NED insights: Are board members accountable?

Updated: 12 hours ago

CxB convened a Chatham House discussion among experienced non-executive directors about the evolving nature of board accountability for cyber security. The discussion highlighted a consensus that cyber resilience is no longer merely a technical issue managed in a silo, but a fundamental component of a board’s fiduciary and statutory duties.


Directors’ duties and sources of accountability

Under the Companies Act 2006, specifically sections 172 and 174, directors are legally obligated to promote the success of the company and exercise reasonable care, skill, and diligence. Participants noted that these clauses effectively mandate that directors safeguard the cyber resilience of their organisations, as the consequences of failure may impact long-term success, reputation, and the interests of employees and suppliers.


Participants noted four types of accountability to which boards are traditionally subject: direct business consequences, internal and external stakeholder criticism, media and reputational damage, and legal or regulatory action. A poignant example discussed was the cyber attack on Marks & Spencer, which reportedly cost £300 million in profit. The company faced intense scrutiny for its perceived lack of a response plan and for awarding executive pay rises shortly before the incident, illustrating how a cyber failure can rapidly escalate into a crisis of confidence in the board itself.

... a cyber failure can rapidly escalate into a crisis of confidence in the board itself

Regulatory pressure is intensifying

Regulatory pressure is also intensifying. Following high-profile attacks on organisations like Jaguar Land Rover, the UK government has proposed stricter regulations through the Cyber Security and Resilience Bill. The responsible Minister has promised secondary legislation that would introduce requirements consistent with the NCSC’s Cyber Assessment Framework, potentially mandating board-level responsibility. There was discussion of recommendations from the security think tank RUSI to amend the Companies Act to require a board-level cyber security officer.


Participants noted that the scope of accountability is spreading across the supply chain. Regulators no longer focus solely on the size of an organisation, but rather on the systemic risk it poses to its sector. For instance, critical suppliers are increasingly required to meet the same stringent standards as the major institutions they serve.


Despite these external pressures, a recurring theme in the debate was the lack of a common, board-level definition of what "accountability" actually entails. The group noted that while non-executive directors (NEDs) are highly motivated to ensure compliance when personal liability is at stake, many boards still struggle to translate intellectual understanding of cyber risk into effective governance.


Individual versus collective responsibility

A significant portion of the discussion focused on the tension between individual and collective responsibility. There was a strong feeling that collective accountability and awareness are vital; the entire board should follow cyber risk rather than leaving it to one individual.

... the entire board should follow cyber risk, rather than leaving it to one individual

While some organisations, such as those in financial services, may appoint a dedicated NED to oversee cyber, participants warned that this person may not always be an expert, and general knowledge across the rest of the board is often lacking. It was noted that boards would not typically delegate financial oversight to a single accountant on the board. For smaller organisations, mandating a specialist NED may not be viable due to resource constraints, yet these entities still face significant gaps in both staff and board expertise.


A translation gap and an emotional gap

Participants argued that boards need a common understanding of risk and how to obtain assurance, similar to systems already in place for financial controls. This requires knowing what needs to be done and how to verify it through evidence, rather than taking executive reports on trust.


A recurring challenge is the "translation" gap; it can be difficult for non-executives to interpret technical executive summaries, highlighting the need for someone to bridge that communication divide. Success in this area depends on directors knowing which questions to ask, how to interpret the responses, and how to frame effective follow-up questions.


Finally, the debate addressed the "emotional gap" in cyber governance. Many boards possess an intellectual understanding of cyber threats but lack a visceral sense of the potential impact. One person recalled the Chair of a healthcare organisation who, in hindsight, remarked that if the board had been "more frightened" and truly felt the threat, they would have worked harder to prepare for the serious cyber attack it suffered.

... if the board had been "more frightened" and truly felt the threat, they would have worked harder to prepare

To bridge these gaps, participants suggested lowering barriers to governance by increasing board confidence through training and scenario-based exercises. One person recommended inviting an external speaker with personal experience of an incident as a board member, to convey the practical and emotional impact.


While finding time on a crowded board agenda remains a challenge, the consensus was that skilling up the board is essential to move beyond mere compliance toward true resilience.


A board’s responsibility

Ultimately, the debate underscored that whilst the UK government is viewed as a leader in national cyber resilience policy and guidance, the burden of implementation rests with each individual board. As regulation looks set to introduce even stricter requirements for board-level responsibility, the challenge for NEDs will be to integrate cyber resilience into the heart of corporate strategy.


By fostering a culture of collective accountability and focusing on the long-term consequences of digital risk, boards can better fulfil their statutory duties to promote the success and security of their companies in an increasingly volatile environment.
