| Risk Area | What many boards think | What actually happens | Why it matters | What you should do |
|---|---|---|---|---|
| Resilience – Tested Plans | Having an incident plan means you are ready | Only two-thirds of boards have ever tested theirs; regulators want proof that the plan works | Untested controls risk penalties, lawsuits and loss of insurance cover. Rehearsing controls now is far cheaper than failing under inspection. | Book a Cyber Crisis Workshop to stress-test the plan and document the results |
| Regulation – Controls & Governance | Meeting disclosure rules is enough | Regulators are fining firms that cannot prove their controls work | | Arrange a Multi-Jurisdiction Regulatory Coverage Review to check that controls and insurance cover align with the latest rules |
| Fraud & Social Engineering | Only the CFO and finance teams are targets | Attacks now hit HR, payroll and tax teams too | Deepfakes and synthetic identities are bypassing traditional controls. Payroll, HR and finance teams are being targeted, not just CFOs. | Update social-engineering controls and train non-finance teams |