Mon, 1 September 2025

The cyber security bill must go further to truly protect the UK economy


We can no longer ignore the major gap in our cyber protections.

In the Spring, M&S was hit by a major ransomware attack.

Historically, it has been easy to cast incidents like this as isolated disruptions. But when the M&S breach was followed by a spate of similar attacks on other major retailers, including the Co-op and Harrods, it became clear we were witnessing more than just bad luck. As Cabinet Minister Pat McFadden remarked, the incidents served as a "wake-up call" to the evolving scale of cyber threats.

To cyber and risk professionals, this surge in high-profile breaches confirmed a long-standing concern: swathes of our economy remain under-protected from digital risks.

This vulnerability is only deepened by a persistent skills gap in the UK’s cyber-workforce, with many organisations struggling to recruit, train, and retain professionals with the expertise to defend against fast-moving digital threats.

The UK’s cyber regulatory model was built for an earlier era, focusing, understandably, on ‘Critical National Infrastructure’ (CNI): power, water, defence, transport, and so on. A decade ago, this was logical, but today’s reality is different. Every major organisation now runs on digital infrastructure, handles huge volumes of sensitive data and operates sprawling IT systems. Many, particularly in retail, also still rely on ageing technology, which makes them especially vulnerable.

To its credit, the government plans to curb ransomware payments and introduce a Cyber Security and Resilience Bill, which will rightly extend the regulatory umbrella to include digital services providers, like cloud platforms and data centres.

Nonetheless, many major private sector employers will remain outside meaningful cyber regulation. This is a gap we can no longer ignore. The UK Corporate Governance Code acts as the next line of defence for major publicly listed companies – those with significant public interest and economic footprint, like M&S. Yet the Code merely suggests that boards “have regard” to cyber threats in their annual reports. In practice, this means companies face no obligation to assess or explain their preparedness, nor to embed cyber resilience into governance processes in a consistent, measurable way.

This lack of rigour leaves a major gap in our national cyber defences. There must be a baseline expectation for these organisations: minimum standards of preparedness that apply proportionately and account for an organisation’s scale and economic footprint. A straightforward requirement to assess and report on their digital resilience, introduced as part of the ongoing reforms, would be a vital starting point.

Fortunately, the government already has a solution ‘on file’. The 2019 Brydon Review recommended that large companies publish Resilience Statements: structured, annual disclosures outlining how they prepare for and manage material risks, including cyber threats. This proposal had broad political support at the time, including from current Cabinet ministers. Yet momentum has stalled.

Since taking office, this government has softened its language around governance reform, shifting its focus in pursuit of “economic competitiveness”. We argue these aims are not mutually exclusive. As the Strategic Defence Review made clear, there is a pressing need to elevate public understanding of national security and of how economic growth depends on investing in resilience today.

Investors must be assured that large organisations are not only financially sound, but also digitally secure. Making cyber risk a clear part of corporate governance sends a signal that the UK is serious about protecting the foundations of its economy.

The Cyber Security and Resilience Bill is therefore a rare and timely opportunity, even if not the whole solution. The Bill should not limit itself to traditional definitions of CNI. It should recognise that many of the UK’s most visible and economically vital institutions are exposed, and this presents systemic risk. The Bill can be the vehicle to enact a concept of Resilience Statements in new and meaningful ways.

This is a chance to set a clear, modern baseline for organisations with broad public and economic significance — underlining that cyber resilience is not a niche concern, but a board-level responsibility.

To ignore this would be to miss the lesson recent events have made painfully clear. The threat is no longer theoretical. The damage is already happening and it’s time to act.


Lord Harris of Haringey is a Labour peer and Baroness Neville-Jones is a former Tory security minister.