Need to know for non-executive directors and senior management
Welcome to the summer issue of Boardroom Essential, our premium content tailored for non-executive directors and senior management.
If you have any colleagues who may be interested in our content and would like to sign up for our communications, please do email us.
CYBER – A PRESSING BOARD-LEVEL ISSUE
We are witnessing a significant uptick in cyber preparedness activity and an increased focus on cyber governance. While the global cyber threat landscape continues to evolve, in the UK this activity has been driven, in part, by recent ransomware headlines at retailers like M&S, Harrods and the Co-op. Changes to the Corporate Governance Code are also having an impact.
Lessons to take from the recent attacks
The recent retailer headlines are a stark reminder of the devastating impact a cyber attack can have on an organisation. They also demonstrate the importance of good cyber governance and preparedness. You can be the victim of a cyber attack even if you have good security in place. There is, however, now an expectation that you will know what to do if/when an incident occurs – whether in terms of assessing the severity of an incident, managing the immediate response or dealing with the longer-term implications and restoration of business confidence.
Regular rehearsals of your cyber preparedness plans alongside your key advisors (technical, legal, financial) will help ensure those plans are fit for purpose. This is particularly important given:
- the legal landscape around cyber is fast moving and plans need to comply with current legal and regulatory requirements. Recent developments include new management body liability under EU law (for more information about the so-called NIS2 Directive, see here), the UK's Cyber Security and Resilience Bill (here), new ransomware proposals (here), and cyber related fines from data regulators which detail the regulator's security expectations (here);
- clear lines of responsibility and communication are vital, particularly in larger organisations where both group and operating boards could be involved in a serious incident. Rehearsals can test whether these channels work in practice.
Board training is also key, particularly as directors may be directly contacted by the attackers (M&S) or speaking to the media about the breach (Co-op).
What does the Corporate Governance Code and associated guidance say about cyber?
The Corporate Governance Code was recently updated. While it does not reference “cyber” expressly, it does state that Boards must “monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness”. Boards must also make an annual declaration of such effectiveness in the company’s annual report.
The Code already stated that this monitoring and review should cover all material controls, but the newly updated FRC Guidance that accompanies the Code (although not binding) now expressly refers to controls over “information and technology risks including cybersecurity” – as examples of what might constitute material controls. This is the first time we have seen a reference to cyber in the guidance.
The updated Code guidance also includes a new section on Cyber Security Risk Management which refers to the need for a “top-down approach” in order to manage cyber risk effectively. This aligns with messages from bodies like the National Cyber Security Centre (NCSC), the Information Commissioner and the Institute of Directors, that cyber is a board level issue.
Note that the Cyber Code of Governance, published in April 2025, is distinct from the Corporate Governance Code and the accompanying guidance mentioned above. It was developed by the Department for Science, Information and Technology and the NCSC to support boards and directors in governing cyber security risks. It is intended to help boards of medium and large organisations understand what their responsibilities are and what actions they need to take around cyber risk.
What does this mean in practice?
The Corporate Governance Code guidance is not mandatory (the Code itself is, of course, applicable on a “comply or explain” basis), nor is it intended to be prescriptive, and so companies must still consider whether controls over IT and cyber risks constitute material controls for their company. However, we expect that cyber will be seen in this way by many companies.
In terms of timing, most of the changes to the Code are already effective but the new provisions relating to risk management and internal control systems apply from January 2026 (with the first mandatory reporting in 2027).
Many companies are actively reviewing their existing risk management and internal control processes and related record keeping, both to mitigate substantive risks and to ensure that they have sufficient evidence to support the new declaration of effectiveness. Where controls over cyber are deemed to be material controls, this should therefore include a review of cyber related processes and record keeping.
Organisations are also considering whether the board requires any additional external assurance to support their ability to give the declaration (which could include assurance from cyber experts).
More information
Our latest Cyber Podcast discusses the current focus on Cyber Corporate Governance in more detail, and we regularly produce insights on cyber developments.
NATURE-RELATED RISKS AND DIRECTORS’ DUTIES
Earlier this month, Slaughter and May hosted a seminar with leading barristers on how directors should consider their company’s nature-related risks as part of their duties under English law. This article highlights some key points and summarises the steps boards should take to protect themselves and the company.
Background
Under the Companies Act 2006 a director must act in the way he or she considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole, and in doing so have regard to a non-exhaustive list of factors – known as the “enlightened shareholder” factors. One of these factors is “the impact of the company's operations on the community and the environment”. The Act does not give more guidance on how to interpret this factor nor how to balance environmental factors with the other factors when deciding how to promote the company’s success, leaving it up to boards and, where a point is litigated, the courts, to work it out.
Nature-related risks
From a corporate perspective, climate and nature are fundamentally issues of risk. These risks can derive either from a business’s particular reliance or dependency on the environment, or in the way that the business impacts the environment. Broadly, these risks fall into four categories:
- Physical risks, such as extreme weather events, rising sea levels, degradation of natural ecosystems;
- Transition risks, such as stranded assets, increased regulatory environment for carbon emissions and products derived from nature (e.g. deforestation);
- Liability risks, including legal action stemming from failure to address climate-related issues, or damage to ecosystems; and
- Systemic risks, for example where resource scarcity leads to macro-level economic or societal impacts on financial and market stability.
The relevance of nature-related risks to a company is a fact-sensitive question, and directors should consider how the success and best interests of the company (in both the short and long term) may be affected by nature-related dependencies or impacts to which the company is exposed.
On the flip side, there may be nature-related opportunities, such as new business lines, products or markets.
Business-specific analysis
The relevance of these areas of risk and opportunity varies according to the sector and the company. Financial institutions tend to lead the way in considering the intersection of nature and capital, and manufacturing companies are predominantly addressing impacts from a value chain perspective, whilst considering how these play into broader stakeholder relationships with customers and investors.
What steps should boards take?
Courts in the UK have, to date, interpreted the law in a way which affords a wide discretion to directors as to the extent to which they have regard to the relevant factors in determining how to promote the success of the company. They are more likely to focus on whether boards have adequately identified and considered nature-related risks and opportunities in reaching a decision. Boards should therefore take steps to:
- ensure that nature and climate considerations are put on the agenda, discussed and documented;
- identify the nature-related risks and opportunities facing their company;
- assess which of those risks and opportunities are relevant and non-trivial;
- take expert advice where appropriate;
- decide in good faith whether a course of action is appropriate to mitigate those risks or take advantage of those opportunities; and
- record their decision-making process in writing.
Non-climate issues: a blind spot?
Finally, in this context, it is important to note that while most ESG-related activism has so far centred on climate issues, other (non-climate) related issues potentially present a greater difficulty for boards because they are often less well-understood and have less developed regulatory frameworks for reporting and risk/opportunity management. They require boards to understand the impact a nature-related risk may have on the business at a holistic level. While considerations of climate-related risks are often macro-focussed, nature-related issues, if they are considered, tend to only be addressed at a more micro level. Non-climate related issues (including social impact) therefore present a potential blind spot for boards and, if not properly addressed, a source of potential liability.
BOARD REMUNERATION – 2025 UPDATE
Since our last update in 2024, there have been several market developments that aim to reduce the disparity in Board-level pay between UK and US-listed companies.
“Hybrid” LTIPs
In 2025 we have seen an increasing number of FTSE companies adopt “hybrid” long-term incentive plans to incentivise their executive directors. This is a form of share plan common in the US, although the standard performance share plan model remains the marked majority market practice in the UK.
A “hybrid plan” structure is essentially an amalgamation of the traditional performance share plan model with the “restricted share plan” that we have seen more companies adopting over the last five years. Under the hybrid structure, in the same year, a participant receives an award of shares which are subject to stretching performance targets, plus a restricted share award which is (only) subject to ongoing employment and usually a relatively achievable performance underpin. Last year, we saw three companies adopt this new form of remuneration framework. At the time of writing, 17 companies in the FTSE 350 had adopted “hybrid” incentive plans.
Mixed signals from proxy firms
The different approaches taken by the proxy agencies to these plans in the 2025 AGM season have been marked.
The Investment Association guidelines which came out late last year explicitly countenanced the fact that companies might consider hybrid incentive arrangements, where it was commercially appropriate for them – for more information, see our November 2024 issue.
However, looking at FTSE AGMs to date this year, ISS (the US proxy advisory firm) has recommended a vote against the implementation of the vast majority of these hybrid incentive plans. Given the influence of ISS, particularly amongst US-based shareholders, there is clearly a need, when considering this type of plan, for up-front shareholder consultation and a powerful rationale for why a hybrid arrangement is particularly appropriate for your company.
As an alternative to “hybrid plans”, there have also been examples of companies:
- increasing the maximum opportunity of annual bonus and long-term incentive awards; or
- simply increasing the base salary of executive directors (in some instances, by over 15%).
Because annual bonus and long-term incentive opportunities are frequently expressed as a percentage of base salary, the latter approach has proved to be the principal focus of shareholder dissent in the 2025 AGM season as it effectively influences not only base salary, but bonus and LTIP outcomes as well.
CBI “roadmap” for reform
Earlier this month, the CBI published a report – “Revitalising UK Public Markets: A roadmap for reforms to listed equity markets” – setting out various recommendations. Among the report’s recommendations are calls for reforms that will “allow UK companies to compete for global talent”. In particular, the CBI calls for a review led by the Department for Business and Trade that would focus on:
- ensuring that the existing executive remuneration legislative regime remains fit for purpose and does not impose a disproportionate burden on UK-listed companies compared to their competitors; and
- assessing whether the principle currently set out in the UK Corporate Governance Code that non-executive directors should not receive share options or awards, in order to preserve their independence, should be revisited. Delivery of part of a non-executive’s pay in shares or share options is again far more common in the US.
LESSONS FROM THE 2025 AGM SEASON
As the 2025 AGM season draws to a close, we set out below some trends we have seen this year and look ahead to what next year may have in store for AGMs at UK companies.
The return to physical meetings
The trend of moving back to holding purely physical meetings has continued in 2025. The key reason cited by companies is that the costs of providing for remote participation are not sustainable given the limited demand for it. Based on the 188 FTSE 350 companies that had published their Notice of AGM by 31 May 2025[1]:
- 68% held or proposed to hold a (purely) physical AGM.
- A relatively small number held hybrid meetings (22 FTSE 100 and 7 FTSE 250 companies), i.e. shareholders could participate fully either physically or virtually.
- Other formats included physical meetings with some form of webcast or dial-in facility, but stopping short of virtual participation.
- Five FTSE 100 companies held ‘digitally-enabled’ AGMs where there is still a physical quorum (to satisfy the place element of s311 Companies Act 2006) but shareholders are strongly encouraged not to attend in person but to instead join online. If shareholders try to attend the physical location, they will instead be provided with online access to the meeting (via a laptop or other device).
- Only three companies (all FTSE 250) held fully virtual meetings.

The thorny question of fully virtual meetings
Due to the Companies Act requirement that the notice of a meeting must state the place of that meeting, there is some uncertainty as to whether a meeting that takes place wholly virtually, with no physical place, can be legally valid.
Against this background, the GC100 recently polled its members about their preferred AGM meeting format. Those that responded stated that the lack of clarity as to whether fully virtual meetings are legal, given the ‘place’ requirement of the Act, was enough to prevent them moving to a fully virtual format for their AGM for now. A number of respondents said they would move to a virtual format if this uncertainty were to be clarified, although some of these said they would only do so if an enabling change to the articles of association were not required.
The government is actively considering how the law on virtual meetings can be clarified. Our recent discussions with the Department of Business and Trade, however, reveal that there are real tensions between UK corporates and UK investor bodies and proxy advisors.
On the one hand, UK corporates would generally like the board to be able to decide whether the AGM should be held virtually, and various arguments have been made in favour of clarifying the law to permit virtual meetings:
- the inability to hold virtual meetings is a competitive disadvantage given that virtual AGMs are common in Europe and the US;
- holding a physical meeting can raise safety concerns. Some companies have again this year had to deal with protesters outside and, in a few cases, inside their AGM; and
- where security is an issue, there are significant costs associated with having to provide sophisticated security arrangements and personnel.
UK investor bodies and proxy advisors, on the other hand, are against fully virtual meetings, and current voting guidance from the proxy advisory firms indicates that a fully virtual meeting will trigger votes against the company in question. In particular, they argue that:
- the AGM is a key event for shareholder engagement with the board and that physical or (at the most) hybrid meetings should be the norm;
- shareholder rights generally are being eroded, such as the protections which were removed in the July 2024 overhaul of the UK Listing Rules; and
- annual meetings conducted entirely online would allow boards to cherry-pick easy questions, avoid being accountable for failings and suppress debate.
An alliance of pension schemes, including the £34 billion railworkers scheme and the £36 billion BT fund, has recently joined forces to create a new lobbying group, the Governance for Growth Investor Campaign (CGIC), to defend board governance standards and to fight proposals to allow listed companies to abandon physical meetings.
Wherever the government lands on this question, nothing will happen for some time as the changes will come through the Audit Reform and Corporate Governance Bill due to be published later this year. Even with a favourable reception, this Bill is unlikely to make it onto the statute books before 2027, leaving plenty of time for more debate.
In the meantime, we expect to see the trend towards physical meetings continue next year. Depending on what the Bill contains, we may perhaps see companies seeking to amend their articles of association at the 2026 AGM to enable virtual meetings from 2027 on, although many will hold fire. Companies which have been targeted by protestors in the past will probably continue to hold “digitally-enabled” AGMs in 2026 or adopt other innovative technological approaches to reduce protestors’ potential impact.
Questions for non-executive directors at the AGM
We have heard, anecdotally, that there has been an uptick in questions directed at non-executive directors themselves:
- The most frequently asked question required them to provide a brief summary of the work they had undertaken since joining the board in order to justify the fees paid to them.
- They have also been asked what training they had undertaken since joining the board, particularly in relation to diversity, equality and inclusion.
This ties in with the provisions of the Financial Reporting Council’s Corporate Governance Code Guidance 2024 which provides that committee chairs should attend the AGM and be prepared to answer questions on their interaction with stakeholders and their actions over the year. The guidance also includes questions non-executive directors should consider in relation to their committee roles. A well drafted annual report will, of course, also include details of non-executives’ training and activities over the reporting year in question.
Votes against director election resolutions
A combination of a more relaxed approach to remuneration packages from the Investment Association in its revised Remuneration Principles, and for some companies, the abolition of the bankers’ bonus cap has seen an increase in performance-related packages for directors. In some cases, executives are taking a decrease in annual pay in exchange for the opportunity to earn far more in bonuses. This has resulted in a significant increase in director election resolutions receiving over 10% of votes against, and some votes against have been significantly higher than that, although only one director election resolution has failed completely. For more information, see the Remuneration Update in this issue.
It is hoped that shareholder dissent in relation to executive pay may start to ebb a little in 2026 if investors start to adopt a more pragmatic approach towards attracting international executive talent.
[1] Data taken from Practical Law ‘Annual Reporting and AGMs: emerging trends from the 2025 AGM season, 1 July 2025’
THE FUTURE OF UK EQUITY MARKETS – REASONS TO BE CHEERFUL?
To paraphrase Mark Twain, reports of the death of the UK’s equity capital markets may have been greatly exaggerated and we are seeing encouraging levels of energy and commitment from Government, regulators and market participants to implement changes. In this article we look at a number of developments that suggest there may be reasons to be – cautiously – optimistic.
Listing reforms
Most significantly, in January 2026 the FCA will relax its rules on when a company seeking to admit its shares to a UK market must publish a prospectus, the information that must be included and when a company and its directors may be liable for forward-looking statements in a prospectus.
- It will be quicker and cheaper for companies to raise large amounts of money in a secondary fundraising because – for UK purposes at least – no prospectus will be required for a rights issue or other secondary fundraising that comprises less than 75% of the company’s existing share capital (or 100% for a closed-ended investment fund) – compared to 20% at present. It remains to be seen to what extent this relaxation will enable UK companies to raise capital overseas without a prospectus, particularly if offering into the US, where the requirements of US securities law and investor expectations may require companies to disclose more information or even publish a voluntary prospectus.
- It will be easier for companies to offer their own shares as consideration on a takeover or other acquisition, as usually no prospectus will be required. For more information, see our briefing.
Prospect of greater retail investment
There has been some progress towards encouraging more retail investment in public and private equities. In her Mansion House speech, the Chancellor confirmed that Long-Term Asset Funds can be included in stocks and shares ISAs and that the Government is considering changing the ISA rules to incentivise savers to hold more investments and less cash.
A “tell SID” style campaign to promote the benefits of retail investment is due to be launched next April, and FCA-authorised firms will shortly be able to offer a new type of “targeted support” to retail clients, which broadly is designed to enable them to access basic, sensible investment advice without having to pay the fees, and jump through the regulatory hoops, associated with obtaining bespoke advice. For their part, companies continue to be encouraged by investor bodies to consider including a retail offer on IPOs and placings.
The draw of the US?
Despite strong competition from the US markets, the vast majority of UK companies are staying put, at least for now. Over two-thirds of UK companies that have transferred their listing to the US in the last ten years are trading down on their issue price. Those companies that have transferred are also predominantly US businesses for whom the US market makes sense. Most companies listed in London have concluded that, at least for the time being, the US grass is not necessarily greener, and investors would prefer them to remain here. Uncertainty about whether and when the company may be included in US indices, as well as the increased complexity and cost involved in the process, also need to be factored in.
Pension reforms
The UK Government is accelerating pension reforms to encourage more investment in UK equities.
- The Government is consolidating 86 defined benefit Local Government Pension Schemes into a handful of “mega funds”, to enable them to adopt more active and diversified fund management strategies.
- Other pensions reforms being considered include increasing employer and employee pension contributions - although this may face political difficulties - and encouraging schemes to allocate a greater proportion of their assets to UK companies. Mandating a specified proportion would likely face stiff resistance, especially from defined contribution schemes, and may be too difficult a nettle to grasp, but schemes may instead be required to disclose their allocation to UK equities and, possibly, offered tax incentives to increase such allocation.
PISCES
To help improve UK liquidity and encourage investment into UK private companies, the FCA has recently put in place a new regulatory framework (known as PISCES) to enable private companies to have their shares traded intermittently on a regulated secondary trading platform. The London Stock Exchange is expected to be one of the first to offer such a platform, to be known as the Private Securities Market, which is expected to become operational later this year or early next. For further details see our PISCES briefing.
Further reforms down the track?
While the measures described above will help, more needs to be done. Earlier this month, the CBI published a report entitled “Revitalising UK Public Markets: A roadmap for reforms to listed equity markets” in which it recommends further reforms and actions, including:
- encouraging companies listed elsewhere, particularly in Asia, to have secondary listings in London;
- allowing companies to offer remuneration packages for CEOs of global businesses that are in line with those offered by global competitors;
- rethinking non-executive remuneration, including whether companies should be permitted to pay their non-executive directors in shares or options in certain circumstances;
- exploring ways of encouraging companies to invest more for growth and spend less on dividends and buybacks; and
- simplifying and reducing reporting burdens on listed companies, particularly where they are substantially more onerous than those for private companies of equivalent size.
We will watch with interest which of these recommendations are taken forward.
If you would like more information on any of the matters covered, please do contact us, or speak to your usual Slaughter and May contact.
This material is provided for general information only. It does not constitute legal or other professional advice.