Cyber Crisis Governance: what the board should rehearse

By Loraine Phillips & Susanne Alfs

Facing a cyber incident is a matter of when, not if. Building board-level cyber crisis governance is a practical starting point for developing an effective incident response plan. Many organisations do not have a formal cyber incident response plan: in the UK, for example, only 23% of businesses and 22% of charities have one in place[1], and results are only slightly better across the EU[2]. That reality matters, because you cannot rehearse decisions at pace if the basics, such as roles, escalation routes and reporting triggers, are not written down. Testing cyber crisis governance by engaging the board in a cyber exercise is essential for a viable and dynamic incident response plan, and it achieves much more by bolstering the board’s confidence that it is ready.

Exercising a plan is not the same as the board knowing how to govern in a cyber crisis:

An organisation should practise incident response in ways that are valuable for operations (walk-throughs, table-top exercises, technical simulations) and include everyone who needs to contribute, including the board. A board-focussed cyber crisis exercise is different – it is about governance under pressure:

  • What gets escalated, when, and how

  • Which trade-offs the organisation is willing to make, and how these align with its risk appetite

  • Who has the authority to disrupt operations, approve spend or engage third parties

  • How the organisation keeps sight of the impact on reputation as well as its legal, regulatory and customer duties

  • What role the board should play in support of the executive team

The UK National Cyber Security Centre (NCSC) explicitly recognises board-level exercising as distinct: it should include business impact assessment and decision-making, regulatory reporting, and external communications[3].

Board-focused cyber crisis exercise formats that build decision confidence:

Parts of incident response require board support. This maps directly to the expectation[4] that boards must govern during a cyber crisis.

Decision-first simulations: start with imperfect information, then force decisions that cannot be delegated: containment versus continuity, customer communications versus forensic certainty, whether to pause a supplier connection.

  1. Escalation threshold rehearsal: delegation of authority must be clear. Most boards discover too late that escalation criteria were ambiguous; they discover it on the day. Practise the first escalation to understand who calls whom, what the board expects in the first briefing, and what management is authorised to do before the board convenes.

  2. Stakeholder-communications clinic (including communication experts): run a short scenario in which the board must steer principles and tone. Practise ‘What are we prepared to say, and when?’ and ‘What do we prioritise if facts are incomplete?’ Recognise that this will be a rapidly changing situation and that agility is fundamental to success.

  3. Recovery trade-off session: make priorities explicit and test them against mission-critical services, safety, financial exposure, and contractual obligations. Boards add value by clarifying the risk appetite for disruption and agreeing what must be restored first.

A strong cyber crisis board practice session brings:

  • Escalation triggers, with a template ready for the first board briefing

  • A tested communication strategy, for customers, regulators, staff, investors, suppliers etc.

  • Documented learning with evidence-based action plans

If you don’t yet have a formal incident response plan, consider starting with a board-level cyber crisis exercise. A well-designed session quickly surfaces the decisions the board will be asked to make and brings clarity on the management mandate to develop a pragmatic incident response plan. Once a plan is in place, ask your executive team to schedule exercises for those who will execute the response, including the board. Ensure regular board-focussed cyber crisis practice is also scheduled, to rehearse governance under pressure. Cyber4Directors can design a cyber crisis exercise tailored for your board.

[1] UK Government, Department for Science, Innovation and Technology, Cyber security breaches survey 2025, section 3.8, https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[2] Eurostat, ICT security in enterprises, 2024, https://ec.europa.eu/eurostat/statistics-explained/SEPDF/cache/9132.pdf?utm_source=chatgpt.com

[3] UK Government, The National Cyber Security Centre, 2023, Cyber Incident Exercising: Technical Standard v1.4, Paragraph 6, page 6, https://www.ncsc.gov.uk/files/Cyber-Incident-Exercising-CIE-Technical-Standard-v1-4-September-2023.pdf

[4] UK Government, Cyber Governance Code of Practice, 2025, https://www.gov.uk/government/publications/cyber-governance-code-of-practice/cyber-governance-code-of-practice
