Assured Reacts 12.11.2025

UK’s Cyber Security and Resilience Bill Enters Parliament

The Cyber Security and Resilience Bill aims to strengthen national defences against cyber threats

IT firms serving key UK sectors, including the NHS and energy, water and transport networks, will face stricter cybersecurity rules under a new government bill, introduced to UK Parliament today.

The Cyber Security and Resilience Bill aims to strengthen national defences against cyber threats targeting essential services.

Ministers say the measures will help keep water flowing, lights on and transport running, amid a huge rise in cyber attacks on critical infrastructure.

The move follows a warning from the National Cyber Security Centre that hostile activity from China and Russia has driven a record surge in serious online incidents.

The Government press release announcing the Bill entering Parliament references new independent research showing the average cost of a significant cyber attack in the UK is now over £190,000, stating that this amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP.

What’s Assured’s take?

While it’s good to see cyber back on the government’s agenda, this Bill falls short. Recent events suggest the UK’s critical services are still exposed, and the evidence underpinning today’s announcement is seemingly weak. Following the data used by the contracted consultancies, much of the so-called ‘new research’ is outdated and based on US data, going back to 2012 in some cases. In a world where threats evolve by the hour, and where there has been an enormous surge in both ransomware and cyber insurance claims in just the past four months, we can’t rely on building resilience based on old numbers, let alone from another continent.

The Bill edges us closer to Europe’s NIS2 framework, but entire sectors – such as local authorities, waste management and food production – would benefit from being in scope, which is an unfortunate omission. Cyber criminals don’t care what’s in scope and what’s not, and neither should government when it comes to a secure economy across the supply chain. If in-scope companies treat this Bill as a compliance tick-box, this will not provide resilience. Organisations must move beyond this to real risk management, due diligence, and credible cyber insurance cover, to reduce the UK’s vulnerability.

Over the last four months, there has been an enormous surge in both ransomware and cyber insurance claims, which have substantially altered the risk landscape.

Attack vectors and the impact that cyber attacks are having on businesses in 2025 are vastly different to those in 2022. It’s no longer just about data extortion, it’s about disrupting operational technology and continuity, as well as causing disruption and damage to the supply chain.

Within our own customer portfolio, we have a large number of businesses with turnovers exceeding £1 billion. In one example, a company lost £5-6m in sales as a knock-on result of a recent well-publicised cyber attack.

The £190k figure referenced only really represents a typical SME loss. It is not indicative of the much greater losses we’re seeing.
