With the majority of organisations in the UK relying on digital technology to operate, it is becoming increasingly important to manage cyber risk at board level. So, what responsibilities lie with directors, and how can they structure their approach to cybersecurity?

Author: Johnty Mongan


Cybersecurity can be a daunting topic for the board, not least because the subject matter is complex, and the cyber risk landscape is constantly changing. Stricter regulations and an increase in high-profile cyber incidents have raised the expectations of partners, shareholders, customers and the wider public when it comes to a company’s digital armour.

Why should the board take cybersecurity seriously?

The digital security of an organisation can be key to its successful operation, reputation and future growth, and so it is important to look at the bigger picture and integrate cybersecurity into your objectives and risks.

  • The operation of your organisation will likely depend on the security of your digital devices and systems.
  • Cyber risk and legal risk often go hand-in-hand, for example, your obligations to protect personal data.
  • The potential for financial loss through cyber incidents can be huge, with revenue lost during down time, fraud or ransom demands.
  • Evidence of good cybersecurity can help insurers view your organisation in a favourable light for appropriate cyber cover.
  • Investing in cybersecurity can also help you take some risks in using new technology to innovate and grow.

82% of boards or senior management rate cybersecurity as a ‘very high’ or ‘fairly high’ priority.1

34% of businesses have board members or trustees accountable for cybersecurity.1

43% of UK businesses have an insurance policy in place that insures them against cyber risks.1


Board engagement

According to the Cyber Security Breaches Survey 2022,2 around four in five (82%) of boards or senior management within UK businesses rate cybersecurity as a ‘very high’ or ‘fairly high’ priority—an increase on 77% in 2021. This is compared to 72% of charities rating cybersecurity as a ‘very high’ or ‘fairly high’ priority.

Additionally, 50% of businesses and 42% of charities say they update the board on cybersecurity matters at least quarterly, and around one-third of businesses (34%) and one-quarter of charities (26%) have board members or trustees accountable for cybersecurity as part of their job.

However, despite an increased understanding of cyber risk, boards can still lack an understanding of how to improve their cybersecurity, and the resources they need in order to do so.

Understanding cyber risk management

Board members need to know how well-equipped their organisation is to handle cyber risk. Every organisation faces different types of threats and so the board’s approach to cybersecurity will vary greatly—there is no ‘one-size-fits-all’ solution. The decisions made will depend on the company’s systems, staff and culture, as well as the level of risk the organisation is willing to accept.

As a key decision-maker in your organisation, you will be accustomed to managing risks, and in some ways, cyber risk is no different. It involves getting the information you need to make well-informed decisions on the specific risks you face, using this information to understand and prioritise your risks, and then taking the appropriate steps to manage those risks.

As the governing body, the board is ultimately responsible for cybersecurity and compliance with data protection regulation. Aside from the financial and business continuity risks of a cyber-attack on your organisation, it is worth remembering that organisations that do not comply with GDPR could be met with hefty fines of as much as 4% of annual worldwide turnover, or £17.5 million, whichever number is greater.3 No director wants to shoulder the responsibility for this kind of loss.

Technology, systems and people

Protecting your organisation against cyber incidents isn’t just about having the latest technology and the most knowledgeable IT team. It’s about instilling a culture of cybersecurity across the organisation, and putting the relevant processes in place to manage it.

The biggest contributor to a cyber incident is human vulnerability, and every organisation will have employees at all levels of understanding when it comes to cybersecurity. This is where partnering with an external cybersecurity specialist can help with technical knowledge, up-to-date information and training to support your people in the role they can play in defending your organisation.

This is something we offer our clients as part of our annual Gallagher Cyber Defence Centre service, which provides a collection of tools and services for an organisation’s decision-makers to take a proactive and continuous approach to managing their cyber risk.

Key questions for the board

  • Do you have a cyber expert on the board?
  • Does the board consider cybersecurity in its overall business strategy?
  • Do you have an external cyber specialist advising the board?
  • Do the directors receive cybersecurity training?
  • What internal training does the board oversee?
  • Do you carry out exercises such as phishing simulations?
  • Do you use external cyber experts to carry out penetration testing?
  • Who evaluates and tests your backup systems?
  • What is your action plan in the event of a cyber-attack?
  • Do you have adequate cyber insurance in place?

Board members as targets

It’s also worth noting that as a board member, you may be more susceptible to being the victim of targeted cyber-attack (for example, a phishing email), due to your access to valuable assets, such as money and sensitive data. Additionally, it is not uncommon for cybercriminals to impersonate senior executives, which can then lead to a request for the transfer of money from their victim who believes the request to be from you. This is where an organisation’s security policies and reporting processes can help to mitigate this risk, and board members can lead by example when it comes to cybersecurity awareness.

The way forward

Boards have a greater responsibility than ever before to help protect their organisation from cyber incidents. The evolving threat environment and expanding attack surface, along with stakeholder demands for transparency, are adding to the challenges directors face today. Those who continue to regard cybersecurity as a ‘fairly high’ priority at most should think again.

Our specialist cybersecurity team at Gallagher is helping key decision-makers across all business sectors to help guard their organisation from potential threats—both seen and unseen—through an ‘always on’ approach to cybersecurity. Please contact us if you would like to know more about how we can help you strengthen your cyber defences and face the future with greater confidence.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.