Treasury's role in cyber resilience

Recent high‑profile cyber incidents underline how quickly operational disruption can create acute financial and liquidity challenges. In late 2025, Jaguar Land Rover was hit by a major cyberattack that forced production shutdowns, disrupted supply chains, and required rapid intervention to stabilise cash flows. Earlier that year, a cyber incident at Marks & Spencer caused widespread disruption to payments systems, online ordering, and gift card functionality, with immediate implications for cash management, stakeholder communications, and market disclosure. 

The spate of recent high profile incidents, together with a number of cyber related fines from the UK’s data regulator, are a reminder of the importance of good cyber preparedness. Planning for, and responding to, a cyber incident requires organisation-wide input and coordination, including from treasury. This might include supporting the board with information on liquidity, available financial resources and credit implications, as well as managing engagement with key stakeholders such as banks, insurers and rating agencies. 

Key areas of treasury involvement

Payment Continuity

An immediate priority following an attack may be continuity of payroll, tax, and key supplier systems should enterprise resource planning (ERP) or treasury management systems (TMS) be unavailable.

To prepare, properly documented fallback arrangements must be agreed with banks and tested in advance, including alternative authorisation channels, payment templates and out-of-band verification protocols. Organisations may also need to streamline payments to focus on statutory obligations, payroll, operating entity funding, debt service, hedging and paying critical suppliers.

Liquidity requirements

Boards will look to treasury for advice on liquidity position and emergency funding options. Early responses may rely on imperfect information, with treasury likely working with cash‑burn ranges, scenario modelling and limited visibility over receipts and balances, particularly if TMS, cash‑pooling or reporting tools are disrupted.

Another treasury task (in conjunction with legal support) is to check loan and facility terms to identify any utilisation constraints, drawstops, or defaults triggered by the incident or related financial stress. Initially, the priority will be to identify potential drawstops in undrawn facilities. As disruption continues, attention may shift to default risks across financing arrangements. 

Communications with financial counterparties 

Whether a cyberattack is in the public domain, or remains confidential, organisations may need to make regulatory, market, or stakeholder notifications. Calm, factual notifications can help preserve confidence. These are typically coordinated centrally to ensure consistent, strategic messaging is maintained through both internal and external channels.

Limiting external communication to pre‑approved, high‑level updates reduces the risk of unintended disclosure while investigations continue. Treasury should therefore ensure that any communications they manage are in line with this strategic approach. Examples include when engaging with lenders and other financial counterparties where payment capacity, liquidity or reporting timelines may be affected, or facilities need to be drawn, and when managing any loan agreement notification obligations arising from wider implications of the incident. 

Insurance arrangements

Cyber insurance policies typically require prompt notification of an incident and may provide advisory services (technical, ransomware negotiation etc.) as part of the policy, but they can also restrict communications and impose requirements on documentation of remediation activity. Treasury teams responsible for group insurance will need to be on top of these requirements, to ensure preferred advisors are listed on the policy and to avoid early missteps which can delay recoveries.

Treasury is often responsible for tracking insured versus uninsured costs and managing the cash‑flow mismatch between immediate outflows and delayed receipt of insurance proceeds. This mismatch can have liquidity implications even where coverage is robust, reinforcing the need for advance planning and stress‑testing. 

Analysing debt terms 

Most debt documentation does not cater specifically for the consequences of a cyber attack, so the analysis is normally focussed on general provisions that may be triggered in the context of a stress or crisis event.

In relation to loan facilities, key issues to consider include:

• Ability to pay on time: Payment delays will generally trigger a default, subject to any grace periods. General grace periods for non-payment are relatively uncommon, but LMA templates allow a grace period for non-payment in the context of systems disruption.  In either case, the applicable period is typically short, making early lender notification essential. 
   
• Disruption to information flows: Conduct of business and information undertakings are usually subject to grace periods and therefore not breached by temporary system outages. However, delays may still trigger drawstops and will need to be reviewed, particularly if financial reporting is materially affected.
   
• Financial covenant pressure: Falling revenues, rising costs and working‑capital volatility may erode covenant headroom, with real-time monitoring of covenant performance being complicated by disrupted access to TMS or underlying financial data. 
   
• Cross‑default: Payment issues under financing or hedging arrangements may trigger cross‑defaults. Understanding the interaction of grace periods, payment thresholds, and cure mechanics across the capital structure is critical.
   
• Cessation of business: Sustained disruption to trading in the ordinary course may engage cessation‑of‑business clauses.
   
• MAC and insolvency events: Initial impacts may not meet material adverse change (MAC) thresholds, particularly if disruption is expected to be temporary and the business remains solvent. However, MAC provisions, together with insolvency-related events of default, tend to come into sharper focus in light of prolonged disruption, rising remediation costs or regulatory exposure. 
   
• Lender notification obligations: Consider whether insurance claims or recoveries trigger lender‑notification obligations or restrictions under financing agreements. 

Similar considerations arise under other financing arrangements.  Under ISDA master agreements, for example, payment failures may benefit from short grace periods and force‑majeure‑type events may apply only in narrow circumstances. Even where temporary relief is available, it does not replace the need for active engagement with counterparties. Treasury should not assume contractual provisions will absorb extended disruption and will need to incorporate derivatives exposures into contingency planning.

Ransomware and sanctions 

Where a ransom demand is made against an organisation, a primary concern is to determine whether any payment would be lawful, bringing in sanctions and financial crime considerations. Specialist advisers typically lead these negotiations with technical and legal advice supporting the compliance analysis. As part of the deliberations around whether or not to pay, treasury may be asked to assess what funding is realistically available.

New financing for ransom payments is difficult due to sanctions and reputational sensitivities, so funds may need to come from existing accounts. Treasury’s relationships with banks and its understanding of payment mechanics may make it central to these discussions.

From operational involvement to strategic engagement?

Cyber risk and credit risk are increasingly interconnected, as reflected in the prevalence of risk factors relating to cyber‑risk and IT security in capital‑markets documentation and in rating‑agency recognition that investment in cyber resilience strengthens credit profiles. These factors, combined with the range of areas where treasury teams may input into cyber preparedness and incident‑response planning, suggest that cyber risk is an increasingly important area for treasury to be involved with, where appropriate at a strategic as well as an operational level.