Are You a Cyber Risk to Your Customers? The Question the New Bill Forces Boards to Ask
For years, cyber risk has been framed as something organisations suffer.
Under the UK Cyber Security and Resilience Bill, cyber risk is increasingly defined as something organisations cause.
That shift matters.
The Bill introduces a regulatory logic that focuses less on whether you are disrupted, and more on whether your failure disrupts others. For boards, this quietly forces a new and far more difficult question:
Are we a cyber risk to our customers?
From internal controls to external impact
Traditional cyber governance asks:
- Are our systems secure?
- Do we meet recognised standards?
- Could we recover from an incident?
The new regime adds a different test:
- If we fail, who else is affected?
- How quickly would customers know?
- How widely would disruption propagate?
- Could regulators reasonably expect us to have foreseen that impact?
This is no longer an abstract exercise. Under the Bill, managed service providers, digital services and critical suppliers can be regulated directly because of the downstream impact of their failure.
Why boards often misjudge this risk
Most boards assess cyber risk inwardly. They look at:
- internal resilience,
- insurance coverage,
- audit results,
- and historical incident data.
What they often don’t see clearly is dependency risk:
- how many customers rely on the same service,
- where access, data or control is concentrated,
- how quickly customers would be impaired if that service failed,
- and whether customers are themselves regulated entities.
This is where many organisations underestimate exposure.
They evaluate their own importance, not the consequences of their failure for others.
When cyber incidents stop being private events
The Bill removes the comfort of quiet remediation.
Once an incident meets reporting thresholds:
- regulators are notified within 24 hours,
- full details follow within 72 hours,
- affected customers must be informed,
- and regulators may require information beyond what you already hold.
Incidents become regulated, customer-facing events, not internal technical matters.
For boards, this creates a new accountability line:
you are responsible not just for your resilience, but for the harm your failure causes downstream.
The uncomfortable reality of supply-chain risk
Many organisations now sit in roles that make them systemic without realising it:
- MSPs supporting dozens or hundreds of clients
- suppliers embedded in regulated or defence-adjacent chains
- platforms or tools that create aggregation risk
- services that are operationally hard to replace
In these cases, cyber risk is no longer bilateral.
It is propagative.
The Bill formalises that reality by allowing regulators to designate organisations based on dependency, not size or intent.
What good boards should be asking now
Boards do not need to become cyber experts — but they do need to ask better questions.
Examples include:
- Which customers would be materially disrupted if we failed?
- Are any of them regulated entities or critical services?
- Where does our service create concentration or aggregation risk?
- Could we meet customer notification obligations in practice?
- Have we tested how incidents propagate, not just how we recover?
These are governance questions, not technical ones.
Why this is a commercial issue, not just a regulatory one
As regulation tightens, customers will increasingly ask:
- Can this supplier be trusted under pressure?
- Do they understand their role in our resilience?
- Will they tell us quickly when something goes wrong?
Suppliers who can demonstrate this thinking will win trust.
Those who can’t will feel the impact through procurement friction, contract conditions and reputational risk — often before regulators ever intervene.
The board-level reframing
The Bill doesn’t just regulate cyber security.
It redefines responsibility.
The core question for boards is no longer:
“Are we compliant?”
It is:
“Are we a cyber risk to our customers — and do we understand that risk well enough to manage it?”
Call to action
If you are unsure how your organisation’s failure could affect customers, you are already exposed.
Contact Cyber Tzar to understand how your services contribute to supply-chain cyber risk — and how we can help you assess and reduce that risk now, before incidents or regulation force the conversation.
