Ten steps to strengthen cybersecurity reporting for boards

Cybersecurity Reporting For Boards

Organisations must raise the profile they give to cyber-risk because cybercrime is evolving.

The hazards of cyber-attacks are growing and UK boards are spending more time on this area of risk. In 2025 cybersecurity became the top board-level risk: 71% of respondents to the 2025 Boardroom Bellwether survey predicted that their cybersecurity threats would grow, and two-thirds confirmed that their organisations are increasing their investment in cyber resilience.

Recent cyber-attacks on M&S, the Co-op, Harrods and Glasgow City Council show that the threat of cyber-crime is constant. The impact of cyber harm, which includes financial loss, operational disruption and reputational damage, is higher than ever because of increasing digital dependence, ageing technology, remote working, artificial intelligence and the commercialisation of cyber-crime. Government minister Pat McFadden has warned companies to "treat cyber security as an absolute priority".

The harm caused by cyber-crime can continue long after the criminals have moved on, through regulatory fines and legal actions by affected stakeholders. See here for an example of the legal claims being pursued against M&S and the Co-op by affected customers. Protecting your organisation has never been more important.

UK organisations face two “cyber gaps”: a technical gap between the evolving threats faced in the UK and the technology in place to defend against them, and a knowledge gap reflecting the limited understanding that most employees and board members have of cyber-risks and cyber-protection. Whilst terms such as malware, ransomware and phishing have entered common parlance, public understanding of these different threats remains low.

The board has an essential role in cyber-security. It is the board which allocates budget, sets priorities and holds management accountable. To fulfil these functions, boards need to be supported with accurate information, and the role of the governance professional is vital. Below are ten recommendations to help your board manage its cyber-responsibilities more effectively.

Guidance for board reporting on cyber-security

1. Clarify risk roles and the relationship between the main board and the risk committee. Many organisations have a Risk Committee, which operates as a sub-committee of the Board of Directors, and some have dedicated cyber-risk committees. Whilst committees have great value for depth of analysis, all directors should receive the cyber report, as cyber security is now a major risk for all organisations. One board member is usually given special responsibility for risk oversight, most commonly the Chair of the Risk Committee.

2. Give cybersecurity priority on the main board agenda. For many organisations, cybersecurity is now a standing item on the agenda of the main board. Ensure that any issues flagged in the cybersecurity report get time on the agenda. The board may then delegate decisions on implementation details to the Risk Committee.

3. Focus on the most critical cyber threats. Do you know which of the data your organisation holds is most valuable to cyber criminals? How much of this data is stored unencrypted? Has our organisation identified the IT hardware and software, systems and processes that are business-critical? What additional protections do we have for “highly sensitive data” such as bank account details, salaries, health records and passwords?

4. Include cyber incidents in the board report, with details of past incidents, lessons learned and improvements made to the incident response plan.

5. Improve board education. Whilst awareness of and concern about cybercrime are high, the general level of knowledge about how cyber-criminals operate is very low. What is your plan for ensuring that board members have the knowledge they need to assess risks and make decisions? Develop a cyber-crime education plan for the board. Because of its nature, cyber-crime education is never a “one-off” event but always a continual process.

6. Keep your risk register up to date. Cyber-security will feature strongly on the risk register. Ensure that the risk register is always updated with information from the cyber-reports.

7. Increase the frequency of security audits. Many organisations choose to conduct quarterly internal audits with an annual external audit. Make sure the findings are included in the board report.

8. Obtain supply chain reassurance. Many of the weaknesses exploited by cyber-criminals occur in supply chains. What cyber-assurance do we have of our third-party vendors, software providers and other entities involved in the delivery of goods or services? How can we improve this? What data do we share with partners, and what are their protocols? Do we receive regular test reports on third-party systems?

9. Update your cyber-threat incident response plan. What are our organisation's cyber-crime escalation protocols? How does the organisation assess cyber threats? What is the escalation procedure? What communications protocols are in place?

10. Whistleblowing. Internal whistleblowing is a vital safety valve which allows employees to report cybersecurity vulnerabilities, security breaches, unethical practices, compliance failures or illegal activity. When was our whistleblowing system last used? Have we made its existence and purpose clear to all employees?

Boards require support to exercise their “cyber-governance” role. The company secretary is the person best placed to ensure that the reports received by the board are fit for purpose, that adequate agenda time is provided and that actions are followed up. Cybersecurity reporting is a growing field and one where governance professionals have a major contribution to make.

We’re here to support you

At The Chartered Governance Institute UK & Ireland, we offer bespoke training in strategy, leadership and governance support, designed specifically for boards, executive teams and governance professionals across the not-for-profit and public sectors.

Through our training, you can:
- Build board-level confidence on cyber governance
- Integrate cybersecurity risk into broader strategic thinking
- Understand your organisation’s vulnerabilities—and how to respond

To find out more, or to commission a session tailored to your organisation’s needs, contact:
Tara Wilson, Head of Business Development
E: [email protected]
D: +44 (0)20 7612 7021

Visit our strategy, leadership and governance support page: https://www.cgi.org.uk/qualifications-training/bespoke-training/strategy-leadership-and-governance-support/