New legislation to protect organisations against cyber attacks
In recent weeks we have read about several high-profile cyber security incidents targeting the retail sector, and seen big, trusted high street names including Marks & Spencer, Co-op and Harrods become victims of attacks. Those cyber-attacks had immediate and longer-lasting impacts: M&S sent several emails to customers alerting them that some personal data had been taken and keeping them informed of the progress being made, suspended online orders, and for a few days restricted in-store payment methods. Both M&S and Co-op ran out of stock in their physical stores. As well as dedicating time and resources to working through the attack, and understanding how systems might have been infiltrated and how they could be secured, M&S experienced a loss of sales with each day that passed, and potential reputational harm as the cyber-attack dominated headlines.
It is not just the private sector that has fallen victim to cyber criminals; there have been several sophisticated attacks on the NHS. It has also been reported that the Legal Aid Agency suffered a cyber-attack. The LAA and Ministry of Justice confirmed that information taken may include contact details and addresses of applicants, dates of birth, national ID numbers, criminal history, employment status and financial data.
Understandably, for both the organisations targeted and the individuals whose personal data might have been accessed, a cyber-attack is deeply worrying.
The Cyber Security and Resilience Bill
On 1st April 2025, the Parliamentary Under-Secretary of State for Science, Innovation and Technology, Feryal Clark MP, announced legislative measures designed to bolster the UK’s cyber security and resilience. According to figures quoted by the Minister, UK businesses lost around £87 billion to cyber-attacks between 2015 and 2019.
The current legislation is the Network and Information Systems (NIS) Regulations 2018, the UK’s only cross-sector cyber security legislation. The NIS Regulations place security obligations on operators, but their scope is limited to certain sectors, including transport, energy, drinking water, health and digital infrastructure (such as search engines and digital marketplaces).
At present we have only the Policy Statement, which sets out legislative proposals to tackle cyber threats to the UK. The Cyber Security and Resilience Bill will bring more entities into the regulatory framework, such as supply chains and more digital services, which will, according to the government, “fill an immediate gap.”
The Bill will give regulators the power to investigate potential vulnerabilities and will increase incident reporting, so that the government has more data on cyber incidents. For example, when a company is the victim of a ransom attack, that will need to be reported.
The government appears determined to introduce the legislation this year, which may indicate how seriously cyber security is being taken in Whitehall. The proposals seek to close the gap between the cyber-attacks and threats the UK faces and its ability to defend against them. The proposed Bill is thought to be a real opportunity to tackle cyber threats to the UK’s critical sectors.