In 2021, 38% of UK boards had a named director accountable for cyber.
In 2025, that figure was 27%.
In the same period, nationally significant cyber incidents reached a record 204.
That’s one every 1.8 days.
A 130% increase year on year.
The government was sufficiently alarmed that it wrote personally to the top 350 FTSE companies in October 2025.
Urging board-level oversight.
Think about that for a moment.
The government writing letters to FTSE boards about basic governance.
The Cyber Security and Resilience Bill, introduced in November 2025, isn’t optional: fines of up to £17 million or 4% of global turnover, and daily penalties of £100,000 for failing to act on known threats.
Here’s what makes this particularly dangerous.
93% of UK organisations raised their cyber budget by at least 10% last year. 70% remain stuck at beginner maturity stages.
More money. Same risk.
The problem isn’t funding.
It’s fragmented investment spread across dozens of vendors that slows detection rather than improving it.
And the CEO-CISO disconnect is making it worse. CEOs now rank cyber-enabled fraud as their number one concern. CISOs are still focused on ransomware.
Different priorities. Different investment decisions. Same organisation.
There’s one data point that should worry every board member reading this.
Organisations that use AI extensively in their security response cut the breach lifecycle by 80 days.
That’s $1.9 million saved per incident.
The businesses that get this right aren’t spending more. They’re thinking differently.
Is cybersecurity on your board agenda, or delegated entirely to IT?
