How to Build a Resilient Executive Communication Framework
A guide for Non-Executive Directors (NEDs) on cyber risk, crisis response, and the questions you should be asking. I am writing this from my experience of 7 NED and Chairperson roles and my work in cyber security.
You have seen the IT budget grow every year. More endpoint security. More detection tools. More compliance frameworks. More acronyms.
And yet 65% of UK organisations now believe a serious cyber attack could threaten their survival. One in four experienced a ransomware attack in the last twelve months alone.
The investment is going in. The risk isn't going away. Something isn't adding up - and as a Non-Executive Director, that gap is your problem to identify.
Your role isn't operational. But the accountability is real.
NEDs are not there to run the business. You are there to provide independent oversight, challenge executive assumptions, and ensure the board is governing risk effectively. Cyber risk sits squarely within that mandate.
Under the UK Corporate Governance Code, the board is collectively responsible for determining the nature and extent of the principal risks it is willing to take. Cyber risk is now unambiguously a principal risk for most organisations - not a technical risk delegated to IT, but an existential business risk that belongs at board level.
The legal exposure matters too. Under the Companies Act 2006, directors have a duty to exercise reasonable care, skill and diligence. Courts and regulators are increasingly interpreting that to include having adequate oversight of material cyber risks. The ICO, the FCA, and the PRA have all published expectations that boards - not just IT functions - demonstrate active governance of cyber resilience. If a serious incident occurs and it emerges that the board had not adequately challenged management on cyber preparedness, the personal exposure for individual directors is real.
This is not a reason to become a technical expert. It is a reason to ask better questions.
The question most boards aren't asking
When the CISO or IT Director presents to the board, the conversation typically covers the threat landscape, the tools being deployed, and the compliance posture. That is necessary but insufficient.
There is a second conversation that rarely happens: what is our plan for when the defences fail?
Not if. When. The Databarracks Data Health Check 2026 - tracking UK organisational resilience since 2008 - found that cyber has been the leading cause of organisational downtime for four consecutive years. AI-driven attacks more than doubled in frequency in the last twelve months. The assumption that effective defences mean you won't be attacked is no longer defensible.
The questions that follow from that assumption are different in character, and they are the ones NEDs should be pressing:
What happens to leadership communication if our primary systems go down?
Email, Microsoft Teams, and corporate telephony typically run on the same infrastructure that an attacker will target. If those channels fail, how does the executive team reach each other? How does the board convene? How are decisions authorised?
Who has authority to make what decisions, and in what timeframe?
Paying a ransom, notifying a regulator, briefing a major customer, engaging an insurer — each of these requires clear accountability and secure communication. Does a documented decision framework exist, and has it been tested?
What are our regulatory notification obligations, and are we confident we can meet them?
Under GDPR, serious breaches must be reported to the ICO within 72 hours. Sector-specific regulators — the FCA, the PRA, the CQC — have their own requirements. Failure to notify within required windows compounds both the regulatory and reputational damage. Can the organisation reliably meet those obligations when its infrastructure is under attack?
Has anyone outside the IT team reviewed and stress-tested the incident response plan?
A plan that only IT understands is not a board-level response plan. It is an IT recovery plan with a board-shaped hole in it.
The defence/response imbalance
One of the most useful things a NED can do is ask for the budget to be presented in two columns: what is being spent on cyber defence, and what is being spent on cyber response.
Defence covers the tools designed to prevent an attack or detect it early — firewalls, endpoint protection, threat intelligence, penetration testing. This is where most cyber investment goes, and rightly so.
Response covers what happens after the defences have failed — incident response capability, crisis communications infrastructure, leadership decision-making protocols, regulatory notification processes, and business continuity. This is where most organisations are underinvested.
The Databarracks 2026 data makes this visible: only 34% of organisations have tested their crisis communications plan. 51% of respondents believe their organisation treats resilience as a box-ticking exercise. 43% say it only becomes a focus after something has already gone wrong.
That asymmetry - heavy defence investment, thin response capability - is the gap NEDs should be pressing management to close.
How to get genuine reassurance rather than reassuring presentations
The risk for any board is that cyber gets managed as a compliance exercise - the right frameworks are cited, the right tools are named, and the presentation looks credible. The organisation is not actually prepared; it has the appearance of preparation.
There are several ways to test for the difference.
Ask for a tabletop exercise to be run at board level.
Not an IT exercise - a leadership exercise. What decisions would the board need to make in the first six hours of a serious attack? Who would make them? How would they communicate? What information would they need, and from whom? Running that scenario in a room without pressure is the only way to find the gaps before they matter.
Ask what the last test of the crisis communications plan actually revealed.
If the answer is that it went well, probe further. Exercises that find no gaps are almost always exercises that weren't challenging enough.
Ask whether the organisation operates on an "assume breach" posture.
This is the security principle that accepts an attacker will eventually get in, and organises defences and response accordingly. An organisation that is still primarily focused on keeping attackers out has not made the mental shift that the current threat environment requires.
Ask how the board would be convened if email and telephony were down.
If there is no clear answer, that is a governance gap that needs to be closed before the next budget cycle, not after the next incident.
The bottom line for NEDs
Cyber risk has crossed from IT governance into corporate governance. The questions above are not technical questions - they are leadership questions. They are about decision-making authority, communication continuity, regulatory accountability, and the difference between a tested response capability and a documented assumption that things will work.
The organisations that navigate serious cyber incidents well are not always the ones with the most sophisticated defences. They are the ones whose leadership teams were able to function, communicate, and decide when everything else was failing.
As a NED, ensuring your organisation is one of those is part of the job.
02 Jul 2026