Estimated reading time: 5 minutes
The UK government launched its Cyber Resilience Pledge at 10 Downing Street on Tuesday. Seventy businesses signed as founding members, including M&S, Aviva, the London Stock Exchange Group, Nationwide, ITV, and Microsoft UK. Here is the number that matters. Last October, government ministers, the NCSC chief, and the NCA head wrote to the chief executive and chair of every FTSE 350 company. The letter asked for the same three actions the pledge now formalizes. Nearly nine months later, roughly 20 of the 70 signatories are FTSE 350 companies or their subsidiaries.
Either way, more than 90 percent of Britain’s largest listed companies declined a personal ministerial invitation.
What the Pledge Asks
The pledge asks for three things. Signatories must make cyber security a board-level responsibility under the Cyber Governance Code of Practice. They must register for the NCSC’s free Early Warning service. And they must take a risk-based approach to requiring Cyber Essentials certification across their supply chains.
The launch was supposed to follow Monday’s unveiling of the National Cyber Action Plan. That plan was delayed amid the Labour leadership turmoil following Prime Minister Keir Starmer’s resignation. The pledge went ahead anyway.
Who Actually Signed
The roster spans retail, financial services, media, utilities, and technology. It also includes fine print. DSIT has been developing a Cyber Charter with its 39 strategic suppliers. All were invited to sign the pledge. More than 20 did so in this first cohort.
DSIT did not answer Recorded Future News‘ questions about whether signing carries procurement consequences for those suppliers. Strip them out, and the voluntary private-sector cohort shrinks to around 50 firms.
The list also includes small cybersecurity consultancies such as C3IA Solutions, Grey Zone Services, and Nexor. Firms whose business is selling exactly what the pledge promotes. Their enthusiasm required no ministerial letter.
M&S signed after losing hundreds of millions of pounds to last year’s cyberattack. Nothing focuses a board like an empty till.
Why the FTSE 350 Stayed Home
Jamie MacColl, senior research fellow at the Royal United Services Institute, told Recorded Future News the turnout looked low. He noted most FTSE 350 firms likely already meet standards exceeding Cyber Essentials. Why certify to a floor when you already hold certifications with far more controls?
That cuts both ways. If the biggest firms are already above the bar, the pledge targets the wrong audience. If they are not, they just told the government so by staying silent.
MacColl also read the launch as a familiar UK policy sequence. Consultation, research, code of practice, voluntary pledge, then regulation. “You’ve almost given the private sector enough rope to hang itself with,” he said. Weak uptake becomes the government’s case for compulsion.
The Insurance Angle: Cyber Essentials Goes Upstream
The supply-chain provision remains the sleeper for this market. If large signatories demand Cyber Essentials from vendors, certification volume climbs. Government figures already link the scheme to sharply lower insurance claims. CINI examined those figures in prior coverage of the economic impact research.
Board-level governance requirements also map neatly onto underwriting questionnaires. Carriers have pushed for exactly this for years.
The demand-side context matters too. The Cyber Security Longitudinal Survey’s fifth wave showed uneven insurance adoption among UK organizations. Gallagher and Cebr found a persistent litigation and coverage gap. And the UK cyber insurance market keeps growing despite widespread non-purchase.
The Recycled Numbers
The government’s case rests on familiar figures. A £195,000 average cost per significant attack. An annual £14.7 billion cost to organizations. Those numbers come from research supporting the Cyber Security and Resilience Bill, which remains before Parliament and is not expected to come into force until 2028. CINI covered that research and its systemic-risk scenarios in November.
CINI also covered BIBA’s response to the Resilience Bill and the tripling of UK cybersecurity job demand that the legislation helped drive.
What Happens Next
Nothing in the pledge is enforced. Signatories self-report annually. The government says it will review the pledge after a 12-month cycle and may refine the actions.
Underwriters should treat a signature as intent, not evidence. The questionnaire still matters. The scan still matters.
Watch two numbers over the next year. Signatory growth beyond the strategic-supplier base. And FTSE 350 uptake. If MacColl’s pattern holds, weak numbers on both fronts become the preamble to regulation. The private sector was handed the rope. The knot is optional. For now.
FAQ – Cyber Resilience Pledge
A voluntary government scheme was launched on July 7, 2026, at 10 Downing Street. Signatories commit to board-level cyber governance, NCSC Early Warning registration, and risk-based Cyber Essentials requirements for suppliers.
Seventy founding signatories, including M&S, Aviva, LSEG, Nationwide, ITV, and Microsoft UK. More than 20 government strategic suppliers are invited through a separate Cyber Charter.
Roughly 20 signatories are FTSE 350 companies or their subsidiaries, by CINI’s count. Ministers wrote personally to all 350 firms eight months before launch.
No. It is voluntary and self-reported, with no enforcement mechanism. The government will review it after 12 months.
The supply-chain provision could expand Cyber Essentials certification, which government data links to fewer insurance claims. Board governance requirements also align with underwriting standards.
Related Cyber Insurance Posts
- The Cyber Coverage Gap Is Growing. Can a Micro-Captive Close It? – PODCAST
- Post-Quantum Automotive Security: SEALSQ Maps A Chip-Level Fix
- Cyber Essentials Tied To Fewer Cyber Insurance Claims In UK Data(Opens in a new browser tab)
- Stolen credentials crisis: FTSE 100 Logins Flood Dark Web(Opens in a new browser tab)
- Healthcare Cyber Insurance Risk Climbs as Vendor Breaches Hit 85% of Practices