Why board-level cyber questions matter
Under UK corporate governance (FRC Guidance on Board Effectiveness, Companies Act duties), boards are accountable for oversight of risk—including cyber risk. Regulators and insurers increasingly expect boards to ask the right questions and understand the answers, not delegate and forget. A one-pager keeps the conversation focused and repeatable.
Key questions to ask (and what good looks like)
Do we have a clear view of our critical assets and who is responsible for protecting them?
"Good" means a defined scope (the key systems, data, and services the business cannot operate without), a named owner (often IT or a risk lead), and a review of that scope at least annually. Weak signal: "IT looks after it" with no written scope or owner.
When did we last test our incident response plan, and who was involved?
"Good" means a documented plan, a tabletop or drill in the last 12 months (e.g. NCSC Exercise in a Box), and evidence that the right people (IT, comms, legal, exec) took part. Weak signal: a plan exists but has not been tested, or only IT was involved.
How do we know we would be notified in time if our systems were compromised?
"Good" means defined detection and escalation paths: who monitors, who gets alerted, and how the board or exec is informed (and within what timeframe). Weak signal: no defined escalation or "we'd find out when something breaks."
Are we aligned with recognised frameworks (e.g. Cyber Essentials, NCSC guidance) and can we evidence that to insurers?
"Good" means a stated alignment (either certified, or with the gaps tracked against the framework), documented controls, and the ability to produce evidence on request for renewal or audit. Weak signal: no framework, or "we think we're mostly there" with no evidence.
Red flags that warrant deeper review
- No one can articulate critical assets or recovery priorities (recovery time and recovery point objectives, RTO/RPO).
- Incident response has never been tested with the people who would actually respond.
- Cyber or IT risk appears on the board pack only once a year or after an incident.
- Insurers or auditors have asked for evidence that cannot be produced.
Next steps
Use these questions with your IT or security lead at least twice a year. Benchmark your organisation with our StrategyOS Digital Maturity Assessment—get your score and see how you compare to your industry.