Cyber-hacks are eroding our economy – tech firms and boardrooms must bolster their defences
A cyber-attack disrupting West London councils’ services is stifling the housing market for the capital’s most expensive properties.
While public sympathy for millionaires in Kensington and Chelsea will be muted, lost stamp duty worsens government finances. Digital insecurity is a rapidly escalating economic problem.
‘Highly significant’ cyber incidents jumped 50 per cent last year, according to the National Cyber Security Centre, and breaches affecting Jaguar Land Rover, Co-op, M&S and others made national headlines and curbed GDP growth. Meanwhile, cyberfraud runs rampant, leading to cancelled hospital appointments and small businesses going under.
Cyber-risk is rarely like a tsunami – sudden and catastrophic – instead it is more like coastal erosion, wearing away the digital foundations of our economy. Each incident undermines our public services, weakens economic growth and damages trust in the security of technology.
Ransomware attacks against businesses frustrate growth; fraud undermines trust; and state adversaries can more easily put our critical national infrastructure at risk. Yet our national approach reflects an assumption that private markets can manage cyber-risks themselves.
They cannot. Responsibility for cybersecurity is unfairly distributed, and individual citizens too often bear the cost. A more interventionist approach is necessary.
The Cyber Security and Resilience Bill (CSRB) is welcome – largely mirroring changes made by the EU – for example, by increasing incident reporting and empowering regulators. If implemented well, the CSRB will enhance the security of UK critical national infrastructure without imposing excessive cost.
Yet the government’s own impact assessment for the bill suggests that only about 2,000 organisations will initially be covered by its scope. This means that while the bill is important for keeping the lights on and drinking water flowing, there is still an open question about government plans to improve cyber-resilience on an economy-wide scale. None of the prominent victims of cyber-attacks in 2025 – M&S, the Co-op or JLR – are in the scope of the CSRB as currently designed.
The upcoming National Cyber Action Plan, likely to be published in April, is an opportunity to set a new direction. The government should focus on a small number of priorities that improve resilience at scale. This should include tackling a technology market that does not bake security into its products. Technology vendors often avoid responsibility for poor security or faulty updates, meaning users bear the costs. Creating liability for technology vendors changes that calculus and shifts incentives.
Once considered radical, software liability has gone mainstream. In November 2025, a report by the Business and Trade Committee backed its introduction and the EU is moving to extend no-fault liability to software and connected devices.
The National Cyber Action Plan should aim to shift boardroom thinking on cybersecurity. Corporate governance still treats it as a cost centre or compliance issue rather than a strategic business risk. Making cybersecurity a risk the C-suite must actively manage would force earlier investment and embed it alongside financial, legal and safety risks.
The current government is likely to be instinctively wary of these kinds of interventions. Ministers may be unwilling to legislate or impose cybersecurity costs on business if it’s seen as in conflict with the government’s growth agenda. However, if the attacks of the last 12 months have shown us anything, it’s that growth without cyber-resilience will be built on shaky ground.
There is also a progressive case for breaking with the status quo. To fulfil its manifesto promise that “markets must be shaped, not merely served”, the Labour government could start by shifting the cost of insecure technology from UK citizens, essential services, and small businesses, towards large technology vendors and corporations.
Joseph Jarnecki and Jamie MacColl are fellows at the Royal United Services Institute (Rusi)