Skip to main content

Cyber resilience gets a P&L: Treasury reframes the board conversation

HM Treasury has published evidence positioning cyber resilience as a driver of financial performance and growth, not a compliance cost. For boards, it shifts the internal argument from risk avoidance to capital allocation, with implications for how CROs, CFOs and CEOs frame investment cases.

HM Treasury has recast the cyber resilience debate. Its new report, The Value of Resilience: Cyber Resilience in Financial Services, published on 8 July 2026, argues that resilience should be treated as a strategic enabler of growth and stability, rather than solely as a compliance cost (HM Treasury). The document, developed with Accenture, KPMG, FreedomPay, Retail Economics, Resilience and the Association of British Insurers, sets out evidence that stronger resilience reduces the likelihood and impact of disruptions, supports faster recovery, and improves financial performance (HM Treasury). The framing matters more than the findings.

For years, cyber has sat awkwardly on board agendas: too technical for strategy discussions, too consequential to delegate. Treasury's intervention gives CFOs and CEOs a sanctioned vocabulary to move cyber spend out of the compliance column and into the growth column. That is a meaningful shift in stakeholder dynamics. CISOs and operational resilience leads have long struggled to compete for capital against revenue-generating initiatives. A government-backed evidence base, co-authored with two of the big four and the ABI, changes the internal bargaining position. Expect resilience business cases to be rewritten this autumn with explicit references to the report's growth and recovery arguments.

The timing is not accidental. The Financial Policy Committee's July record noted that recent rapid advances in frontier AI capabilities have increased financial stability risks related to cyber and operational resilience (Bank of England). The FPC also flagged that vulnerabilities across risky asset valuations, sovereign debt, and private credit have become more pronounced since December 2025, with a substantial increase in equity market leverage (Bank of England). Sarah Pritchard, FCA deputy chief executive, used her 8 July speech at the Whitehall Industry Group to reinforce that markets shift faster with AI, and that good regulation means being both principled and agile (FCA). Three arms of the official family, Treasury, the Bank and the FCA, are aligning around the same message: operational fragility is now a first-order financial stability question, and firms that treat it as back-office hygiene will be exposed.

The stakeholder implication cuts in two directions. Internally, resilience leaders have new leverage in capital allocation debates, but they also inherit a higher burden of proof. If cyber investment is a growth story, boards will want returns modelled, not just risk registers updated. Externally, insurers, auditors and rating agencies now have a Treasury-endorsed framework for pricing resilience into their assessments. The ABI's involvement in the report signals that cyber insurance underwriting standards will tighten around the evidence base it establishes. Firms that cannot demonstrate the recovery metrics Treasury highlights should expect harder conversations at renewal.

Senior leaders should read the report not as guidance but as a repositioning. The compliance framing that has dominated cyber governance since the operational resilience rules took effect is being retired in favour of a performance framing. That changes who owns the conversation at board level: less the CRO alone, more the CFO and COO jointly. The firms that adjust their governance and disclosure to match will find capital, insurance and regulatory goodwill easier to secure. Those that do not will be defending yesterday's argument.

Polar Insight helps senior leaders in financial services understand what their key stakeholders actually think before significant decisions are made.

Book a conversation