16/10/2025
Boardroom Cyber Risk
Cyber incidents are boardroom crises, not IT problems. They can unravel customer trust, damage share prices, and invite costly regulatory scrutiny. For senior leaders, breaches are strategic, legal, and reputational emergencies where effective oversight begins long before an incident occurs.
This guide addresses six critical dimensions of cyber risk through questions boards should be asking and the answers they should expect. It provides practical tools to prepare, respond, and lead through the inevitable breach—because the question is not if, but when.
Cyber resilience starts with informed oversight.
Step 1
Are we confident we meet UK GDPR and sector rules, and do we test compliance beyond the IT team?
Regulatory and Legal Exposure
Step 2
Do we understand our financial exposure to cyber disruption, and do we have tested recovery plans?
Financial and Operational Risk
Step 3
How do we measure the effectiveness of staff training, and are we holding leadership accountable for cyber culture?
Human and Cultural Factors
Step 4
Where are our biggest technical weak spots, and do we have the budget and roadmap to address them?
Technology and Infrastructure Risk
Step 5
How are we assessing supplier cybersecurity, and do we know our critical dependencies?
Third Party and Supply Chain Risk
Step 6
If a major breach hit tomorrow, do we have the communication and resilience strategy to protect our reputation?
Reputational and Strategic Risk
Question 1: Are we confident we meet UK GDPR and sector rules, and do we test compliance beyond the IT team?
Topic: Regulatory and Legal Exposure
Let’s talk about regulatory compliance, because this is where things can get expensive fast.
First up, data protection laws. You’ve heard about UK GDPR and the Data Protection Act 2018, but here’s what really matters: if you mess this up, the ICO can hit you with fines up to £17.5 million or 4% of turnover—whichever hurts more. We’ve seen this play out with British Airways, 23andMe, and plenty of others. These aren’t theoretical risks; they’re real precedents that set the bar for what regulators expect.
Now, depending on your sector, you might have additional layers on top of that baseline. If you’re in finance, you’re dealing with FCA and PRA requirements. Legal sector? The SRA has their own expectations. And if you’re part of critical national infrastructure, NIS2 regulations are coming into play. The point is: know your regulations. All of them.
Here’s something that catches a lot of organizations off guard—contractual liability. Your business partners are increasingly writing cybersecurity obligations directly into supply contracts. I’ve seen this firsthand in the legal sector, where finance clients demand compliance with really stringent security policies. It can feel overwhelming.
My advice? Be practical about it. Yes, aim for strong security, but don’t just adopt the strictest possible policy because a client asked for it. Make sure it actually works for your business. Sometimes you need to push back on clients and explain what’s realistic. Other times, you need to go to your own leadership and say, “If we want to win this pitch or keep this client, here’s what we need to invest in.” I’ve seen firms struggle with things as basic as firewall requirements because they didn’t have that conversation early enough.
And finally, litigation. This is a growing area in the UK—class-action style claims from customers or employees after a data breach. It’s not just about regulatory fines anymore; it’s about being sued by the people whose data you were supposed to protect.
So when I ask if you’re confident about compliance, I’m really asking: have you tested it beyond the IT team? Because compliance isn’t just a technical checkbox—it’s a business-wide responsibility that needs board-level oversight.
Question 2: Do we understand our financial exposure to cyber disruption, and do we have tested recovery plans?
Topic: Financial and Operational Risk
Let me be blunt: ransomware is still the dominant threat, and it’s not going away. Mid-sized firms like yours are actually prime targets because you’re in this uncomfortable middle ground—you’ve got money worth stealing, but you probably don’t have the enterprise-grade defences that larger organizations can afford. The criminals know this, and they’re betting on it.
But here’s what really keeps me up at night: business interruption. When you get hit with ransomware or a DDoS attack, it’s not just about losing data—it’s about your entire operation grinding to a halt. Revenue stops. Supply chains break down. Customer service disappears. We saw this with Jaguar Land Rover, and it was brutal. So I always ask: how quickly can you get back on your feet?
Think about it like a “Minimum Viable Your Brand”—what’s the bare minimum you need to keep the business running and cash flowing? And more importantly, can you actually restore to that minimum viable state? Because here’s the uncomfortable truth: most organizations never properly test their restore capability. They assume their backups work. Don’t assume. Test them.
Now, let’s talk about recovery costs, because this is where the bill really adds up. The ransom itself? That’s often the smallest part. You’ve got incident response teams, forensic investigators, legal fees, PR firms, and the cost of rebuilding systems. I’ve worked with incident response retainers at several organizations and I can tell you, having that relationship established before you need it is invaluable. When you’re in crisis mode at 2 AM, you don’t want to be negotiating contracts.
Finally, cyber insurance. Premiums are going up, exclusions are getting tighter, and it’s becoming harder for mid-sized businesses to transfer the risk. Some organizations are even looking at self-insuring as an alternative, though that requires serious financial reserves and risk appetite.
So when I ask about your financial exposure, I’m really asking: have you modeled what a week of downtime would cost? Do you know how long it would take to restore operations? Have you actually tested those backups? Because understanding your exposure isn’t about pessimism—it’s about being prepared to protect what you’ve built.
Question 3: How do we measure the effectiveness of staff training, and are we holding leadership accountable for cyber culture?
Topic: Human and Cultural Factors
Here’s something that might surprise you: your biggest vulnerability often isn’t your technology—it’s your people. And I’m not just talking about malicious insiders, though those exist. I’m talking about good people making honest mistakes. A mis-sent email. A misconfigured cloud storage bucket. These accidents can be just as devastating as deliberate attacks.
Just last week, there was a story from the BBC’s Joe Tidy about an insider threat incident. Hackers had approached him and offered significant sums if he would let them into the BBC using his own account. And it’s not just about data breaches—there’s reputational risk from social media mishaps too. An employee posting something racist, or having their account taken over and used to spread harmful content. These things reflect on your organization whether they happen on company time or not.
Now, let’s talk about the skills gap, because this is real. Most mid-sized businesses don’t have dedicated in-house security expertise. Instead, you’ve got an already overstretched IT team trying to handle cybersecurity on top of everything else they’re managing. That’s why we’re seeing more organizations turn to MDR—Managed Detection and Response—or external SOC teams to fill those gaps. It’s not a sign of weakness; it’s smart resource allocation.
Here’s where I need to be really direct with you: cyber is still too often seen as a technical problem rather than a business risk. And when that happens, you end up underinvesting. The NCSC has excellent guidance on this—boards need to understand that cybersecurity is fundamentally about protecting the business, not just protecting the servers.
And let’s address the elephant in the room: training fatigue. You probably do security awareness training, right? But be honest—is it actually effective, or is it just a checkbox exercise? Because if your staff are clicking through annual training modules just to get them done, you’re still exposed to phishing and social engineering attacks.
Sometimes the training is under-resourced or just impractical for how people actually work. Here’s what I’d suggest: consider tailored training specific to job roles. Your finance team faces different threats than your sales team or your HR department. Generic training misses the mark. Finance teams, in particular, need specialized training because they’re often the targets of sophisticated fraud attempts.
So when I ask how you measure training effectiveness, I’m really asking: can you demonstrate that your people’s behavior has changed? Are they reporting suspicious emails? Are they thinking about security in their daily work? And most importantly, is your leadership setting the tone by taking this seriously themselves? Because cyber culture starts at the top.
Question 4: Where are our biggest technical weak spots, and do we have the budget and roadmap to address them?
Topic: Technology and Infrastructure Risk
Let’s talk about where your technical vulnerabilities actually are, because they’re probably not where you think.
Cloud security is the big one. Everyone’s moved to SaaS and IaaS over the past few years—it’s been rapid, and honestly, necessary. But that speed has introduced risks around misconfiguration, identity management, and third-party reliance. Here’s what really matters: identity is the new “front door” to your organization. It’s not about firewalls anymore; it’s about knowing who has access to what. If you can’t answer that question confidently, you’ve got a problem.
Now, I know this sounds boring, but legacy systems are killing organizations slowly. You’ve probably got critical systems running that are outdated, poorly patched, and the vendor barely supports them anymore. Maybe they’re so old that replacing them feels impossible, or maybe they just work so you’ve left them alone. But here’s the reality: support the basics and do your patching. I can’t emphasize this enough. The majority of successful breaches exploit known vulnerabilities that have patches available. It’s not exotic zero-days—it’s basic hygiene.
Remote and hybrid working has fundamentally expanded your attack surface. Home networks, personal devices, VPNs—they’re all potential entry points. And personal devices are particularly challenging because you’ve got limited control over who or what can access your information through them. It’s similar to that identity piece I mentioned earlier. And then there’s the perennial issue of people sending work home—forwarding emails to personal accounts, working on personal laptops. Every time that happens, your information is spreading beyond your control.
Here’s something that should worry you: AI-driven attacks. Cybercriminals are using AI to craft better phishing emails, automate attacks, and exploit exposed credentials faster than ever. The barrier to entry for conducting sophisticated attacks is now even lower, and attacks are happening faster. Now, there is a silver lining—security defense tooling has also improved with AI enhancements. But you need to be investing in those tools to benefit from them.
So when I ask about your technical weak spots, I need you to think about this realistically: do you have the budget to address these issues? More importantly, do you have a roadmap? Because identifying vulnerabilities is the easy part. Having a funded, prioritized plan to fix them—that’s what separates organizations that survive breaches from those that don’t.
Question 5: How are we assessing supplier cybersecurity, and do we know our critical dependencies?
Topic: Third Party and Supply Chain Risk
Here’s an uncomfortable truth: you’re only as secure as your weakest supplier.
Think about your vendor dependencies for a moment. Cloud providers, SaaS vendors, managed service providers—you’re relying on them for critical business functions. And here’s what I always do: I check a vendor’s reputation before taking them on. This is especially important if you’re in sectors like law firms, where client confidentiality isn’t negotiable. You need to do your due diligence on vendors before you hand them the keys to your data.
But it gets more complicated. Cascade breaches are a real phenomenon. When an attack hits a supplier—maybe it’s a software update that gets compromised, or a logistics provider, or your payroll company—it can impact hundreds of downstream firms. We’ve seen this play out repeatedly. Marks & Spencer was affected through a supplier (TCS). There are countless other examples.
And here’s an interesting question I don’t hear asked enough: attacks on your customers can lead you to lose work. Look at what happened with Jaguar Land Rover. So we think about suppliers vetting their customers for credit risk, right? That’s standard practice. But should suppliers also be vetting their customers for cyber resilience? Because if your major client goes down due to a breach, you’re losing revenue through no fault of your own.
Now, let’s be realistic about due diligence challenges. Most mid-sized businesses simply don’t have the resources to fully assess every supplier’s cybersecurity posture. You can’t send detailed security questionnaires to every vendor and expect to review them all thoroughly. So what do you do?
There are tools available. Ratings agencies like BitSight or LEET Security can give you an external view of a vendor’s security posture. Assessment tools like 6Clicks and Arco can help streamline the process. They’re not perfect, but they’re better than flying blind.
When I ask how you’re assessing supplier cybersecurity, I’m really asking: do you know which suppliers are critical to your operations? Have you mapped those dependencies? Do you know what would happen if one of them went down tomorrow? Because supply chain risk isn’t theoretical—it’s one of the fastest-growing attack vectors we’re seeing.
Question 6: If a major breach hit tomorrow, do we have the communication and resilience strategy to protect our reputation?
Topic: Reputational and Strategic Risk
Let’s talk about what happens after a breach, because this is where reputations are made or destroyed.
Customer trust is fragile. A serious breach can lead to lost clients, cancelled contracts, and reputational damage that’s much harder to quantify than regulatory fines. The financial hit from the ICO is painful, but it’s finite. Losing your customers’ trust? That can last years. That’s why you need to have your communications plan ready in advance. Your reputation can be won or lost based on how you handle the communication in those critical first hours and days.
Here’s my strong recommendation: use professionals to help you. When you’re in crisis mode, you’re not thinking clearly. You’re stressed, you’re dealing with technical teams, lawyers, regulators, and customers all at once. Having a PR firm or crisis communications team on retainer who knows your business and can step in immediately—that’s invaluable. Don’t try to wing it when the crisis hits.
Now, here’s something interesting that’s emerged over the past few years: demonstrating strong cybersecurity is becoming a market differentiator, especially in B2B sectors. Your prospects and clients are asking about your security posture. They want to know you take this seriously. If you can show them robust controls, certifications, and a mature security program, you’re actually winning business because of it.
And speaking of demonstrating security—investor and lender expectations are rising sharply. If you’re looking for funding, if you’re working with insurers, they want proof of robust cyber resilience. Large companies have Enterprise Risk Management frameworks with cyber listed as a key risk. Insurers are now almost always looking at certifications like Cyber Essentials Plus, ISO 27001, SOC 2. They’re not just taking your word for it anymore—they’re performing their own control testing.
So when I ask if you have a communication and resilience strategy, I’m asking several things at once. Do you have a crisis plan? Have you identified who speaks on behalf of the organization? Do you have professional support lined up? Can you demonstrate to clients, investors, and insurers that you’re prepared?
Because here’s the thing: how you respond to a breach matters as much as preventing it in the first place. Everyone assumes they’ll never be breached. The smart organizations are the ones who prepare for when—not if—it happens.
Breach Response Insights: Practical Advice
Don’t Blame the Victim
When a breach occurs, resist the impulse to blame individuals or teams. Modern cyber attacks are sophisticated and often exploit systemic weaknesses rather than individual failures. Creating a blame culture discourages people from reporting suspicious activity quickly, which only compounds the problem. Instead, focus on understanding what happened and improving your defenses. Remember that even organizations with mature security programs get breached—what matters is how you respond and learn from the incident.
Have a Plan
You need an incident response plan, even though it won’t survive first contact with a real crisis. The value isn’t in following the plan perfectly—it’s in having thought through the key decisions, responsibilities, and communication flows before panic sets in. Your plan should enable you to recover in the shortest time possible with the least amount of damage. Document who needs to be contacted, what systems are critical, where your backups are located, and who has authority to make key decisions. When you’re dealing with a breach at 2 AM, you’ll be grateful for this preparation.
Set Up an Incident Response Retainer
With an incident response retainer, you’re not wasting time trying to find a responder, negotiating contracts, and explaining your environment—that’s all done ahead of time, which translates to less downtime, reduced financial losses, and a faster return to normalcy. Incident response retainers facilitate faster response times, more extensive services, process certainty, and help manage incident costs. If your budget allows, establish this relationship with a trusted firm before you need them. Work through the onboarding process carefully and ensure your technical teams own this relationship, not just your legal or executive team.
Look After Your People
During a cyber incident, you’re fighting two battles: recovering from the breach and keeping your business running. Your staff will be stressed, working long hours, and facing pressure from multiple directions. Make sure you support them with clear communication, realistic expectations, and additional resources where possible. Consider rotating people through the incident response to prevent burnout. A breach is a marathon, not a sprint, and your people are your most valuable asset in both responding to the crisis and maintaining business continuity.
Protect Your Backups and Logs
Immutable backups are non-negotiable—secure, tamper-proof backup copies, both on-premises and in the cloud, allow for clean recovery without risk of reinfection. Keeping your backups immutable, air-gapped, and cyber-resilient will protect them in the event of ransomware attacks. Attackers specifically target backups to maximize their leverage over you. Similarly, protect your logs by making them immutable—logs that can be altered or deleted are worthless for forensic investigation. Store copies of both backups and logs in locations that attackers cannot reach, even if they gain administrator access to your primary systems.
Make Sure Your Backups Actually Work
Conduct regular drills that simulate actual cyberattack scenarios to test the effectiveness of your recovery processes from those immutable backups you have, to ensure you can restore operations quickly and efficiently. Tests should be conducted at least monthly, and more frequently if you have a high volume of changes to your system. For an operating business dealing with a cyber incident, one of the most damaging aspects is the inability to continue operations. Know how quickly you can spin everything back up and get cash flowing again. Don’t assume your backups work—prove it through regular testing.
Turn On Your Logging in Advance
During a data breach, one of the first questions senior leaders ask is “what has been taken?” Without proper logging enabled beforehand, you’ll be flying blind. Implement comprehensive logging across your critical systems now, not after an incident. Test that your logs are actually capturing useful information and that you can access them when needed. Poor logging forces you to make assumptions about the scope of a breach, which can lead to inadequate disclosure, regulatory problems, and loss of stakeholder trust.
Don’t Try to Go After the Criminals
Leave attribution and pursuit of cybercriminals to law enforcement and intelligence agencies—this isn’t your area of expertise, and it’s not a productive use of your limited resources during a crisis. Your priority must be containment, eradication, and recovery. Attempting to “hack back” or identify attackers can compromise your legal position, interfere with law enforcement investigations, and distract from the urgent work of protecting your business and stakeholders. Focus on what you can control: securing your environment and restoring operations.
Make Investigations Forensically Sound
Consider that the entire incident may become subject to legal proceedings, especially if a client or data subject tries to sue your organization. Be prudent with your investigations and conduct them in a forensically sound manner from the start. This means preserving evidence properly, maintaining chain of custody, documenting all actions, and avoiding actions that could be seen as destroying evidence. Engage forensic specialists who understand legal requirements. Poor early decisions about evidence handling can severely compromise your legal position months or years later when litigation materializes.
Understand Modern Extortion Tactics
Ransomware has evolved far beyond simple file encryption. Modern attacks use multiple extortion tactics simultaneously: encryption (locking your systems), data theft and leak threats (publishing your data), third-party pressure (contacting your customers or suppliers), DDoS attacks (disrupting your online services), and regulatory pressure (threatening to report you to authorities). This “quadruple extortion” model means attackers have multiple ways to pressure you even if you have good backups. Understanding these tactics helps you prepare appropriate defenses and response strategies across technical, legal, communications, and business continuity dimensions.
Understanding the Breach Lifecycle
The typical cyber attack follows a predictable progression through nine stages. Understanding this lifecycle helps organizations recognize attacks in progress and, more importantly, focus recovery efforts on getting business operations running again.
The Nine Stages of a Breach
1. Compromise Credentials – Phishing, stolen passwords, or brute force attacks gain initial access
2. Persistent Access (optional) – Installing backdoors to maintain long-term access
3. Elevated Access – Gaining administrator or privileged account access
4. Lateral Movement – Spreading across networks to reach critical systems
5. Data Exfiltration – Stealing sensitive data for double extortion
6. Backup Destruction – Targeting backup systems to maximize leverage
7. Ransom Demand (Part I) – Initial contact and extortion threat
8. Mass Encryption/Destruction – Systems locked down, operations cease
9. Ransom Demand (Part II) – Increased pressure, deadlines, and threats
The Key Insight: Reverse the Timeline
Organizations should reverse this timeline and focus on getting their business running again. Rather than dwelling on how the attack progressed, concentrate on:
– Restoring critical systems quickly
– Maintaining cash flow
– Serving customers
– Protecting remaining assets
– Learning lessons to prevent recurrence
Cyber Crisis Checklist for Boards
Immediate Actions (First 24-72 Hours)
☐ Notify the Board: Ensure immediate notification of board members (or relevant committee) about the incident. Establish clear communication channels if regular systems are compromised.
☐ Activate Incident Response Team: Confirm the incident response team is mobilized with clear roles: Incident Manager, Technical Manager, Communications Manager, and Legal Counsel.
☐ Engage External Support: Activate incident response retainer if available. Engage forensics, legal counsel, and PR/crisis communications specialists. Contact cyber insurance provider.
☐ Assess Regulatory Obligations: Review notification timelines: SEC (4 business days for material incidents), ICO (72 hours under UK GDPR), and sector-specific requirements (NIS2, FCA, etc.).
Critical Questions to Ask
☐ What is the nature and scope of the incident? Understand what systems are affected, whether data has been exfiltrated, and the potential impact on operations, customers, and stakeholders.
☐ Is the threat contained? Verify that the incident is contained and attackers no longer have access to systems. Understand the timeline for full containment and eradication.
☐ What is the business impact? Assess operational disruption, revenue impact, and recovery timeframes. Can critical business functions continue? Are backups available and tested?
☐ Is this a material incident? Consider materiality factors: financial impact, operational disruption, data compromise, reputational harm, and litigation risk. Document the materiality assessment process.
☐ What are our communication obligations? Identify who needs to be notified: regulators, customers, employees, partners, and the public. Coordinate internal and external messaging to maintain stakeholder trust.
Ongoing Board Oversight
☐ Regular Status Updates: Establish a regular reporting cadence (daily initially, then as appropriate) from the incident response team to the board or relevant committee.
☐ Support Management and Staff: Ensure the incident response team has adequate resources and authority. Monitor staff wellbeing and implement fatigue management strategies.
☐ Post-Incident Review: Commission a comprehensive post-mortem to identify lessons learned, update incident response plans, and implement improvements to prevent recurrence.
Remember: Board oversight must balance active engagement with avoiding operational interference.
Conclusion
Cyber risk is no longer a purely technical concern—it’s a fundamental business risk that requires active board oversight. The six questions in this guide provide a framework for boards to exercise that oversight effectively, covering the full spectrum from regulatory compliance to crisis communications.
The organizations that weather cyber incidents best are those that prepare comprehensively before crisis strikes. They test their backups, train their people, understand their dependencies, and have clear communication plans ready to execute. They recognize that breaches are inevitable and focus their energy on resilience and recovery rather than assuming prevention alone will suffice.
As a board member, your role is not to become a cybersecurity expert—it’s to ask the right questions, expect substantive answers, and ensure your organization has the resources, processes, and culture necessary to manage cyber risk effectively.
Start by asking these six questions. The quality of the answers you receive will tell you everything you need to know about your organization’s cyber readiness.
Cyber resilience starts with informed oversight. Make sure yours is up to the task.
About the Author
Tim Collinson’s vision is to make information security feel weightless: when it’s working properly, you don’t notice it, and that’s the objective.
Tim is a CISO with over fifteen years’ experience in the legal sector at international law firm Bird & Bird and offshore law and professional service firm Walkers, as well as real-estate business British Land and currency broker Prebon Yamane (now TP ICAP).
From leading security strategy to developing and managing internal security teams in a multi-jurisdictional environment, he has a deep familiarity with client requirements and regulatory frameworks, IoT and OT in property and retail, working with small and large businesses, and has taken organisations to ISO27001 certification from a standing start.