The pledge, expected to launch formally in the summer, carries three core requirements: boards must own cybersecurity as a governance matter, organisations must enrol in the National Cyber Security Centre's early-warning service, and Cyber Essentials certification must be required across entire supply chains. For operators of firms with fewer than 500 employees, the supply-chain clause is the sharpest edge. It means that SMEs acting as suppliers to larger signatories will face certification demands whether or not they sign the pledge themselves.
What the cyber-resilience pledge requires of boards
The pledge is structured around three commitments, as outlined in the minister's letter.
First, cybersecurity must be treated as an explicit board-level responsibility. That goes beyond appointing a chief information security officer or delegating risk to an IT team. Directors would be expected to demonstrate, to investors and trading partners alike, that digital defence features in board papers, risk registers, and audit discussions.
Second, signatories must register with the NCSC's early-warning service, a free tool that alerts organisations to threats detected against their internet-facing infrastructure. Registration is straightforward, yet take-up across the SME community remains low.
Third, and most consequential for smaller firms, signatories must mandate Cyber Essentials certification throughout their supply chains. Only around 56,000 Cyber Essentials certificates were issued in 2025, covering roughly 1 per cent of UK businesses, according to government figures. Extending the requirement down supply chains would multiply the compliance burden significantly. Any SME that sells goods or services to a pledge signatory could find certification becoming a condition of contract renewal.
Baroness Lloyd struck an urgent tone in her letter to business leaders.
"The cyber threat facing UK businesses is serious, growing and evolving fast. AI is giving attackers capabilities that would have seemed extraordinary just a year ago and no organisation can afford to be complacent. Cyber-resilience isn't just a technical issue; it's a board responsibility and we're asking every boardroom in Britain to prove they treat it as one."
The pledge is voluntary, but the signal is deliberate. Ministers appear to expect that investors, insurers, and procurement teams will begin treating sign-up as a proxy for governance quality, much as ESG disclosures moved from optional to expected over the past decade.
Why AI-powered attack tools raise the stakes for SMEs
The timing of the pledge is not coincidental. Anthropic, the San Francisco-based AI developer, recently disclosed that it had chosen not to release Mythos, a model developed for cybersecurity work, because of its capacity to identify software vulnerabilities autonomously, as reported by BM Magazine. Instead, the company provided the model to 40 US technology firms for defensive use.
The UK AI Security Institute, one of the few bodies outside the United States to have evaluated Mythos, concluded that the model is "at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained," according to its assessment. It stopped short of confirming whether Mythos could breach better-fortified targets.
For SMEs, the implication is direct. The category of "small, weakly defended" enterprise systems maps closely onto the thousands of firms that lack dedicated security teams or up-to-date patching regimes. AI models capable of autonomous exploitation lower the skill barrier for attackers, meaning that threats once confined to well-resourced criminal groups could proliferate.
Major UK lenders are already responding. Barclays (LSE: BARC), Lloyds Banking Group (LSE: LLOY), and NatWest Group (LSE: NWG) are understood to be in talks with Anthropic about accessing Mythos for defensive purposes, according to BM Magazine. Andrew Bailey, governor of the Bank of England, described Anthropic as having potentially "found a way to crack the whole cyber-risk world open," a notably forthright assessment from Threadneedle Street.
Dan Jarvis, the security minister, is expected to reinforce the message at CyberUK this week. Drawing on the recent ransomware attack that disrupted Jaguar Land Rover, Jarvis will argue that had the same damage been inflicted by a physical attack, "it would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country, breaking glass, smashing up computers and driving cars right off the forecourt," according to prepared remarks reported by BM Magazine.
The Cyber Security and Resilience Bill: what is coming next
The voluntary pledge sits ahead of harder-edged legislation. The Cyber Security and Resilience Bill, currently before Parliament, will impose mandatory cyber standards on firms operating in critical sectors, according to the government's published policy summary.
The Bill's scope has not been finalised, but it is expected to cover operators of essential services and digital service providers, extending obligations that currently apply under retained EU Network and Information Systems regulations. Penalties for non-compliance are likely to follow the pattern set by data-protection enforcement: significant enough to command board attention.
For SMEs outside critical sectors, the Bill may not apply directly. But the pledge creates a parallel track of expectation. If large firms in regulated sectors must certify their supply chains, the compliance obligation cascades. A facilities-management company, a logistics provider, or a software vendor serving a critical-sector client could find itself subject to contractual cyber requirements that mirror the Bill's statutory ones.
Insurance markets may accelerate the shift. Cyber-insurance underwriters have already tightened terms in recent renewal cycles, and several Lloyd's of London syndicates now require evidence of Cyber Essentials certification or equivalent controls before quoting cover. A visible government pledge, backed by named signatories, gives underwriters another data point when pricing risk.
Practical steps for operators who have not started
For boards that have not yet engaged with cyber governance, the pledge outlines a clear starting point.
Assign board-level ownership
Cybersecurity should appear as a standing item on the board agenda, with a named director accountable for oversight. This need not be a technical appointment. The objective is to ensure that risk appetite, incident-response planning, and investment decisions sit at the governance level rather than being buried in operational reporting.
Enrol in the NCSC early-warning service
The service is free and takes minutes to set up. It scans for known threats against an organisation's registered domains and IP addresses, providing alerts that allow early remediation. For firms without a dedicated security operations centre, it represents a low-cost first line of intelligence.
Pursue Cyber Essentials certification
The scheme covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Certification costs start from around £300 for self-assessment, rising for the "Plus" tier, which includes an independent technical audit. For most SMEs, the controls are achievable without specialist consultancy.
Audit supply-chain requirements
Firms that supply goods or services to larger organisations should check whether their clients intend to sign the pledge. If so, contractual demands for Cyber Essentials certification may follow. Early preparation avoids last-minute scrambles that disrupt trading relationships.
Review cyber-insurance terms
Directors should examine their current policy wording for exclusions related to unpatched systems, lack of multi-factor authentication, or absence of recognised certifications. Gaps in basic controls can void cover precisely when it is needed most.
The pledge is voluntary. The direction of travel is not. Ministers have made clear that they expect boards to act ahead of legislation, and the commercial ecosystem, from insurers to procurement teams, is likely to follow suit. For SMEs, the cost of inaction is no longer limited to the risk of a breach. It extends to lost contracts, higher premiums, and questions from investors about whether the board is governing digital risk at all.
