New UK Cyber Guidance Shifts Responsibility to Senior Leadership
July 22, 2025
Willis Towers Watson's article, "How you can take ownership of cyber governance in your organization," authored by Omar Al-Shahery, Trixia Apiado, and Anthony Wilson, examines the implications of the UK Department for Science, Innovation and Technology's 2025 Cyber Governance Code of Practice. According to the article, the code makes clear that CEOs and board members can no longer delegate cybersecurity responsibilities solely to chief information security officers (CISOs); instead, they must take active ownership of cyber risk governance.
Per Willis Towers Watson, the code reframes cybersecurity as a leadership issue and identifies five areas where executives must be directly involved. Leaders are expected to take ownership of cyber risk by defining the organization's risk appetite and aligning cybersecurity efforts with broader business strategy. Rather than treating cybersecurity as a purely technical matter, the code calls for hands-on engagement from the top, including improving cyber literacy through ongoing training. Executives must also ensure that their organizations are equipped to respond to incidents by developing and regularly testing detailed response and recovery plans. The code further stresses the importance of oversight, requiring boards to seek assurance through audits, reviews, and validation of controls to ensure their cybersecurity programs remain effective and compliant.
According to Willis Towers Watson, bridging the gap between technical teams and executive leadership is essential to sound cyber governance. Senior leaders are encouraged to participate actively in cybersecurity decisions, strengthen their understanding of cyber risks, and foster clearer communication with CISOs. The article underscores that cybersecurity is now a shared organizational responsibility, not a task that can be handed off.