2025 is shaping up to be a busy year for cyber, as discussed in our new cyber podcast series. The recent retailer headlines are a stark reminder of the devastating impact a cyber-attack can have on an organisation, but they are not the only developments we’ve seen so far this year. For example:
- The ICO has issued a number of cyber-related fines:
  - IT service provider Advanced Computer Software Group was fined for its failure to patch and to use MFA - the first fine we’ve seen for a data processor under the GDPR (see blog).
  - DPP Law was also fined following a cyber-attack. Its initial failure to notify the ICO highlighted the importance of understanding that losing access to data can itself be a notifiable data breach.
  - We’ve also recently seen a preliminary fine issued for genetics firm 23andMe, and an ICO statement commending the British Library on its openness following its 2023 cyber-attack while confirming that no further action will be taken in relation to that breach.
- The UK Government published a statement on the upcoming Cyber Security & Resilience Bill (CSRB) - see our blog. The CSRB is the UK’s update to the current Network and Information Systems regime, and its answer to the EU’s NIS2 (see blog). While we are still waiting to see the final bill, the UK Government did confirm in its statement that managed service providers will be brought in scope and that there will be a new 24-hour incident notification obligation for in-scope organisations.
- A new Cyber Code of Governance (Cyber Code) was published in April 2025. It was developed by DSIT and co-designed with NCSC to support boards and directors in governing cyber security risks. It is intended to help boards of medium and large organisations understand what their responsibilities are, and what actions they need to take, around cyber risk. More generally, we are seeing an increased focus on cyber corporate governance, particularly given recent changes to the main Corporate Governance Code and the accompanying guidance (with the latter now expressly mentioning cyber). See our article.
- Ransomware proposals were published in January 2025. The UK Government launched a consultation on three new ransomware proposals (see blog). The first proposal bans ransomware payments by certain government and critical national infrastructure organisations, the second includes a requirement to report any intention to pay a ransom, while the third requires all ransomware victims to report the attack to authorities (regardless of their intention to pay). We now await the Government’s consultation response.
In our new cyber podcasts, I interview Richard Jeens (co-head of Slaughter and May’s cyber hub) and David Cannings (a Director in PwC’s Cyber and Forensics team) about their views on these recent cyber developments, from what lessons we can learn from the ICO fines to the technical standards we expect to see in the CSRB.