At the recent FT Chairs’ Forum, a clear theme emerged: the cyber threat facing organisations is evolving rapidly. Geopolitical tensions and supply chain interdependence are not new but technological developments, such as advanced AI tools, illustrate how quickly the landscape is changing.* Against this backdrop, the question for Chairs is no longer whether cyber risk is a board issue, but how boards exercise effective oversight in practice.

1. Cyber governance under the spotlight

The UK Government’s recent Cyber Resilience Pledge, sent to many of the UK’s largest organisations, reinforces not only that cyber is a board-level responsibility but also the expectation that larger businesses support cyber resilience throughout their supply chains. The voluntary Pledge asks boards to implement the Cyber Governance Code of Practice and to undertake regular NCSC** training. Both align with expectations seen in recent regulatory enforcement (and in our experience of ongoing engagement) that organisations have governance in place to ensure compliance with NCSC and other technical guidance.

For listed companies, the UK Corporate Governance Code is also sharpening focus: the requirement for boards to make an annual declaration on the effectiveness of material controls means that, for many organisations, cyber controls will fall squarely within the board’s formal assurance framework.

Most large organisations already oversee cyber risk at board level.*** However, there is no single model. Some boards delegate detailed oversight to an audit or risk committee, enabling more agile decision-making during an incident. Others supplement this through NEDs with specific technical expertise, whether at committee or full board level.

That said, as the threat landscape evolves, governance arrangements are coming under greater scrutiny. A model that relies too heavily on a single “cyber expert” risks narrowing engagement to that individual while leaving the board’s collective accountability unchanged. Cyber is not simply an IT issue: it engages operational resilience, strategy and risk appetite, and requires collective board judgement. Likewise, the focus in the Cyber Resilience Pledge on businesses requiring cyber improvements throughout their supply chain illustrates that a key question is whether governance structures support informed, whole-board and whole-business engagement.

2. Understanding the risks

Boards are expected to understand the principal cyber risks facing the organisation, whether from ransomware, intellectual property theft or emerging AI-enabled threats. They should also receive regular reporting which enables them to properly manage cyber risk.

The Cyber Governance Code of Practice envisages formal reporting at least quarterly, alongside regular engagement between the board, the CISO and senior management. However, frequency is only part of the picture. The more fundamental challenge is ensuring that directors are equipped to interrogate and challenge what they are told.

As guidance to the UK Corporate Governance Code notes, board members do not need deep technical expertise, but they do need sufficient understanding to support constructive challenge. This has always been important in ensuring the ‘basics’ are done, but it can be particularly challenging in newer areas such as AI. External guidance can assist, but it will also be treated as a minimum benchmark. For example, the NCSC’s Boardroom Toolkit includes a list of questions for boards to ask about cyber security.

3. Building muscle memory

There is now a clear expectation, across government, regulators and the market, that organisations maintain cyber resilience and incident response plans, and that these are regularly tested by, and through simulations involving, the board and senior executives.

While no exercise can replicate the precise circumstances of a live attack, experience consistently shows that simulation exercises build critical organisational “muscle memory”. They enable faster, clearer decision-making under pressure and ensure that roles, escalation pathways and the criteria to be weighed (for example, when deciding whether to pay a ransom, or which systems to ‘turn off’ or restore first) are understood in advance rather than being worked out in real time.


It is important for boards to understand new cyber risks. The main AI-powered risks facing organisations, according to the UK’s data regulator, the ICO, include:

  • AI-enhanced phishing: attackers use AI to generate highly convincing, personalised messages impersonating colleagues, clients or trusted suppliers.
  • Deepfake social engineering: AI-generated audio and video can be used to impersonate colleagues or IT staff to trick employees into resetting credentials or granting system access.
  • Automated vulnerability scanning and exploitation: AI tools can rapidly scan systems, identify weaknesses and launch targeted attacks.
  • AI-powered malware: malicious code that adapts its behaviour in real time to evade detection by conventional antivirus and security tools.
  • Credential stuffing and password attacks: AI accelerates brute-force and credential stuffing attacks, making weak or reused passwords more vulnerable.
  • Data poisoning: where AI models are used in your services, attackers may attempt to corrupt training data or manipulate model outputs to cause harm or extract sensitive data.
  • Indirect prompt injection attacks: where malicious instructions are embedded in external content (web pages, documents, emails) that an AI system processes and misinterprets as legitimate commands. This includes tool poisoning, where the instructions are hidden in the metadata, such as the description, of tools that an AI agent interacts with.



* On 15th April the UK Government wrote an open letter to business leaders on AI cyber threats.

** The National Cyber Security Centre (NCSC) is the UK’s national technical authority for cyber security and information assurance and part of GCHQ.

*** 68% according to the UK Government’s 2026 Cyber Breaches Survey, although that figure sits at 31% across all businesses involved in the survey.