
When we brought together colleagues, clients and partners for our recent cybersecurity and resilience conference, co‑hosted with SCC, I spoke towards the start of the day and shared that I thought it would be insightful – and perhaps slightly worrying.

Having now had time to reflect, that still feels like the right description. The discussions were wide ranging, sometimes uncomfortable, but ultimately constructive. What stayed with me most is not just the scale of the challenge we face, but the clarity emerging around what really matters: resilience, trust and shared accountability.

I have spent all my career in banking, and long enough to remember when physical security was core to our risks. Cash, branches and armed robberies were the tangible threats. Today, that world has largely disappeared. We hold very little cash in our branches, and organised crime no longer needs to be local or visible. Cybercrime now operates at scale, remotely and with extraordinary speed and sophistication. One of the most sobering facts shared during the conference was how dramatically the timeline for exploiting vulnerabilities has shortened – from years to days, sometimes hours. That single shift changes everything. Cybersecurity is no longer a technical issue; it is a business‑critical discipline and, increasingly, a leadership responsibility.

From protection to assurance

One theme that surfaced repeatedly throughout the day was the shift from protection to assurance. Boards, investors, regulators, and customers are no longer satisfied with asking whether organisations are “secure”. They are asking how decisions are made, how risks are prioritised, and whether leadership can stand behind those decisions when something goes wrong. This applies just as much to manufacturers, logistics firms and defence suppliers as it does to financial institutions.

I was struck by how clearly this came through in discussions about supply chains. Increasingly, the point of vulnerability is not within an organisation itself, but somewhere in its ecosystem: a smaller supplier, an overlooked partner or an individual user. From an attacker’s perspective, this is simply rational. Why target the most fortified organisation when access can be achieved through a weaker link?

This matters because modern economies – and certainly the UK economy – are deeply interconnected. A cyber incident at one firm does not remain isolated; it ripples through customers, suppliers and counterparties. Cyber resilience, therefore, is not just about individual organisations doing the right thing; it is about collective resilience across sectors.

Cyber, defence and national resilience

Another powerful insight from the conference was how closely cybersecurity is now tied to national resilience and defence. Cyber risk sits alongside energy security, critical infrastructure and geopolitical stability. As was articulated very clearly during the day, data‑centric digital technology has become a battleground in its own right.

What resonated strongly with me was the reminder that defence is not only about protection, but also about economic growth. In the UK, defence supports hundreds of thousands of jobs and underpins innovation across manufacturing, engineering, digital and space technologies. Many of the businesses NatWest supports – particularly SMEs and mid‑market companies – operate somewhere along this defence and security value chain, often without seeing themselves as “defence companies” at all.

That creates a challenge. Regulatory requirements and emerging cyber standards are raising the bar. For many smaller firms, navigating this landscape can feel overwhelming. Yet ignoring it is no longer an option. The discussion reinforced for me that the role of institutions like ours is not to dictate technical solutions, but to help clients understand the journey, the trade‑offs and the priorities.

Technology change, leadership and decision‑making

The pace of technological change is not slowing; if anything, it is accelerating. Artificial intelligence, automation and, in time, quantum computing will continue to reshape the risk landscape. As we heard, quantum is no longer a distant theoretical problem. Decisions taken today about encryption, data retention and trust will still matter a decade from now.

What concerns me most is not the technology itself, but how organisations respond to it. Cyber risk cannot be delegated entirely to specialists. If leadership does not engage, the organisation is exposed.

At the same time, alarmism can be just as damaging as complacency. One comment from Lieutenant General Sir Tom Copinger‑Symes captured this tension perfectly: “We want you in calculated response mode, not analysis paralysis.” That feels like the right framing. Awareness is essential, but it must translate into proportionate, timely action.

Insurance, systemic risk and the limits of hindsight

Another area that prompted thoughtful discussion was the evolving role of insurance in cyber resilience. The conversation moved beyond individual organisational risk and towards a far broader concern around systemic exposure and interconnected failure.

As Irene Phillips from DNK observed, “We are not worried about the individual organisational failure or risk. We are concerned about what is called systemic risk or aggregation and the convergence of risks.” In a digitally connected economy, the same event can trigger losses across multiple sectors, geographies and balance sheets at once.

The discussion also highlighted the limits of historical precedent. “When it comes to war insurance, loss history has no value whatsoever,” Irene noted. “What happened 50 years ago is not going to happen again.” That insight applies far beyond insurance. In fast‑moving cyber and geopolitical environments, relying too heavily on backward‑looking assumptions can create false comfort.

For businesses, this reinforces an important point: insurance is a vital part of resilience, but it is not a substitute for preparedness, governance and informed decision‑making.

SMEs, pragmatism and getting the basics right

A recurring question during the panel discussion was how smaller businesses should respond. Many SMEs feel intimidated by cyber language and complexity, and as a result do nothing. That is understandable, but risky. The most sensible advice offered during the day was also the simplest: start with the basics and build from there.

Cyber resilience is not achieved through a single product or certification. It comes from consistent hygiene, basic controls, awareness of people risk and clear escalation paths when things go wrong. As businesses grow, their approach must mature, but no organisation needs to solve everything at once.

From a banking perspective, this reinforces the importance of access to advice and trusted partners. For many small firms, their bank and accountant are the first – and sometimes only – places they turn to for guidance. That places a responsibility on us to engage constructively, without imposing unnecessary burden or pretending to be something we are not.

Trust as the defining currency

If there was one word that threaded through the entire event, it was trust. Trust between organisations and their customers. Trust across supply chains. Trust between the public and institutions. And trust between nations.

Trust is hard won and easily lost. In a world where breaches are increasingly inevitable, what matters most is not pretending they will never happen, but how organisations respond when they do. Transparency, speed, accountability and collaboration are what preserve trust in difficult moments.

I was particularly struck by the observation that “Made in Britain” remains a powerful quality mark internationally, even if we sometimes underestimate it at home. Trust, reputation and reliability are assets – not just commercial ones, but national ones. In a fragmented and uncertain global environment, these qualities matter more, not less.

Looking ahead

The conference did not offer simple answers – and that is no bad thing. What it did offer was a shared understanding that cybersecurity, resilience and trust are now inseparable. They cut across technology, strategy, regulation and culture.

For us at NatWest, the takeaway is clear. Supporting customers in this environment is not about selling certainty. It is about helping them ask better questions, make informed decisions and build resilience over time. Cyber risk will remain with us, but how we manage it – together – will define our ability to grow, invest and compete in the years ahead.

I left the event encouraged. Not because the challenges are small, but because the willingness to engage with them openly is growing. In my view, that is where progress really begins.

The information provided in this article has been prepared by National Westminster Bank Plc (NatWest) for information purposes only and is subject to change from time to time. The information and views expressed should not be treated as advice or a recommendation of any kind. NatWest makes no representation, warranty, undertaking or assurance of any kind (express or implied) with respect to the adequacy, accuracy, completeness, or reasonableness of the information provided and disclaims all liability for any use you, your affiliates, connected companies, employees, or your advisers make of it. NatWest accepts no liability whatsoever for any direct, indirect, or consequential losses (in contract, tort or otherwise) arising from the use of this material or reliance on the information contained herein. However, this shall not restrict, exclude, or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.

Copyright 2026 © National Westminster Bank Plc. All rights reserved.
