This article examines DSIT’s 2024 proposal to embed cyber responsibility into company law. It argues that directors should carry legal duties for cyber resilience, as they already do for finance and health and safety — but only if those duties are proportionate, professionalised, and practical. The consultation did not change the law, but the direction of travel is unmistakable.
Introduction
For years, directors in the UK have lived with familiar duties: fiduciary responsibility, financial reporting, health and safety. Cyber security, by contrast, has been treated as a technical problem, delegated down to IT teams, rarely named in company law.
That quiet separation was disrupted in DSIT’s Cyber Governance Code of Practice consultation (Jan/Feb 2024). For the first time, government openly asked whether cyber resilience should be treated as a directors’ duty under company law. If adopted, this would be a tectonic shift: moving cyber from the server room into the statute book.
The Current Landscape of Directors’ Duties
The Companies Act 2006 sets clear expectations:
- Promote the success of the company.
- Exercise reasonable care, skill, and diligence.
- Safeguard shareholder and creditor interests.
- Comply with regulatory obligations.
Cyber risk is not named. At best, it is implied: directors must manage any risk material to the business. In practice, most boards treat cyber as a delegated matter. The CIO or CISO gives a report; the board nods and moves on. Governance stops there.
Why Cyber Now Belongs in Law
- Materiality of risk: The average breach now costs over $4m globally. For SMEs, it can be fatal. Cyber is no longer peripheral; it is existential.
- Trust and accountability: Customers, investors, regulators, and insurers all demand resilience. Without legal duty, directors can evade responsibility.
- Parity with other risks: Financial reporting and health and safety are legal duties because failure undermines trust. Cyber sits squarely in that category.
- Systemic exposure: Breaches ripple across supply chains, sectors, and infrastructure. This is not a private problem; it is systemic.
Embedding cyber in directors’ duties would recognise what is already true: cyber is a governance issue at the heart of business continuity.
Risks of Legal Embedding
But this is not simple. If handled badly, it could backfire.
- Knowledge gap: Most directors are not cyber literate. Legal liability without training risks scapegoating, not accountability.
- Compliance theatre: Directors may prioritise legal cover over genuine resilience — producing paperwork rather than outcomes.
- SME burden: For smaller firms, legal duties could feel disproportionate, leading to disengagement or box-ticking.
- The impossibility problem: Absolute security is impossible. The law must be framed around reasonable governance, not perfection.
Lessons from Other Domains
- Financial reporting: Directors sign off audited accounts. They are liable, but rely on chartered professionals for assurance. Cyber could follow this model.
- Health and safety: Duties are legal, but compliance is measured against reasonable standards, not absolute safety.
- Environmental governance: Proportionality is built in, with sector-specific obligations for SMEs.
The lesson is clear: legal duties work when they combine accountability, professional support, and proportionality.
What the Consultation Signals
DSIT’s consultation did not rewrite the law, but it pointed in that direction. Directors were asked to:
- Own risk appetite.
- Oversee supplier resilience.
- Personally engage with cyber literacy training.
- Take responsibility for incident planning and regulatory obligations.
This is guidance, not statute. But it is also cultural groundwork. Boards are being prepared to accept that cyber is not “someone else’s job” — it is a director’s duty.
Conclusion: The Direction of Travel
The UK has not yet embedded cyber into company law. But the consultation makes the trajectory clear: it is coming.
The challenge is to design duties that are:
- Proportionate: so SMEs can engage without being crushed.
- Professionalised: so directors can rely on recognised experts, not guesswork.
- Practical: so liability is based on reasonable governance, not impossible guarantees.
If government gets this right, embedding cyber into directors’ duties will not be a burden. It will be the logical next step in modern governance — treating cyber resilience with the same seriousness as finance, health and safety, and ESG.