The UK's Senior Managers Regime seeks to formalise responsibility for risk, yet the threat of cyber attack sits outside of traditional risk governance standards, and means that protecting against such attacks will require a rethink of the traditional 'three lines of defence' model.