
Escalating UK cyber-attacks and a shifting legislative landscape: what organisations need to know

Insight


"It's time to act". That's the message from GCHQ's National Cyber Security Centre (NCSC) in its latest annual review published in October 2025. [1] The report paints a stark picture: cyber threats facing the UK, whether through espionage, ransomware, or disruptive processes, are escalating at an alarming pace.

The NCSC dealt with a record 204 'nationally significant' cyber-attacks over the past year, up from 89 the year before, an average of four every week. A substantial portion of these incidents were linked to sophisticated criminal gangs or nation state actors.

Recent high-profile attacks on Marks & Spencer, the Co-op Group and Jaguar Land Rover illustrate the ubiquity and impact of these attacks. The ransomware attack on Marks & Spencer is estimated to have cost upwards of £300 million, data on 6.5 million Co-op members was stolen by the DragonForce ransomware group, and the Jaguar Land Rover hack is estimated to have cost the UK economy £1.9 billion. With empty shelves and stalled production lines, the societal impact was tangible.

What does this mean for organisations?

The three headline attacks above might indicate that this is only a problem for very large companies. However, cyber incidents threaten all types of organisations from family businesses to educational institutions and not-for-profits.

Many cyber incidents now also involve outsourced suppliers that underpin a very wide range of organisations. Recent supply chain attacks include those on Zellis (Human Resources data) and Capita (pension schemes), for which Capita has just been fined £14 million by the Information Commissioner. When those suppliers are attacked, hundreds of other companies that rely on them can be affected.

The main takeaway from the report is that cyber security must be a priority for senior personnel. Because cyber incidents can cause significant financial loss, damage to reputation and widescale service disruption, CEOs and other leaders must take responsibility for it.

Organisations should:

  • Understand their exposure and build defences. At a basic level this can include implementing multi-factor authentication and enforcing mandatory cyber awareness training. Organisations can also register for NCSC's free Early Warning [2] service (designed to inform organisations of potential attacks on their network), and their Cyber Action Toolkit [3], which provides tailored step-by-step guidance to help businesses put foundations in place to prevent common threats.
  • Develop and test both continuity and recovery plans. Organisations must have a plan for how they would continue to operate without their IT, and for how they would rapidly restore their IT, if an attack were to take place. Especially now that AI is enhancing and scaling existing threats, cyber security is no longer an awareness issue: it is a core component of operational and regulatory compliance.
  • Ensure that suppliers and third parties meet equivalent standards, so that the supply chain is as secure as the organisation itself. The Government is calling on large organisations to address supply chain risk by adopting the Cyber Essentials Scheme [4] across their supply chains. The scheme offers a recognised baseline of cyber hygiene and, for eligible organisations, free cyber insurance coverage. Organisations certified under the scheme are 92% less likely to make an insurance claim following a cyber incident.

A legal turning point: proposed legislation

In response to the accelerating threat, the UK Government outlined a three-stage legislative strategy in July 2025 following their 12-week consultation. [5] These proposals deal explicitly with ransomware – now regarded as one of the most serious organised crime threats facing the UK.

Currently, paying a ransom is not expressly prohibited under the laws of England and Wales, but payments are constrained by anti-money laundering, sanctions and terrorism financing rules. The proposals aim to curb ransomware payments and introduce mandatory reporting across both the public and private sectors, mirroring developments in Australia and the US.

1. Targeted ban on ransomware payments

A ban would apply to public sector bodies and operators of critical national infrastructure, which are particularly at risk from ransomware given the sensitivity of the data they hold, the importance of their operations and the scale of possible disruption. The aim is to reduce the profitability of ransomware attacks and align public organisations with best practice.

2. Payment prevention regime

Before any ransom payment is made, organisations would be required to notify UK authorities, allowing for assessment of potential sanctions or terrorism-financing risks. This is intended to enhance intelligence sharing to disrupt criminal funding streams and prevent inadvertent sanctions breaches.

3. Mandatory incident reporting

All UK organisations would face statutory reporting obligations, with an initial report due within 72 hours and a full report within 28 days. The goal: strengthening national threat intelligence and enabling faster, more coordinated law enforcement responses.

Regarding next steps, the Government is currently reviewing consultation responses and intends to refine the proposals in collaboration with industry stakeholders. They form part of a wider legislative shift alongside the forthcoming Cyber Security and Resilience Bill, expected to be introduced to Parliament later this year. [6] That Bill will expand the remit of regulation to protect more digital services and supply chains, and will similarly mandate increased incident reporting.

How can Farrer & Co help?

Our technology and data protection cross-sector team advises organisations on:

  • Cyber risk management and governance
  • Data breach response and regulatory compliance
  • Reputational damage and crisis management
  • Contractual risk mitigation

If your business handles customer data or relies on digital systems, now is the time to act. Contact Ian De Freitas, Thomas Rudkin, Owen O'Rorke or Alan Baker if you need any support.

Footnotes:

[1] NCSC Annual Review 2025 - NCSC.GOV.UK

[2] NCSC Early Warning - NCSC.GOV.UK

[3] Cyber Action Toolkit

[4] Cyber Essentials - NCSC.GOV.UK

[5] Government response to ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting (accessible) - GOV.UK

[6] Cyber security and resilience policy statement - GOV.UK

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, October 2025


About the authors


Ian De Freitas

Partner

Ian has nearly 35 years' experience as a commercial litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. Ian’s sector experience includes retail, hotels and leisure, financial services, technology, betting and gaming, sport, media and publishing, education and private wealth.


Email Ian +44 (0)20 3375 7471

Constance Gillespie

Associate

Constance has a broad litigation practice with a particular focus on commercial disputes and media and information law.


Email Constance +44 (0)20 33757147