Board Guide to Cyber Governance
Directors face increasing personal liability for cyber governance failures. This guide translates technical security concepts into the governance language that boards understand, and explains why physical controls matter for director-level accountability.
Why This Is Now a Board Issue
The UK Corporate Governance Code, the Companies Act 2006, and upcoming legislation including the Cyber Security and Resilience Bill are making cyber governance an explicit board responsibility. Directors who cannot demonstrate they understood and governed cyber risk face personal liability.
This is not about understanding firewalls or endpoint detection. It is about three questions every director must be able to answer:
- What are our most critical digital assets, and how are they protected?
- If we suffered a major cyber incident tomorrow, can we recover?
- What evidence exists that we have exercised appropriate governance?
The Governance Gap
Most boards receive quarterly security reports that focus on prevention: how many threats were blocked, how many vulnerabilities were patched, how many employees completed awareness training. Prevention metrics are important, but they answer the wrong question.
The question boards should be asking is not "how well are we preventing attacks?" but "what happens when prevention fails?", because prevention will fail. The NCSC, the ICO, and every credible security authority acknowledge this. The measure of an organisation's cyber maturity is not whether it can prevent every attack, but whether it can recover from one.
What "Appropriate Measures" Means for Directors
UK GDPR Article 32 requires "appropriate technical and organisational measures" for data protection. The standard is proportionality: measures should be appropriate to the risk. For an organisation's most critical assets, physical controls represent the highest standard of appropriateness.
Physical controls are:
- Demonstrable. Unlike software configurations that require technical expertise to verify, physical disconnection is self-evident.
- Tamper-evident. Physical access logs provide audit trails that software logs cannot match for integrity.
- Comprehensible. Directors can understand and explain physical controls to regulators, insurers, and shareholders without technical translation.
The Five Things Every Board Should Govern
1. The Crown Jewels Register
A documented list of the organisation's most critical digital assets, with clear ownership and protection standards for each. The board should review this annually.
2. Recovery Capability
Evidence that the organisation can recover from a major cyber incident without depending on systems that might themselves be compromised. This includes offline storage of recovery credentials and procedures.
3. Incident Response Readiness
A practised incident response capability, tested at least annually, with documented results reported to the board. Tabletop exercises should include scenarios where primary systems are unavailable.
4. Regulatory Compliance Posture
Demonstrable compliance with applicable regulations, with evidence that goes beyond checkbox compliance to reflect genuine governance commitment.
5. Insurance Alignment
Confirmation that cyber insurance coverage aligns with actual risk exposure, and that policy conditions (including security requirements) are being met.
How OSS Supports Board Governance
Offline secure storage (OSS) directly addresses the governance requirements that boards face:
- Evidence of appropriate measures: Physical controls for the organisation's most critical assets demonstrate proportionate protection.
- Recovery assurance: Physically disconnected recovery credentials provide the certainty that recovery is possible regardless of attack sophistication.
- Audit trail integrity: Tamper-evident access logs provide the governance evidence that regulators and insurers expect.
- Director accountability: Documented physical controls demonstrate that directors exercised reasonable care in governing cyber risk.
Questions Directors Should Ask
- Where are our recovery credentials stored? Could they be encrypted by the same attack we are trying to recover from?
- Have we identified our crown jewels? Are they protected with measures proportionate to their value?
- When did we last test our ability to recover from a major incident? What were the results?
- What physical controls exist for our most critical data? Can we demonstrate these to a regulator?
- Does our cyber insurance policy specifically require or reward physical security controls?
Conclusion
Cyber governance is no longer optional for directors. Physical controls through offline secure storage provide the demonstrable, comprehensible, and auditable governance that directors need to fulfil their responsibilities and protect both the organisation and themselves.