December 15, 2025

We Have Been Hacked: Now What? Lessons for the Boardroom


The almost daily prevalence of cyber-attacks has brought the issue of cybersecurity as a core governance responsibility to the front of mind of company boards. In 2024 alone, over 15 million cyberattacks were recorded worldwide (one-third of these in Asia). How do boards prepare for cyber-attacks and how can they embed cybersecurity oversight into their governance structures?

Now more than ever, boards should treat cybersecurity oversight as a fundamental element of their governance duties, recognizing it as a critical business risk rather than simply a technical or operational issue. To ensure cybersecurity receives high-level attention, it should be fully integrated into the organization's existing risk management and governance frameworks. This process starts with the clear allocation of oversight responsibilities, either to the full board or to a specialized committee such as audit, risk, or technology, so that accountability is well defined. However, cybersecurity governance assumes that data governance and management have been addressed already and that a full technology audit has been carried out. 

But once this is done, should boards assume the company is cyber-ready? The work does not stop at this point as boards need to ensure that management regularly assesses, monitors, and reports on cyber risks alongside other principal risks, and understands the company's most critical assets, the potential business impact of cyber incidents, and the effectiveness of the controls they have put in place. 

Boards should also ensure that cyber risk assessments comprehensively address third-party and supply chain exposures by monitoring the cybersecurity practices of all third-party service providers.

Knowledge and Expertise

Given the complexity and evolving nature of cyber threats, boards should assess whether they possess sufficient collective knowledge to provide effective oversight. This may involve recruiting independent non-executive directors with direct experience in cybersecurity, information technology, or risk management. Where such expertise is not available at board level, regular training sessions carried out by external experts may be needed to stay abreast of emerging threats, regulatory developments, and best practices. Some organisations also appoint a "cybersecurity champion" at the board level or engage external advisors to provide independent perspectives on cybersecurity.

There are also regulatory risks, as more and more jurisdictions enact cyber regulation. Depending on the industry the company is operating in, these new regulatory obligations relating to cybersecurity may need to be considered. For example, in Hong Kong, once a company is designated as a Critical Infrastructure Operator ("CIO") and thus becomes subject to the requirements under the Protection of Critical Infrastructures (Computer Systems) Ordinance (the "Cyber Ordinance")—which will come into force on 1 January 2026—the board needs to ensure that the company establishes and maintains a dedicated computer-system security management unit (either by itself or outsourced to a third-party service provider), which should be tasked with overseeing the security of critical computer systems ("CCS"), and ensuring compliance with relevant requirements under the Cyber Ordinance. The board should also ensure that the computer-system security management unit is led by an individual with adequate professional knowledge in cybersecurity. The unit's structure, roles, and reporting lines should be clearly defined and documented, with direct accountability to senior management and regular reporting to the board or its designated committee. The board should receive regular updates from the unit on the organisation's cybersecurity posture, emerging threats, and the effectiveness of controls, enabling directors to make informed decisions and provide strategic direction. 

Incident Response Plan

The first step in cyber-preparedness is to put in place an incident response plan and structure a response team that can work effectively through an incident response. Boards should require management to conduct periodic drills or tabletop exercises to test the company's cyber-readiness and clarify roles and responsibilities in the event of a cyber incident. Under new cybersecurity regulatory regimes, such as in Hong Kong, organisations that are designated as CIOs may be required to participate in a computer-system security drill conducted by regulatory authorities, in order to test the state of readiness of CIOs in responding to computer-system security incidents. CIOs may also be required to submit and implement an emergency response plan detailing the protocol for the response to computer-system security incidents. 

Notification to the regulator may also be required in the event of a computer-system security incident, as soon as practicable and in any event within the specified timeframe. For example, in Hong Kong, the reporting timeframe for a more serious computer-system security incident is 12 hours after the CIO becomes aware of the incident. In mainland China, the Cybersecurity Law requires organisations to report cybersecurity incidents "immediately", while the Cybersecurity Incident Reporting Management Measures—which will take effect on 1 November 2025—require Critical Information Infrastructure Operators ("CIIOs") to report "relatively serious" cybersecurity incidents within 1 hour of the CIIO becoming aware of the incident. In short, the timing for such notifications may vary from jurisdiction to jurisdiction and may also depend on the severity of the incident.

Staff Training and Culture

Boards play a critical role in setting the tone at the top and fostering a culture of cybersecurity readiness throughout the company. This involves supporting ongoing employee training and awareness programs, and ensuring that cybersecurity considerations are embedded in business decision-making at all levels.

In Hong Kong, the Cyber Ordinance essentially elevates many cybersecurity measures that were previously regarded as "best practice" into mandatory obligations for designated CIOs.

Once a company is designated as a CIO, it has to maintain an office in Hong Kong, establish and maintain a dedicated computer-system security management unit, and appoint a qualified individual to oversee it. A CIO must also ensure the timely preparation and submission of a comprehensive computer-system security management plan, conduct annual cybersecurity risk assessments, arrange for computer-system security audits every two years and/or as requested by the regulator, and develop and file detailed emergency response plans. The Cyber Ordinance also imposes strict incident notification requirements, mandating computer-system security incidents be reported to the regulatory authorities within a prescribed period.

Failure to comply with the statutory duties set out in the Cyber Ordinance exposes CIOs to criminal liability and substantial financial penalties, with the maximum fine for certain offences reaching HK$5 million. While the Cyber Ordinance does not impose direct personal liability on directors and officers, the scale of potential penalties, the risk of operational disruption, and the reputational consequences of enforcement actions substantially elevate the board's obligations in relation to cybersecurity oversight. Boards are now expected to provide proactive and informed oversight by establishing robust governance frameworks, and ensuring that security management plans, risk assessments, and audit findings are rigorously and continuously reviewed.

Aside from the regulatory obligations, boards should also re-assess their posture regarding third-party vendors. Neglecting third-party and supply chain risks is a significant governance blind spot that can leave organisations vulnerable to cyber threats originating outside their direct control. Many organisations rely on a complex network of vendors and service providers to deliver essential services and maintain operational efficiency. These external relationships can introduce hidden vulnerabilities, as attackers increasingly target less secure third parties as entry points to compromise core systems. Boards may overlook the need for rigorous technology audits, due diligence, ongoing monitoring, and contractual safeguards to ensure that third-party service providers adhere to robust cybersecurity standards. Vendor risks can be proactively managed by conducting regular assessments of vendor security practices, establishing clear incident reporting protocols, setting expectations through robust contractual provisions, and integrating third-party risks into the organisation's overall risk management framework. Tabletop exercises that involve third-party suppliers can be a good way to test responses in the event of a third-party breach. 

Another common blind spot is the board's tendency to assume that implementing technical controls alone equates to genuine resilience, while overlooking the importance of governance processes that transform these controls into ongoing and sustainable organisational practice. Boards may also fail to integrate cyber risk into an organisation-wide risk management framework. When cyber risks are treated as isolated technical or IT issues, boards may fail to appreciate how vulnerabilities in digital infrastructure can escalate to become operational, financial, legal, and reputational harm. When cyber risks are not articulated in financial and operational terms, boards struggle to assess their significance effectively, which leaves critical gaps in governance. This can be addressed by implementing integrated risk reports which link cyber risks and vulnerabilities to the organisation's business, financial, and compliance priorities.

But how can boards ensure that crisis planning and backup services meet both legal and fiduciary expectations?

Boards should require that crisis response and backup systems are well-documented and independently tested on a regular basis. This means going beyond internal reviews or checklists to include security audits and realistic simulations such as tabletop exercises and live security drills. These tests should evaluate the organisation's ability to detect, respond to, and recover from a range of cyber incidents, as well as the effectiveness and resilience of backup and recovery services under stress. These exercises allow companies to understand whether their crisis plans are practical, up-to-date, and capable of withstanding real-world threats. The results of these exercises should be reported directly to the board, with clear recommendations and action plans for addressing any identified weaknesses or gaps. 

The takeaway for boards is that crisis management and backup plans should be structured to effectively minimise operational disruption, financial loss, and reputational damage in the event of a cyber incident. This means regular reviews of the adequacy of cyber-insurance coverage to confirm it aligns with the organisation's risk profile, as well as establishing robust contractual terms (including contractual indemnities and service-level obligations) with third-party service providers. Additionally, comprehensive communication protocols must be established to guide timely and transparent engagement with both internal teams and external stakeholders during a crisis. The time to act is now!
