The UK Cyber Governance Code - Transforming Board Leadership for the Digital Era
Board-level cybersecurity oversight has become nearly universal among Fortune 100 companies, with EY reporting in 2025 that 96% have designated at least one committee for this purpose, and 78% specifically relying on their audit committees.
As the Institute of Directors (IOD), India prepares for its November 2025 London Global Convention, the recently launched UK Cyber Governance Code of Practice presents a transformative opportunity for boards. This Code represents more than regional guidance, establishing a global blueprint for embedding cybersecurity into the core of corporate governance, perfectly aligning with the convention's theme of “navigating unpredictable disruptions”.
Current Threat Landscape and Board Imperatives
India faces an unprecedented cyber crisis, ranking 2nd globally in email threats (6.9% of global detections, 24% of Asia's total) and 3rd in malware detections (4.74% globally). The country recorded over 369 million malware detections across 8.44 million endpoints, averaging 702 threats per minute, approximately 11 cyber threats emerging every second. Email is the dominant attack vector, with India contributing 23.92% of Asia's email-based threats and a staggering 90.78% within Southern Asia. Banking, Financial Services, and Government sectors face the highest targeting, establishing India as a major cyber risk hotspot requiring urgent board-level cybersecurity attention.
Malware and AI-Driven Threat Evolution
According to the Trend Micro Report 2025, India accounts for 3.36% of global ransomware detections and a staggering 77.68% within Southern Asia; ransomware remains a major concern.
The healthcare industry's position as the most attacked sector (21.82% of all attacks) is particularly concerning. This likely reflects the high value of medical data and the critical nature of healthcare systems, which might make organisations more likely to pay ransoms. The significant targeting of hospitality (19.57%) and banking sectors (17.38%) suggests that attackers are focusing on industries that handle large volumes of personal and financial data.
AI-Enhanced Threat Landscape
AI has led to a broad range of new applications and solutions to transform businesses, but for Chief Information Security Officers (CISOs) and the organisations they protect, it also creates new vulnerabilities. Boston Consulting Group (BCG) and GLC Advisors & Company recently surveyed CISOs to understand their concerns and priorities in an ever-changing cyber risk landscape. The results show that AI-powered cyber-attacks have risen to become the top concern, up from fifth place last year and cited by 80% of CISOs in the survey. (See Exhibit 1.) Persistent concerns like cloud risk, third-party security, and endpoint protection continue to hold steady.

The integration of artificial intelligence in cyber threats represents a fundamental shift requiring board-level strategic response.
Key AI-driven threat developments boards need to consider:
• Enhanced Deception Capabilities: Generative AI enables more convincing phishing campaigns and social engineering attacks
• Automated Reconnaissance: AI accelerates threat actors' ability to identify vulnerabilities and potential victims
• Post-Breach Acceleration: AI enables faster, large-scale data extraction and analysis following successful breaches
In fact, AI-powered attacks are now the main issue keeping CISOs awake at night!
Global Context and Comparative Analysis
Global trends mirror India's challenges with equally alarming statistics. Recent UK data underscores the universal urgency of enhanced cyber governance, with the 2025 Cyber Security Breaches Survey revealing that 43% of businesses and 30% of charities experienced cyber incidents in the past year.
UK Cyber Governance Code: A Strategic Board Framework
Against this alarming backdrop, the UK Cyber Governance Code of Practice, introduced in April 2025 by the UK government and National Cyber Security Centre (NCSC), elevates cybersecurity from a technical function to a fundamental board responsibility.
With over 70% of businesses experiencing cyber incidents annually and significant gaps in vulnerability management, the Code addresses a critical governance gap that transcends national boundaries.
The Code's five foundational pillars offer universal principles for board excellence:
• Risk Management: Integrating cyber risk into enterprise frameworks alongside financial and operational risks
• Strategic Alignment: Embedding cyber resilience into business objectives and resource allocation
• Culture & Capabilities: Building organisation-wide security awareness and board-level digital literacy
• Crisis Readiness: Establishing tested incident response protocols with clear director accountability
• Governance Integration: Creating structures where cyber oversight has direct board ownership
Relevance for Boards
The Code's emphasis on board accountability aligns with global regulatory trends. Board-level cybersecurity oversight has become nearly universal among Fortune 100 companies, with EY reporting in 2025 that 96% have designated at least one committee for this purpose, and 78% specifically relying on their audit committees. This represents a fundamental shift in director responsibilities and competencies.
The UK Code's principles are particularly valuable for directors operating across jurisdictions, especially in emerging markets where regulatory environments are dynamic and cross-border risks are complex. India's experience demonstrates this reality: the convergence of geopolitical tensions, technological vulnerabilities, and economic impact creates a perfect storm requiring sophisticated governance responses.
For Indian boards navigating these multifaceted challenges, the Code provides:
• Regulatory Anticipation: Voluntary adoption today prepares organisations for tomorrow's mandatory requirements, mirroring global trends in cyber accountability
• Stakeholder Confidence: Demonstrable cyber governance enhances investor trust and operational resilience
• Competitive Advantage: Early adopters gain strategic benefits in risk management and business continuity
Integration with Emerging Technologies
The Code's forward-looking approach addresses cybersecurity convergence with AI and emerging technologies such as quantum computing; this alignment ensures cyber governance evolves alongside advancing technological landscapes.
Key considerations for Technology-forward Boards
• Quantum Readiness: Preparing for post-quantum cryptography and quantum-enhanced security capabilities
• AI Governance: Ensuring ethical deployment and risk management of artificial intelligence systems
• Digital Ecosystem Security: Managing interconnected risks across complex technology landscapes
Dr. Erin Young, Head of Innovation & Technology Policy at the Institute of Directors UK, emphasised the strategic imperative: "With cyber-attacks becoming more frequent, harmful and costly, cyber resilience is now a crucial boardroom responsibility." This sentiment reflects a global imperative that extends far beyond UK borders.
Collaborative Governance: India-UK Model
The UK's collaborative approach involving organisations like the Institute of Directors IOD (UK) in the Code's development demonstrates the power of industry-government partnership. This model can be replicated in India, where the Institute of Directors IOD (India) has significant influence, positioning the organisation as a leader in governance innovation.

Strategic Framework for India
For India, the Code provides a structured approach to address unique challenges. Emerging markets often face:
• Infrastructure Limitations: Legacy systems and connectivity gaps that create vulnerabilities
• Talent Shortages: Scarcity of cybersecurity professionals and board-level digital literacy
• Resource Constraints: Limited budgets for comprehensive security investments
• Regulatory Gaps: Evolving legal frameworks that may lag behind technological adoption
The Code's risk-based approach enables organisations to prioritise investments and build capabilities incrementally while maintaining robust governance oversight.
Conclusion
The UK Cyber Governance Code transforms cybersecurity from an IT concern to a core governance responsibility, enabling boards to build institutional resilience and attract global partnerships. For IOD India members pursuing governance excellence, this framework delivers both strategic insights and market differentiation. It equips boards with the tools needed for proactive cyber leadership, ensuring organisational resilience in a digital landscape where cyber preparedness directly determines competitive success and long-term viability.
Author
Ms. Anita Nandi
She is a financial services expert and policy advocate, currently serving as Co-Founder and Policy Director at Kquanta Research LLP. She possesses 19+ years' experience in financial services, having held senior positions at American Express Europe (Amsterdam and London) and served as India Head at the City of London Corporation. Her professional background spans multiple countries, with significant contributions to UK-India financial cooperation and policy development.
Owned by: Institute of Directors, India
Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.
