The Risk Coalition

Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs

February 29, 2024

In December, we held our latest Risk Coalition Risk Committee Chairs’ Forum (RCCF) virtual roundtable discussion on the topic of: ‘Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs’. 

Cyber risk remains one of the most challenging risks facing many organisations. Regulations such as the SEC’s cyber disclosure rule, the EU’s NIS2 and DORA regulations and even the FRC’s shiny new UK Corporate Governance Code require board attestations on the effectiveness (or otherwise) of organisations’ cyber risk management/resilience arrangements. This, in turn, is making cyber risk increasingly personal for NEDs.

We were fortunate to be joined for this RCCF discussion by leading cyber risk management expert, Andy Watkin-Child, to lead us through the complexities of both cyber risk, and the various regulatory responses emanating from the UK, US, and EU. 

Regulatory environment and corporate governance

With the recent publication of the FRC’s UK Corporate Governance Code and its ‘Provision 29’ requirement, UK listed and financially regulated firms will, from financial years starting 1 January 2026, be required to attest (on a comply or explain basis) to the effectiveness of their risk management and internal control arrangements across, inter alia, operational, financial, reporting and compliance axes. 

Given that cyber risk falls under the operational category, and even taking a fairly generous interpretation of what constitutes a material control, it seems likely that UK Code firms will need to spend considerable time and effort getting to the point where their boards are sufficiently confident to state publicly that their (cyber) risk management and internal control arrangements are adequate and effective. 

The question is, how will these firms explain the inevitable cyber incidents that will occur post attestation?  On the bright side, at least there is no ‘Go Directly to Jail’ card associated with UK Code compliance, unlike some of the international regulations we are starting to see [1].

Cyber Risk and Board Responsibility

A substantial portion of the discussion was dedicated to the growing significance of cyber risk management at board level.  No longer are boards able to wash their hands of cyber risk as an operational matter.  The new regulatory landscape expects some level of board expertise in cyber risk and for boards to be actively involved in challenging and assessing the effectiveness of cyber risk management arrangements in place. 

While regulations talk about cyber expertise at board level, rather than specifically among independent NEDs, healthy board dynamics require the NED cohort to be capable of challenging the executive on the adequacy and effectiveness of their organisation’s cyber risk management and resilience arrangements.

Inevitably, this is going to result in increased demand for experienced independent NEDs with technology and cyber expertise, which is already an area where boards struggle to recruit, especially when taking diversity objectives into account. 

Operational challenges and solutions

There was a broad recognition that organisations need to invest in robust cyber risk and resilience arrangements, while recognising that the unique nature of cyber risks (i.e., we don’t know what we don’t know; the involvement of organised crime and malign state actors, etc.) means that it’s not possible for a board to take a ‘once and done’ approach.

Participants shared some of the practical challenges in aligning board activities with the dynamic cyber risk landscape.  The conversation highlighted the need for continuous board and senior executive education and updates on the latest cyber risks and cyber risk management techniques.  The discussion also recognised that clear (plain English) communication and understanding between the board and technical experts is a key factor in effective cyber risk management.

Adequate independent assurance is another prerequisite for effective cyber risk management. The discussion highlighted the critical role that second line Risk Management, third line Internal Audit and external experts play in providing board members with independent assurance that their organisation’s cyber risk and resilience arrangements are both adequate and appropriate to the threat, given the state of the art. (Remembering that with cyber, what was state of the art yesterday may well be dangerously inadequate today.)

Strategic implications and future direction

The session concluded with reflections on the broader strategic implications of these regulatory developments for corporate governance.  Specifically, as regulations tighten and the cyber threat stakes escalate, there is increasing urgency for boards to proactively engage and continuously challenge the adequacy of their cyber risk and resilience arrangements. 

The need for proactive, informed board involvement was a recurring theme throughout the discussion.

[1] Actually, more likely a substantial fine but international regulations do talk about civil and criminal penalties.

Chris Burt is a co-founder of the Risk Coalition. This blog summarises a Chatham House Rule discussion held on 14 December, hosted and organised by the Risk Committee Chairs Forum (RCCF). The RCCF was established by the Risk Coalition to provide an opportunity for risk committee chairs to exchange views and discuss matters of common concern. To find out more about the Risk Coalition and its RCCF, please contact the Risk Coalition Team.
