
Cyber Risk Is Business Risk: Why Resilience Is a Team Sport

Citi Institute Q&A  •  Article  •  September 23, 2025

In April, a major UK retailer was hit by a cyber attack linked to the Scattered Spider group, part of a broader wave of high-impact intrusions[1]. The consequences were far-reaching: online ordering was suspended for more than six weeks, contactless payments were disrupted, and supply chains were thrown into disarray. The estimated cost? Nearly $400 million in lost operating profit, months of disruption to customers, and the departure of the firm’s chief digital and technology officer.

That level of impact is no longer theoretical. It’s happening in real time to global brands across every sector. In a digital economy, cyber resilience can no longer be siloed in IT and must be treated as a board-level business imperative.

We spoke with Bill Hoffman, Citi’s Head of Cyber Risk and Compliance, about how the threat landscape is evolving and what leadership teams need to be doing now.


How has the cyber risk landscape evolved and what should leaders understand about today’s threat environment?

The pace and boldness of today’s threats are unlike anything we’ve seen. Earlier this year, a nation-state group stole more than $1 billion in Ethereum tokens from a cryptocurrency exchange[2].

The group responsible for the UK retailer breach even gave an interview to the BBC[3] and complained that another target wasn’t meeting their extortion demands.

The actors aren’t new—criminal groups, geopolitical players, hacktivists, insiders—but their capabilities, velocity, and audacity have all increased. And it’s playing out against a backdrop of growing digital interdependence. The more connected we are—within firms and across industries—the more a single weak point can escalate into a full-blown business, or even sector-wide, disruption.

Cyber risk is no longer just about prevention. Leadership needs to think in terms of resilience: it’s not a question of whether an incident will happen, but of how we minimize disruption when it does. It’s about bending without breaking.

What are some blind spots CEOs, CFOs, or boards often overlook when it comes to cyber resilience?

One of the biggest examples is treating cyber as a technology problem. It’s not. Cyber is a cross-cutting business risk and managing it requires engagement from every level of the enterprise, not just IT.

A good resilience strategy requires an understanding of what’s most valuable to the business. That could be sensitive data, financial assets or something else. The key is to build your resilience plan according to your business priorities. That’s why business, technology, and cyber teams need to collaborate. Leadership should be asking: How does cyber risk impact our strategic objectives? And have we defined what an “acceptable” level of risk looks like across the enterprise?

What signals should leadership watch for to assess whether their organization is truly resilient?

Resilience starts with culture and basic security hygiene. People, not tools, are the biggest differentiator. You can invest in the latest technology, but if your help desk can be tricked into resetting a password for an imposter, the firm will remain vulnerable.

Strong cyber hygiene is one of the best indicators of a resilient culture. That includes how teams handle passwords, email protocols and policy enforcement, which are foundational behaviors. In high-performing organizations, they aren’t just rules—they’re habits.

At the same time, security teams have a responsibility to understand the business and its strategy, and to ensure that security capabilities first and foremost enable the business’s objectives.

What does a strong resilience plan look like—and how should companies stress-test it?

A strong plan goes well beyond system restoration. The CEO shouldn’t be drafting their first public statement during a breach. Just like an earnings call or regulatory event, a cyber incident demands a rehearsed, coordinated response.

Exercises should be grounded in severe but plausible scenarios that reflect your business model, industry, and threat environment. And they should test not just your technical response, but also the role of business leaders and executives. That should include the challenge of making consequential decisions with incomplete or changing information. Leaders are used to making decisions based on comprehensive analysis, but that is not always possible during a rapidly evolving cyber incident. An exercise is a safe place for leaders to get comfortable with being outside of their comfort zone.

This is where culture comes in again. A good exercise reveals weak spots. That’s a win. But it may require a culture shift to recognize that gaps discovered during an exercise are a good thing. We should celebrate the opportunity to address them in advance of a real event.

How is AI changing the cyber defense conversation?

AI is a game-changer on both sides of the equation. It lowers the barrier for attackers while strengthening the toolkit for defenders. Threat actors are using AI for more personalized and convincing social engineering attacks that are harder to detect. They are leveraging AI to craft language for more effective lures in social engineering attacks, such as phishing, and to enable more sophisticated voice or video mimicry using deepfake technology.

But on the defense side, AI helps us detect anomalies faster, prioritize threats more intelligently, and uncover hidden patterns. For example, AI can be used to parse large data sets to find patterns that indicate a potential attack and can work alongside security personnel to increase the efficacy of their detection and response capabilities. This includes highlighting anomalies that should be analyzed with greater urgency or surfacing the playbook for a particular type of cyber incident on the screen in real time.

The net impact is that AI raises both the stakes and the potential. Organizations that proactively embrace AI—while managing its risks—will be far better positioned for today’s digital landscape.

[1] https://www.bbc.com/news/articles/c0el31nqnpvo; https://www.nytimes.com/2025/05/21/business/marks-spencer-cyberattack.html; https://www.reuters.com/business/media-telecom/ms-digital-chief-exits-months-after-damaging-hack-2025-09-11/

[2] https://fortune.com/crypto/2025/03/04/north-korea-bybit-hack-ethereum-safe-dprk-lazarus-group-tradertraitor

[3] M&S and Co-Op: BBC reporter on talking to the hackers - BBC News
