The 2025 UK cyber bloodbath, which saw JLR down for five weeks, M&S nursing a £300m hole, and Co-op, Harrods and others hit, happened after the government had already spent four years consulting on cyber legislation.
And when the Cyber Security and Resilience Bill finally slouched into the House of Commons on 12 November, the reaction from the cyber sector seemed to resemble a collective shrug.
Speaking at the Commons’ Parliament and Cyber Conference on Monday, Emma Philpott, chief executive of IASME, said: “All the breaches that we have seen recently wouldn’t have been impacted by this legislation. We need more stuff”.
Indeed, none of the attacks that cost British PLC billions this year would have been stopped, slowed, or even adequately reported under the new rules.
The Bill widens the circle of those regulated (including data centres and managed service providers), tightens incident reporting to 24 hours, and allows the public sector to designate what it calls ‘critical suppliers’.
These measures are helpful but fundamentally reactive, and would not have been enough to prevent the onslaught of attacks on the retail sector seen in the last twelve months.
Chris Francis, director of government relations at SAP, admitted: “The Bill rather misses the areas where we see government intervention most critical”.
The recent attacks, whether on JLR or M&S, came through third-party suppliers, legacy systems and a generally catastrophic failure of basic hygiene – none of which this Bill seems to seriously touch.
No such thing as ‘secure’
Yet as Jen Ellis, founder of NextJenSecurity, argued: “There are no silver bullets”.
Ellis stressed that the new legislation can’t be viewed in isolation as a standalone quick fix.
“If we take a step back and think, there are some positives. The UK government is increasingly engaged, which is very rare.”
“It’s also important to remember that what we’re talking about is really, really complex – and all the odds are against us”, she added.
She gave the Bill a vote of confidence, describing it as a step forward.
The reality, she told attendees, is that “there is no such thing as secure. And there is no such thing as bulletproof” when it comes to cyber safety.
Cyber hits the City
London-listed firms have just taken over £3bn of direct hits in the last twelve months alone.
Investors don’t need another consultation document; they need guardrails in place to stop the attacks from costing them money in the first place.
Share prices have tanked as a result, dividends have been slashed, and the FTSE 100’s collective cyber insurance bill is now larger than the defence research and development (R&D) budget.
Yet the Bill still treats cybersecurity as a niche compliance exercise rather than the systemic risk it has become. It expands the 2018 Network and Information Systems (NIS) regime instead of replacing it with something fit for 2025, and leaves the 5.5m SMEs that make up 99 per cent of the economy largely untouched.
It also still relies on regulators, who, as one audience member at Monday’s event pointed out, “will come in, tick boxes, walk out, and fine nobody”.
But what has moved the needle this year is market pressure. As Philpott added: “As soon as their customer says, ‘We’re not going to be your customer anymore unless you put multi-factor authentication on your account’, they do”.