Who Owns Cyber Risk? | Webinar Highlights & Q&A
As part of Cyber Security Awareness Month, we hosted our first ITUS Protect webinar: Who Owns Cyber Risk? What Business Leaders Need to Know. The session brought together an expert panel featuring Dr Clare Ryan (Co-Founder & CEO, ITUS Protect), Alison McMurtrie (Founder & Principal, iDunn Consulting) and moderator Suzie McAneney (Founder, Lemonade).
Designed for business leaders, start-ups and SMEs, the webinar explored what it really means to own cyber risk — from legal and financial accountability to cultural awareness and the importance of proactive management.
Below we’ve captured some of the key questions and takeaways from the discussion.
Q1. If an organisation found themselves breached tomorrow, could the directors personally find themselves in the firing line?
Clare:
It really depends on how the incident occurred and the systems you have in place. Was it a sophisticated zero-day attack, or was it caused by an internal mistake? Directors have a duty to understand and manage these risks.
If a cyber incident impacts your customers, they may hold your organisation liable, so it’s essential that directors have the right insurance cover and are prepared to respond.
Take the example of Jaguar Land Rover — when they suffered an incident, smaller suppliers down the chain couldn’t pay wages due to cash-flow issues, leading to layoffs. Even though those suppliers weren’t at fault, they sought redress from JLR. As a director, part of your role is to manage those knock-on risks and report transparently to customers and regulators.
Q2. What’s the biggest barrier to effective cyber risk management at board level?
Alison:
Time and understanding. Many SME founders are juggling everything, and cybersecurity often feels like one more task on an already long list. But with the cost of entry now much lower, there’s no real excuse for not having the basics in place.
Education is critical. Business leaders often assume that cyber-attacks only happen to large organisations, yet smaller firms are targeted every day. Even something as simple as sending a document to the wrong person is a data breach — we need to start recognising those real-world risks.
Clare:
Fear and embarrassment also play a role. People don’t want to ask what they think might be a “silly question”. We have to get over that. There are no silly questions in cybersecurity — only missed opportunities to learn.
Q3. What advice would you give to organisations outsourcing platform development overseas?
Clare:
We’ve done this ourselves, and due diligence is everything. Understand who’s on the team, where they’re based, and what their track record looks like. Avoid regions with known issues around cyber or financial crime.
Speak to existing clients, review performance, and put robust contracts in place around intellectual property — always make sure you hold the “keys to the kingdom.” Have a third party check progress midway rather than waiting until the end.
If you don’t have the technical know-how, bring someone who does. Set out your security requirements clearly from the start — for example, ISO 27001 certification — and verify when and by whom it was issued. Outsourcing isn’t the problem; how you manage the associated risk is.
Watch the full webinar
This Q&A only scratches the surface.
Watch the full recording on our YouTube channel to hear the complete discussion and the bonus session with strategic advisor and angel investor Jenny Ervine, who explores cyber risk ownership from an investor and board perspective.
