Cybersecurity 2025

UK Trends and Developments

Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

Cyber-Resilience in the UK: An Overview

Cyber-resilience is a sector-agnostic issue that is continuing to grow in importance; a cybersecurity breach can have a significant financial impact on an organisation and cause untold damage to brand and reputation. As the world grows ever more dependent on technology such as AI, cybersecurity awareness and good cyber-hygiene become increasingly fundamental to the UK’s overall resilience. Consequently, cybersecurity has been a UK government priority.

Despite a change in government in 2024, the pace of cybersecurity reform remained consistent – with the passing and proposing of a number of new laws, as well as the publication of several consultations on draft guidance. Supply chain cybersecurity resilience was a key theme and is expected to continue in 2025, likely influenced by the plethora of new EU cybersecurity laws (such as the Network and Information Security Directive 2 (“NIS2”)). Consequently, it is expected that cybersecurity legislation will remain a focus for the UK government in 2025 as the reform progresses and takes effect.

Cybersecurity threats and developments

The UK government’s Cyber Security Breaches Survey (the “Survey”), published in April 2024, exposed a disconcerting cybersecurity landscape for UK businesses. Approximately 7.78 million cybercrimes were committed against UK businesses in the 12 months prior to the Survey’s publication, with half of UK businesses reporting having experienced a cyber-attack or security breach. Phishing attacks emerged as the most common (affecting 84% of businesses), whereas ransomware and denial of service attacks were the least common (affecting 2% or fewer). Nonetheless, the UK’s National Cyber Security Centre (NCSC) warned that ransomware posed the most significant threat to UK critical national infrastructure (CNI).

UK businesses and institutions also faced cyberthreats from hostile state actors – including from Russia, China, Iran, and North Korea. These countries exploited the increasingly tense geopolitical situation arising from the conflicts in Ukraine and the Middle East. The NCSC’s Annual Review 2024 (the “Review”) stated that China presents the most sophisticated cyberthreat to the UK, while Russia encourages non-State malicious actors to launch cyber-attacks against Western countries, alongside its own state-backed cybercampaign.

Ransomware attacks are evolving and – instead of encrypting the stolen data and demanding payment for its decryption – malicious actors are now threatening to publish sensitive personal data online, causing financial and reputational harm to victims. This was the case in the June 2024 ransomware attack on a pathological laboratory service provider to the NHS, which disrupted NHS services and leaked data online. Global ransomware payments totalled USD1 billion in 2023, according to the Review. In May 2024, the NCSC, UK Information Commissioner’s Office (ICO) and insurance industry bodies issued a joint guidance, “Guidance for Organisations Considering Payment in Ransomware Incidents”, discouraging organisations from making ransom payments.

Technological developments, particularly in AI and quantum computing, also pose a challenge to the UK’s cyber-resilience. The Review identified cyber-intrusion as a growing threat in the next five years, facilitated by poor regulation in certain jurisdictions and by AI technological advances that increase the effectiveness of social engineering, vulnerability identification,

338 CHAMBERS.COM