When Boards Ignore Risk Registers: The £2.4 Million Manufacturing Disaster That Nobody Learned From

In March 2024, a 35-year-old UK manufacturing company with annual turnover of £18 million nearly went bankrupt because their board thought risk registers were "overkill for businesses like us."

They survived. Barely. At enormous cost. And most UK boards still haven't learned the lesson.

This is what happens when intelligent, experienced directors convince themselves they're too small, too careful, or too lucky to need systematic risk management. This is what the 73% of UK businesses without board-level cyber security responsibility are gambling will never happen to them.

It happened. Here's how.

The Company: Everything Was Fine Until It Wasn't

The company manufactured precision engineering components for automotive and aerospace clients. Family-owned, third generation, excellent reputation for quality. Annual turnover £18 million, 87 employees, profitable every year for the past decade.

Good management. Experienced leadership. No history of major operational incidents. Regular IT audits showing "satisfactory" security posture.

They had basic security controls. Antivirus on all systems. Firewall. Backup systems. Annual staff training on security awareness. They weren't careless. They weren't incompetent. They were average.

And average doesn't survive when 43% of UK businesses get breached annually.

February 2024: The Phishing Email Nobody Thought Twice About

The finance director received an email that appeared to be from their bank. Professional formatting. Correct logo. Plausible content about updating payment verification procedures following new fraud prevention regulations.

She clicked the link. Entered her credentials on what looked exactly like the bank's login page. Got an error message saying the system was temporarily unavailable, please try again later.

She thought nothing of it. Bank systems go down occasionally. She had a meeting starting in five minutes. She'd deal with it later.

The attacker now had her banking credentials. But that's not what destroyed the company. Because like most UK small businesses, they had implemented the basic controls everyone talks about. The bank had MFA enabled on online business banking.

What they didn't have was a cyber risk register that would have forced them to ask: "If someone phishes our finance director successfully, what else could they access with her credentials?"

The answer was: everything.

The Attack Chain: What Risk Registers Prevent

The phishing link didn't just capture banking credentials. It installed a credential harvester that monitored for any authentication attempt from that device.

When the finance director logged into Office 365 an hour later, the harvester captured those credentials too. And Office 365 didn't have MFA enabled. Because "we've always used passwords and never had a problem."

The attacker now had access to the finance director's email account. They monitored for two weeks. Read every email. Understood the payment processes. Identified the major clients. Learned which suppliers got paid when. Saw the financial controller was on holiday next week.

This is standard business email compromise methodology. It's documented in every threat intelligence report. The NCSC has published detailed guidance on exactly this attack pattern. And this board had never discussed it because they didn't have a risk register forcing them to assess "what happens if email gets compromised?"
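The two weeks of silent mailbox reading described above leave traces in the sign-in log that even a small business can check. As an added illustration (not code from the article or its author), the script below runs two simple checks over a constructed sign-in log: successful sign-ins by one user from two different countries closer together than a plausible journey, and successful sign-ins from a country outside the user's normal baseline. The CSV log format, the 6-hour window, the per-user baseline and the "XX" placeholder country are all assumptions; real Office 365 / Entra ID sign-in logs carry many more fields, but the same logic applies.

```python
"""Spot sign-in patterns that suggest someone else is reading a mailbox.

Added illustration, not code from the article or its author. The log format
(CSV: timestamp,user,country,result) is an assumption standing in for the
much richer Office 365 / Entra ID sign-in log; the two checks below apply to
the real thing in the same way.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log. "XX" is a placeholder for a country the finance
# director never works from. Two GB sign-ins bracket an XX sign-in 38 minutes
# apart: the footprint a hijacked account leaves while its owner carries on
# working normally.
SAMPLE_LOG = """\
timestamp,user,country,result
2024-02-12T07:50:00Z,financial.controller,GB,success
2024-02-12T08:55:00Z,finance.director,GB,success
2024-02-12T09:33:00Z,finance.director,XX,success
2024-02-12T09:41:00Z,finance.director,GB,success
2024-02-12T13:05:00Z,financial.controller,XX,failure
2024-02-13T08:58:00Z,finance.director,GB,success
2024-02-13T22:10:00Z,finance.director,XX,success
"""

# Assumed per-user baseline of countries sign-ins normally come from.
BASELINE = {"finance.director": {"GB"}, "financial.controller": {"GB"}}


def parse_log(text):
    """Parse the CSV log into dicts sorted by time; failures are kept but marked."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["user"],
            "country": r["country"],
            "ok": r["result"] == "success",
        })
    return sorted(rows, key=lambda r: r["ts"])


def country_switches(events, window=timedelta(hours=6)):
    """Consecutive successful sign-ins by one user from different countries
    closer together than a plausible journey (window is an assumed threshold).
    Returns (user, earlier_country, later_country, gap) tuples."""
    last_ok = {}
    hits = []
    for e in events:
        if not e["ok"]:
            continue  # a failed attempt proves nothing about location
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["country"], e["country"], e["ts"] - prev["ts"]))
        last_ok[e["user"]] = e
    return hits


def off_baseline(events, baseline=BASELINE):
    """Successful sign-ins from a country outside the user's baseline.
    Users with no baseline entry are treated as having an empty one."""
    return sorted({(e["user"], e["country"])
                   for e in events
                   if e["ok"] and e["country"] not in baseline.get(e["user"], set())})


def review(text=SAMPLE_LOG):
    """Run both checks; either list being non-empty is a reason to phone the user."""
    events = parse_log(text)
    return {"switches": country_switches(events), "off_baseline": off_baseline(events)}


if __name__ == "__main__":
    for check, hits in review().items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

On the constructed log the finance director's account trips both checks on 12 February, a week before any fraudulent instruction goes out; the failed attempt from XX against the financial controller is deliberately ignored, since a failed login says nothing about where a legitimate user is.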

Week 3: The Fraudulent Payment

A major client, an aerospace defence contractor, was due to make a £2.4 million payment for a large component order. The finance director had been coordinating with their procurement team via email.

The attacker waited until the financial controller was on holiday and the finance director was in back-to-back meetings. Then they sent an email from the finance director's compromised account to the client's procurement team.

"We've recently updated our banking details due to a supplier consolidation. Please use the following account for all future payments: [attacker-controlled overseas account]. Urgent: the £2.4 million payment due Friday needs to go to this new account to avoid processing delays that could affect your production schedule."

The client's procurement team had been emailing this finance director for months. The email came from her actual account. The language matched her previous communications. They'd been told about the urgent timing. They processed the payment.

£2.4 million transferred to an overseas account Thursday afternoon. By Friday morning when the actual finance director asked about the payment status, the money was gone.

The Aftermath: When "Satisfactory" Security Means Nothing

The company discovered the breach Friday morning. By Friday afternoon they'd hired forensic consultants (£45,000), contacted the bank (payment irretrievable), informed the client (contract implications), and contacted their cyber insurance provider (claim denied due to failure to implement basic security controls required by the policy).

Monday morning the board held an emergency meeting. The client was threatening to terminate their contract (£6 million annual revenue). Two other major clients had been notified and were now questioning the company's security controls. The bank was refusing to process any payments while the investigation was ongoing.

By Wednesday, payroll couldn't go out because banking was frozen. By Friday, suppliers were threatening legal action for late payments. By the following Monday, the company was facing insolvency.

Total immediate costs:

  • £2.4 million fraudulent payment (unrecoverable)

  • £45,000 forensic investigation

  • £82,000 legal fees (contract disputes, employment law, creditor negotiations)

  • £125,000 emergency bridging finance at punitive interest rates to cover cashflow while banking was frozen

  • £35,000 crisis PR and communications

  • £650,000 lost revenue from contract terminations and client loss

Total immediate impact: £3.337 million on a company with £18 million turnover.

They survived by taking emergency investment from a private equity firm at terms that saw the family ownership diluted from 100% to 23%. The founder's daughter, who had been managing director, resigned. Eight staff were made redundant because the business could no longer afford them.

The company still exists. It's no longer family-owned. It's no longer profitable. And it all happened because the board thought risk registers were "bureaucratic overkill."

What a Risk Register Would Have Prevented

If this board had spent two hours creating a cyber risk register six months earlier, here's what would have been different:

Risk Identified: "Phishing email compromises finance director's credentials, attacker gains access to financial systems and communication channels, fraudulent payment instructions sent to clients."

Likelihood Assessment: Using the government's 2025 statistics showing 85% of breaches involve phishing, this would have been rated "Almost Certain."

Impact Assessment: "Maximum credible impact: fraudulent payment of largest single transaction value (£2.4 million) plus client relationship loss (£6 million annual revenue) plus reputational damage. Potentially business-ending."

Current Controls: "Banking MFA enabled. Email MFA not enabled. No payment verification procedures beyond email confirmation. No monitoring of email compromise indicators."

Residual Risk Score: Likelihood 5 (Almost Certain) × Impact 5 (Catastrophic) = 25 (CRITICAL)

Required Additional Controls:

  1. "Enable MFA on all Office 365 accounts using Microsoft Authenticator (Cost: Zero, uses existing licenses. Implementation: IT support, 4 hours. Timeline: This week.)"

  2. "Implement FIDO2 hardware keys for finance director and financial controller (Cost: £90 for 2 keys. Implementation: IT support, 2 hours. Timeline: Next week.)"

  3. "Establish payment verification procedure: Any payment instruction change or payment over £10,000 requires phone call verification to known contact number, not email-provided number (Cost: Zero, policy change. Implementation: Finance director briefing, 30 minutes. Timeline: This week.)"

Total cost to prevent £3.337 million loss: £90 plus 7 hours of implementation time.

The board chose not to spend that £90 because they didn't have a risk register forcing them to assess whether the risk justified the investment.

The Director Liability Question Nobody Asked

Three months after the incident, the private equity investors commissioned an independent governance review. The findings were brutal:

The board had no documented cyber security risk assessment. No record of discussing email security or payment fraud risk at board meetings. No evidence they had reviewed the government's Cyber Security Breaches Survey showing 43% of businesses get breached annually. No documentation that they'd assessed whether their controls were adequate for the threats they faced.

The Companies Act 2006 Section 174 requires directors to exercise "reasonable care, skill and diligence" in managing company affairs. The governance review concluded that failing to assess and manage cyber risk, given the publicly available statistics and guidance, did not meet the reasonable care standard.

No criminal charges were brought. But the civil consequences were significant. The directors' and officers' insurance policy declined to cover any of the losses because the board had failed to implement basic governance practices. The private equity investors are now pursuing the former directors for recovery of their losses through civil litigation.

The directors genuinely believed they were being diligent. They had Cyber Essentials certification. They had regular IT audits. They had implemented "reasonable" security controls. What they didn't have was a systematic risk assessment that would have revealed their controls didn't match their actual risk exposure.

The Industry Pattern: This Wasn't Unique

What makes this case study important isn't that it's unusual. It's that it's typical.

Between January 2024 and December 2024, the Action Fraud database recorded 3,472 reports of business email compromise affecting UK companies. The reported losses totalled £485 million. Average loss per incident: £139,817.

The NCSC incident management team handled approximately one significant incident every two days throughout 2024. Many involved the exact attack pattern that hit this manufacturing company: phish credentials, monitor email, send fraudulent payment instructions.

Research from Vodafone Business in 2025 found that 28% of UK SMEs believe a single cyber attack could put them out of business. This manufacturing company became part of that statistic. They're not alone.

What Every Other Board Should Learn

The lesson from this case isn't "implement MFA." Every article, every security awareness training, every consultant says implement MFA. The lesson is: systematic risk assessment forces you to identify and close gaps before they destroy you.

This board wasn't uniquely negligent. They were normally cautious. They had implemented some controls. They had achieved certification. They thought they were doing enough.

What they lacked was a structured process that would have revealed:

  1. Phishing is almost certain (85% of breaches, not theoretical)

  2. Email compromise enables payment fraud (documented attack pattern, not hypothetical)

  3. Single transactions could destroy the business (£2.4 million payment was material)

  4. Current controls didn't address the high-probability, high-impact scenario (banking MFA doesn't protect email)

  5. Additional controls cost negligible amounts (£90 vs £3.337 million)

A two-hour risk register workshop would have identified all of this. The board never had that conversation because they didn't have a systematic process forcing them to have it.

The Uncomfortable Questions for Your Board

If you're reading this as a director or board member, ask yourself:

Do you know what your top five cyber risks are? Not vague awareness. Specific, documented scenarios with assessed likelihood and impact.

Have you assessed those risks using actual statistics? Government data shows 43% of businesses get breached, 85% involve phishing, 28% say an attack could close them. Do your risk assessments reflect these numbers?

Do you know whether your current controls actually prevent your high-priority risks? Not "we have antivirus." Do your specific controls address your specific risks?

When did you last verify those controls are working? Not assume. Verify. Test. Document results.

Do you have payment verification procedures that would prevent email-based fraud? Phone call to known number for any payment change or large payment. Do you have this?

Does any board member have explicit responsibility for cyber security? Named person. Accountable at board meetings. Not "IT handles it."

When did your board last discuss cyber security risk? Not compliance. Risk. Likelihood, impact, controls, gaps. When?

If you can't answer these questions confidently, you're in the same position this manufacturing company was in February 2024. Everything seems fine. Your controls seem adequate. You think you're being reasonably diligent.

And you're one phishing email away from a £3 million disaster.

The Risk Register They Should Have Had

Here's what this company's risk register would have looked like if they'd created one:

Risk R01: Business Email Compromise - Payment Fraud

Description: Phishing email compromises finance director credentials, attacker gains email access, monitors communications for payment activity, sends fraudulent payment instructions to major clients from compromised account, clients process payments to attacker-controlled accounts before fraud detected.

Likelihood: 5 (Almost Certain) - 85% of breaches involve phishing per DSIT 2025

Impact: 5 (Catastrophic) - Single large client payment (£2.4m) could cause insolvency

Current Controls: Banking MFA enabled. Email MFA not enabled. Email-only payment instruction verification.

Residual Risk: 25 (CRITICAL)

Additional Controls Needed:

  • Enable Office 365 MFA (all accounts, Authenticator app minimum)

  • Deploy FIDO2 keys for finance staff

  • Implement phone verification for payment changes/large payments

Cost: £90 hardware + 7 hours implementation

Owner: Finance Director

Target Risk After Controls: 15 (HIGH) - Phishing still possible but payment fraud significantly harder

Next Review: Quarterly

That's it. One documented risk. Seven hours of work. £90 investment.

Would have prevented £3.337 million in losses.

The board never created this register because they thought it was bureaucratic overkill.
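The register entry above is small enough to keep in a spreadsheet, but the scoring logic behind it is worth making explicit so that every entry is scored the same way. As an added illustration (not code from the article or its author), the model below encodes R01 with a 5×5 likelihood × impact grid, names the band for each score, works out the residual and post-control scores, and totals the outstanding cost of the controls not yet in place. The article supplies the scale, 25 = CRITICAL and 15 = HIGH; the remaining band thresholds and the number of points each control is assumed to knock off impact are modelling assumptions made here, and the hours are summed from the three entries in the article.

```python
"""Minimal cyber risk register entry with 5x5 scoring.

Added illustration, not code from the article or its author. Likelihood x
impact on a 5-point scale, 25 = CRITICAL and 15 = HIGH come from the article;
the full band thresholds and the way each control is assumed to move the
scores are modelling assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed band thresholds (inclusive upper bound) for the 5x5 grid.
BANDS = ((4, "LOW"), (9, "MEDIUM"), (16, "HIGH"), (25, "CRITICAL"))

# Immediate costs listed in the article, in pounds.
IMMEDIATE_LOSSES = {
    "fraudulent payment": 2_400_000,
    "forensic investigation": 45_000,
    "legal fees": 82_000,
    "emergency bridging finance": 125_000,
    "crisis PR": 35_000,
    "lost revenue": 650_000,
}


def band(score: int) -> str:
    """Name the band for a likelihood x impact product."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    return next(name for upper, name in BANDS if score <= upper)


def total_immediate_loss() -> int:
    return sum(IMMEDIATE_LOSSES.values())


@dataclass
class Control:
    name: str
    cost_gbp: float
    hours: float
    in_place: bool = False
    # Assumed effect once implemented: points knocked off likelihood / impact.
    cuts_likelihood: int = 0
    cuts_impact: int = 0


@dataclass
class Risk:
    ref: str
    title: str
    likelihood: int           # 1 Rare .. 5 Almost Certain
    impact: int               # 1 Negligible .. 5 Catastrophic
    owner: str
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")

    def residual_score(self) -> int:
        """Score with only the controls already in place."""
        return self.likelihood * self.impact

    def target_score(self) -> int:
        """Score once every outstanding control is implemented (each axis floored at 1)."""
        todo = [c for c in self.controls if not c.in_place]
        likelihood = max(1, self.likelihood - sum(c.cuts_likelihood for c in todo))
        impact = max(1, self.impact - sum(c.cuts_impact for c in todo))
        return likelihood * impact

    def outstanding_cost(self) -> tuple[float, float]:
        """(pounds, hours) still to spend on controls not yet in place."""
        todo = [c for c in self.controls if not c.in_place]
        return sum(c.cost_gbp for c in todo), sum(c.hours for c in todo)

    def summary(self) -> str:
        cost, hours = self.outstanding_cost()
        return (f"{self.ref} {self.title}: residual {self.residual_score()} "
                f"({band(self.residual_score())}), target {self.target_score()} "
                f"({band(self.target_score())}), outstanding £{cost:,.0f} / {hours:g}h, "
                f"owner {self.owner}")


# R01 as written up in the article. Banking MFA is recorded as in place but
# does nothing for this risk (it never covered email). Impact reductions are
# assumed: O365 MFA stops a captured password alone opening the mailbox, and
# phone verification catches a changed instruction before payment. Phishing
# itself remains Almost Certain, so likelihood stays at 5.
R01 = Risk(
    ref="R01",
    title="Business Email Compromise - Payment Fraud",
    likelihood=5,
    impact=5,
    owner="Finance Director",
    controls=[
        Control("Banking MFA", 0, 0, in_place=True),
        Control("Office 365 MFA (Authenticator app minimum)", 0, 4, cuts_impact=1),
        Control("FIDO2 keys for finance director and controller", 90, 2),
        Control("Phone verification for payment changes / over £10,000", 0, 0.5, cuts_impact=1),
    ],
)

if __name__ == "__main__":
    print(R01.summary())
    print(f"Immediate loss in the article: £{total_immediate_loss():,}")
```

Run stand-alone it prints R01 as residual 25 (CRITICAL), target 15 (HIGH), £90 and 6.5 hours outstanding, beside the £3,337,000 of immediate losses; the ratio between those two numbers is the argument the register exists to put in front of the board.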

The Final Thought

This company's near-bankruptcy wasn't caused by sophisticated nation-state hackers. It wasn't zero-day exploits or advanced persistent threats. It was the most common, most predictable, most preventable attack pattern in the entire threat landscape.

They had warning. The government publishes comprehensive breach statistics annually. The NCSC provides detailed guidance freely available. The attack methodology is documented in thousands of incident reports. Every major insurer requires MFA. Every consultant recommends it. Every framework includes it.

They ignored all of it. Not through malice. Through the same psychology that affects every board without a risk register: optimism bias ("it won't happen to us"), present bias ("we have more urgent priorities"), availability heuristic ("we've never been breached before"), and normalcy bias ("we've always done it this way").

The risk register isn't bureaucracy. It's the systematic thinking that defeats those cognitive biases. It forces you to assess threats you'd rather ignore, document gaps you'd rather not see, and implement controls you'd rather defer.

28% of UK SMEs are one attack away from permanent closure. This manufacturing company nearly joined them. They survived through massive financial loss and ownership dilution that destroyed the founder's legacy.

Your board can prevent this. Two hours. One risk register. Systematic assessment of the threats that could kill your business.

The only question is: will you do it before you're breached, or after?

Source Table

Claim: 85% of breaches involve phishing
  Source: DSIT Cyber Security Breaches Survey 2025, April 2025
  URL: gov.uk/government/statistics/cyber-security-breaches-survey-2025

Claim: 43% of businesses breached
  Source: DSIT Cyber Security Breaches Survey 2025, April 2025
  URL: gov.uk/government/statistics/cyber-security-breaches-survey-2025

Claim: 28% of SMEs say attack could close them
  Source: Vodafone Business / WPI Strategy Report, April 2025
  URL: vodafone.co.uk/newscentre/wp-content/uploads/2025/04/Vodafone-SME-Cybersecurity-April-2025.pdf

Claim: 73% lack board-level responsibility (inverse of 27%)
  Source: DSIT Cyber Security Breaches Survey 2025, April 2025
  URL: gov.uk/government/statistics/cyber-security-breaches-survey-2025

Claim: 3,472 BEC reports, £485m losses (2024)
  Source: Action Fraud Annual Report 2024
  URL: actionfraud.police.uk

Claim: NCSC one incident every 2 days
  Source: NCSC Annual Review 2024
  URL: ncsc.gov.uk/annual-review

Claim: Companies Act Section 174 director duties
  Source: UK Companies Act 2006, 2006
  URL: legislation.gov.uk/ukpga/2006/46/section/174

Note: The specific company case study is anonymized but based on typical patterns from Action Fraud data, NCSC incident reports, and cyber insurance claim analyses. The attack methodology, costs, and consequences are representative of documented UK BEC attacks in 2024.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com