Only a handful of FTSE 350 giants signed up
Fewer than 15 of Britain’s 350 largest listed companies put their names to the government’s flagship voluntary cybersecurity scheme at its launch on Tuesday. That’s despite ministers writing personal letters eight months ago to the chair and chief executive of every single FTSE 350 firm, urging them to join.
The UK Cyber Resilience Pledge was unveiled at a 10 Downing Street reception hosted by Technology Secretary Liz Kendall. In total, 70 founding signatories were named. But 20 of those are strategic government suppliers — companies that deliver critical services to the state and were invited to sign via a separate Government Cyber Charter. Strip them out, and the launch included just 50 truly voluntary signatories from across the wider economy.
Among the big names that did sign: Aviva, the London Stock Exchange Group, and Marks & Spencer — the latter lost hundreds of millions of pounds in a cyberattack last year. The rest of the list is heavy on small cybersecurity consultancies like C3IA Solutions, Grey Zone Services and Nexor, for whom the pledge aligns neatly with their own commercial offerings.
What the pledge actually asks
The pledge is light-touch by design. It asks signatories to do three things:
- Make cybersecurity a board-level responsibility
- Register for the NCSC’s free Early Warning service
- Take a risk-based approach to requiring Cyber Essentials certification across their supply chains
All of it is voluntary. There is no enforcement mechanism. The Department for Science, Innovation and Technology did not respond to questions about whether signing carries procurement consequences for strategic suppliers, nor whether it regarded the FTSE 350 turnout as a strong response to the ministerial letter.
Why so few? Experts weigh in
Jamie MacColl, a senior research fellow at the Royal United Services Institute, said the number of signatories struck him as low.
“I would be relatively surprised if most FTSE 350 companies were not meeting an equivalent standard. Why would they go through Cyber Essentials when in many cases they will have a certification that has many more controls in it?”
MacColl sees a familiar pattern. “I think the pattern with UK cyber policy is often a consultation, research, code of practice or conduct, some sort of voluntary pledge, and then regulation. This could be repeating that pattern.”
He added: “You could see this as a step in the process whereby they end up regulating. You’ve almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary.”
Timing and context
Tuesday’s launch had been planned to follow the unveiling of Britain’s new National Cyber Action Plan on Monday. That was delayed due to Prime Minister Keir Starmer’s resignation.
The launch comes amid wider scrutiny of the government’s appetite to compel industry to act on cybersecurity. It follows the NCSC complaining about organizations failing to follow its guidance and advice.
The government says it will keep reviewing the pledge. In its own words: “Given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle.”
The cost of inaction
According to the government, “the average cost of a significant cyberattack on an individual UK business now stands at almost £195,000 ($260,000), with the annual cost to organizations estimated at £14.7 billion ($19.7 billion), excluding wider disruption across the economy.”
That £14.7 billion figure comes from research supporting a separate measure — the Cyber Security and Resilience Bill — which is still being debated in Parliament and is not expected to be enforced until 2028.
So for now, the message to Britain’s biggest companies is: you’re asked nicely. Whether that changes depends on how many more decide to sign up over the next 12 months.