The landscape of cyber security has fundamentally shifted, moving from a niche IT concern to a systemic risk that demands active, long-term leadership from the board.
For financial services firms, where operational stability and client trust are paramount, the necessity of robust cyber resilience is not merely a commercial concern but a core regulatory expectation from bodies such as the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).
In a recent, highly informative briefing run by MHA, the UK member of the global Baker Tilly network and chaired by Independent Non-Executive Director Sundeep Bhandari, a cohort of Non-Executive Directors and Chief Financial Officers from leading banks and specialist lenders convened to address this critical issue. The discussion featured insights from Toby Lewis, Head of Threat Analysis at Darktrace, and Will White, Public Relations Specialist at Omnia Partners, focusing on the current threat environment, regulatory focus, and the right way to manage a crisis.
The new regulatory and threat environment
The PRA and FCA have consistently reinforced the need for firms to build resilience against operational shocks, with cyber risk being a primary focus. Recent guidance, including the Operational Resilience framework, establishes a clear mandate: it is no longer a question of ‘if’ an attack will occur, but ‘when’. This position reflects the grim reality that no sector, from the largest banks to small charities, appears immune.
Toby Lewis underlined this severity, emphasising that ransomware has become the “weapon of choice” for cyber attackers.
Delegates questioned the PRA’s directive to focus on the supply chain, a vital area where a firm’s security is only as good as its weakest link. For banks, where data and transactions are mirrored every few minutes, sophisticated back-up and mirroring systems are now standard for operational continuity. While these measures mitigate the risk of a complete lock-out from assets, Sundeep Bhandari stressed that boards must quantify the potential impact of even short-term disruption as part of a comprehensive planning process.
The ransom dilemma
The challenge of whether to pay a ransom remains one of the most fraught decisions a board can face. Although many governments, including the UK, advise against payment, a position recently reinforced by a Home Office consultation considering a prohibition for the public sector, commercial reality can often take over. The immediate need to restore critical services and protect customers frequently clashes with the ethical and security advice.
Toby Lewis offered a stark caution against succumbing to pressure, citing that an attacker’s de-encryption software often poses inherent risks, is unstable, and is not guaranteed to work, with evidence suggesting that around half of victims that pay, still fail to fully recover their data.
Some estimates even place it as low as 13% of those who are able to recover their data even after paying. Furthermore, while cyber insurance may be in place, cover is often limited, raising questions about whether adequate and significant investment in preventative defences is a condition for agreement.
Crisis management: the communications imperative
A successful attack requires not just a technical response, but a holistic crisis plan, with communications at its core. Will White offered clear, actionable advice on managing external perception and stakeholder confidence during a breach.
Do’s and Don’ts of communication
| Do’s | Don’ts |
|---|---|
| ✅ Form a small, cross-functional Cyber Response Team. | ❌ Rely on scripts; they rarely align with the reality of an incident. |
| ✅ Have external advisors (PR, legal, forensic) on speed-dial. | ❌ Over-promise on recovery timelines or outcomes. |
| ✅ Map all stakeholders and audiences for consistent messaging. | ❌ Neglect internal staff or third-party providers in your communication. |
| ✅ Revisit and tighten Service Level Agreements (SLAs) with key third parties, ensuring 24/7 availability. | ❌ Fail to conduct scenario planning to identify potential communication points. |
| ✅ Maintain a balanced communications approach. |
One delegate shared a critical learning point from a recent defence plan review: despite the organisation’s prior belief in the adequacy of its systems, a full review of all defensive areas took nearly six months. This illustrates the complexity and time investment required to validate a firm’s cyber posture.
Board leadership and global scope
The prevailing consensus was that the board must lead the cyber agenda. Sundeep Bhandari and Toby Lewis both concurred that the board’s role is to think long term, setting strategy and empowering operations to implement robust, well-funded defences. The subsequent operational experiences should then be used to gather and implement continuous learnings.
For non-technical directors seeking to embed cyber resilience, Toby recommended the National Cyber Security Centre (NCSC) which produces a Cyber Security Toolkit for Boards. This key resource is designed to foster informed discussions and ensure appropriate investment across the organisation.
Finally, the discussion turned to global institutions: the idea that subsidiaries of overseas-parented organisations might be at less risk was categorically rejected. As Mr Lewis noted, ransomware respects no boundaries, and the interconnectedness of modern IT systems means that systemic risk is pervasive. Therefore, the lessons and imperative for robust cyber governance apply to every entity within a global organisation.
The message for all financial services boards is clear: cyber security is a constant process of preparation, not a one-off project. The regulatory, financial, and reputational stakes are simply too high to approach this as anything less than a central strategic imperative.
