Cyber-simulations: A strategic necessity for today’s boards

July 2, 2025

Sam Lascelles, digital trust and cybersecurity expert at PA Consulting, discusses cyber-simulations, the Cyber Security and Resilience Bill and the industry's shift from reluctant compliance to obligatory priority.

Shifting expectations

As the UK prepares to enact its new Cyber Security and Resilience Bill – and as recent high-profile attacks show – it’s not enough for boards to merely aim for cybersecurity compliance. They must take the lead on resilience.

This legislation signals a shift in expectations: Cyber-risk management is no longer a technical function buried in IT departments, but a strategic boardroom priority.

One of the most effective ways for boards to demonstrate leadership is by embedding cyber-simulations into their regular governance and risk oversight activities.

Cyber-simulations

As the cyber-threat grows in scale and complexity, cyber-simulations offer a vital opportunity to practice responses under realistic conditions, before a real crisis strikes.

When done well, they are far more than IT drills. They test decision-making, stress-test operational resilience and prepare organisations for the reputational volatility that follows any significant incident.

Crucially, cyber-simulations expose the friction points that can derail a response.

They highlight gaps in decision-making, breakdowns in communication and unclear escalation paths.

To be effective, the exercise should recreate the intensity of a live incident with real-time scenarios where cyber and technology teams are challenged to respond technically, while senior executives simultaneously face difficult decisions.

Should we pay a ransom? Should we isolate systems? How do we communicate with the public?

In practice, cyber-simulations present leaders with staged dilemmas based on real-world threat actor tactics.

For example, a mock ransomware note may be delivered as part of the exercise, forcing executives to decide whether to engage with the attackers, involve law enforcement or activate business continuity plans.

Leaders are required to work with incomplete data under strict time pressure, and to simulate decisions on issues such as taking systems offline to contain spread, balancing operational disruption against technical containment.

Sophisticated cyber-simulations can also expose false confidence in back-up systems, which are often assumed to be intact but prove incomplete or improperly segregated in realistic scenarios.

These are not theoretical choices; they are the decisions boards may be forced to make, often under immense pressure and without full information.

Media and stakeholder repercussions

One often overlooked dimension is the media and stakeholder environment that unfolds during a cyber-incident.

Real-world events do not play out in a vacuum.

Social media storms, speculative press coverage and mounting pressure from customers and investors all add urgency and reputational risk to already complex technical challenges.

The best cyber-simulations integrate mock media feeds, simulated press conferences and crisis communication scenarios to mirror this reality.

The goal is not only to test what the organisation does, but how, and how fast, it says the right things to the right people, as well as determining who the key communicators should be.

Boards should evaluate how communications protocols function under pressure and whether executive spokespeople are adequately prepared and supported.

Cyber-simulations are also an opportunity to bring together key disciplines: Cybersecurity, communications, operations, legal and risk management, to develop a single cohesive response.

Misalignment between these functions is often what turns a manageable event into a full-blown crisis.

For example, in a typical simulation, legal teams may advocate delaying notifications to regulators until there is greater certainty, while the communications function may want a holding statement for immediate release.

Without clear alignment on timing and messaging, these conflicting approaches can lead to confusion or even reputational damage, highlighting the need for clearly defined protocols and cross-functional coordination under pressure.

Running joined-up scenarios helps teams identify where policies clash, where assumptions differ and where decision-making lags.

Boards should encourage the inclusion of these diverse functions in cyber-simulations and should receive assurance that learnings are not siloed but shared across business units.

Importantly, cyber-simulations should not be one-off events.

They need to be integrated into business calendars, updated regularly to reflect new threats, system changes and lessons learned from real incidents.

Evolving cyber-simulations as attackers evolve

The best cyber-simulations evolve, just as attackers do.

They reflect not only technical shifts but also business context, supply chain dependencies and emerging stakeholder expectations.

An organisation moving all of its digital services to the cloud, for example, will need to shift its exercises from simulating the loss of a data centre to simulating the outage of a cloud service provider or loss of internet connectivity.

Boards should expect to see a multi-year simulation roadmap that reflects the current environment their business operates in.

For board members, attendance at these sessions can be eye-opening.

They provide a rare chance to experience the tempo and intensity of a real incident, to test strategic thinking under stress and to engage meaningfully with the challenge of organisational resilience.

They force leaders to confront ambiguity, test crisis roles and responsibilities and understand where the organisation is most vulnerable – not just technically, but operationally and reputationally.

Boards and executives then have the chance to rehearse responses in a safe, controlled setting, building muscle memory that can be relied upon in future.

They can also help boards define their risk appetite, clarify thresholds for decision-making and ensure the organisation’s values are reflected in its crisis response.

In some cyber-simulations, organisations find that their stated values, such as a public commitment to transparency, demand faster or more proactive communication than legal or regulatory requirements alone would dictate.

This can prompt a reassessment of internal escalation thresholds, decision-making authority and response timelines to ensure that crisis actions align with corporate principles, not just compliance standards.

Cyber-incidents are no longer rare

The need for this has never been clearer. As recent events with leading retailers have shown, major incidents are no longer rare: They are business realities.

How a board leads before, during and after such events is a matter of public and regulatory scrutiny.

In today’s environment, preparedness is a key performance issue. It’s about protecting value, trust and reputation.

That’s why leading organisations are moving beyond checkbox compliance and embracing these kinds of proactive approaches to readiness.
