In December, we held our latest Risk Coalition Risk Committee Chairs’ Forum (RCCF) virtual roundtable discussion on the topic of: ‘Are you sitting comfortably? Cyber risk, board attestations and the implications for NEDs’.
Cyber risk remains one of the most challenging risks facing many organisations. Regulations such as the SEC’s cyber disclosure rule, the EU’s NIS2 and DORA regulations and even the FRC’s shiny new UK Corporate Governance Code require board attestations on the effectiveness (or otherwise) of organisations’ cyber risk management/resilience arrangements. This, in turn, is making the risks of cyber risk increasingly personal for NEDs.
We were fortunate to be joined for this RCCF discussion by leading cyber risk management expert, Andy Watkin-Child, to lead us through the complexities of both cyber risk, and the various regulatory responses emanating from the UK, US, and EU.
Regulatory environment and corporate governance
With the recent publication of the FRC’s UK Corporate Governance Code and its ‘Provision 29’ requirement, UK listed and financially regulated firms will, from financial years starting 1 January 2026, be required to attest (on a comply or explain basis) to the effectiveness of their risk management and internal control arrangements across, inter alia, operational, financial, reporting and compliance axes.
Given that cyber risk falls under the operational category, and even taking a fairly generous interpretation of what constitutes a material control, it seems likely that UK Code firms will need to spend considerable time and effort getting to the point where their boards are sufficiently confident to state publicly that their (cyber) risk management and internal control arrangements are adequate and effective.
The question is, how will these firms explain the inevitable cyber incidents that will occur post attestation? On the bright side, at least there is no ‘Go Directly to Jail’ card associated with UK Code compliance, unlike some of the international regulations we are starting to see [1].
Cyber Risk and Board Responsibility
A substantial portion of the discussion was dedicated to the growing significance of cyber risk management at board level. No longer are boards able to wash their hands of cyber risk as an operational matter. The new regulatory landscape expects some level of board expertise in cyber risk and for boards to be actively involved in challenging and assessing the effectiveness of cyber risk management arrangements in place.
While regulations talk about board cyber expertise, rather than that of independent NEDs specifically, healthy board dynamics require the NED cohort to be capable of challenging the executive on the adequacy and effectiveness of their organisation’s cyber risk management and resilience arrangements.
Inevitably, this is going to result in increased demand for experienced independent NEDs with technology and cyber expertise, which is already an area where boards struggle to recruit, especially when taking diversity objectives into account.
Operational challenges and solutions
There was a broad recognition that organisations need to invest in robust cyber risk and resilience arrangements, while recognising that the unique nature of cyber risks (i.e., we don’t know what we don’t know; the involvement of organised crime and malign state actors, etc.) means that it’s not possible for a board to take a ‘once and done’ approach.
Participants shared some of the practical challenges in aligning board activities with the dynamic cyber risk landscape. The conversation highlighted the need for continuous board and senior executive education and updates on the latest cyber risks and cyber risk management techniques. The discussion also recognised that clear (plain English) communication and understanding between the board and technical experts is a key factor in effective cyber risk management.
Adequate independent assurance is another prerequisite for effective cyber risk management. The discussion highlighted the critical role that second-line Risk Management, third-line Internal Audit and external experts play in providing board members with independent assurance that their organisation’s cyber risk and resilience arrangements are both adequate and appropriate to the threat, given the State of the Art. (Remembering that with cyber, what was State of the Art yesterday may well be dangerously inadequate today.)
Strategic implications and future direction
The session concluded with reflections on the broader strategic implications of these regulatory developments for corporate governance. Specifically, as regulations tighten and the cyber threat stakes escalate, there is increasing urgency for boards to proactively engage and continuously challenge the adequacy of their cyber risk and resilience arrangements.
The need for proactive, informed board involvement was a recurring theme throughout the discussion.
[1] Actually, more likely a substantial fine, but international regulations do talk about civil and criminal penalties.
Chris Burt is a co-founder of the Risk Coalition. This blog summarises a Chatham House Rule discussion held on 14 December, hosted and organised by the Risk Committee Chairs’ Forum (RCCF). The RCCF was established by the Risk Coalition to provide an opportunity for risk committee chairs to exchange views and discuss matters of common concern. To find out more about the Risk Coalition and its RCCF, please contact the Risk Coalition Team.