Because a serious cyber incident is not a technical failure that happens to a business. It is a governance event that lands on the board.

The distinction matters because it changes who needs to be ready, and what “ready” means. When the M&S attack unfolded in spring 2025, the technical response — isolating systems, containing the breach, bringing in incident responders — was handled, as it should be, by the teams whose job it is to handle it. What the board faced was something different: a business operating under abnormal conditions, stripped of its normal instruments, requiring decisions that no system could make for it.

The cost was not primarily technical. Analysts estimated roughly £300 million of forecast lost operating profit and more than a billion pounds off market value. Those numbers are not the cost of a security failure. They are the cost of a business running in degraded mode while decisions were made — or not made — under pressure.

What “manual control” actually means

Aviation has a term for the condition a board enters in a serious cyber incident: direct law. In normal flight, the aircraft’s computers mediate between the pilot’s inputs and the control surfaces — smoothing, correcting, preventing certain errors. When a system fails severely enough, the aircraft reverts to direct law: the computers step aside, and the pilot flies with nothing between hand and wing.

It is not an emergency in itself. A well-trained crew, flying a well-prepared aircraft, can fly on direct law. The question is whether they have been trained for it, whether the aircraft was built for it, and whether they know, in the moment, exactly what they are doing.

A cyber incident puts a board in direct law. The automated systems that normally mediate the management of the business — logistics, billing, communications, reporting — become unreliable or unavailable. The board must make decisions on incomplete information, without the normal instruments, and with the clock running.

The question is not whether your board could survive a serious incident. It is whether your board has been built and trained to fly the business when the autopilot is off.

The governance gap

Most boards receive cyber risk as a technical subject. They are given dashboards of security metrics that measure the health of systems, not the health of governance. They are updated on patch rates and penetration test results. They are reassured that the CISO is “on top of it.”

None of that is governance. Governance is the capacity to make sound decisions under abnormal conditions — to know what to protect when you cannot protect everything, to understand where operational authority ends and the board’s begins, and to have the standing structures in place that make collective action possible when speed matters.

The UK Cyber Governance Code of Practice, published by DSIT and NCSC in April 2025, makes this explicit for the first time. Cyber resilience is now a board-level accountability, not a delegation to a technical function. A board that cannot govern its own cyber risk — that cannot answer the three questions every incident will force — is not meeting its obligations under the Code, or under the general duty of stewardship it holds.

What the M&S incident revealed

The M&S disruption was not primarily a story about technical security. It was a story about what a business looks like when its core operating systems are unavailable for an extended period: customers unable to place orders online; staff unable to process transactions; management unable to rely on the reporting that normally tells them how the business is performing.

Whether the board was ready to govern in those conditions — whether it had the named lead, the standing forum, the pre-agreed decision authorities, the rehearsed response — is not public information. What is public is the commercial consequence of operating in degraded mode for weeks rather than days.

The same campaign hit the Co-op in the same period. These are not outliers. Two-thirds of medium UK businesses experienced a breach or attack in the year covered by the UK Cyber Security Breaches Survey 2025. The incidents vary in severity; the governance failure that makes them worse is consistent.

The right question

Boards that have taken the Cyber Governance Code seriously tend to start with compliance: what do we need to do to demonstrate alignment with the five principles? That is a reasonable starting point, but it is not the destination.

The destination is a board that can answer three questions with confidence — not because they have been briefed on the answers, but because the governance architecture to produce those answers exists and has been tested:

What does the business protect when it cannot protect everything?
Where does operational authority end and the board’s begin in a crisis?
Do we monitor resilience through signals we actually understand?

If the answer to any of those is uncertain, the gap is governance. Not technology. The technology teams are not the problem; the problem is the absence of the structures that let a board govern effectively when the technology fails.

That is the question the rest of these briefings will address.