Why boards should be obsessed with their most ‘boring’ systems

Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks that enterprise resource planning (ERP) systems pose. The Jaguar Land Rover (JLR) incident in Sept. 2025 illustrates the severe consequences of such attacks. The cyberattack forced JLR to halt production for six weeks, making it the costliest cyberattack in Britain’s history. The company’s revenue declined 24 percent that quarter, accounting for a potential drop in earnings of more than $1.2 billion, and the company subsequently reported a 43.3% drop in wholesale sales volume the following quarter.

For decades, organizations have treated ERP systems like SAP as back-office workhorses. However, the JLR incident, carried out by the cybercrime group ShinyHunters, has thrust ERP systems into the spotlight. That shift in attention is critical: today, 90% of the Fortune 500 use SAP, making these systems “crown jewel” assets that require the highest level of protection.

The threat is escalating. A recent Google Cloud Security report forecasts that ransomware operations specifically designed to target critical enterprise applications such as ERP systems will emerge in 2026, forcing organizations to make quick ransom payments and sacrifice business resilience. 

In our roles as board members, advisers, and cybersecurity CEOs, we’re witnessing a fundamental shift in how organizations approach ERP security: the conversation has moved from compliance to survival. Organizations are grappling with critical questions: Who owns the risk? What is our recovery time? Can we patch critical ERP vulnerabilities within 72 hours? Do we have visibility inside the application?

ERP risks are an existential threat

To understand the severity of ERP security risks, the C-suite must first recognize how critical these systems are. ERP systems are the operating system of modern businesses: they process invoices, manage supply chains, record revenue, pay employees, ship products, and more. The scale is staggering: SAP’s customers alone are responsible for 84% of the world’s commerce. Given this ubiquity, if your organization’s leadership can’t confirm whether you’re using SAP, you almost certainly are.

In 2025, more than 500 companies fell victim to the SAP NetWeaver zero-day vulnerability. This attack underscores what many security practitioners have warned: ERP application security has evolved from a ‘nice to have’ to a business-critical necessity.

When Stoli Group’s US subsidiaries filed for bankruptcy in 2024 following a ransomware attack on its ERP system, it demonstrated a stark reality: losing these systems can lead to a company shutting its doors. When an organization’s central nervous system goes offline, the entire business stops functioning.

Unfortunately, the adversaries understand this inherent leverage better than we do. According to Onapsis research, SAP vulnerabilities grew by 39 percent in 2025. The cybercriminal marketplace price for SAP exploits has grown 400% (to more than $250,000) since 2020, which reflects the immense ROI of holding a Fortune 500 company’s operational capacity hostage.

The timeline for defense has become critically compressed. In 2025, threat actors are exploiting SAP security vulnerabilities within 72 hours of patch releases. Unprotected ERP systems deployed in the cloud are discovered and compromised in less than 3 hours. Meanwhile, the average enterprise patch cycle takes weeks or even months due to the rigorous testing required for complex, customized ERP environments. This mismatch creates a dangerous window of vulnerability.

The regulatory compliance vise

Boards face mounting pressure from an increasingly stringent global regulatory environment focused on securing critical data and infrastructure. ERP systems house multiple types of highly regulated data simultaneously—including financial records, personal employee information, customer data, and supply chain details—making them a focal point for regulatory scrutiny.

For public companies in the United States, Sarbanes-Oxley (SOX) requires attestation of financial reporting. The security of ERP systems is a SOX control issue because a breach could compromise the effectiveness of the controls and financial records those systems provide.

In the European Union (EU), GDPR regulations penalize companies that fail to protect personally identifiable information (PII). ERP systems house the vast majority of employee and customer data.

SEC disclosure rules in the United States and two EU regulations, NIS2 and DORA, have introduced personal liability for board members and executives who fail to oversee their cybersecurity risks. A director can no longer say, “I didn’t understand the technical details.” Ignorance is now a legal liability.

A boardroom playbook for ERP resilience

As board members and advisers to multiple companies and audit committees, we have three key expectations for how organizations should approach ERP security.

First, boards need risk presented in dollar terms. Instead of asking for money to “patch technical vulnerabilities,” CISOs should tell the board exactly how much revenue is at risk. When requesting budget to secure SAP, frame it as an investment to protect specific revenue streams. This helps boards understand what they stand to lose, not just what they need to spend.

Second, stop treating security and productivity as opposing forces. Yes, patching systems might cause a brief disruption. But that minor inconvenience is nothing compared to the catastrophic impact of a total system lockout like the one ShinyHunters executed against JLR. CISOs should partner with CIOs to deploy automated monitoring tools that can detect potential exploits and prioritize patches for the most critical ERP vulnerabilities.

Third, someone must own responsibility for protecting these “crown jewel” systems. Too often, there’s a gray area between the CISO (who sets security policy), the CIO (who manages the technology infrastructure), and the ERP vendor. Boards must demand a clear shared responsibility model that defines who is accountable for what. It’s important to note that ERP vendors are not responsible for securing the application and data once deployed—which makes clear internal ownership even more critical.

Board members should be demanding answers to these questions: Do we have visibility into our ERP risk? Would we have visibility into an active attack?

We must assume a breach will happen. The only way to validate resilience is to test it. Boards should mandate tabletop exercises specifically designed around an ERP ransomware scenario, asking further questions like: “How do we communicate with suppliers?” “How do we build and ship our products?” “How do we make payroll?” and “How do we restore from immutable backups if the primary data is compromised?” Organizations must test their resilience before a crisis strikes, not during one.

A license to operate

The Jaguar Land Rover compromise was a watershed moment because it stripped away the illusion that our core systems are safe behind firewalls. Attackers have shifted their focus to critical business systems. They’ve professionalized their operations and dramatically increased the speed of their attacks.

For the C-suite and boards, the era of plausible deniability is over. Security is no longer just an IT expense; it’s what keeps your doors open. If you cannot protect the integrity of your financial data and the continuity of your supply chain, you do not have a viable business.

Just as boards have visibility into risk, CISOs should have visibility into all ERP instances. Organizations require four critical capabilities: discovery (identifying all ERP systems), assessment (finding vulnerabilities such as missing patches, weak configurations, and insecure custom code), real-time monitoring (detecting suspicious activity that may indicate an attack), and incident response (being able to quickly investigate and contain an ERP incident).
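The assessment and prioritization capabilities described here, together with the earlier points about presenting risk in dollar terms and prioritizing patches within the 72-hour exploitation window, can be made concrete in a short report. The following Python script is an added example written for this article, not code from the authors or from any ERP vendor; the inventory, the instance names, the hourly revenue figures, and the modelled outage durations are all constructed values, and the two time windows (72 hours for a missing patch, 3 hours for an internet-facing system) are the figures the article itself cites. The script ranks unpatched ERP instances by whether their window has already elapsed and by the revenue a lockout would put at risk, which is the form of answer a board can act on.

```python
"""Added example: turn an ERP inventory into a board-level patch-exposure report.

The field names, instance names and dollar figures below are constructed for
illustration. The two time windows are the ones cited in the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Exploitation of SAP flaws observed within 72 hours of a patch release, and
# internet-exposed cloud ERP systems compromised in under 3 hours (article figures).
PATCH_WINDOW = timedelta(hours=72)
INTERNET_EXPOSED_WINDOW = timedelta(hours=3)


@dataclass(frozen=True)
class ErpInstance:
    """One ERP system as the discovery step would record it (field names are ours)."""
    system_id: str
    business_process: str               # e.g. "order-to-cash"
    hourly_revenue_usd: float           # revenue the process books per hour when healthy
    internet_facing: bool
    outage_hours_if_locked_out: float   # modelled recovery time if this system is lost
    missing_patch_released: Optional[datetime]  # None when no critical patch is outstanding


@dataclass(frozen=True)
class Finding:
    system_id: str
    hours_unpatched: float
    window_hours: float
    window_breached: bool
    revenue_at_risk_usd: float


def assess(inventory: list[ErpInstance], now: datetime) -> list[Finding]:
    """Score every instance with an outstanding patch; breached windows sort first,
    then by the revenue a lockout would put at risk."""
    findings = []
    for inst in inventory:
        if inst.missing_patch_released is None:
            continue  # fully patched: nothing to report to the board
        exposed = now - inst.missing_patch_released
        window = INTERNET_EXPOSED_WINDOW if inst.internet_facing else PATCH_WINDOW
        findings.append(Finding(
            system_id=inst.system_id,
            hours_unpatched=round(exposed.total_seconds() / 3600, 1),
            window_hours=window.total_seconds() / 3600,
            window_breached=exposed > window,
            revenue_at_risk_usd=inst.hourly_revenue_usd * inst.outage_hours_if_locked_out,
        ))
    findings.sort(key=lambda f: (not f.window_breached, -f.revenue_at_risk_usd))
    return findings


def board_summary(findings: list[Finding]) -> dict:
    """The three numbers a board asks for: how many systems are outside the window,
    how much revenue that exposes, and which system to fix first."""
    breached = [f for f in findings if f.window_breached]
    return {
        "systems_outside_patch_window": len(breached),
        "revenue_at_risk_usd": sum(f.revenue_at_risk_usd for f in breached),
        "top_priority": breached[0].system_id if breached else None,
    }


# Constructed sample inventory and a fixed "now" so the report is reproducible.
NOW = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
CONSTRUCTED_INVENTORY = [
    ErpInstance("SAP-PRD-01", "order-to-cash", 450_000.0, False, 144.0, NOW - timedelta(days=5)),
    ErpInstance("SAP-FIORI-EDGE", "customer-portal", 60_000.0, True, 24.0, NOW - timedelta(hours=2)),
    ErpInstance("SAP-HR-01", "payroll", 20_000.0, False, 48.0, NOW - timedelta(hours=30)),
    ErpInstance("SAP-SCM-02", "supply-chain", 300_000.0, True, 96.0, NOW - timedelta(hours=10)),
    ErpInstance("SAP-DEV-03", "development", 0.0, False, 8.0, None),
]

if __name__ == "__main__":
    report = assess(CONSTRUCTED_INVENTORY, NOW)
    for f in report:
        flag = "BREACHED" if f.window_breached else "within window"
        print(f"{f.system_id:15} {f.hours_unpatched:6.1f}h unpatched "
              f"(window {f.window_hours:.0f}h, {flag}) "
              f"revenue at risk ${f.revenue_at_risk_usd:,.0f}")
    print(board_summary(report))
```

Running the script lists the two systems whose window has already elapsed first, with the order-to-cash production system at the top because a six-day lockout of it puts far more revenue at risk than any other instance, and the summary line gives the board the count, the dollar exposure and the first system to fix.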

The decisions made in the boardroom today will affect the outcomes tomorrow. The next JLR-like event is most likely already unfolding. The only variable is whether your organization will be the next cautionary tale or the defender that held the line.