Cybersecurity 2025

UK Trends and Developments Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

Practical considerations

Cyber-attacks pose a serious and growing threat to businesses and institutions in Western countries, requiring more than just compliance measures to protect their assets, data and reputation. Cybersecurity must become a core operational function, with strong leadership and support from the board and senior leaders. Businesses should assess and address any gaps or weaknesses in their cybersecurity practices, seek accreditation from recognised cybersecurity frameworks where appropriate, and enforce cybersecurity minimum standards across their supply chains. It is critical that employees are provided with adequate cybersecurity training to protect against a successful cyber-attack and to reduce the likelihood of a cybersecurity incident caused by human error or action. Businesses should also monitor the development of new laws and guidance, as well as proactively implement best practice standards as recommended by the NCSC.

That said, the ICO is clearly willing to issue fines to organisations that experience a cyber-incident as a result of failing to implement appropriate technical and organisational measures as required under the GDPR, with more than GBP19 million in fines having already been issued in this regard and a GBP6 million provisional fine announced in August 2024. Similarly, the ICO has recently issued reprimands in relation to a variety of cyber-incidents, including a brute-force attack resulting from a known software vulnerability, as well as multiple instances of ransomware attacks, malware attacks, and unauthorised access incidents resulting from non-compliance with GDPR security requirements. It is important to note that, according to the ICO’s data protection fining guidance (updated in March 2024), pro-active notification to the NCSC – alongside the usual notification requirements to the ICO – can be considered a mitigating factor by the ICO when deciding whether to issue a fine. Taking this in the round, it appears that the ICO’s preferred intervention is through the provision of advice and guidance to organisations. Its formal powers seem to be reserved for the most serious failings that lead to a cyber-incident.
