Cyber risk belongs in the boardroom, not IT

If directors were legally accountable for cyber failures, they would stop treating resilience as a technical afterthought



Sir,

I read your recent piece on calls to make company boards legally liable for cyber failures (‘Make boards liable for cyber attacks, security chief warns’) with a mix of recognition and frustration. Recognition, because anyone who has worked inside a large organisation knows cyber risk is already existential. Frustration, because it has taken this long for many boards to treat it as anything other than a technical nuisance to be delegated downwards.

Boards are legally accountable for financial controls, audit failures and regulatory breaches, yet cyber resilience — which as we have seen can easily shut a business down overnight — is still too often handled several layers below director level. When an attack hits, responsibility suddenly rises to the top. Until then, it frequently disappears into PowerPoint updates and risk registers few directors truly interrogate.

I am sympathetic to concerns about over-regulation, but voluntary responsibility has clearly failed. If directors faced real legal consequences for ignoring cyber risk, conversations in boardrooms would change quickly. Cyber would stop being a quarterly update and start being treated like liquidity, solvency and compliance.

The question now is not whether boards should be accountable, but how quickly the law will catch up with reality. As with so many areas of governance, the risk is that regulation arrives only after the damage is already done.

Yours faithfully,

Andrew Collins
Reading, UK
