Board & governance

Questions every Managing Partner should ask about cyber risk

Ten questions that let a Managing Partner or board pressure-test the company's cyber posture in a single meeting, without needing to be technical, and what a credible answer to each one sounds like.

By the Threat Protect editorial team · 9 min read · Updated 9 June 2026

Most Managing Partners are not technical, and they do not need to be. Governing cyber risk is the same job as governing any other serious risk to the company: understand the exposure in business terms, confirm someone owns it, check the controls work, and make sure you would find out quickly if something went wrong. The ten questions below let you pressure-test your company's posture in a single meeting and judge the quality of what comes back, without writing a line of policy yourself.

Why this is a board question, not an IT question

A serious cyber incident is a business event, not a technology event. It stops fee earners working, exposes client confidential information, triggers regulatory notification duties, and lands on the front page with the company's name attached. The board owns that risk whether or not it has chosen to look at it.

The shift over the last few years is that regulators, insurers and clients now expect to see evidence that leadership is engaged. "We left it to IT" is no longer an answer that protects the company or its partners. The questions that follow are designed to make that engagement real and visible.

The ten questions

1. What would a one-week outage of our most important system cost us? This is the question that converts the abstract into the concrete. If nobody can answer it, that is the first finding.

2. What is the most sensitive data we hold, and where is it? You cannot protect what you have not located. Client confidential matters, personal data and transaction records should each have a known home and a known owner.

3. Who is accountable for cyber risk by name? Not "IT". A named person on the leadership team, accountable for the outcome and holding the budget authority to act.

4. When were our defences last independently tested, and what did we learn? Internal confidence is not evidence. Independent validation is. If the answer is "never" or "a long time ago", that is a gap.

5. How would we know if we had been breached, and how fast? Many breaches are discovered weeks or months after the fact, often by a third party. Ask how detection works and what the realistic time-to-know is.

6. Could we recover from ransomware without paying? This rests entirely on backups that are isolated, recent and actually tested by restoring them. A backup that has never been restored is a hope, not a control.

7. What do we require of our suppliers, and do we check? Many incidents arrive through a trusted third party. Ask whether the company holds a supplier register classified by criticality and whether the critical suppliers' controls are ever reviewed.

8. Are our people a strength or our biggest exposure? Ask for the phishing-simulation results and the reporting rate. People who report a suspicious email quickly are a control; people who quietly click are an exposure.

9. What does our cyber insurance actually cover, and could a claim be refused? Cover can be voided by an inaccurate renewal questionnaire. Ask whether the answers given to the insurer match reality. See the cyber insurance renewal checklist for what the board should confirm.

10. If the worst happened tonight, what is the first hour? Ask to see the incident response plan, who is called, and when it was last exercised. A plan that has never been tested is functionally not a plan.

What a credible answer sounds like

Good answers share three features: they come with evidence (a date, a report, a test record), they are honest about gaps ("we have not yet tested the backups; that is scheduled for next month"), and they are framed in business terms rather than product names. An answer that lists security products without explaining what risk they reduce has missed the point of the question.

The red flag is confidence without evidence. "We're fine, we have a firewall" tells you only that the company has a firewall. It says nothing about whether the company would survive a determined attacker, recover from ransomware, or pass an insurer's claim review.

Turning the answers into a plan

If the answers reveal gaps, and they almost always do the first time, the right next step is a structured baseline rather than a shopping list of products. A Cyber Assurance Assessment scores your posture against a recognised framework, ranks the gaps by risk, and produces a costed roadmap the board can fund with its eyes open. That is also the document that makes next quarter's version of this meeting far shorter.

If you would like a one-page version of these ten questions to take into your next board or partners' meeting, send a note and we will send it across. If you would rather talk it through, book a 30-minute call and we will help you read your own answers.

Frequently asked

Questions readers ask before getting in touch.

  • What would it cost us, in money, downtime and reputation, if our most important system were unavailable for a week? It converts an abstract technical topic into a business impact the board can weigh, and it usually exposes whether anyone has actually thought it through. Every other question follows from the answer.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.