Table of contents

1 Chapter 1 : Introduction

2 Chapter 2

2.1 Why Top-Down Governance Is Not Optional

Cybersecurity is not a technology problem. It is a governance problem. This first section establishes why the board is legally accountable — and what that means in practice.

1.1 The Systemic Nature of Cybersecurity

A firewall does not decide how much to spend on security. A SIEM does not decide whether to invest in staff training. A patch management system does not decide whether legacy OT systems will be replaced. These are governance decisions — made by the board. And the board is now legally accountable for them.

Core Principle

The board sets risk appetite. If the board has not been adequately briefed on cyber risk — in terms it can understand and act on — then the risk appetite it sets is uninformed. Uninformed risk appetite is not a defence. It is a governance failure.

The Three Failure Modes of Board Cyber Governance

Delegation without accountability

"We have a CISO — it's their job." The CISO implements; the board defines risk appetite, approves the programme, verifies its effectiveness, and holds the CISO accountable.

Budget without understanding

Approving a cybersecurity budget without understanding what it buys and what risks remain is not governance — it is a blank cheque that creates liability without assurance.

Policy without proof

Excellent policies exist on paper but are never verified. A policy that says "all data is encrypted" means nothing if no one has checked whether it is actually encrypted.

2.2 The Major Threat Actors

Understanding who attacks organisations — and why — is the foundation of informed board-level risk decisions.

1.2 Nation-State Actors

State-sponsored groups from Russia, China, North Korea, and Iran conduct attacks for geopolitical intelligence, industrial espionage, and critical infrastructure disruption. These actors operate with unlimited time, resources, and legal impunity in their home jurisdictions.

  • China's Volt Typhoon: pre-positioned inside US and European critical infrastructure for years, waiting for geopolitical triggers. Pharmaceutical, energy, and semiconductor organisations are priority targets.
  • Russia's Sandworm: responsible for NotPetya (2017) — $10B+ global damage, including $300M to Maersk and $870M to Merck. Classified by insurers as an 'act of war'.
  • North Korea's Lazarus Group: conducts ransomware and cryptocurrency theft to fund state programmes. Responsible for WannaCry (2017) — $4B+ global damage, 80,000 NHS devices encrypted.

Organised Criminal Ransomware Groups (RaaS)

Ransomware-as-a-Service has industrialised cybercrime. Groups like LockBit, BlackCat/ALPHV, Cl0p, and Royal operate with affiliate models — recruiting technical specialists, negotiators, and money laundering networks.

  • Average enterprise ransom demand (2024): $5M–$50M+. Average total incident cost: $4.5M for mid-size firms, $30M+ for large enterprises.
  • Double extortion: data encrypted AND exfiltrated. Victims face both operational shutdown and threatened public release of sensitive data.
  • Triple extortion: attackers directly contact customers, partners, regulators, and media — creating pressure independent of the organisation's response.
  • The RaaS model means attacks are now accessible to low-skill actors — any criminal can rent the infrastructure.

2.3 Video : Summary

2.4 Widget : Ransomware Financial Impact Calculator

3 Chapter 3

3.1 Five Major Case Studies

Real incidents that shaped current regulation. Each one contains a direct lesson for board-level governance.

1.3 What Happened — And What It Means for Your Board

Case 1 — Jaguar Land Rover: Production Shutdown (2022)

Ransomware encrypted operational technology (OT) systems connected to manufacturing lines, halting production at multiple facilities for several weeks. Financial impact: hundreds of millions. Key lesson: the 'air gap' between IT and OT systems is largely a myth in modern connected manufacturing. A cyber attack stopped physical production lines.

Board Question

Does your organisation have a documented, tested OT/IT separation policy? Has the board received a briefing on which physical operations could be halted by a cyber incident?

Case 2 — British Airways: Data Theft, £20M GDPR Fine (2018)

Malicious JavaScript silently exfiltrated payment and personal data of ~500,000 customers for 62 days undetected. The attack vector was a compromised third-party supplier — but BA bore the full regulatory penalty. Key lesson: third-party liability is your liability.

Case 3 — MOVEit Global Supply Chain Attack (Cl0p, 2023)

Zero-day vulnerability in MOVEit file transfer software. 2,500+ organisations affected, 83 million records exposed. BBC, British Airways, Shell, Boots, US federal agencies all compromised simultaneously. Triggered 72-hour notification obligations across dozens of jurisdictions at once.

Case 4 — MGM Resorts: Social Engineering, $100M+ Loss (2023)

Attackers called the IT helpdesk, impersonated an employee identified via LinkedIn, and requested an MFA reset. The entire MGM technology infrastructure — slot machines, hotel key cards, restaurant POS, reservations — was taken offline for 10+ days. No sophisticated technical exploit. A phone call defeated the entire security stack.

Case 5 — SolarWinds: Nation-State Supply Chain (2020)

Russian state actor APT29 compromised the SolarWinds Orion software build pipeline, pushing malware to 18,000 organisations including the US Treasury, DHS, and Microsoft. The attack went undetected for 9 months. The most sophisticated known supply chain attack in history — targeting the software development process itself.

3.2 Widget 2 : Board Cyber Governance Maturity Scorecard

3.3 Widget 3 : Threat Actor Intelligence Explorer

4 Conclusion