Boardroom cyber risk: Questions boards should ask and the answers they should be getting

Cyber incidents are boardroom crises, not IT problems. They can unravel customer trust, damage share prices, and invite costly regulatory scrutiny. For senior leaders, breaches are strategic, legal, and reputational emergencies where effective oversight begins long before an incident occurs. 

There are six critical cyber risk questions that boards should be asking and the answers they should expect to prepare, respond, and lead through the inevitable breach. 

Question 1: Are we confident we meet UK GDPR and sector rules, and do we test compliance beyond the IT team? 

First up, data protection laws. You’ve heard about UK GDPR and the Data Protection Act 2018, but here’s what really matters: if you mess this up, the ICO can hit you with fines up to £17.5 million or 4% of turnover – whichever hurts more. We’ve seen this play out with British Airways, 23andMe, and plenty of others. These aren’t theoretical risks; they’re real precedents that set the bar for what regulators expect. 

Depending on your sector, you might have additional layers on top of that baseline. If you’re in finance, you’re dealing with FCA and PRA requirements. Legal sector? The SRA has their own expectations. And if you’re part of critical national infrastructure, NIS2 regulations are coming into play. The point is: know your regulations. All of them. 

Here’s something that catches a lot of organisations off guard – contractual liability. Your business partners are increasingly writing cybersecurity obligations directly into supply contracts.  

Our advice? Be practical about it. Aim for strong security, but don’t just adopt the strictest possible policy because a client asked for it. Make sure it works for your business. Sometimes you need to push back on clients and explain what’s realistic. Other times, you need to go to your own leadership and say, “If we want to win this pitch or keep this client, here’s what we need to invest in.”  

And finally, litigation. This is a growing area in the UK – class-action style claims from customers or employees after a data breach. It’s not just about regulatory fines anymore; it’s about being sued by the people whose data you were supposed to protect. 

Question 2: Do we understand our financial exposure to cyber disruption, and do we have tested recovery plans? 

Ransomware is still the dominant threat, and it’s not going away. Mid-sized firms are prime targets because they’re in this uncomfortable middle ground – they’ve got money worth stealing, but they probably don’t have the enterprise-grade defences that larger organisations can afford. The criminals know this, and they’re betting on it. 

But here’s what really keeps us up at night: business interruption. When you get hit with ransomware or a DDoS attack, it’s not just about losing data – it’s about your entire operation grinding to a halt. Revenue stops. Supply chains break down. Customer service disappears. We saw this with Jaguar Land Rover, and it was brutal. So, we always ask: how quickly can you get back on your feet? 

Think about it like a “Minimum Viable Your Brand” – what’s the bare minimum you need to keep the business running and cash flowing? And more importantly, can you restore to that minimum viable state? Because here’s the uncomfortable truth: most organisations never properly test their restore capability. They assume their backups work. Don’t assume. Test them. 

Now, let’s talk about recovery costs, because this is where the bill really adds up. The ransom itself? That’s often the smallest part. You’ve got incident response teams, forensic investigators, legal fees, PR firms, and the cost of rebuilding systems.  

Finally, cyber insurance. Premiums are going up, exclusions are getting tighter, and it’s becoming harder for mid-sized businesses to transfer the risk. Some organisations are even looking at self-insuring as an alternative, though that requires serious financial reserves and risk appetite. 

Question 3: How do we measure the effectiveness of staff training, and are we holding leadership accountable for cyber culture? 

Here’s something that might surprise you: your biggest vulnerability often isn’t your technology – it’s your people. And we’re not just talking about malicious insiders, though those exist. We’re talking about good people making honest mistakes. A mis-sent email. A misconfigured cloud storage bucket. These accidents can be just as devastating as deliberate attacks. 

Then there’s the skills gap. Most mid-sized businesses don’t have dedicated in-house security expertise. Instead, you’ve got an already overstretched IT team trying to handle cybersecurity on top of everything else they’re managing. That’s why we’re seeing more organizations turn to MDR, Managed Detection and Response, or external SOC teams to fill those gaps. It’s not a sign of weakness; it’s smart resource allocation. 

Cyber is still too often seen as a technical problem rather than a business risk. And when that happens, you end up underinvesting. The NCSC has excellent guidance on this – boards need to understand that cybersecurity is fundamentally about protecting the business, not just protecting the servers. 

And then there’s training fatigue. You probably do security awareness training, right? But be honest, is it actually effective, or is it just a checkbox exercise? Because if your staff are clicking through annual training modules just to get them done, you’re still exposed to phishing and social engineering attacks. 

Sometimes the training is under-resourced or just impractical for how people work. Here’s what we’d suggest: consider tailored training specific to job roles. Your finance team faces different threats than your sales team or your HR department. Generic training misses the mark.  

Question 4: Where are our biggest technical weak spots, and do we have the budget and roadmap to address them? 

Cloud security is the big one. Everyone’s moved to SaaS and IaaS over the past few years – it’s been rapid, and honestly, necessary. But that speed has introduced risks around misconfiguration, identity management, and third-party reliance. Identity is the new “front door” to your organization. It’s not about firewalls anymore; it’s about knowing who has access to what. If you can’t answer that question confidently, you’ve got a problem. 

Now, this sounds boring, but legacy systems are killing organisations slowly. You’ve probably got critical systems running that are outdated, poorly patched, and the vendor barely supports them anymore. Maybe they’re so old that replacing them feels impossible, or maybe they just work so you’ve left them alone. But here’s the reality: support the basics and do your patching. The majority of successful breaches exploit known vulnerabilities that have patches available. It’s not exotic zero-days—it’s basic hygiene. 

Remote and hybrid working has fundamentally expanded your attack surface. Home networks, personal devices, VPNs—they’re all potential entry points. And personal devices are particularly challenging because you’ve got limited control over who or what can access your information through them. And then there’s the perennial issue of people sending work home – forwarding emails to personal accounts, working on personal laptops. Every time that happens, your information is spreading beyond your control. 

Here’s something that should worry you: AI-driven attacks. Cybercriminals are using AI to craft better phishing emails, automate attacks, and exploit exposed credentials faster than ever. The barrier to entry for conducting sophisticated attacks is now even lower, and attacks are happening faster. Now, there is a silver lining – security defence tooling has also improved with AI enhancements. But you need to be investing in those tools to benefit from them. 

Question 5: How are we assessing supplier cybersecurity, and do we know our critical dependencies? 

The uncomfortable truth is that you’re only as secure as your weakest supplier. 

Think about your vendor dependencies for a moment. Cloud providers, SaaS vendors, managed service providers – you’re relying on them for critical business functions. And here’s what we always do: we check a vendor’s reputation before taking them on. This is especially important if you’re in sectors like law firms, where client confidentiality isn’t negotiable. You need to do your due diligence on vendors before you hand them the keys to your data. 

But it gets more complicated. Cascade breaches are a real phenomenon. When an attack hits a supplier, it can impact hundreds of downstream firms. We’ve seen this play out repeatedly. Marks & Spencer was affected through a supplier (TCS). There are countless other examples. 

And here’s an interesting question we don’t hear asked enough: attacks on your customers can lead you to lose work. Does this mean suppliers should also be vetting their customers for cyber resilience? Because if your major client goes down due to a breach, you’re losing revenue through no fault of your own. 

Now, let’s be realistic about due diligence challenges. Most mid-sized businesses simply don’t have the resources to fully assess every supplier’s cybersecurity posture. You can’t send detailed security questionnaires to every vendor and expect to review them all thoroughly. So, what do you do? 

There are tools available. Ratings agencies like BitSight or LEET Security can give you an external view of a vendor’s security posture. Assessment tools like 6Clicks and Arco can help streamline the process. They’re not perfect, but they’re better than flying blind. 

Question 6: If a major breach hit tomorrow, do we have the communication and resilience strategy to protect our reputation? 

Customer trust is fragile. A serious breach can lead to lost clients, cancelled contracts, and reputational damage that’s much harder to quantify than regulatory fines. The financial hit from the ICO is painful, but it’s finite. Losing your customers’ trust? That can last years. That’s why you need to have your communications plan ready in advance. Your reputation can be won or lost based on how you handle the communication in those critical first hours and days. 

Here’s our strong recommendation: use professionals to help you. When you’re in crisis mode, you’re not thinking clearly. You’re stressed, you’re dealing with technical teams, lawyers, regulators, and customers all at once. Having a PR firm or crisis communications team on retainer who knows your business and can step in immediately – that’s invaluable. Don’t try to wing it when the crisis hits. 

Demonstrating strong cybersecurity is becoming a market differentiator, especially in B2B sectors. Your prospects and clients are asking about your security posture. They want to know you take this seriously. If you can show them robust controls, certifications, and a mature security program, you’re actually winning business because of it. 

And speaking of demonstrating security – investor and lender expectations are rising sharply. If you’re looking for funding, if you’re working with insurers, they want proof of robust cyber resilience. Large companies have Enterprise Risk Management frameworks with cyber listed as a key risk. Insurers are now almost always looking at certifications like Cyber Essentials Plus, ISO 27001, SOC 2. They’re not just taking your word for it anymore – they’re performing their own control testing. 

So when we ask if you have a communication and resilience strategy, we’re asking several things at once. Do you have a crisis plan? Have you identified who speaks on behalf of the organisation? Do you have professional support lined up? Can you demonstrate to clients, investors, and insurers that you’re prepared? 

Because here’s the thing: how you respond to a breach matters as much as preventing it in the first place. Everyone assumes they’ll never be breached. The smart organizations are the ones who prepare for when—not if—it happens.