We asked a room full of GCs at Juro’s Scaleup GC two simple questions. Firstly, who’s experienced a cyber breach? This was met with a roomful of hands going up. And secondly, who feels confident they have a plan in place if they were breached tomorrow? This time, one, maybe two hands rose.
That gap between awareness and preparedness is the reason we hosted a panel bringing together three perspectives you’d want in the room when things go wrong: an in-house GC at an AI company, a leading external cyber counsel, and one of the UK’s most experienced cyber underwriters. Here’s what you need to know.
The threat has changed
Cyber is the number one risk facing technology businesses today. The average UK data breach now costs £3.6m, a loss many businesses never recover from. AI is accelerating this threat, not just by enabling smarter attacks but also by making the consequences more severe: stolen data can now be mined and exploited far more effectively than before, and because of this regulators are already factoring AI into their sanctions decisions.
But it's not all headline-grabbing ransomware. From an underwriting perspective, the majority of claims hitting scale-ups are attritional, covering business email compromises and fund transfer fraud. These are relatively low value, but constant and stressful to deal with. We see the catastrophic incidents get loads of attention, but it's the steady stream of smaller incidents that wears teams down.
Preparation beats perfection
The strongest advice from the panel was simple. From an in-house perspective, the single most important thing a GC can do is build relationships with their technical team before an incident happens. Take your technical lead for coffee and understand what they do, what they’re seeing, and how they’d respond. That relationship’s everything when the clock starts ticking.
From a claims perspective, the practical equivalent is a “Break Glass” document. This is where you map your key contacts (outside counsel, lead investors, your cyber insurer’s claims team, etc.) so you know what happens in the first 24 hours of a breach. The responsibility sits with the GC, and if no one else is doing it, you definitely need to.
From an external counsel standpoint, the message was the simplest and most important: practice! Run a drill; it’s only a matter of when it happens, not if. No one should face a crisis alone and unprepared.
The board is watching
From our work auditing portfolios across 30+ VC funds, we know that 34% of portfolio companies lack cyber insurance entirely. Investors are now waking up to this, and they’re increasingly expecting GCs to own the conversation.
The framing that works with boards is highlighting the existential risk. For a scale-up, a major breach isn’t only a technology problem; it’s potentially company-ending. Risk registers with clear severity and probability ratings help, but ultimately it’s about having the conversation early, making sure any obligations you take on are proportionate to your actual risk profile, and educating your board about what you’re trying to cover.
You don’t need all the answers, but you do need a plan, the right relationships and the confidence to own the room when it matters most.
If you want to review your cyber insurance or check your own readiness, get in touch!
Panel hosted by Capsule Insurance at Scaleup GC 2026. Panellists: Imogen Armstrong (CLO, Stelia), Tom Draper (MD, Coalition), Laura Brodahl (Of Counsel, Wilson Sonsini).