Executives put on notice as cyber failures hit pay and reputation

Head of NCSC raises importance of proper cover as he puts CEOs on notice – it’s not just tech – prepare properly or else

We bought tech instead of insurance.
We didn’t finish buying insurance.
We didn’t have enough insurance.

Insurance Business has been pumping out headlines every week telling of the disastrous outcomes of not having proper cyber coverage - and possibly even enough D&O insurance for when a hack occurs. And now yet another voice has joined the push.

Britain’s cyber security agency has now warned that company bosses can no longer treat data breaches as someone else’s problem, saying leadership teams must take direct responsibility for defending their businesses. The message, delivered in the National Cyber Security Centre’s latest review, comes amid a wave of high-profile incidents and growing evidence that cyber lapses now carry personal financial consequences for those at the top.

Richard Horne, head of the NCSC, said that treating cyber risk as a purely technical matter is no longer tenable. “For too long, cyber security has been regarded as an issue predominantly for technical staff. This must change. All business leaders need to take responsibility for their organisation’s cyber resilience,” he wrote. “Any leader who fails to prepare for that scenario is jeopardising their business’s future.” 

The warning follows a run of damaging attacks on major British brands, including the Co-op, Marks & Spencer and Harrods. Jaguar Land Rover’s operations were paralysed for weeks earlier this year, forcing the carmaker to secure a £1.5 billion government-backed loan to stay on track. Across the UK, the NCSC logged more than 200 “nationally significant” incidents in the year to August 2025 - up by half on the previous 12 months. 

Ministers have joined the call for tighter oversight, writing to FTSE 350 boards to urge them to “take the necessary steps to protect your business and our wider economy from cyberattacks”. The letter, signed by the chancellor Rachel Reeves and business secretary Peter Kyle, reminded directors that companies “recover better from incidents when they have planned for the worst and rehearsed their business continuity and recovery”. 

That pressure from Westminster echoes developments overseas. In Australia, Qantas Airways has cut senior executives’ short-term bonuses by 15% after a cyber breach exposed millions of customer records. The reduction, worth about AU$250,000 to chief executive Vanessa Hudson, was described by investors as a sign that accountability for security failures is finally reaching the boardroom. Analysts say the move may mark a turning point for governance standards globally, with directors expected to treat cyber resilience as a core financial duty rather than a compliance exercise.

Back in London, a new Cyber Security and Resilience Bill is due later this month. It will oblige regulated firms to report breaches to the NCSC within 24 hours and to strengthen controls across supply chains - increasingly the weak spot in large-scale attacks. For insurers, those reforms could offer earlier visibility on potential loss escalation, but they will also raise expectations on clients to prove that recovery plans and vendor checks are properly tested. 

Industry leaders have also echoed the call for personal responsibility. In an open letter accompanying the NCSC review, Co-op chief executive Shirine Khoury-Haq wrote: “The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack.” 

For underwriters, these shifts are significant. Expect closer scrutiny of how often clients run tabletop simulations, the maturity of their access-control systems and the robustness of third-party risk management. Many insurers are already tightening wordings around notification, business-interruption triggers and minimum cyber-hygiene standards.

Taken together, the message from both regulators and the markets is clear. The age of cyber as a purely IT concern is over. Boardrooms are being judged not only on how well they respond to attacks, but on whether they took their duty to prevent them seriously - and, increasingly, executives’ pay packets may hang in the balance.
