence of minimum good practice, the pressure to sign and implement could extend well beyond the companies present at launch.



  • Water fines raise the cost of failure

    Water fines raise the cost of failure

    Water companies face faster penalties under tougher environmental enforcement rules. New powers introduce £500,000 civil fines, automatic penalties, and closer scrutiny of operational performance.


  • SME plan runs into parliamentary pressure

    SME plan runs into parliamentary pressure

    Small companies face renewed scrutiny over policy and cost pressure. MPs have challenged ministers on tax, procurement, energy costs, crime, franchise protections, and support for high street resilience.


  • Cyber pledge puts boards on notice

    Cyber pledge puts boards on notice

    Cyber governance is becoming a direct test of operational resilience. A new UK pledge asks organisations to strengthen board oversight, supplier standards, and engagement with National Cyber Security Centre tools.