Inference is not enough
Until recently, the answer to that question could be inferred from an array of data and metrics, confidently presented, and a reasonable person could conclude things were under control. However, the UK Corporate Governance Code now asks listed boards for a declaration on the effectiveness of their material controls, and whether that includes cyber is a board's own judgement call. Across financial services, enhanced standards for operational resilience all point in the same direction, from the UK regime to DORA in Europe, reaching into the delegated and outsourced arrangements, the suppliers and technology vendors that the business depends on. The Senior Managers regime in the UK also holds named individuals in regulated firms personally to account.
Shareholders are also watching closely. Cyber incidents now move operating profit and appear in results statements, and the declaration itself lands in the annual report, addressed to the company's owners and investors.
Ordonis, an independent advisory practice, was built to help the people accountable, on both sides of that scrutiny, answer the question and stand behind the answer.