Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance

This article argues that obligations alone will not drive the adoption of DSIT’s Cyber Governance Code of Practice. To succeed, the Code must be backed by incentives — tax relief, insurance benefits, procurement levers, and reputational recognition — that make governance valuable to boards. Obligations can enforce compliance; incentives will create commitment.

Introduction

The DSIT Cyber Governance Code of Practice consultation (2024) puts forward five strong principles: risk, strategy, people, incident planning, and assurance. On paper, they make sense.

But paper is not the problem. The real problem is adoption. Too many well-meaning frameworks have ended up as shelfware: neatly written, rarely used. If DSIT wants this Code to stick, it must understand one thing: obligations alone will not change behaviour.

Obligations force compliance. Incentives drive commitment. Without the latter, this Code risks becoming yet another compliance exercise that looks good in board packs but changes nothing in practice.

Why Obligations Alone Will Fail

Directors are already drowning in obligations. ESG, modern slavery, financial reporting, climate disclosure — the governance agenda is overloaded. Adding “cyber” to the pile risks three things:

  1. Compliance clutter
    • Boards sign off another document, but the conversation is thin.
  2. Cost without return
    • SMEs, in particular, will ask: why spend money on this if there’s no visible benefit?
  3. Superficial behaviour
    • Obligations without incentives produce box-ticking. Boards do just enough to demonstrate compliance, not enough to build resilience.

Obligations may set the floor. They will not raise the ceiling.

The Case for Incentives

If DSIT wants uptake, it must make cyber governance pay. Directors must see it as a source of value, not just cost.

1. Tax incentives

Reward organisations for investing in governance training, risk assessments, and external assurance. We already do this for R&D — why not for resilience?

2. Insurance benefits

Work with insurers to link lower premiums to demonstrable governance. Cyber insurance is growing, but it will only mature if risk pricing is tied to credible signals.

3. Procurement levers

Make compliance with the Code a prerequisite for government contracts and, over time, critical national supply chains. Nothing drives board action like access to revenue streams.

4. Reputation and trust labels

Develop a public trust label or register for organisations that adopt the Code. Boards are motivated by reputation; give them something to show.

Lessons from Other Domains

  • Carbon reduction: uptake only accelerated once linked to tax relief and procurement eligibility.
  • Financial reporting: credibility stems not from the obligation to file accounts, but from the value markets place on audited numbers.
  • Health and safety: reputational recognition (certifications, awards) has been as powerful as enforcement in shifting culture.

Cyber governance needs the same mix of carrots and sticks.

Risks of a Stick-Only Approach

If DSIT pushes obligations without incentives, the risks are obvious:

  • Low uptake: Boards will drag their feet or delegate it away.
  • Compliance theatre: Reports produced, boxes ticked, but no real resilience.
  • SME alienation: Smaller firms will see it as bureaucracy, not value, and disengage.
  • Policy failure: The Code becomes another framework that looks neat on GOV.UK but fails in boardrooms.

Conclusion

The Cyber Governance Code of Practice is a step in the right direction. But unless it is paired with incentives that make governance valuable, it will fail to achieve its purpose.

Tax breaks, insurance discounts, procurement levers, and visible reputational recognition are not optional extras. They are the difference between a Code that changes behaviour and one that disappears into the noise.

Obligations compel. Incentives persuade. For this Code to work, DSIT needs both.