The missing credential
July 2026
The law is particular about who may sign the accounts that reach an audit committee. The cyber report that reaches the same committee has nothing like that behind it, and the only people any UK regulator has ever insisted on certifying are the testers, not the people defending the firm all year round. The personal accountability for being satisfied lands where the last decade of regulation has aimed it, on named executives and boards, with no profession underneath them.