Ministers Wrote to the Entire FTSE 350 About the Cyber Pledge. They Got Left “Unread”

Estimated reading time: 5 minutes

The UK government launched its Cyber Resilience Pledge at 10 Downing Street on Tuesday. Seventy businesses signed as founding members, including M&S, Aviva, the London Stock Exchange Group, Nationwide, ITV, and Microsoft UK. Here is the number that matters. Last October, government ministers, the NCSC chief, and the NCA head wrote to the chief executive and chair of every FTSE 350 company. The letter asked for the same three actions the pledge now formalizes. Nearly nine months later, roughly 20 of the 70 signatories are FTSE 350 companies or their subsidiaries.

Either way, more than 90 percent of Britain’s largest listed companies declined a personal ministerial invitation.

What the Pledge Asks

The pledge asks for three things. Signatories must make cyber security a board-level responsibility under the Cyber Governance Code of Practice. They must register for the NCSC’s free Early Warning service. And they must take a risk-based approach to requiring Cyber Essentials certification across their supply chains.

Cyber insurance news graphic on the UK Cyber Resilience Pledge. Headline reads Ministers Wrote to the Entire FTSE 350 About the Cyber Pledge, They Got Left Unread, beside a cyan outline of the Downing Street door on a dark navy background.

The launch was supposed to follow Monday’s unveiling of the National Cyber Action Plan. That plan was delayed amid the Labour leadership turmoil following Prime Minister Keir Starmer’s resignation. The pledge went ahead anyway.

Who Actually Signed

The roster spans retail, financial services, media, utilities, and technology. It also includes fine print. DSIT has been developing a Cyber Charter with its 39 strategic suppliers. All were invited to sign the pledge. More than 20 did so in this first cohort.

DSIT did not answer Recorded Future News‘ questions about whether signing carries procurement consequences for those suppliers. Strip them out, and the voluntary private-sector cohort shrinks to around 50 firms.

See also  Small Business Cyber Insurance Adoption Up 50%, Insureon Data Shows

The list also includes small cybersecurity consultancies such as C3IA Solutions, Grey Zone Services, and Nexor. Firms whose business is selling exactly what the pledge promotes. Their enthusiasm required no ministerial letter.

M&S signed after losing hundreds of millions of pounds to last year’s cyberattack. Nothing focuses a board like an empty till.

Why the FTSE 350 Stayed Home

Jamie MacColl, senior research fellow at the Royal United Services Institute, told Recorded Future News the turnout looked low. He noted most FTSE 350 firms likely already meet standards exceeding Cyber Essentials. Why certify to a floor when you already hold certifications with far more controls?

That cuts both ways. If the biggest firms are already above the bar, the pledge targets the wrong audience. If they are not, they just told the government so by staying silent.

MacColl also read the launch as a familiar UK policy sequence. Consultation, research, code of practice, voluntary pledge, then regulation. “You’ve almost given the private sector enough rope to hang itself with,” he said. Weak uptake becomes the government’s case for compulsion.

The Insurance Angle: Cyber Essentials Goes Upstream

The supply-chain provision remains the sleeper for this market. If large signatories demand Cyber Essentials from vendors, certification volume climbs. Government figures already link the scheme to sharply lower insurance claims. CINI examined those figures in prior coverage of the economic impact research.

Board-level governance requirements also map neatly onto underwriting questionnaires. Carriers have pushed for exactly this for years.

The demand-side context matters too. The Cyber Security Longitudinal Survey’s fifth wave showed uneven insurance adoption among UK organizations. Gallagher and Cebr found a persistent litigation and coverage gap. And the UK cyber insurance market keeps growing despite widespread non-purchase.

See also  UK Longitudinal Cyber Survey Flags Cyber Insurance Uptick And Supplier Risk

The Recycled Numbers

The government’s case rests on familiar figures. A £195,000 average cost per significant attack. An annual £14.7 billion cost to organizations. Those numbers come from research supporting the Cyber Security and Resilience Bill, which remains before Parliament and is not expected to come into force until 2028. CINI covered that research and its systemic-risk scenarios in November.

CINI also covered BIBA’s response to the Resilience Bill and the tripling of UK cybersecurity job demand that the legislation helped drive.

What Happens Next

Nothing in the pledge is enforced. Signatories self-report annually. The government says it will review the pledge after a 12-month cycle and may refine the actions.

Underwriters should treat a signature as intent, not evidence. The questionnaire still matters. The scan still matters.

Watch two numbers over the next year. Signatory growth beyond the strategic-supplier base. And FTSE 350 uptake. If MacColl’s pattern holds, weak numbers on both fronts become the preamble to regulation. The private sector was handed the rope. The knot is optional. For now.

FAQ – Cyber Resilience Pledge

What is the UK Cyber Resilience Pledge?

A voluntary government scheme was launched on July 7, 2026, at 10 Downing Street. Signatories commit to board-level cyber governance, NCSC Early Warning registration, and risk-based Cyber Essentials requirements for suppliers.

How many companies signed the Cyber Resilience Pledge?

Seventy founding signatories, including M&S, Aviva, LSEG, Nationwide, ITV, and Microsoft UK. More than 20 government strategic suppliers are invited through a separate Cyber Charter.

Is the Cyber Resilience Pledge legally binding?

No. It is voluntary and self-reported, with no enforcement mechanism. The government will review it after 12 months.

Why does the pledge matter for cyber insurance?

The supply-chain provision could expand Cyber Essentials certification, which government data links to fewer insurance claims. Board governance requirements also align with underwriting standards.

Leave a Comment

×