TRUSTEE REPORT AND FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 MARCH 2023 Company Number: 12830814 Charity Number: 1195030

UKCYBERSECURITYCOUNCIL.ORG.UK

1

CONTENTS

Trustee Report

• Foreword from the CEO

• Purpose & Benefit

• Year in Review – Achievements

• Reference & Administration

• Reserves Policy & Risk Management

• Governance Structure

• Future plans

• Trustee Role, Appointment & Induction

• Year in Review – Financial Performance

• Trustee Statement of Responsibilities

Independent Auditors Report

Statement of Financial Activities for the year end 31 March 2023 Balance Sheet as at 31 March 2023 Statement of Cash flows for the year end 31 March 2023 Notes to the Financial Statements

1

----- Start of picture text -----
17
18
19
20
21
----- End of picture text -----

Foreword from our CEO

FOREWORD FROM OUR CEO

This year we have built on our existing partnerships with NCSC and Licensed Bodies such as CiiSec, ISC2, ISACA, Crest and The Cyber Scheme to drive forward our work on Professional Standards.

We have established a strong sense of direction through our five pillars and have increased our commercial revenue through participation from our member organisations.

We have recruited new staff, put in place new infrastructure, and recruited new members to our board to support our governance and leadership. There has been a lot of change this year and this would not have been possible without the hard work and dedication of the team at the Council.

The Council has made huge strides in achieving our objectives alongside the newly established Department for Science, Innovation & Technology as detailed in this report.

Last year I laid out the four core

strategic aims for the organisation:

Structure the council to deliver the UK Cyber Security Strategy

Develop a sustainable & diverse workforce of cyber professionals

Engage with & listen to industry Make every contact matter

These are still the leading aims for the organisation, now underpinned by our work across Professional Standards, Professional Ethics, Careers & Learning, Outreach & Diversity, and Thought Leadership & Influence.

Maintaining and establishing new working groups and committees has played an important role in the Council’s work so far, and this year we saw the emergence of our Ethics Committee, Diversity Working Group and Outreach Working Group. Each with their own key objectives to further the pillar they are aligned to.

This year also marks our move to a Royal Chartered Organisation, further leaning into our role as the standard setter for the profession.

Our operations team have worked hard to create a new member offering, giving further benefit to those organisations who join us on our journey. This will affect all of our pillars, creating thought leadership, key relationships, and the opportunity for further collaboration with the profession.

I have continued to be present within the community, securing speaking slots and panel events at key conferences such as CyberUK and the International Cyber Expo, for government hosted events such as the Annual Government Security Leadership Conference, at partner events such as SASIG and CyBOK, and academia in my role as a visiting Professor for Aston University.

Our Senior Leadership Team have also spoken at, attended, and provided insight for events such as our

Elevating Ethnic Minorities in Cyber Symposium, and our Virtual UK Roadshow, offering insights into cyber progression from the 4 home nations.

As we begin the next phase of our story, Chartering the first Cyber Security Professionals, instilling confidence in our Code of Ethics, supporting more people into the cyber security sector, and removing barriers for those less represented, I am immensely proud of what we have achieved to date and hope this report details the importance of our work yet to come.

Professor Simon Hepburn

Council Chief Executive Officer

Purpose and Public Benefit

PURPOSE AND PUBLIC BENEFIT

The purpose of the UK Cyber Security Council is to act as the voice of the cyber security profession and help ensure that the UK is the safest place to live and work online, as set out in the original National Cyber Security Strategy (2016-2021).

Its aims are to:

• Inspire, inform and advance public cyber security awareness and knowledge

• Create an open, inclusive and professional cyber security culture

• Influence cyber security best practices that proactively benefit the public in the UK and beyond

• Act as the reference point for cyber security professional standards, competence and commitment

We have established 5 pillars to deliver our aims, these pillars are:

• Professional Standards - Setting the standards for practitioners across the sector

• Professional Ethics - Creating and ensuring cyber professionals adhere to our Code of Ethics

• Careers & Learning - Providing guidance on how to join and progress within cyber security

• Outreach & Diversity - Striving for an inclusive and representative sector

• Thought Leadership & Influence - Positioning the Council as the voice of the profession

By bringing together professionals within the cyber security sector, with stakeholders, government, and third sector organisations, we will establish professional standards and ethics, alongside our work to encourage progression within the sector.

We will work in collaboration with the wider industry to tackle issues such as closing the skills gap and make sure we see a more representative workforce.

Public Benefit

One of our key values is inclusion. This means everyone. We embrace diversity of all kinds and the rich knowledge this empowers us with.

We break down barriers, promote fairness and champion the need and the benefits for inclusion.

We will benefit the public through our work to demystify and simplify career paths within cyber security, which will have a tangible impact through the reduction of the skills gap in the sector.

We will ensure those in the profession are working to a defined standard and code of ethics, and make sure anyone wanting to start a career in or progress within cyber security can.

This not only benefits individuals, but also employers, businesses, and the wider community; creating a world where the whole of society is safe and secure in cyber space.

Year in review

YEAR IN REVIEW:

The Council workstreams have developed this year to include Careers and Learning as a key piece of work, alongside those previously set up including:

Professional Standards

• Outreach & Diversity in Cyber Security to develop the next generation

Professional Ethics

• Thought Leadership & Influence

These key pillars of work provide us with a foundation achieve our four strategic aims.

• Structure the council to deliver for the UK Cyber Security Strategy Develop a sustainable & diverse workforce of cyber professionals Engage with & listen to industry Make every contact matter

This financial year the Council launched our 2025 Strategy Chartering a Cyber Future.

This document outlines our five new pillars and sets objectives to achieve under each one, ensuring that we can achieve our mission to:

• Enhance and expand the nation's cyber skills, knowledge and profession at every level

• To be the self-regulatory body for, and voice of, the cyber security profession.

• To develop, promote and provide stewardship of the highest possible standards of expertise, excellence, professional conduct and practice in the profession, for the benefit of the public.

• Our Strategic Aims and Priorities contained within this document are as follows:

• Raise the profile of the cyber security profession and the UK

• Cyber Security Council. This work is ongoing.

Design schemes to award Professional Registration Titles. These schemes are now underway within our Professional Standards Directorate.

Develop an Ethical Framework providing a Code of Ethics and Guiding Principles.

This work has been completed and is accessible on our website. Upholding the Code of Ethics and investigating any breaches is managed through collaboration with our Ethics Working Group.

• Create a Cyber Career Framework linked to mapping Certifications and Qualifications within the sector.

We have launched our Cyber Career Framework alongside a Certification Framework during this financial year.

Use outreach initiatives to address the longer-term skills gap in the sector.

This has begun and continues to be developed.

Be a thought leader for the profession.

This work began with the publication of a thought leadership paper around elevating ethnic minorities in cyber.

Create a fit for purpose Royal Incorporated Organisation.

This has now been established and all staff have transferred over to the new organisation.

Achievements

YEAR IN REVIEW: ACHIEVEMENTS

This year we designed and launched two pilot schemes to award the Professional Registration Titles of Associate, Principal and Chartered.

• We established a Professional Standards Working Group alongside an Ethics Committee and developed two pilot programmes covering the specialisms of Cyber Security Governance & Risk Management, and Secure System Architecture & Design.

• We worked with partners to establish a model for Licensed Bodies to be able to assess candidates for Professional Registration Titles, and began development on an assessment portal, alongside recruiting volunteer assessors from the cyber community.

• We set clear guidelines for assessment in our documentation such as our Minimum Qualification Standard and our Standard for Professional Competence & Commitment.

Achievements

YEAR IN REVIEW: ACHIEVEMENTS

Some key achievements under the aim of ‘Create a Cyber Career Framework linked to mapping Certifications and Qualifications within the sector.’

• Developed and updated our Cyber Career Framework, including job descriptions, salaries, skills, keys tasks and progression opportunities for each of the cyber security specialisms.

• Developed and launched our Certification Framework. This tool helps individuals map their specialism and years of experience with the appropriate Certification for them, therefore saving them time and money on unnecessary certifications.

• Designed a Career Mapping Tool. This tool allows users to use the key knowledge areas established by the Cyber Body of Knowledge to match their area of interest with one of our specialisms. This means users can apply for training, jobs, and courses that are relevant to their career path.

Careers and Learning

Achievements

YEAR IN REVIEW: ACHIEVEMENTS

Under the objective of ‘Use outreach initiatives to address the longer-term skills gap in the sector’ we have:

Established two working groups, one for Outreach and one for Diversity. Each group has a specific focus, either widening the talent pool within the sector, or creating a more inclusive sector for those that are currently underrepresented.

We have hosted several virtual events showcasing the diversity of leaders and practitioners in the cyber security sector, as well as an in-person

symposium “Elevating Ethnic Minorities in Cyber”, bringing together leaders, government representatives, volunteers, career-changers, and key partners to produce tangible actions for our future work.

We produced a Thought Leadership paper – The Diversity Process Flow, which detailed the actions suggested in our symposium and was well received online through our own digital marketing channels and in press.

Outreach & Diversity

Achievements

YEAR IN REVIEW: ACHIEVEMENTS

Some key achievements under the aim to ‘Develop an Ethical Framework providing a Code of Ethics and Guiding Principles’ are as follows:

Created a new pillar ‘Professional Ethics’ managed by the Professional Standards directorate.

Established the Ethics Committee and attended regular meetings to discuss our Code of Ethics, Guiding Principles and Ethical Declaration, alongside the process for investigating ethical breaches.

Professional Ethics

Established a member and registrant platform for users to view and sign our Ethical Declaration, therefore adding further accountability for our membership and those applying for Professional Registration Titles.

Published and distributed our guidance on ethics, to help employers and businesses improve their cyber security practices.

dsf

Trustee Report

REFERENCE & ADMINISTRATION:

Company Number: 12830814 Charity Number: 1195030 Registered Address: 3rd Floor, 106 Leadenhall Street, London, EC3A 4AA

Bankers:

Lloyds Bank PLC. 25 Gresham Street,

London EC2V 7HN

Solicitors:

Birkett’s LLP. Providence House, 141-145 Princes Street, Ipswich, Suffolk, IP1 1QJ

Auditors:

Moore Kingston Smith, 9 Appold Street, London, EC2A 2AP

The UK Cyber Security Council was incorporated as a company limited by guarantee on 21 August 2020.

The UK Cyber Security Council was

registered as a Charity on 01 July 2021

Trustees:

• Claudia Natanson - Chair (appointed October 2020)

• Jessica Figueras – Vice Chair (appointed October 2020)

• Mike Watson – Treasurer (appointed October 2020)

• Carla Baker – Trustee (appointed October 2020)

• Chitra Balakrishna – Trustee (appointed October 2021)

• Nathan Nagaiah – Trustee (appointed October 2021)

• Edward Goodchild –

• Trustee (appointed October 2021)

• Frances Le Grys – Trustee (appointed October 2021)

David Davis –

Trustee (appointed October 2022) Kat Abercrombie – Trustee (appointed October 2022)

dsf

Trustee Report

RESERVES POLICY

The Trustees treat the unrestricted reserves as available for activities which forward the Charity’s objectives, and for funding the requirements for support and governance costs.

Free reserves are that part of the Council’s unrestricted funds that are freely available to spend on any of its charitable purposes.

The Council may maintain free unrestricted reserves for the following reasons:

a) to provide a level of working capital that protects the continuity;

b) to provide a level of funding for unexpected opportunities; and

c) to provide cover for risks such as unforeseen expenditure or unanticipated loss of income.

The Trustees will review the above criteria with reference to the Council’s strategy and Annual Plan and determine the target level of free reserves to meet these.

They may at times designate funds from free reserves for significant project costs or replacement of major assets.

RISK MANAGEMENT

The UK Cyber Security Council Trustees have considered the major risks to which the charity is exposed and have reviewed those risks and established policies, systems and procedures to manage them accordingly.

The risk register is updated at least quarterly, but is regularly reviewed within the operational team to ensure key changes are reflected in the risk log and appropriate plans to mitigate are put in place.

The principal risks are:

• Loss of funding or inability to secure sufficient funding to carry out the core work of the organisation • Significant delays in the development and roll out of specialist cyber standards

• Breach of data security or compliance with key regulatory authorities

• Loss of key staff and personnel

• Lack of support and buy in from the cyber security profession

Structure and Trustee Board

GOVERNANCE STRUCTURE

The Trustees are also responsible

The first four trustees were appointed in October 2020 and as a board they appointed a further four trustees in October 2021. In September 2022 two trustees were formally appointed following an election by the Council’s member organisations.

.

Our Board of Trustees has a broad range of relevant skills, knowledge and experience, spanning education, skills and professional development, commercial and business development, income generation and fundraising, legal, cyber security, financial management, risk management, business risk, professional standards and ethics, Government affairs and policy and furthering diversity, equality and inclusion.

The Council considers each of the Trustees independent in character and judgement.

Declarations of interest are acquired from new Trustees and updated by all trustees annually. No remuneration is provided other than reasonable travel and subsistence costs. Trustees regularly review the progress of the charity and its funding and work in conjunction with the executive team and membership bodies to set the strategy for the organisation.

Remuneration

The Chair reviews the remuneration of the Chief Executive and makes a recommendation to the Remuneration Committee for consideration. The Remuneration Committee also review the salaries of the Leadership Team.

Auditors

The Board of Trustees approved the appointment of Moore Kingston Smith as the Auditors on 23/3/22.

The Council are governed by our Articles of Association (as a Charity Body).

There are a maximum of 12 Trustee spaces, 8 by general appointment and 4 to be appointed by the membership; T h e r e a r e c u r r e n t l y 10 Trustees - 8 from general appointment and 2 appointed by the membership.

for the appointment of the Chief Executive, to which they delegate the day-to-day running of the Charity.

The Board has 4 sub-committees.

The Programme Board ensures the Council’s programme directorate activity including standards development and career route mapping is fit for purpose and in line with strategy and priorities of the organisation. The Finance and Audit Board review the risks, controls, and financial management of the organisation. The Remuneration Committee provides a forum, independent of the Council’s other governance bodies, for the review and approval of the remuneration of the Chief Executive, the Leadership Team, and any ex-gratia payments. The Governance and Nominations Sub-Committee ensures the Council’s governance is fit for purpose and that it is populated by suitably diverse and skilled individuals, in line with strategy and representation.

Structure and Trustee Board

ORGANISATION STRUCTURE AND MANAGEMENT

As a start up organisation it is important that the operational and management structure of the organisation is fit for purpose to deliver on the Council’s mission and objectives.

As such the Leadership Team review where there are any pinch points within the organisation and then seek to mitigate this through increased human resource or re-prioritisation of tasks.

This along with the development and implementation of new systems and processes helps staff to be more effective and efficient.

Our updated structure is made up of four directorates.

The Standards Directorate

Led by the Director of Professional Standards, this directorate is focussed on developing the professional standards based upon our identified cyber specialisms.

The Programme Directorate

Led by the Director of Programmes and Partnerships, this directorate is focussed on developing the careers road map, outreach programmes and the transition of programmes to the Council.

The Finance & Operations

Directorate Led by the Finance and Operations Manager, this directorate is focused on managing areas including the organisations finance, marketing, membership and events.

The Chief Executive’s Office

Led by the CEO, this directorate is focused on strategic planning, technical cyber, governance, external engagement and government relationships.

In the 2023/2024 financial year we will be enacting the incorporation of our Royal Chartership, which in practical terms will mean the closure of the current charity and company incorporations, and transition to the new Chartered Charity and Organisation.

All contracted staff will be transferred over to the new organisation as part of this process.

Achievements

FUTURE PLANS

The 2023-24 financial year will be the first year in which we award Professional Registration Titles to cyber professionals.

This work will include development of our Assessment Portal, administering Licensee agreements to Licensed Bodies, launching specialisms, training and retaining our Assessors, and opening registration to cyber professionals.

The Council’s additional priorities include:

Raising the profile of the Council and our Career Tools – including Certification Framework, Cyber Careers Framework, and Career Mapping Tool.

• Publishing further Thought Leadership pieces to address inequality within the sector, such as Elevating Women in Cyber Security.

• Establishing an Ethical Breach Policy through our work with our Ethics Committee.

Creating a Sustainability Plan for the organisation, looking at potential revenue streams.

Launch an online Cyber Access Hub, to share resources aimed at 13–19 year-olds, their teachers, parents and carers, to bring more young people into the profession.

• Launch our new Membership offering, giving further benefit to organiations who have supported us so far, and to recruit new members into the organisation.

Structure and Trustee Board

TRUSTEE ROLE, APPOINTMENT & INDUCTION

The role of a Trustee is to ensure that the Council fulfils its duty to its beneficiaries and delivers its vision, mission and values. Working together with the other Trustees – and in collaboration with the CEO they are instrumental in ensuring that the Council delivers its charitable objectives, and values equality, diversity and inclusion.

Our Trustees are individuals who have a strong empathy with our vision and mission combined with an in-depth understanding of our work and ambitions and they possess an understanding of the culture and needs of a values-driven organisation.

The role is one of legal liability and responsibility for the compliant running of a charity. Across the Board we seek skills and experience in running a professional organisation, although recognise that not all candidates will have these skills initially.

Trustees are legally required to act in the best interests of the Council and candidates should therefore not seek to influence the Board in terms of representing any other organisation.

Appointment of trustees

Trustees' induction and training

For all Trustees, the following core skills are essential to undertake their duties:

On appointment, new trustees are provided with information about the company including its constitution, strategy and plans, finances, staffing structure and its risk register.

As set out in the articles of association, the board of trustees comprises

• Excellent communication and influencing skills to be a strong ambassador for the Council

• not more than 12 trustees as Board Members Maximum of 4 elected from among and by the full members the chief executive of the Association as an exofficio member of the Board

Their attention is drawn to relevant Charity Commission guidance. They are offered the opportunity to meet with the chief executive and other staff for a full briefing on the organisation’s work.

• A collaborative approach and openness to other views and feedback on own contribution

• An ability to think diversely, produce innovative ideas and challenge existing thinking and perspectives

Board members may serve up to two terms of three

Organisation

years.

The Board is responsible for the governance of the charity. The trustees delegate the running of the organisation to the chief executive, within a framework of delegated authority. The board meets at least quarterly.

• Commitment to the Council’s mission and values

• Commitment to delivering public good

• Commitment to bringing high standards of ethics and transparency to the Council’s governance

• Commitment to inclusion and diversity

Achievements

YEAR IN REVIEW: FINANCIAL PERFORMANCE

Our first operating year was largely funded via a Grant Funding Agreement with the DCMS agreed in April 2021 with other income streams to be developed as the year progressed, to include membership levies, sponsorship and running of events.

Income

Expenditure

Cashflow

Into 2023-24

Overall income was £2,352,910 comprised of £2,254,663 from the DCMS Grant Funding Agreement and £98,246 from new membership levies.

The Grant Funding Agreement had a funding ceiling of £2,526,000, unclaimed funding remains in the overall Grant Funding Agreement until 31/03/2024.

Total expenditure for the year was £2,254,360 which was almost entirely spent on delivering against the DCMS’s Grant Funding Agreement.

To be noted, is the impact of our VAT structure meant a total of £220,640 was spent and not reclaimable on VAT. This structure remains in-place but a review of this is on the agenda.

Cashflow at commencement was supported by DCMS providing three-month cover for salaries upfront. This enabled the Council to move forwards with operations assisted also by the unrestricted funds from previous years.

We are grateful to DCMS for ensuring the three-month cover was implemented.

DCMS have agreed a new Grant Funding Agreement that will provide income of up to £1,250,000 with an uplift of an additional £300,000 to deliver against the contract KPIs.

Additionally, we expect to continue to on-board new members and see an increase in the total annual levies.

2023-24 will see the Council working with Licensed Bodies in awarding Charterships to industry professionals and we will see substantive income around this piece.

A sustainability plan is in production for the organisation to ensure a robust plan for financial sustainability in the future while exploring additional income streams, along with our strategy to meet these targets.

Achievements

YEAR IN REVIEW: FINANCIAL PERFORMANCE

The UK Cyber Security Council’s year ending 31 March 2023 was the second year of activity for the charity. Funded by the Department for Digital, Culture, Media & Sport (DCMS), the Council was able to:

• Grow and recruit additional members to the board of Trustees

• Develop the membership offering and enhance the corporate membership scheme

• Recruit several additional key members of staff, and form individual departments with a clear organisational structure

• Host successful events

• Develop the standards, being a key piece in the future sustainability plan

• Further develop the website and career mapping tools

This year was about establishing the core infrastructure, systems, and policies to enable the organisation to progress into our delivery phase.

There was growth in the corporate membership, which enabled the council to generate £98,246 of unrestricted income in the financial year, contributing to the journey of financial sustainability for the council.

Structure and Trustee Board

TRUSTEE STATEMENT OF RESPONSIBILITIES

The Trustees (who are also Directors of the UK Cyber Security Council for the purpose of company law) are responsible for preparing the trustee’s report and financial statements in accordance with applicable law and United Kingdom accounting practices.

Company and Charity law requires the Trustees to prepare financial statements for each financial year.

Under company law the Trustees must not approve the financial statements unless they are satisfied that they give a true and fair view of the situation of the charitable company and of the incoming resources and application of resources, including the income and expenditure for that period.

The Trustees are responsible for keeping adequate and proper accounting records that are sufficient to show and explain the charitable company’s transactions and disclose with reasonable accuracy at any time the financial position of the charitable company.

In preparing these financial statements, the Trustees are required to:

• Select suitable accounting policies and then apply them consistently

• Observe the methods and principles in the Charities SORP

• Make judgements and estimates that are reasonable and prudent

• State whether applicable UK accounting standards have been followed, subject to any material departures disclosed and explained in the financial statements; and

• Prepare the financial statements on the going concern basis unless it is inappropriate to presume the charity will continue in operation

They are also responsible for ensuring that the financial statements comply with the Companies act 2006.

The Trustees are responsible for the maintenance and integrity of the corporate and financial information included on the charitable company’s website.

As well as safeguarding the assets of the charitable company and group and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities.

Legislation in the United Kingdom governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

The financial statements have been prepared in accordance with the special provisions of part 15 of the Companies Act 2006 relating to small companies.

In so far as we are aware:

• There is no relevant audit information of which the charities auditor is unaware; and

Approved and signed on behalf of the Trustees by

The Trustees have taken all steps that they ought to have taken to make themselves aware of any relevant audit information and to establish that the auditor is Dr Claudia Natanson MBE aware of that information. Chair of Trustees

27[th] September 2023

INDEPENDENT AUDITORS’ REPORT TO THE MEMBERS OF THE UK CYBER SECURITY COUNCIL

Opinion

We have audited the financial statements of The UK Cyber Security Council (‘the charitable company’) for the year ended 31 March 2023 which comprise the Statement of Financial Activities, the Balance Sheet, the Statement of Cash Flows and notes to the financial statements, including a summary of significant accounting policies. The financial reporting framework that has been applied in their preparation is applicable law and United Kingdom Accounting Standards, including FRS 102 ‘The Financial Reporting Standard Applicable in the UK and Ireland’ (United Kingdom Generally Accepted Accounting Practice).

In our opinion the financial statements:

• give a true and fair view of the state of the charitable company’s affairs as at 31 March 2023 and of its incoming resources and application of resources, including its income and expenditure, for the year then ended;

• have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice; and

• have been prepared in accordance with the requirements of the Companies Act 2006.

Basis for opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs(UK)) and applicable law. Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the audit of financial statements section of our report. We are independent of the Corporation in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, including the FRC’s Ethical Standard, and we have fulfilled our other ethical responsibilities in accordance with these requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Emphasis of matter – financial statements prepared on a basis other than going concern

We draw attention to Note 1 to the financial statements which explains that the Charitable Undertaking of the entity (incorporating the assets, liabilities, the employees and all of the Charitable Company’s operations and activities collectively as a going concern) transferred to a separate entity with effect from midnight between 31 March 2023 and 1 April 2023.

Following the transfer of assets, the Company is expected to be closed. The trustees therefore do not consider it to be appropriate to adopt the going concern basis of accounting in preparing the financial statements. Accordingly the financial statements have been prepared on a basis other than going concern as described in Note 1. Our opinion is not modified in respect of this matter.

Other information

The other information comprises the information included in the annual report, other than the financial statements and our auditor’s report thereon. The trustees are responsible for the other information. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon.

In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether there is a material misstatement in the financial statements or a material misstatement of the other information. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact.

We have nothing to report in this regard.

17

INDEPENDENT AUDITORS’ REPORT TO THE MEMBERS OF THE UK CYBER SECURITY COUNCIL

Opinions on other matters prescribed by the Companies Act 2006

In our opinion, based on the work undertaken in the course of the audit:

• the information given in the trustees’ annual report for the financial year for which the financial statements are prepared is consistent with the financial statements; and

• the trustees’ annual report have been prepared in accordance with applicable legal requirements.

Matters on which we are required to report by exception

In the light of the knowledge and understanding of the company and its environment obtained in the course of the audit, we have not identified material misstatements in the trustees’ annual report.

We have nothing to report in respect of the following matters where the Companies Act 2006 requires us to report to you if, in our opinion:

• adequate accounting records have not been kept, or returns adequate for our audit have not been received from branches not visited by us; or

• the financial statements are not in agreement with the accounting records and returns; or

• certain disclosures of trustees’ remuneration specified by law are not made; or

• we have not received all the information and explanations we require for our audit; or

• the trustees were not entitled to prepare the financial statements in accordance with the small companies regime and take advantage of the small companies exemption in preparing the Trustees’ Annual Report and from preparing a Strategic Report.

Responsibilities of trustees

As explained more fully in the trustees’ responsibilities statement set out on page 16, the trustees (who are also the directors of the charitable company for the purposes of company law) are responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view, and for such internal control as the trustees determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, the trustees are responsible for assessing the charitable company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the trustees either intend to liquidate the charitable company or to cease operations, or have no realistic alternative but to do so.

Auditor’s responsibilities for the audit of the financial statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

As part of an audit in accordance with ISAs (UK) we exercise professional judgement and maintain professional scepticism throughout the audit. We also:

• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.

18

INDEPENDENT AUDITORS’ REPORT TO THE MEMBERS OF THE UK CYBER SECURITY COUNCIL

• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purposes of expressing an opinion on the effectiveness of the charitable company’s internal control.

• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by the trustees.

• Conclude on the appropriateness of the trustees’ use of the going concern basis of accounting and, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the charitable company’s ability to continue as a going concern. If we conclude that a material uncertainty exists, we are required to draw attention in our auditor’s report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify our opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor’s report. However, future events or conditions may cause the charitable company to cease to continue as a going concern.

• Evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the financial statements represent the underlying transactions and events in a manner that achieves fair presentation.

We communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that we identify during our audit.

Explanation as to what extent the audit was considered capable of detecting irregularities, including fraud

Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. The extent to which our procedures are capable of detecting irregularities, including fraud is detailed below.

The objectives of our audit in respect of fraud, are; to identify and assess the risks of material misstatement of the financial statements due to fraud; to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses to those assessed risks; and to respond appropriately to instances of fraud or suspected fraud identified during the audit. However, the primary responsibility for the prevention and detection of fraud rests with both management and those charged with governance of the charitable company.

Our approach was as follows:

• We obtained an understanding of the legal and regulatory requirements applicable to the company and considered that the most significant are the Companies Act 2006, the Charities Act 2011, UK financial reporting standards as issued by the Financial Reporting Council and UK taxation legislation.

• We obtained an understanding of how the charitable company complies with these requirements by discussions with management and those charged with governance.

• We assessed the risk of material misstatement of the financial statements, including the risk of material misstatement due to fraud and how it might occur, by holding discussions with management and those charged with governance.

• We inquired of management and those charged with governance as to any known instances of non-compliance or suspected non-compliance with laws and regulations.

• Based on this understanding, we designed specific appropriate audit procedures to identify instances of non-compliance with laws and regulations. This included making enquiries of management and those charged with governance and obtaining additional corroborative evidence as required.

19

INDEPENDENT AUDITORS’ REPORT TO THE MEMBERS OF THE UK CYBER SECURITY COUNCIL

There are inherent limitations in the audit procedures described above. We are less likely to become aware of instances of non-compliance with laws and regulations that are not closely related to events and transactions reflected in the financial statements. Also, the risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error, as fraud may involve deliberate concealment by, for example, forgery or intentional misrepresentations, or through collusion.

Use of our report

This report is made solely to the charitable company's members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006. Our audit work has been undertaken so that we might state to the company’s members those matters we are required to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to any party other than the charitable company and charitable company's members as a body, for our audit work, for this report, or for the opinions we have formed.

James Saunders (Senior Statutory Auditor) for and on behalf of Moore Kingston Smith LLP, Statutory Auditor

9 Appold Street London EC2A 2AP

Date: 20/12/2023

20

The UK Cyber Security Council

Statement of Financial Activities (incorporating an Income and Expenditure Account)

For the year ended 31 March 2023

All of the above results are derived from continuing activities. There were no other recognised gains or losses other than those stated above. Movements in funds are disclosed in Note 16 to the financial statements.

The notes on pages 20 to 30 form part of these financial statements

1

The UK Cyber Security Council

Company no. 12830814

Balance sheet

As at 31 March 2023

Approved by the trustees on and signed on their behalf by 13.12.23

…………………………….. - Trustee

…………………………….. - Name Claudia Natanson

The notes on pages 20 to 30 form part of these financial statements

2

The UK Cyber Security Council

Statement of cash flows

3

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

1 Accounting policies

a) Company information

The UK Cyber Security Council is a charitable company limited by guarantee registered in England with registration number 12830814. Its registered office address is 3rd Floor, 106 Leadenhall Street, London, England, EC3A 4AA.

b) Basis of preparation

The financial statements have been prepared in accordance with Accounting and Reporting by Charities: Statement of Recommended Practice applicable to charities preparing their accounts in accordance with the Financial Reporting Standard applicable in the UK and Republic of Ireland (FRS 102) (effective 1 January 2015) - (Charities SORP FRS 102), the Financial Reporting Standard applicable in the UK and Republic of Ireland (FRS 102) and Update Bulletin 2, and the Charities Act 2011. The accounts are presented in GBP rounded to £1, which is the functional currency of the charity.

Assets and liabilities are initially recognised at historical cost or transaction value unless otherwise stated in the relevant accounting policy or note. The functional currency is Sterling Pound (GBP).

c) Public benefit entity

The charitable company meets the definition of a public benefit entity under FRS 102.

d) Going concern

The Trustees of the charity took the decision during the year to transfer the trade and operations of the charitable company to a new Royal Charter charitable company and this transfer will take place with effect from the close of business on 31 March 2023. From that date the company will cease trading. As a result the financial statements have been prepared on a basis other than that of a going concern. No adjustments to the recognition or measurement of assets, liabilities or other transactions have been made as a result of the financial statements being prepared on a basis other that that of a going concern. No additional provisions have been recognised as a consequence of adopting a basis of preparation other than going concern.

e) Income

Income, including from Government and other grants, whether 'capital' or 'income', is recognised when the charity has entitlement to the funds, any performance conditions attached to the income have been met, it is probable that the income will be received and that the amount can be measured reliably.

Membership income is generally for a period of tweleve months. Membership income relating to future financial years is deferred.

f) Fund accounting

Restricted funds are to be used for specific purposes as laid down by the donor. Expenditure which meets these criteria is charged to the fund.

Unrestricted funds are donations and other incoming resources received or generated for the charitable purposes.

Designated funds are unrestricted funds earmarked by the trustees for particular purposes.

• g) Expenditure and irrecoverable VAT

Expenditure is recognised once there is a legal or constructive obligation to make a payment to a third party, it is probable that settlement will be required and the amount of the obligation can be measured reliably. Expenditure is classified under the following activity headings:

• Costs of raising funds relate to the costs incurred by the charitable company in inducing third parties to make voluntary contributions to it, as well as the cost of any activities with a fundraising purpose.

• Expenditure on charitable activities includes the costs of offering fellowships and delivering related services undertaken to further the purposes of the charity and their associated support costs.

• Other expenditure represents those items not falling into any other heading.

• Irrecoverable VAT is not charged as a cost against the activity for which the expenditure was incurred but identified separately as a cost itself.

h) Allocation of support costs

Resources expended are allocated to the particular activity where the cost relates directly to that activity. However, the cost of overall direction and administration of each activity (support costs), comprising the salary and overhead costs of the central function, is apportioned on the following basis which are an estimate, based on staff time, of the amount attributable to each activity.

4

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

Where such information about the aims, objectives and projects of the charity is also provided to potential donors, activity costs are apportioned between fundraising and charitable activities on the basis of area of literature occupied by each activity.

� Fundraising 0%

� Membership 0%

� Setting Standards 100%

Where information about the aims, objectives and projects of the charity is provided to potential beneficiaries, the costs associated with this publicity are allocated to charitable expenditure.

i) Intangible fixed assets

Intangible fixed assets comprise of databases and website development. The estimated useful life is estimated to be between 3 and 5 years.

j) Tangible fixed assets

Items of equipment are capitalised where the purchase price exceeds £500. Depreciation costs are allocated to activities on the basis of the use of the related assets in those activities. Assets are reviewed for impairment if circumstances indicate their carrying value may exceed their net realisable value and value in use.

Depreciation is provided at rates calculated to write down the cost of each asset to its estimated residual value over its expected useful life. The depreciation rates in use are as follows:

• IT and phone equipment

3 years

k) Financial Instruments

The charity only has financial assets and financial liabilities of a kind that qualify as basic financial instruments. Basic financial instruments are initially recognised at transaction value and subsequently measured at their settlement value.

Financial assets

Trade and other debtors are recognised at the settlement amount due after any trade discount offered. Prepayments are valued at the amount prepaid net of any trade discounts due.

Financial Liabilities

Creditors and provisions are recognised where the charity has a present obligation resulting from a past event that will probably result in the transfer of funds to a third party and the amount due to settle the obligation can be measured or estimated reliably. Creditors and provisions are normally recognised at their settlement amount after allowing for any trade discounts due.

l) Cash at bank and in hand

Cash at bank and cash in hand includes cash and short term highly liquid investments with a short maturity of three months or less from the date of acquisition or opening of the deposit or similar account. Cash balances exclude any funds held on behalf of service users.

m) Pensions

The charity contributes towards the employees' personal pension schemes. The cost of the contribution is charged to the statement of financial activities on an accruals basis.

m) Significant accounting policies

In the application of the company’s accounting policies, the charity is required to make judgements, estimates and assumptions about the carrying amount of assets and liabilities that are not readily apparent from other sources. The estimates and associated assumptions are based on historical experience and other factors that are considered to be relevant. Actual results may differ from these estimates.

The estimates and underlying assumptions are reviewed on an on-going basis. Revisions to accounting estimates are recognised in the period in which the estimate is revised, if the revision affects only that period, or in the period of the revision and future periods if the revision affects both current and future periods.

There are no estimates and assumptions that are considered to have a significant risk of causing a material adjustment to the financial statements in a future period.

5

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

2 Income from donations

3 Income from charitable activities

6

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

4 Analysis of expenditure

Of the total expenditure, £16,563 (2022: £5,500) was unrestricted and £2,129,302 was restricted (2022: £1,533,451).

7

The UK Cyber Security Council Notes to the financial statements

For the year ended 31 March 2023

5 Net incoming resources for the year

This is stated after charging / crediting:

Analysis of staff costs, trustee remuneration and expenses, and the cost of key management 6 personnel

Staff costs were as follows:

The following number of employees received employee benefits (excluding employer pension costs) during the year in bandings of costs greater than £60,000:

The total employee benefits including pension contributions of the key management personnel, made up of the Chief Executive Officer, Director of Programmes and Partnerships, Director of Finance and Operations, Finance and Operations Manager, EA and Head of Governance were £379,421 (2022 - Director of Standards, Chief Executive Officer and the Project Manager were £107,429).

The charity trustees were not paid or received any other benefits from employment with the charity in the year (2022: £nil). No charity trustee received payment for professional or other services supplied to the charity (2022: £nil).

7 Staff numbers

The average number of employees (head count based on number of staff employed) during the year was as follows:

8

The UK Cyber Security Council Notes to the financial statements

For the year ended 31 March 2023

8 Related party transactions

Three trustees were reimbursed £433 for travel expenses during the year (2022: two trustees were reimbursed £94). There are no related party transactions to disclose for 2023 (2022: none).

9 Taxation

The charitable company is exempt from corporation tax to the extent that all its income is charitable and is applied for charitable purposes.

10 Intangible fixed assets

11 Tangible fixed assets

9

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

12 Debtors

13 Creditors: amounts falling due within one year

14 Deferred income

Deferred income comprises membership fee income received during the year for future years.

15 Analysis of net assets between funds

10

The UK Cyber Security Council

Notes to the financial statements

For the year ended 31 March 2023

16 Movements in funds

Transfers include:

Capitalised fixed assets funded by restricted funds where the fixed assets are for the general objects of the charity.

Purposes of restricted funds

The grant from the Department of Digital, Culture, Media & Sports is used to cover costs of setting standards for cyber secuity and delivering the pilot.

\

17 Capital commitments

There were no capital commitments not provided for in the financial statements (2022: none).

11