A director is accountable for cyber risk they have no independent way to test
A director carries personal accountability for the oversight of cyber risk. The duty of reasonable care, skill and diligence expects a director to take reasonable steps to be informed and to challenge, and the Senior Managers regime ties that expectation to named individuals in regulated firms. For listed boards, Provision 29 of the 2024 UK Corporate Governance Code adds a declaration on the effectiveness of material controls, made in the annual report, in the board's name.
Yet the reporting a director relies on to discharge that duty is produced by the same executives whose performance it describes. When the reporting is confident and the subject is technical, challenge is hard to mount and a reassuring report can go untested, and the oversight a director is accountable for becomes a sign-off.