UK's Cyber Resilience Pledge Sees Lukewarm FTSE 350 Uptake
The UK government's new voluntary Cyber Resilience Pledge has launched with fewer than 15 of Britain's 350 largest listed companies signing on, despite direct appeals from ministers. The initiative aims to bolster national cybersecurity by encouraging board-level responsibility and supply chain certification, but its voluntary nature raises questions about its immediate impact and the potential for future regulation.
# UK's Cyber Resilience Pledge Faces Low Initial Engagement from FTSE 350
The **UK government's** flagship voluntary cybersecurity scheme, the **Cyber Resilience Pledge**, has launched to a notably subdued response from the nation's largest companies. Despite personal appeals from ministers to the chairs and CEOs of every **FTSE 350** firm eight months prior, fewer than 15 of these major companies have signed up.
The launch event, held at **10 Downing Street** and hosted by Technology Secretary **Liz Kendall**, saw a total of 70 founding signatories. However, 20 of these are strategic government suppliers who were invited through a separate **Government Cyber Charter**, which dictates obligations for companies delivering critical state services. This distinction implies that only 50 truly voluntary signatories from the broader economy participated.
## The Pledge's Core Tenets
The **Cyber Resilience Pledge** asks signatories to commit to three key actions:
* Elevate cybersecurity to a board-level responsibility.
* Register for the **National Cyber Security Centre's (NCSC)** free **Early Warning service**.
* Adopt a risk-based approach to mandating **Cyber Essentials certification** across their supply chains.
Crucially, these activities remain voluntary, with no enforcement mechanisms currently in place. This approach comes amid broader scrutiny regarding the government's willingness to compel industry action on cybersecurity, especially following previous **NCSC** complaints about organizations failing to adhere to its guidance.
## Notable Signatories and Industry Skepticism
Among the large firms that did sign were **Aviva**, the **London Stock Exchange Group**, and **Marks & Spencer**, the latter having reportedly lost hundreds of millions of pounds in a cyberattack last year. Smaller cybersecurity consultancies, such as **C3IA Solutions**, **Grey Zone Services**, and **Nexor**, also joined, aligning the pledge with their commercial offerings.
**Jamie MacColl**, a senior research fellow at the **Royal United Services Institute**, expressed surprise at the low number of signatories, questioning the incentive for **FTSE 350** companies already meeting or exceeding equivalent cybersecurity standards.
## The Cost of Inaction and Future Prospects
The government highlights the significant financial impact of cyberattacks, estimating the average cost of a major incident on a UK business at nearly Β£195,000 ($260,000). The annual cost to organizations is projected to be Β£14.7 billion ($19.7 billion), excluding wider economic disruption.
This Β£14.7 billion figure stems from research supporting the separate **Cyber Security and Resilience Bill**, which is still undergoing parliamentary debate and is not expected to be enforced until 2028.
MacColl suggests that the current voluntary pledge might be a precursor to future regulation, fitting a pattern often seen in UK cyber policy: consultation, research, voluntary pledges, and then ultimately, regulation. He notes, "Youβve almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary."
The government has stated it will review the pledge's suitability and potentially refine its actions after a 12-month cycle, acknowledging the evolving threat landscape.