UK cyber pledge draws only a handful of top firms despite ministerial appeal
Fewer than 15 of Britain's 350 largest listed companies signed up to the government's flagship voluntary cybersecurity scheme at its launch on Tuesday, eight months after ministers wrote personally to the chair and chief executive of every FTSE 350 firm urging them to do so.
Tuesday’s launch had been planned to follow the unveiling of Britain’s new National Cyber Action Plan on Monday before that was delayed due to Prime Minister Keir Starmer's resignation.
In total, 70 founding signatories for the Cyber Resilience Pledge were named at the 10 Downing Street reception hosted by Technology Secretary Liz Kendall. Twenty of them are strategic government suppliers who had been invited to sign the pledge through a separate Government Cyber Charter governing the obligations of companies delivering critical services to the state.
The Department for Science, Innovation and Technology did not respond to questions from Recorded Future News about whether signing carries procurement consequences for strategic suppliers, nor whether it regarded the FTSE 350 turnout as a strong response to the ministerial letter.
If the strategic suppliers faced procurement consequences, the launch included just 50 truly voluntary signatories from across the wider economy.
Those that did sign include large firms such as Aviva, the London Stock Exchange Group and Marks & Spencer, which lost hundreds of millions of pounds in a cyberattack last year, as well as small cybersecurity consultancies including C3IA Solutions, Grey Zone Services and Nexor, for whom the pledge aligns closely with their own commercial offerings.
The pledge asks signatories to do three things: make cybersecurity a board-level responsibility; register for the National Cyber Security Centre's free Early Warning service; and take a risk-based approach to requiring the Cyber Essentials certification across their supply chains.
These activities remain voluntary and there is no mechanism to enforce them. The launch comes amid wider scrutiny of the government’s appetite to compel industry to take action on cybersecurity, and follows the NCSC complaining about organizations failing to follow its guidance and advice.
The government says “given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle.”
Jamie MacColl, a senior research fellow at the Royal United Services Institute, said he felt the number of signatories was low.
“I would be relatively surprised if most FTSE 350 companies were not meeting an equivalent standard. Why would they go through Cyber Essentials when in many cases they will have a certification that has many more controls in it?”
According to the government, “the average cost of a significant cyberattack on an individual UK business now stands at almost £195,000 ($260,000), with the annual cost to organizations estimated at £14.7 billion ($19.7 billion), excluding wider disruption across the economy.”
The £14.7 billion figure was produced by research supporting a separate measure, the Cyber Security and Resilience Bill, which is still being debated in Parliament and is not expected to be enforced until 2028.
MacColl said: “I think the pattern with UK cyber policy is often a consultation, research, code of practice or conduct, some sort of voluntary pledge, and then regulation. This could be repeating that pattern.
“You could see this as a step in the process whereby they end up regulating. You’ve almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



