Cyber risk is no longer a matter that boards can afford to delegate entirely to their IT departments. With the government's recent open letter to business leaders on AI cyber threats and the suite of cyber governance materials published by the National Cyber Security Centre (NCSC), the expectation that directors engage meaningfully with cyber risk has never been clearer. These materials effectively set a benchmark for what a reasonably diligent director should be aware of and act on. In this article, we consider how these developments interact with a director's statutory duty to exercise reasonable care, skill and diligence under section 174 of the Companies Act 2006 and highlight the steps boards should be taking now.
What is the duty under section 174 of the Companies Act 2006?
Section 174 of the Companies Act 2006 (CA 2006) imposes a duty on every director to exercise reasonable care, skill and diligence. The duty is assessed using a combined objective and subjective test. Directors are judged against the standard expected of a reasonably diligent person carrying out the same role, while also taking account of the knowledge, skill and experience that the individual director actually possesses. This means that a director with specialist expertise, for example in technology or risk management, may be held to a higher standard than one without it.
The scope of section 174 has been broadened over the years through case law and the expansion of regulatory and statutory controls, such as the director disqualification regime. As the courts have reinforced, directors cannot simply bury their heads in the sand when it comes to risks affecting the company. The duty extends to taking reasonable steps to inform oneself about matters relevant to the company's business and ensuring that adequate systems and controls are in place to identify, monitor and manage risk.
What has the government said about cyber governance?
On 15 April 2026, the government issued an open letter to business leaders on AI cyber threats. The letter urges board directors to treat cyber risk as a priority, to discuss and assess it regularly at board level, and to keep it as a standing item on the board agenda. It is a clear signal from government that cyber governance is a matter of leadership responsibility, not just an operational concern.
The letter also draws attention to the materials published by the NCSC (part of GCHQ). On 8 April 2025, the NCSC launched a comprehensive suite of resources designed to help boards understand and manage cyber risk. These include:
the Cyber Governance Code of Practice, which sets out actions and behaviours that boards should adopt to govern cyber security effectively;
Cyber Governance Training, aimed at equipping directors and senior leaders with the knowledge they need to oversee cyber risk; and
the Cyber Security Toolkit for Boards, which provides practical tools and templates to support board-level discussions and decision-making on cyber matters.
Whilst adoption of the NCSC's resources is voluntary, the open letter makes clear that all businesses are expected to be addressing cyber risk, and these materials provide a concrete framework for what good cyber governance looks like at board level.
How does this interact with a director's duties under section 174?
We consider the link between the government's cyber governance expectations and section 174 to be a significant one. The existence of the NCSC's materials, taken with the government's clear instruction to business leaders in its recent open letter to pay attention to cyber risk, effectively sets a benchmark for what a reasonably diligent director should now be aware of and acting on. If a board fails to engage with these materials, or to incorporate cyber risk into its governance framework, it will be hard to maintain that the directors have met the standard of care, skill and diligence required by section 174.
Consider a scenario in which a company suffers a significant cyber incident, whether a data breach, ransomware attack or disruption to critical systems, and it later emerges that the board had never discussed cyber risk, had no cyber governance framework in place and was unaware of the NCSC's guidance. In those circumstances, there would be a strong argument that the directors had failed to exercise the care, skill and diligence expected of a reasonably diligent person in their position. The existence of widely available, government-endorsed guidance that had simply not been followed would be particularly difficult to justify.
It is also worth noting that the subjective limb of the section 174 test may raise the bar further for directors who do have relevant knowledge or experience. A director who has a background in technology, information security or risk management and who nonetheless fails to raise cyber governance at board level may face even greater exposure.
What about a director's other statutory duties?
The other statutory duty that is especially relevant to the prevention of cyber incidents is a director's duty under section 172 of the CA 2006. Section 172 requires a director to act in a way they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole, taking into consideration a variety of stakeholders and factors, including the likely consequences of any decision in the long term and the desirability of the company maintaining a reputation for high standards of business conduct. A board's failure to implement adequate cyber security and governance controls could be deemed to be a breach of this section 172 duty.
What steps should boards be taking?
So, what should boards be doing? For a start, cyber risk should be added as a regular item on the board agenda, not treated as a one-off discussion or something to be addressed only in the wake of an incident. The government's letter is explicit on this point.
Directors should also familiarise themselves with the NCSC's Cyber Governance Code of Practice, the associated training materials and the Toolkit for Boards. These resources are freely available and are specifically designed to be accessible to non-technical audiences. Engaging with them is one of the most straightforward steps a board can take to demonstrate that it is meeting its duty of care.
Boards should also consider whether their existing governance structures and reporting lines are adequate to ensure that cyber risk is being identified, assessed and managed effectively. This may involve reviewing the terms of reference of relevant board committees, ensuring that there is appropriate expertise available to the board (whether from within the organisation or from external advisers), and putting in place processes for regular reporting on the company's cyber risk posture.
Finally, companies should review their incident response plans to ensure that they are up-to-date and that the board understands its role in the event of a significant cyber incident. The manner in which a board responds to an incident may itself be scrutinised against the section 174 standard.
Why does this matter now?
In short, this matters now because:
the risk of cyber incidents is higher than ever before, driven by the rapid development of AI and other technologies;
cyber security is high on the government's agenda, which is why it is asking businesses to address their governance as a matter of urgency; and
directors are increasingly likely to face claims for breach of duty if they do not take action to implement an appropriate cyber governance framework.
Technology is moving quickly in this space, which has significantly increased risks to business, as described in the government's open letter:
"For years, the most serious cyber attacks have relied on a small number of highly skilled criminals. That is now shifting. A new generation of AI models are becoming capable of doing the work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago."
Cyber security is high on the government's agenda. As announced in the King's Speech on 13 May, the Cyber Security and Resilience Bill, carried over from the previous parliamentary session, is intended to strengthen the UK's defences by updating existing legislation to protect essential services from cyberattacks.
While there has not yet been a landmark case in which a director has been found to have breached section 174 specifically in relation to cyber governance failures, the direction of travel is clear. The materials and guidance now exist, the government has put boards on notice, and the expectations of directors to be aware of and take appropriate action in relation to their company's cyber governance are higher than they have ever been.
Final word
Boards that get ahead of this by understanding the risks impacting their business and embedding cyber governance into their regular processes will be in a far stronger position, both in terms of defending any future claim for breach of duty and, more practically, protecting their businesses from cyberattacks.
If you have any queries about the topics covered in this article, please get in touch with a member of our Corporate or Data, privacy & cyber teams.
