
Cyber risk: a core boardroom responsibility


Thursday 30 Apr 2026


At two recent events for NEDs in Jersey and Guernsey, we were joined by Johnty Mongan, Global Head of Cyber Risk Management at Gallagher, and Georgia Price-Hunt, Global Head of Sales for Cyber Risk Management, who delivered an engaging session titled “Inside the mind of a hacker: Real-world cyber tactics every NED must know.”

Their session explored how cyber criminals target organisations and exploit vulnerabilities, but the wider message was clear. Cyber risk is no longer just an IT issue. It has become firmly a governance issue, where boards are expected not only to understand prevention, but also how the organisation would respond under pressure.


Top takeaways

  • Cyber risk is now a board-level responsibility, not just an IT issue
  • AI is accelerating the speed and complexity of attacks
  • Leadership decisions during an incident can shape the overall impact
  • Insurance and proactive risk management work best together
  • Third-party and supplier risks are becoming harder to ignore
  • Practical preparedness is more important than theoretical compliance

Faster threats are changing expectations

One of the clearest themes from the session was the speed at which threats are evolving. Artificial intelligence has reduced the time between vulnerabilities being identified and exploited from weeks to hours. Businesses can no longer rely on periodic reviews or slower response cycles. Continuous monitoring and the ability to react quickly are becoming essential parts of resilience.

This increased pace is also changing the nature of attacks themselves. Double extortion, where attackers combine system disruption with data theft, is becoming increasingly common. The impact can quickly extend beyond IT into reputation, client relationships and legal exposure, with the response often shaping the outcome as much as the attack itself.


Leadership and governance are under greater scrutiny

As cyber incidents become more visible, so too does director accountability. Attention can quickly shift to leadership decisions, communication and whether the organisation was properly prepared in advance. This creates a direct link between cyber incidents and D&O exposure.

The session also highlighted that organisations often rely too heavily on either cyber insurance or technical controls in isolation, when in reality both are needed.

Insurance provides access to specialist support and funding, whilst proactive risk management improves readiness and reduces exposure.

Risk is extending beyond the organisation itself

Third-party risk is becoming more significant as businesses rely more heavily on external providers and cloud-based services. Failures within a supplier can still have a direct operational impact, increasing the focus on due diligence, contractual protections and understanding where responsibility sits.


Preparedness matters more than policy alone

Another key theme was the importance of practical readiness. Tabletop simulations and clear incident response plans are increasingly viewed as essential, often revealing gaps in communication and decision-making before a real incident occurs.

Frameworks such as NIST, ISO 27001 and Cyber Essentials still play an important role, but they are not complete solutions in themselves. Their value lies in helping organisations identify weaknesses and improve resilience over time.

Resilience requires ongoing ownership

Regulation and insurance continue to evolve, but not always at the same pace as the threat. Cyber insurance is maturing, with changing expectations around coverage and controls, meaning organisations cannot rely solely on external frameworks and must take ownership of their own resilience.

Taken together, the direction is clear. Cyber risk is becoming faster, broader and more closely linked to leadership decisions. Organisations that treat it as a business risk, rather than just a technical issue, are better placed to respond when it matters.

For boards, the challenge is not to become technical experts, but to ensure the organisation is prepared, informed and ready to act.


How can Gallagher help?

As risk consultants, we help businesses and individuals anticipate cyber threats and respond with confidence through expert guidance, training and tailored insurance solutions. Our Cyber Tabletop Simulation Training and Consultancy Service offers a comprehensive solution to help businesses prepare employees for potential cyberattacks. We provide customised tabletop exercises and specialist consultancy services to help companies identify their cybersecurity risks and develop effective response plans. We can also deliver this training to individual NEDs.

For more information, please do reach out to Natasha Lucock, Managing Director, Gallagher Guernsey: natasha_lucocok@ajg.com
