How should Trustees oversee Cyber Risk linked to GDPR?


Trustees should oversee cyber risk by focusing on data impact, incident readiness, and assurance, not on technical detail.

Why this matters

Many personal data breaches originate from cyber incidents, but the board's role is oversight, not managing firewalls.

What Trustees should ask

  • What personal data is most at risk?
  • How quickly would we detect a breach?
  • Who decides if it’s reportable?
  • What evidence would we provide?

Effective oversight includes

  • Cyber risk linked to data protection risk
  • Regular incident readiness reviews
  • Clear escalation paths

Evidence of strong oversight

  • Breach response plans tested
  • Board‑level reporting on incidents and trends