Enhancing Cybersecurity Governance
In many cybersecurity incidents we manage, the control failures or otherwise avoidable causes often stem from insufficient investment in cybersecurity. The reality for any organisation is the significant risk of being hacked, losing valuable data or facing a nation-state attack. However, board members and legal teams may lack a comprehensive understanding of cybersecurity and its legal implications.
Increased focus on cybersecurity oversight
The Joint Standards introduced by the Prudential Authority and the Financial Sector Conduct Authority, which are mandatory for financial institutions from June 2025, emphasise cybersecurity oversight and governance. The board of directors is responsible for implementing and monitoring a robust cybersecurity framework.
Yet, the technicalities of protecting technology may be outside their expertise. Therefore, an education programme targeting in-house legal teams, senior management and board members is crucial. This programme should inform them of the risks and basic cybersecurity requirements, enabling them to make informed decisions about cybersecurity investments.
The importance of cybersecurity risk management
A serious cybersecurity incident can be catastrophic. Even in the best-case scenario, managing such an incident requires enormous resources and diverts attention from regular business operations. For instance, a ransomware attack, even if you pay a ransom or have excellent backups, can take weeks to resolve and months or years to address ongoing legal consequences.
Our recent incident responses have revealed, even in well-prepared organisations, gaps in disaster recovery planning for a full outage caused by a ransomware attack and in preparedness for managing third-party incidents. While not all eventualities can be planned for, understanding cybersecurity control failures at the top management level and seeking expert advice can significantly enhance an organisation’s cybersecurity maturity. Cybersecurity should be a regular agenda item at board meetings, requiring continuous monitoring, investment and improvement. The chief information security officer (CISO) should have adequate time to justify necessary investments, and experts should be brought in to bridge the gap between legal and technical issues.
Education and collaboration
Educating boards and legal teams on cybersecurity and ensuring in-house legal teams are aware of cybersecurity and artificial intelligence (AI) risks is crucial. One major challenge in cyber incident response and regulatory investigations is protecting legal privilege over cyber incident investigations, especially with foreign parent or subsidiary involvement, which can lead to class action litigation following an incident. Legal involvement is essential to manage these risks.
In-house legal teams need to understand the true legal risks of a cybersecurity incident and empower the CISO to secure the necessary funding to truly manage risk. Legal teams and CISOs must work in partnership. It may not be the CISO’s strength to prepare a document trail or monitor processes and remediation steps, which are critical in an investigation and legal defence. This is where the legal expertise can build the organisation’s resilience and readiness.
Integrating cybersecurity into risk management
Effective governance and management of cybersecurity and AI risk require collaboration between legal teams, cybersecurity teams, the executive and the board of directors. Risks should be identified at the start of a project and during regular reviews, not after an incident occurs. Human error, rather than system failure, is often the culprit, but it is usually a combination of contributing factors that could have been detected and corrected earlier.
One way to reduce cyber-incident risks is to enforce a strict data retention policy. Reducing the amount of data available to steal minimises the target size. Prioritising data management systems will improve cyber resilience.
The successful organisation of the future integrates its CISO and legal functions within its risk management portfolio, centralising cybersecurity management rather than relegating it to the information technology team. By fostering a culture of continuous education, collaboration and investment in cybersecurity, organisations can better prepare for and mitigate the risks associated with cyber threats.
