The CFO’s Guide to Cybersecurity Risk


Why has cybersecurity risk moved from being a purely technology and information security concern into a substantive Chief Financial Officer responsibility? Which specific dimensions of cyber risk does the modern UK CFO need to engage with substantively rather than delegate entirely to the Chief Information Security Officer or IT leadership team? What does the UK regulatory framework — including UK GDPR and the Data Protection Act 2018, the Information Commissioner’s Office breach notification regime, the Network and Information Systems Regulations, the FCA’s operational resilience expectations, and the EU’s Digital Operational Resilience Act for UK firms with EU operations — actually require of CFOs in their financial leadership role? And how should boards and finance leaders think about cyber insurance, the financial provisions for cyber incidents, and the substantive integration of cyber risk into the firm’s financial risk management framework?

Cybersecurity has moved from a purely technology concern into one of the central financial risk categories that modern UK CFOs must engage with substantively. The shift has been driven by a combination of factors. The financial scale of cyber incidents has grown materially: major incidents now routinely produce direct costs in the tens of millions and indirect costs (business interruption, reputational damage, regulatory penalties, customer attrition) that frequently exceed the direct costs by significant multiples. The regulatory landscape has expanded substantially, with UK GDPR breach notification under Article 33, the Network and Information Systems Regulations, FCA operational resilience expectations under SYSC 15A, and for cross-border firms the EU’s DORA framework all imposing specific obligations that engage senior finance leadership. Cyber insurance has become both more important and more complex, with hardening markets, growing exclusions, and pre-condition requirements that affect financial risk transfer in material ways. And the integration of cyber considerations into M&A processes has become standard, with cyber due diligence now a routine workstream that CFOs lead alongside financial diligence.

The CFO’s specific role in cyber risk management is distinct from but adjacent to the CISO’s operational responsibility for security itself. CFOs do not run security operations centres, design network architectures, manage endpoint detection and response platforms, or conduct penetration testing — that work belongs properly to the CISO and the broader security function. What CFOs do — or should do — is engage substantively with the financial dimensions of cyber risk: the integration of cyber into the financial risk framework, the budget and investment decisions that fund cyber capability, the procurement and renewal of cyber insurance, the financial response when incidents occur, the reporting of cyber matters to the board and to investors, and the engagement with auditors on IT and cyber controls. The boundary between CFO and CISO responsibility is not always cleanly drawn, and effective firms typically have substantive working relationships between the two roles that bridge the financial and operational dimensions.

This article sets out why cybersecurity has become a substantive CFO concern, the financial dimensions of cyber risk that warrant CFO engagement, the UK regulatory framework affecting CFOs in cyber matters, the specific responsibilities the CFO role increasingly carries, the substantive working relationship between the CFO and the CISO, the cyber insurance market and what UK CFOs should understand about it, the cyber dimension of M&A processes, the common mistakes finance leaders make in cyber engagement, and the recruitment considerations for boards seeking CFOs with substantive cyber capability. It is written for current and aspiring CFOs of UK growth businesses, board members and audit committee chairs assessing the firm’s cyber governance, and senior finance leaders building portfolios that increasingly require cyber fluency.

It is written from the perspective of FD Capital’s team — a specialist senior finance recruitment firm placing CFOs, FDs, and senior finance leaders into UK growth businesses since 2018, with substantive engagement supporting recruitment of CFOs whose role specifications increasingly include cyber risk responsibility alongside traditional financial leadership.

Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss CFO recruitment for businesses with substantive cyber risk responsibilities.

FD Capital — CFO Recruitment for Businesses with Cyber Risk Responsibility
Fellow of the ICAEW | Placing CFOs and Finance Directors with substantive cyber risk capability into UK growth businesses, FCA-regulated firms, and businesses operating across UK and EU regulatory frameworks where cyber risk responsibility forms a significant element of the senior finance role

Our network includes senior CFOs with substantive prior engagement with cyber risk frameworks, cyber insurance procurement, incident financial response, and the substantive working relationship with CISO and security leadership. Adrian Lawrence FCA personally screens senior candidates. 4,600+ network. 160+ senior placements.


Why Cybersecurity Has Become a CFO Concern

The transition of cybersecurity from a purely technology concern into a substantive CFO responsibility has been driven by five specific developments over the period from approximately 2015 to 2026, with the trajectory continuing.

The financial scale of cyber incidents has grown materially. Major UK and international cyber incidents now routinely produce direct costs in the tens of millions of pounds — incident response, forensic investigation, system rebuilding, customer notification, regulatory engagement — and indirect costs (business interruption, reputational damage, customer attrition, future revenue impact) that frequently exceed the direct costs by significant multiples. The financial scale has reached the point where cyber risk must be treated within the firm’s financial risk framework rather than as a contained technology issue, and the integration is appropriately led by the CFO.

The regulatory landscape has expanded. UK GDPR and the Data Protection Act 2018 created the 72-hour breach notification window to the Information Commissioner’s Office, with material penalties for non-compliance. The Network and Information Systems Regulations 2018 introduced sector-specific cyber requirements for operators of essential services and digital service providers. The FCA’s operational resilience framework under SYSC 15A engages cyber substantively as one of the principal threats to important business services. For UK firms with EU operations, the EU’s Digital Operational Resilience Act adds further requirements engaging cyber directly through the ICT risk management pillar. The cumulative regulatory landscape requires senior finance leadership engagement that purely technology-led approaches cannot provide.

Cyber insurance has become more important and more complex. The cyber insurance market has hardened materially since 2020, with premium increases in the multiples, capacity reductions in many sectors, expanding exclusions (particularly for state-sponsored attacks), and increasingly demanding pre-conditions for cover (multi-factor authentication, endpoint detection and response, backup arrangements, security awareness training, incident response capability). Cyber insurance procurement and renewal has become a substantive CFO matter requiring annual engagement of meaningful sophistication, distinct from the broader insurance programme oversight that CFOs have traditionally conducted.

M&A cyber due diligence has become standard. Acquirer due diligence now routinely includes cyber assessment as a distinct workstream, with material cyber issues affecting deal pricing, structure, and sometimes deal viability. CFOs leading M&A workstreams must engage substantively with cyber diligence findings, the financial implications, and the ongoing integration considerations.

Investor and board expectations have evolved. Sophisticated investors now expect substantive board-level cyber governance, with regular reporting on cyber risk, cyber investment, cyber incidents, and cyber maturity. The audit committee chair frequently engages with cyber as part of the broader operational risk oversight, and the CFO is typically the senior finance leader supporting that engagement.


The Financial Dimensions of Cyber Risk

Effective CFO engagement with cyber risk depends on understanding the specific financial dimensions where senior finance leadership genuinely adds value, distinct from the operational security dimensions appropriately led by the CISO.

Direct cost exposure. The direct financial cost of a cyber incident includes incident response costs (typically including external forensic specialists, legal advisors, communications support, and specialist negotiators where ransom demands are involved), system rebuilding and data restoration costs, customer and regulator notification costs, additional security investment in the immediate post-incident period, and the costs of meeting any specific regulatory remediation requirements. For major incidents, direct costs typically run in the millions to tens of millions of pounds before indirect costs are considered.

Indirect cost exposure. Indirect costs include business interruption losses, customer attrition, reputational damage affecting future revenues, regulatory penalties, civil litigation exposure (particularly under UK GDPR Article 82, which provides for compensation claims by data subjects), and the longer-term effect on the firm’s competitive position. Indirect costs are harder to quantify than direct costs but typically dwarf them in major incidents.

Insurance recovery and gaps. The mismatch between the firm’s actual cyber loss profile and the cyber insurance recovery is one of the central financial questions in cyber risk. Cyber insurance has typically not paid out in full on major incidents, with sub-limits, deductibles, exclusions, and policy interpretation disputes routinely producing recoveries materially below gross losses. Strong CFOs understand the firm’s specific cover, the realistic recovery expectation in different incident scenarios, and the residual financial exposure the firm carries.

Investment decisions. Cyber capability investment is typically substantial — in larger firms, the cyber budget reaches several percent of total IT spend, with the trajectory continuing to grow. The CFO’s engagement with these investment decisions includes substantive challenge to proposed investment, comparison against benchmarks, prioritisation across competing security needs, and the broader question of whether cyber investment is delivering the protection the firm requires. The work parallels other capital allocation decisions but engages with technical content that requires substantive CISO partnership.

Capital and liquidity reserves for cyber events. Major cyber incidents produce immediate cash demands that the firm must be able to meet. CFOs increasingly engage with the question of whether the firm’s cash and liquidity arrangements support the financial response to a major cyber event, including the working capital impact of a multi-week or multi-month operational disruption.

Disclosure and reporting. Cyber incidents typically engage disclosure obligations to regulators, customers, investors, and other stakeholders. The financial reporting dimensions — particularly accounting for incident costs, recognition of contingent liabilities, disclosure in financial reports — are CFO responsibilities that require substantive engagement during and after incidents.


The UK Regulatory Framework Affecting CFOs

UK GDPR and the Data Protection Act 2018

UK GDPR, as the assimilated successor to EU GDPR following Brexit, remains the foundational UK data protection framework alongside the Data Protection Act 2018. The financial implications for CFOs include: the breach notification obligations under UK GDPR Article 33, which require notification to the Information Commissioner’s Office within 72 hours of a personal data breach unless the breach is unlikely to result in risk to individuals’ rights; the data subject notification obligations under Article 34 where the breach is likely to result in high risk; the substantial penalty regime, with maximum penalties of the greater of £17.5 million or 4% of global annual turnover for the most serious infringements; and the civil liability regime under Article 82, which has produced material litigation activity in UK courts.

The Network and Information Systems Regulations

The Network and Information Systems Regulations 2018 (NIS Regulations) implement the EU NIS Directive in UK law and apply to operators of essential services (in sectors including energy, transport, banking, financial market infrastructures, healthcare, drinking water, and digital infrastructure) and to digital service providers (cloud computing services, online marketplaces, and online search engines). The Regulations impose specific cyber security and incident notification requirements with material penalties for non-compliance. The UK government has consulted on updating the framework — equivalent in some respects to the EU’s NIS2 Directive but distinct in detail — and CFOs in affected sectors should track developments. The National Cyber Security Centre publishes substantial guidance on the framework.

FCA Operational Resilience Framework

For FCA and PRA-regulated firms, the operational resilience framework under SYSC 15A and the PRA’s Supervisory Statement SS1/21 engages cyber substantively as one of the principal threats to important business services. The framework requires firms to identify important business services, set impact tolerances for disruption to those services, map the resources (including the technology and cyber dimensions) supporting those services, and test resilience under severe but plausible scenarios that typically include cyber attacks. The CFO’s engagement supports the broader board-level oversight of the framework. Read more in our Operational Resilience Complete UK Guide.

EU DORA for UK Firms with EU Operations

The EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554), which entered into application on 17 January 2025, applies to UK firms with EU operations through several routes — EU subsidiaries or branches, service provision to EU financial entities, and potential designation as Critical ICT Third-Party Service Providers. DORA’s five operational pillars include extensive cyber-relevant provisions across ICT risk management, ICT-related incident management and reporting (with compressed reporting timelines), digital operational resilience testing including Threat-Led Penetration Testing, third-party risk management, and information sharing arrangements. UK CFOs at cross-border firms typically engage with DORA compliance alongside UK operational resilience framework compliance. Read more in our DORA Complete UK Guide.

The National Cyber Security Centre and the Cyber Assessment Framework

The National Cyber Security Centre (NCSC) is the UK government’s authoritative source on cyber security and provides substantial guidance for UK organisations. The NCSC’s Cyber Assessment Framework (CAF) is the principal UK government framework for assessing cyber resilience, particularly for organisations within the NIS Regulations scope and for broader public sector and critical national infrastructure organisations. Cyber Essentials and Cyber Essentials Plus, also maintained by the NCSC, provide accessible certification frameworks that many UK businesses adopt as baseline cyber maturity demonstration.

Sector-Specific Frameworks

Specific sectors have additional cyber-relevant frameworks. Healthcare engages the NHS Data Security and Protection Toolkit. Telecommunications engages the Telecommunications (Security) Act 2021 and supporting regulations. Financial services engages the FCA expectations alongside the broader operational resilience framework. Energy engages sector-specific resilience requirements. CFOs in regulated sectors should understand the specific frameworks affecting their business.


CFO-Specific Responsibilities in Cyber Risk

The substantive responsibilities CFOs increasingly carry in cyber risk fall across six principal areas.

Integration of cyber into the financial risk framework. The firm’s enterprise risk management framework should integrate cyber as one of the principal financial risk categories, with appropriate measurement, reporting, and oversight. The CFO typically owns the broader risk framework with cyber as one substantial component, working with the CISO on the cyber-specific content while maintaining the broader integration with operational risk, financial risk, and strategic risk dimensions.

Cyber budget and investment decisions. The CFO engages with cyber capability investment as a substantive capital allocation decision. Specific work includes: review of proposed cyber investment against the firm’s overall capital allocation framework; benchmarking against comparable firms (typically using industry surveys and frameworks like NIST or NCSC CAF as reference points); challenge to proposed investment that does not produce demonstrable risk reduction; engagement with the broader trade-offs between cyber investment and other security or business priorities; and ongoing review of cyber investment effectiveness against expected outcomes.

Cyber insurance procurement and renewal. Cyber insurance is typically a CFO-owned matter, working with the firm’s broker and the CISO on the technical inputs. Specific work includes: annual review of the cover scope, sub-limits, deductibles, and exclusions; assessment of the underwriter’s pre-condition requirements and the firm’s compliance with them; benchmarking premium and cover against the market; consideration of stand-alone cyber cover versus integrated insurance arrangements; and engagement with the broader insurance programme to ensure appropriate integration. Detail on cyber insurance specifically follows in a later section.

Incident financial response. When cyber incidents occur, the CFO typically leads the financial response. Specific work includes: management of incident response costs as they accumulate; engagement with insurers on coverage assessment and claims notification; financial reporting decisions on incident costs and contingent liabilities; cash management to support the response without straining liquidity; and the longer-term financial reporting and disclosure of the incident.

Board reporting on cyber. The CFO typically owns or co-owns (with the CISO) the cyber reporting that goes to the board, with the audit committee chair frequently the senior NED most engaged. Effective board reporting addresses cyber risk position, control effectiveness, residual risk, investment decisions, incident activity, regulatory engagement, and forward-looking risk considerations. Reporting that consists of operational metrics without strategic and financial framing typically does not give the board what it needs for effective oversight.

Auditor engagement on IT and cyber controls. External auditors increasingly engage with cyber-relevant controls during financial statement audits, particularly controls supporting financial reporting integrity, controls over information that affects accounting estimates, and broader IT general controls. The CFO and audit committee chair typically engage with the auditor on these matters, supported by the CISO and IT leadership.


The CFO-CISO Working Relationship

The substantive working relationship between the CFO and the CISO is one of the most important dimensions of effective cyber governance. The boundary between the two roles is not always cleanly drawn, but the principles that underlie effective collaboration are consistent.

The CISO owns the operational dimension of cyber security: the security operations centre, the technical architecture, the incident response capability, the security awareness programme, the technical assessment and testing, and the day-to-day security management. The CFO owns the financial and governance dimension: the budget framework, the integration into financial risk management, the cyber insurance, the financial response to incidents, and the board reporting framework. Effective firms typically have substantive collaboration between the two roles, with the CFO providing financial framework and challenge while relying on the CISO’s technical judgement on operational security questions.

The reporting relationship of the CISO varies across firms. In some firms, the CISO reports to the CIO with dotted-line engagement to the CFO and risk leadership. In other firms, the CISO reports to the Chief Risk Officer or directly to the CEO, with CFO partnership rather than a reporting hierarchy. In FCA-regulated firms with a substantial cyber risk profile, the CISO frequently has direct board engagement (often through the audit committee or risk committee) alongside the executive reporting line. The specific structure matters less than ensuring the CFO has substantive visibility and influence on cyber matters regardless of the hierarchical arrangements.

Smaller growth businesses sometimes lack a dedicated CISO, with cyber responsibility distributed across the IT leadership, the CFO, and external advisors. The arrangement can work for less complex businesses but typically requires deliberate structuring rather than implicit assumption that responsibility is being properly discharged. CFOs in these contexts should ensure that cyber accountability is clearly allocated and that the firm has access to substantive cyber expertise either internally or through advisors.


Cyber Insurance — What UK CFOs Should Understand

Cyber insurance has become both more important and more complex over the period from 2020 to 2026. CFOs procuring or renewing cover should understand the principal dynamics shaping the market.

Coverage scope. Standard cyber policies typically cover incident response costs (including external forensics, legal counsel, communications support, customer notification), business interruption losses arising from cyber events, data restoration costs, third-party liability arising from data breaches, regulatory defence costs (sometimes also covering regulatory penalties where insurable), and ransom and extortion costs (subject to specific conditions). Policy structures vary materially across insurers, and detailed comparison of competing policies during procurement is genuinely substantive work.

Sub-limits and deductibles. Cyber policies typically include sub-limits on specific cover categories (often substantially below the headline policy limit) and deductibles that affect the loss range over which the policy responds. The interaction between sub-limits, deductibles, and the firm’s actual loss profile determines the realistic recovery expectation, and is materially more important than the headline policy limit.

Pre-condition requirements. Cyber underwriters increasingly require specific cyber security measures as conditions of cover. Common requirements include multi-factor authentication on remote access and privileged accounts, endpoint detection and response (EDR) deployment, robust backup arrangements with offline or immutable backups, security awareness training for staff, incident response planning and testing, vulnerability management programmes, and limitations on certain risky technologies. The firm’s compliance with these conditions is verified during underwriting and on claim. CFOs should ensure the firm meets the conditions throughout the policy period, not just at inception.

Exclusions. Cyber policy exclusions have expanded over recent years, with state-sponsored attack exclusions becoming particularly significant following major incidents attributed to state actors. Other common exclusions include certain categories of fraud, wartime acts, infrastructure failure not attributable to cyber attack, and prior known issues. Detailed understanding of policy exclusions is essential for realistic loss exposure assessment.

Premium and capacity dynamics. The cyber insurance market hardened materially from 2020 through 2022, with premium increases of multiples, capacity reductions, and tighter underwriting. The market has stabilised somewhat through 2024-2025, but premium and capacity remain materially less favourable than the pre-2020 position. CFOs should expect cyber insurance to be a substantive ongoing cost requiring annual engagement rather than a routine administrative renewal.

Standalone versus integrated cover. The decision between standalone cyber policies and integrated policies (where cyber sits within a broader management liability or property programme) has financial and operational implications that CFOs should engage with substantively. Standalone cover typically provides clearer scope and dedicated underwriter expertise; integrated cover may offer cost efficiencies but with potential coverage gaps at the boundaries.

Claims handling experience. The insurer’s claims handling capability is materially important and varies across underwriters. Specialised cyber insurers with dedicated claims teams and pre-vetted incident response panels typically deliver better claim outcomes than generalist insurers handling cyber claims through their broader claims function.


Cyber in M&A Context

Cyber due diligence has become a standard workstream in UK M&A processes, with material cyber issues affecting deal pricing, structure, and sometimes deal viability. The CFO’s engagement with cyber diligence, alongside the broader financial diligence the audit committee oversees, has become a substantive part of M&A leadership.

Buy-side cyber due diligence typically includes: assessment of the target’s cyber risk profile and historical incident experience; review of the target’s cyber security governance, technical controls, and operational practices; assessment of the cyber dimension of the target’s third-party arrangements; review of the target’s cyber insurance arrangements and historical claims experience; and identification of cyber-relevant warranty representations the buyer should require in the deal documentation. Material cyber findings during diligence can produce price adjustments, specific indemnity arrangements, conditions precedent requiring remediation before completion, or in extreme cases withdrawal from the transaction.

Sell-side cyber preparation increasingly forms part of vendor due diligence and broader exit preparation. Sellers preparing for sale typically commission cyber assessments to identify and remediate material issues before they emerge in buyer diligence, with the broader objective of avoiding price reduction or transaction friction. Read more on M&A processes in our Financial Due Diligence Guide and Vendor Due Diligence Guide.

Post-completion cyber integration is typically a substantive workstream alongside the broader business integration. The integration challenges include reconciling different cyber security policies and standards, integrating identity management across the merged entity, addressing the cyber risk created by the integration period itself (which is typically a period of elevated vulnerability), and the longer-term harmonisation of the combined cyber programme.


Common Mistakes in CFO Cyber Engagement

Mistake one: Delegating cyber entirely to the CISO and IT leadership. Some CFOs treat cyber as a contained technology issue and delegate engagement entirely to the technical leadership. The pattern typically produces gaps in financial framework integration, weaker insurance procurement, less effective board reporting, and inadequate financial response capability when incidents occur. Effective CFOs maintain substantive engagement with cyber risk while respecting the CISO’s operational ownership.

Mistake two: Treating cyber insurance as a routine administrative renewal. Some firms approach cyber insurance renewal each year as an administrative process, accepting whatever cover the broker presents without substantive engagement with the policy structure, sub-limits, exclusions, and pre-condition requirements. Given the materiality of cyber insurance to the firm’s financial loss exposure, the renewal warrants substantive CFO engagement annually.

Mistake three: Inadequate financial provisions for cyber events. Some firms have inadequate cash and liquidity buffers to support the financial response to a major cyber event. Strong CFOs explicitly assess the financial response capacity required for plausible cyber incident scenarios and ensure the firm’s arrangements support that capacity.

Mistake four: Operational metrics in board reporting without strategic framing. Cyber board reports that consist of operational metrics (vulnerabilities patched, training completed, incidents detected) without strategic framing fail to give the board what it needs for effective oversight. Effective reporting addresses risk position, control effectiveness, residual risk, investment decisions, and forward-looking considerations alongside the operational metrics.

Mistake five: Cyber considerations missing from M&A processes. Some firms continue to run M&A processes without substantive cyber due diligence, particularly in mid-market and smaller transactions. The omission can produce material post-completion surprise as cyber issues at the acquired entity emerge. Cyber diligence should be standard, calibrated to the specific transaction.

Mistake six: Underinvestment in cyber response capability. Some firms invest substantially in cyber prevention without commensurate investment in detection and response capability. The pattern typically produces substantial direct costs when incidents inevitably occur because the response capability is inadequate. Strong cyber programmes balance prevention, detection, and response across the broader cyber lifecycle.

Mistake seven: Inadequate engagement with third-party cyber risk. The cyber risk arising from third-party relationships — cloud providers, SaaS vendors, technology operations partners, payment networks — is now a material element of total cyber risk for most firms. Inadequate engagement with third-party cyber risk produces exposures that internal cyber programmes cannot address. Read more on third-party risk in our Third-Party Risk Management Guide.


How FD Capital Recruits CFOs with Cyber Capability

FD Capital has placed senior finance leaders into UK growth businesses since 2018, including substantive engagement with CFO recruitment for businesses where cyber risk responsibility forms a significant element of the role specification. Our network includes senior CFOs with substantive prior engagement with cyber risk frameworks, cyber insurance procurement and renewal, incident financial response, and the substantive working relationship with CISO and security leadership.

Adrian Lawrence FCA personally screens senior CFO candidates given the technical complexity of the cyber risk dimension and the importance of getting senior finance hires right at firms with a material cyber risk profile. Initial introduction to specific named candidates within 48 hours where the requirement is urgent. Full shortlist within five to ten working days. Appointment typically completing within 35 to 56 days for senior permanent CFO roles.

Initial consultation is confidential and at no charge. Call 020 3287 9501 for an immediate CFO requirement, or email recruitment@fdcapital.co.uk.



About the Author

Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.

FD Capital has been placing senior finance leaders into UK growth businesses since 2018 — including substantive engagement with CFO recruitment for businesses where cyber risk responsibility forms a significant element of the senior finance role. Our network includes senior CFOs with substantive prior engagement with cyber risk frameworks, cyber insurance procurement, incident financial response, M&A cyber due diligence, and the substantive working relationship with CISO and security leadership across UK and EU regulatory frameworks. Adrian personally screens senior CFO candidates given the technical complexity of the cyber risk dimension and the importance of getting senior finance hires right at firms with a material cyber risk profile. FD Capital Recruitment Ltd (Companies House 13329383) is associated with Adrian’s ICAEW registered Practice.

Speak to FD Capital about CFO recruitment with cyber capability: Call 020 3287 9501 or email recruitment@fdcapital.co.uk.