Board Intelligence Chair Summit - Anne Keast-Butler

OPINION

Moving cyber resilience from IT to the boardroom

Adam Gale explores what boards should be asking about cyber threats


Boards need to ask harder questions about cybersecurity. That was the message from GCHQ Director Anne Keast-Butler at the Board Intelligence Chair Summit, where 200 leading chairs and board directors gathered to discuss 2026's biggest board challenges.

Where does cyber rank in the board risk register?

Cyber incidents are somewhat like burglaries or carjackings.

First, there's no shortage of scary statistics that attacks are on the rise — there was a sixfold increase in the costs of cybercrime in the US, for example, between 2017 and 2024.

Second, you feel uncomfortable when someone you know gets hit — between them, the 2025 cyberattacks on Marks & Spencer, Co-Op and Jaguar Land Rover are each estimated to have cost hundreds of millions of pounds.

Third, it's only when you're the victim that you realise just how disruptive and destructive they can be.

With cyberattacks, as with so many other crimes, the impact goes far beyond financial loss. Geopolitics loomed large at the Chair Summit, as did AI and innovation, but the notepads came out in force when Board Intelligence co-founder Jennifer Sundberg asked Anne Keast-Butler's advice for how boards should prepare for a cyberattack.

This suggests that cyber risk is working its way up the risk register rankings — and if it's not already at or near the top, it should be.

What should boards be doing differently about cybersecurity?

If you think you're safe, you're probably not asking the right questions. Every organisation has cyber vulnerabilities, and with complex supply chains and ubiquitous online interactions, it's not always obvious where those vulnerabilities are.

"The nature of cyber risk is evolving at the same speed as the technologies that underpin our economies… vulnerabilities can emerge and change far more quickly than many organisations expect."

Anne Keast-Butler, GCHQ Director

Too often, cyber risk is managed elsewhere – delegated to vendors or treated as an operational issue, with the detail being managed far from the boardroom. With the frequency and intensity of cyber attacks set to rise into 2027, this needs to change.

"Resilience to cyber threats is no longer a technical challenge confined to IT teams; it is a strategic leadership issue for boards."

Anne Keast-Butler, GCHQ Director

Boards must challenge management's assumptions and push them to look at potential business impact, while also asking harder questions about supply chain partners, resilience, and recovery time.

What is the next threat that businesses should be thinking about?

Large language models' emergence in late 2022 helped criminal gangs, terrorists and state actors launch more and stronger cyber attacks, and many organisations found themselves on the back foot. Without the benefit of hindsight, many boards underestimated that growing threat. The assembled chairs therefore wanted to know what emerging threat should be on their radar today.

The answer? Quantum computing, a technological milestone that will further challenge existing assumptions about security and computational power.

While there are ways to proactively protect against such technology, such as post-quantum encryption, organisations too often wait until a threat is live to put the necessary measures in place, by which time it's too late. Keast-Butler was clear: foresight is essential, and boards need to start thinking about being ready for quantum now.

How should boards respond if a cyberattack happens?

Preparation is your friend in any crisis and cyberattacks are no different. Effective planning and regular simulation exercises help to identify possible gaps and create the muscle memory to know who should do what, and when.

In Board Intelligence's recent Board Value Index, 54% of directors reported that their board or management team had participated multiple times in cyber incident simulations in the past 24 months – a figure you'd expect to increase with cyberattacks so frequently in the headlines.

When incidents happen, it's not just prevention that matters — it's how quickly and effectively an organisation can respond and recover. During a cyberattack, non-executive directors will find themselves far more involved than usual, and not in a way that fits neatly around the other commitments in their diary. Yet their participation and support for executive board members is vital, particularly in a serious cyber incident, where management will be under extraordinary physical and emotional stress.

The recovery period deserves as much attention as the incident management planning itself. How an organisation operates through recovery — maintaining stakeholder confidence, managing communications, handling technical restoration — shapes outcomes as much as the immediate response.

What support is available?

At the Summit, Keast-Butler directed chairs to the National Cyber Security Centre (NCSC) Cyber Security Toolkit for Boards, which has guidelines for implementing robust cyber governance.

She also reminded the audience of the importance of public-private sector collaboration.

"Meeting these challenges requires deep collaboration with the private sector. Building strong partnerships with industry is fundamental to strengthening the UK's collective cyber resilience."

Anne Keast-Butler, GCHQ Director

Boards can offer better oversight if they work on their own understanding of cybersecurity. Indeed, in the Board Value Index, directors in the UK and North America identified cyber resilience as one of their main board development areas.

But it's important that board development is systematic, starting with a board evaluation that identifies opportunities to improve, supported by structured training.

When the board discusses cybersecurity, which needs to be at least a regular, if not standing, agenda item, it also needs to be informed by focused, digestible board materials that are themselves delivered in a secure way, with passkeys preferable to passwords, and secure board portals far preferable to email attachments.

The principle applies beyond technology alone: it's far easier to design cyber resilience into an organisation from the start than to retrofit it when crisis strikes.

 
