A finance director at a Cork engineering consultancy received a call from the company's solicitor six days after a ransomware attack had locked the firm out of its systems. The solicitor wanted to know what the board had known about the company's cybersecurity posture before the incident, and when they had known it. The FD, who had approved the annual IT budget without asking any specific security questions, found she had very little to say. The company's cyber insurance claim was later disputed by the insurer on the grounds that documented controls required by the policy had not been in place. The personal and professional consequences for the director took months to resolve.
Cybersecurity is no longer solely the IT department's problem. For finance directors at Irish companies — whether you are sitting on the board of a forty-person professional services firm in Dublin or a regional manufacturer in Donegal — your personal exposure under Irish and European law has increased materially in the past two years. This guide explains what you are actually responsible for, what your cyber insurance probably does and does not cover, and the questions you should be asking your IT team right now.
WHAT: Your Legal Exposure as an FD
Three overlapping frameworks create legal obligations that finance directors cannot treat as someone else's problem.
The first is the Companies Act 2014, which requires directors to exercise reasonable care, skill, and diligence in the management of the company. Cybersecurity risk is now a recognised category of business risk. A director who cannot demonstrate that they understood the company's cyber risk profile, and that they took steps to address material gaps, may be found to have breached their duty of care if a significant incident causes loss to the company.
The second is GDPR, enforced in Ireland by the Data Protection Commission. Under GDPR, the organisation as a data controller is responsible for implementing appropriate technical and organisational measures to protect personal data. Where a director has governance oversight of data protection — which is often the FD, given the intersection with financial data and payroll — they carry accountability for whether those measures are actually in place and working.[^3]
The third is NIS2. Ireland transposed the NIS2 Directive, which expands mandatory cybersecurity requirements to a broader range of sectors and organisations. For companies directly in scope, NIS2 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, and receive regular training on cyber risk. The liability provisions of NIS2 include the possibility of personal liability for management where failures are attributable to negligence.[^1]
WHAT NOW: Cyber Insurance — What It Covers and What It Does Not
Most finance directors have a reasonable understanding of what general liability and professional indemnity insurance cover. Cyber insurance is less well understood, and the gaps in coverage are often where Irish businesses get hurt.
A standard cyber insurance policy typically covers incident response costs, forensic investigation, legal fees, regulatory notification costs (including costs associated with DPC notifications), and some element of business interruption loss. These are genuine and valuable protections. What is less often appreciated is the list of conditions and exclusions that can void coverage or reduce a payout.
Do you know whether your current cyber insurance policy would pay out if you had a ransomware attack this week? Book a free 20-minute strategy call — we will review your policy and tell you exactly where the gaps are, in plain English, with no sales pressure.
Common exclusions include losses arising from failure to maintain documented security controls — MFA, patching, backup testing — that the policy requires. If your policy lists multi-factor authentication as a required control and your organisation is not using it across all systems, you may find the insurer declines the claim. Social engineering losses — where an employee is tricked into authorising a fraudulent payment — are often excluded from standard cyber policies or covered only up to a sublimit. This matters because business email compromise fraud is one of the most common and financially damaging attacks affecting Irish businesses, according to the Garda National Cyber Crime Bureau.[^2]
Premium costs have also risen sharply. Irish insurers are increasingly requiring businesses to complete detailed security questionnaires before renewal, and the answers to those questionnaires — whether MFA is enforced, whether backups are tested, whether there is an incident response plan — directly affect both the premium and the scope of coverage. Finance directors who cannot answer these questions accurately at renewal are flying blind.
WHY IT MATTERS: The Board Reporting Obligation
NIS2 requires management bodies to be informed about and oversee cybersecurity risk on an ongoing basis. For Irish companies in scope, this means cyber risk needs to be a standing item in board reporting, not an occasional agenda point. Even for companies that are not directly in scope, the Companies Act duty of care means that a well-governed organisation should be receiving regular reports on its cyber risk posture.
What does good cyber risk reporting to a board or finance director look like? At minimum, it should cover the current status of critical controls, any incidents or near-misses in the reporting period, the status of any open vulnerabilities or remediation actions, and an update on regulatory compliance. It should be presented in business risk terms — exposure, likelihood, consequence — rather than technical jargon. If your current IT team or provider cannot produce a report in those terms, that is itself useful information.
The Data Protection Commission expects that senior management in Irish organisations has genuine oversight of data protection compliance, not just nominal responsibility.[^3] Following several high-profile enforcement actions, the DPC has been explicit that appointing a data protection officer (DPO) does not transfer the board's governance obligations. Finance directors with oversight of financial data — payment processing, payroll, supplier records — should be asking specific questions about how that data is protected and what would happen in the event of a breach.
WHAT NEXT: Five Questions to Ask Your IT Team This Month
Most finance directors are not and should not need to be cybersecurity experts. But you need to be able to ask the right questions and understand the answers well enough to exercise genuine oversight.
Ask your IT team or provider to confirm, in writing, that multi-factor authentication is enforced across all systems handling financial data, email, and cloud services. Ask for evidence that backups are tested and that a restoration has been successfully completed in the last three months. Ask whether the company has a documented incident response plan, and whether anyone has practised it.
Ask specifically what your cyber insurance policy requires in terms of controls, and whether your IT team can confirm that each requirement is met and documented. This is the question most FDs have not asked — and the answer is sometimes uncomfortable.
Finally, ask what the process is if a significant cyber incident happens overnight or at a weekend. Who gets called? Who decides whether to notify the DPC within the 72-hour window? Who authorises spending on emergency incident response? These are governance questions, not technical ones, and they belong in the finance director's domain.
The finance directors who are best prepared for a cyber incident are the ones who asked the difficult questions before it happened. Book a free 20-minute strategy call — we work with FDs and boards at Irish businesses to build cyber governance that is proportionate, practical, and board-ready.
The Cork FD's experience at the start of this post is not unusual. The combination of a disputed insurance claim, regulatory scrutiny, and the reputational damage of a significant incident creates a pressure that no director wants to face. The good news is that the governance questions — understanding your exposure, verifying your controls, reporting to the board — are not technically complex. They require attention and commitment, but they do not require a computer science degree.
[^1]: NCSC Ireland: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána: https://www.garda.ie/en/crime/cyber-crime/
[^3]: DPC: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.