UK Cyber Pledge Draws Fewer Than 15 FTSE 350 Firms at Launch
Only 70 total signatories for the UK Cyber Resilience Pledge, with fewer than 15 of 350 largest listed companies joining despite ministerial letters.

Executive Summary
Fewer than 15 of Britain's 350 largest publicly traded companies signed the UK government's flagship Cyber Resilience Pledge at its launch on Tuesday, according to a report from Recorded Future News. The low turnout comes eight months after ministers personally wrote to the chair and chief executive of every FTSE 350 firm urging them to join. In total, 70 founding signatories were named at a 10 Downing Street reception hosted by Technology Secretary Liz Kendall, but 20 of those are strategic government suppliers who were invited through a separate Government Cyber Charter, meaning only 50 signatories came from the wider economy voluntarily.
Technical Analysis
The Cyber Resilience Pledge asks signatories to commit to three actions: make cybersecurity a board-level responsibility; register for the National Cyber Security Centre's (NCSC) free Early Warning service; and adopt a risk-based approach to requiring Cyber Essentials certification across their supply chains. All three activities remain voluntary with no enforcement mechanism, the Department for Science, Innovation and Technology (DSIT) confirmed.
Major firms that did sign include Aviva, the London Stock Exchange Group, and Marks & Spencer — the latter lost hundreds of millions of pounds in a cyberattack last year, per the report. Smaller cybersecurity consultancies such as C3IA Solutions, Grey Zone Services, and Nexor also joined, though their commercial offerings align closely with the pledge's requirements.
Jamie MacColl, a senior research fellow at the Royal United Services Institute (RUSI), told Recorded Future News he was surprised by the low number. "I would be relatively surprised if most FTSE 350 companies were not meeting an equivalent standard. Why would they go through Cyber Essentials when in many cases they will have a certification that has many more controls in it?" he said.
The launch occurred against the backdrop of the delayed National Cyber Action Plan, originally scheduled for Monday but postponed due to Prime Minister Keir Starmer's resignation. The government stated that "given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle."
DSIT did not respond to questions about whether signing carries procurement consequences for strategic suppliers, nor whether it considered the FTSE 350 turnout a strong response to the ministerial letter. The government cited research estimating the average cost of a significant cyberattack on a UK business at nearly £195,000 ($260,000), with annual costs to organizations at £14.7 billion ($19.7 billion) — though that figure was produced to support the separate Cyber Security and Resilience Bill, which remains under parliamentary debate and is not expected to be enforced until 2028.
Mitigations & Recommendations
Defenders should monitor whether the voluntary pledge evolves into mandatory regulation, a pattern MacColl described as typical for UK cyber policy: "consultation, research, code of practice or conduct, some sort of voluntary pledge, and then regulation." He added, "You've almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary." Organizations that have not yet signed should evaluate the NCSC Early Warning service and Cyber Essentials certification as baseline controls regardless of pledge status.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.
