Boardroom cyber risk: Questions boards should ask and the answers they should be getting

Cyber incidents are boardroom crises, not IT problems. They can unravel customer trust, damage share prices, and invite costly regulatory scrutiny. For senior leaders, breaches are strategic, legal, and reputational emergencies where effective oversight begins long before an incident occurs. 

There are six critical cyber risk questions that boards should be asking, along with the answers they should expect, so that they can prepare for, respond to, and lead through the inevitable breach.

Question 1: Are we confident we meet UK GDPR and sector rules, and do we test compliance beyond the IT team? 

First up, data protection laws. You’ve heard about UK GDPR and the Data Protection Act 2018, but here’s what really matters: if you mess this up, the ICO can hit you with fines up to £17.5 million or 4% of turnover – whichever hurts more. We’ve seen this play out with British Airways, 23andMe, and plenty of others. These aren’t theoretical risks; they’re real precedents that set the bar for what regulators expect. 

Depending on your sector, you might have additional layers on top of that baseline. If you’re in finance, you’re dealing with FCA and PRA…