Cybersecurity is no longer just a technical issue confined to IT. It’s a business-critical risk, and one that regulators are now expecting boards and executive teams to own.

Over the past 12 months, we’ve seen a shift: senior leaders are being held personally accountable for cyber incidents, not just by shareholders and customers but by regulators. The FCA and PRA in the UK, and the NIS2 Directive in the EU, are making it clear that when cyber governance fails, responsibility doesn’t stop at the CISO. It reaches the boardroom.

In conversations with executives and non-executive directors, a few themes keep coming up:

“We don’t know if we’re doing enough.”

“The board isn’t getting meaningful insight into cyber risk.”

“What happens if we’re breached, who answers for it?”

There’s a real sense of unease. And rightly so. The rules have changed, but many organisations are still playing by the old ones.

Regulation Is Raising the Stakes

In the UK, the FCA and PRA are tightening expectations around operational resilience, with a growing focus on cyber. The EU’s NIS2 Directive goes further: it requires the management body to approve and oversee the organisation’s cyber risk-management measures, and allows its members to be held personally liable where those measures are not properly managed.

What this means in plain terms:

  • You need to show that cyber risk is understood at the highest levels, not delegated out of sight
  • You need evidence that it’s being governed actively (decisions, challenge, follow-up), not passively received in a quarterly paper
  • And when something goes wrong (which it inevitably will), you need to be able to show how you were prepared, not reconstruct it afterwards

So What Does Good Look Like?

This isn’t about becoming a technical expert. It’s about understanding your role in governance and ensuring the right structures are in place. Here’s what I advise leadership teams to focus on:

1. Establish Clear Ownership

Who on the board is accountable for cyber risk? If it’s “everyone,” it’s no one. Assign responsibility to a named director, put cyber risk on the regular reporting cycle, and ensure there’s enough agenda time to discuss it meaningfully rather than note it.

2. Expect the Right Information

If the board papers are full of jargon, ask for a business-focused view. You should see reporting that explains:

  • The key cyber risks the business faces
  • Their potential impact in financial or operational terms
  • What’s being done to manage them

3. Test Your Readiness

Run a crisis simulation. Not a technical drill, but a board-level exercise: can you make decisions under pressure with incomplete information? Do you know your legal and regulatory obligations, including who must be notified and by when? Who speaks to the press?

4. Get External Assurance

An independent review of your cyber governance model can highlight blind spots—and demonstrate to regulators that you’re taking oversight seriously.

It’s Not About Blame, It’s About Preparedness

You aren’t expected to prevent every cyber incident. You are expected to be prepared, to ask the right questions, and to ensure that your business can respond effectively when one happens.

In short: good governance protects the organisation—and protects you.

Need a sounding board?

If you’d like a confidential briefing for your board or executive team, whether as a health check or to get ahead of new regulatory requirements, I’m available to help.

The best time to get cyber governance right is before it’s tested.

Let’s talk.
