Britain’s new voluntary cyber pledge launched with fewer than 15 signatories from the FTSE 350, despite ministers writing eight months ago to the chair and chief executive of each of those major listed companies asking them to join.
The Cyber Resilience Pledge was introduced on Tuesday at a 10 Downing Street reception hosted by Technology Secretary Liz Kendall. The government named 70 founding signatories in total, but the headline number needs some reading in the small print, which, as usual, is where the useful bits live.
Twenty of the 70 are strategic government suppliers. Those companies were invited through a separate Government Cyber Charter covering firms that provide critical services to the state. The Department for Science, Innovation and Technology did not answer Recorded Future News’ questions about whether signing the pledge affects procurement for those suppliers, or whether it considered the FTSE 350 response a strong one.
If those strategic suppliers were under any procurement pressure, the launch left 50 signatories from the wider economy that were more plainly voluntary.
What companies are being asked to do
The pledge asks organizations to take three steps. They should put cybersecurity on the board’s agenda, sign up for the National Cyber Security Centre’s free Early Warning service, and use a risk-based approach when asking suppliers to obtain Cyber Essentials certification.
None of those commitments is mandatory under the pledge, and there is no enforcement mechanism attached to them. The scheme arrives while the government faces questions about how willing it is to force companies to improve cyber resilience, rather than asking nicely and hoping the board notices.
The National Cyber Security Centre has also complained that organizations are not following its guidance and advice. The pledge, then, is another test of whether voluntary measures can shift corporate behavior before ministers reach for regulation.
The government said it will keep the pledge under review as cyber threats change, with the possibility of revising the required actions after a 12-month cycle.
Who signed, and who did not
The initial list includes Aviva, the London Stock Exchange Group and Marks & Spencer. Marks & Spencer lost hundreds of millions of pounds after a cyberattack last year, according to Recorded Future News. Smaller cybersecurity firms also signed, including C3IA Solutions, Grey Zone Services and Nexor, whose businesses sit close to the services the pledge promotes.
Jamie MacColl, a senior research fellow at the Royal United Services Institute, said the sign-up level looked low. He said he would be surprised if most FTSE 350 companies were not already meeting comparable requirements, and questioned why many would choose Cyber Essentials if they already hold certifications with more controls.
The government says a significant cyberattack now costs an individual UK business almost £195,000 on average, or about $260,000. It estimates the annual cost to organizations at £14.7 billion, or about $19.7 billion, before broader economic disruption is counted.
That £14.7 billion estimate came from research supporting the Cyber Security and Resilience Bill, a separate measure still being debated in Parliament. It is not expected to be enforced until 2028.
MacColl said UK cyber policy often follows a pattern: consultation, research, a code of practice or conduct, a voluntary pledge, and then regulation. He said the pledge could become another step in that sequence if too few companies and vendors sign up, giving the government an argument that mandatory rules are needed.
The launch had been planned to follow the publication of Britain’s new National Cyber Action Plan on Monday. That announcement was delayed after Prime Minister Keir Starmer’s resignation.
This story draws on original reporting from The Record.