For years insurers have sold cyber cover like most insurance: agreed payouts in the event of certain scenarios. But perhaps the operational recovery of a business is more valuable than anything else? Here's the word:
UK CEOs have unrealistic expectations about the speed of recovery from cyberattacks, with 67% expecting to be notified of a breach within less than 30 minutes and over half (52%) anticipating resuming basic business operations within a day.
Failing to recover quickly has direct career consequences. Over 80% of CEOs agree that the position of the person responsible would be at risk if they failed to deliver fast and secure recovery or to manage the long-term consequences of a cyberattack. CEOs also clearly recognise their own job vulnerability here, with the CEO role itself most often (20%) viewed as responsible for long-term business impact.
These findings come from new research from the leader in AI data security, Cohesity, and OnePoll, revealing that despite the high expectations, there is no clear consensus on who owns key decisions in the incident response “war room”.
In the immediate aftermath of a cyberattack, decision-making sprawl driven by a lack of clear ownership of roles and responsibilities can cause delays and confusion at a time when rapid, coordinated decisions are critical.
CEOs expect speed: from notification to recovery
On average, CEOs expect to be made aware of a cyberattack within less than an hour:
Notification of a cyberattack
- 67% within 30 minutes
- 26% within 5–15 minutes
- 23% within 16–30 minutes
- 19% under five minutes
They also expect rapid recovery when it comes to resuming basic business operations after a cyberattack.
Resuming basic business operations
- 14% within 1 hour
- 38% within a day
- 28% within a few days
- 11% within a week
But expectations drop sharply when asked about becoming fully operational.
Becoming fully operational after a cyberattack
- 14% within a day
- 30% within a few days
- 21% within a week
- 15% within a few weeks
However, even these expectations are misaligned with the many high-profile examples showing that recovery from security breaches very often takes months.
It is unclear who leads the cyberattack incident response ‘war room’
Despite the expectation of fast notification and recovery, CEOs don’t point to a single default “first call” owner. In the event of a cyberattack, some CEOs expect to hear first from the Security Advisory Board (25%), others from the CTO (21%) or the CISO (21%). That fragmentation matters because the first hour determines escalation speed, decision quality and whether recovery is coordinated.
The same pattern appears when CEOs are asked who decides what gets restored first in order to resume basic business operations. Responsibility is spread across the Entire Board (23%), the CTO (21%), the CEO personally (20%) and the Security Advisory Board (14%).
“CEOs are signalling that cyber incidents now come with performance consequences. With expectations this high, organisations need a clear chain of command in place, so decisions are made quickly and confidently,” said Fraser Hutchison, VP UKI at Cohesity.
“Cyberattack recovery is now a board-level issue. CEOs expect to restore basic business operations fast, but many organisations still haven’t defined who alerts leadership, who decides what ‘minimum viable’ means, or what gets restored first. Without a clear plan agreed in advance, those crucial decisions can be contested in the heat of the moment, slowing recovery,” added Fraser Hutchison.
Who is responsible for managing AI risk?
The recovery decision-making process is further complicated by the fractured state of AI governance across large UK businesses. With AI now embedded in core operations, any ransomware attack will inevitably implicate AI-dependent systems, yet the survey reveals that ownership of AI security is distributed across as many as five different executive roles. The CTO is most commonly identified as responsible for AI cybersecurity, cited by 41% of respondents, followed by the CISO (31%), CIO (29%), CSO (26%) and CAIO (22%). In many organisations, that means multiple executives hold a partial stake in AI security with no single owner.
The disconnect is compounded by a parallel finding on AI policy integration more broadly: the CIO leads on AI policy at 30% of businesses, while the CTO leads AI cybersecurity at 41%, meaning the executive responsible for restoring AI systems after an attack is frequently not the same person who governs them day to day. A further 20% of businesses have had to create an entirely new role to own AI policy at all, and 11% have no owner or are unsure.
“AI is accelerating how organisations run, and it’s raising expectations for speed everywhere, including recovery from a cyberattack. But speed without clear ownership and confidence in what you’re restoring can turn a cyber incident into a prolonged business crisis. The organisations that recover best are the ones that define Minimum Viable Company upfront, assign clear decision rights, and rehearse recovery as an operational discipline, not just a technical process,” said James Blake, Global Vice President of Cyber Resilience and Consultancy Strategy at Cohesity.
The research was carried out by OnePoll between 20th May and 10th June 2026 among UK CEOs at companies with 500+ employees.