Cyber Security: Letter sent to business leaders urging them to take action

A letter has been sent to all companies in the FTSE 100 and FTSE 250 urging them to take steps to ensure that they are adequately protected against cyber threats.

The letter – signed by the Secretary of State for Science, Innovation and Technology, Chancellor, Secretary of State for Business and Trade, Minister of Security, CEO of the National Cyber Security Centre (NCSC), and Director General of the National Crime Agency – makes clear that “hostile cyber activity in the UK is growing more intense, frequent and sophisticated”, requiring an “urgent collective response”.

The letter coincides with the publication of the NCSC’s annual review (found here), which reiterates the need to embed cyber risk management into corporate governance. The review also provides a comprehensive survey of the current threat landscape and offers its own advice on what businesses can do to protect themselves.

Three specific steps are identified in the letter as needing to be taken by CEOs and Chairs as a matter of urgency to ensure that their companies are more resilient to cyber attacks:

  1. Make cyber risk a Board-level priority using the Cyber Governance Code of Practice

We have commented on the Code of Practice previously here. The letter urges organisations to ensure that its contents are implemented and the accompanying training is completed by all Board members. Similarly, it recommends that organisations rehearse how they would respond to a major incident, and plan how operations would be continued and rebuilt “following a destructive cyber incident”. In its Annual Review, the NCSC adds that operational crisis response materials should be held “either digitally or physically on isolated platforms or hardcopy”.

  2. Sign up to the NCSC’s Early Warning service

As the letter explains, this is a free service that informs organisations about potential cyber attacks on their network. Those in charge are encouraged to register for the service, and ensure that their suppliers do too.

  3. Require Cyber Essentials in your supply chain

Finally, the letter points out that only 14% of UK businesses assess the cyber risks posed by their immediate suppliers. Businesses are encouraged to consult the Cyber Essentials scheme, which certifies that organisations have cyber protections in place to prevent common attacks, and to ensure that those in their supply chain meet the Cyber Essentials standards at a minimum.

To read the letter in full, click here.