Visible cyber fallout is everywhere. Impact to business operations (and therefore revenue), including halted production lines, emptied supermarket shelves, online payment unavailability and patient backlogs, has brought cyber into the media and the boardroom at an alarming rate in the last year. Last week, the NCSC’s Annual Review 2025[1] showed impact climbing fast, and the UK Government’s open “Ministerial letter on Cybersecurity”[2], published on the same day, urged business leaders to treat cyber as a strategic risk and rehearse for the worst. This is a call to move from awareness raising to execution, a call we very much endorse in the DLA Piper Cybersecurity practice. Below we have summarised the key takeaways from the NCSC’s Annual Review 2025 and the UK Government’s open letter to business leaders. The core messages can be summarised as follows:
- cybersecurity is a critical business resilience issue, not just an IT issue;
- plan and test to ensure that you can continue to operate your business when a cyber-attack happens;
- plan and test that you can recover to business as usual at pace; and
- make your suppliers plan and test (and share the results of those tests) to prove they can do so too.
Given the personal liability precedent set by the EU NIS2 Directive for members of management bodies who fail to meet cyber requirements, and the possibility that English law could follow suit with the planned UK Cybersecurity and Resilience Bill, due to be published this year, taking action is also a critical compliance priority for your executive and board.
The NCSC Annual Review 2025 and the state of play
Severity is up, not just volumes of attacks
Over the last twelve (12) months the NCSC triaged 1,727 incident “tips” and supported 429 incidents. Nearly half (204) were nationally significant, which is more than double the number recorded for the same period in the previous year (89). Of those, 18 (4%) were highly significant, a 50% increase year-on-year. Put simply: roughly four nationally significant incidents occur each week on average – a material change in impact, not just volume.
The threat landscape is driven by nation states, organised crime and hacktivists
The NCSC calls out specific nation state actors of concern driving state-sponsored threats against UK targets and interests, with some described as highly sophisticated and others as, at a minimum, capable and irresponsible. Geopolitics continues to be a direct driver of activity and proxy “hacktivism”. Meanwhile, ransom and extortion remain the most pervasive and commonly impactful threat – and attackers are sector-agnostic: they choose victims who are likely to pay, cannot tolerate downtime, or hold sensitive data. Disruptions of big brands have made the societal cost visible (with empty supermarket shelves and silent car production lines making global headlines in recent high-profile cases).
AI is now in the attacker’s toolkit
Threat actors are using AI (particularly LLMs) to scale what already works: automated spear-phishing, faster reconnaissance, rapid data processing and exploitation post-exfiltration, evasion, and accelerated vulnerability research and exploit development. The NCSC expects AI-assisted operations to be a critical resilience challenge through to at least 2027 as the world continues to get to grips with the unpredictability and proliferation of AI usage in cyber.
Critical national infrastructure (CNI) and its operational technology (OT) is in the crosshairs
The review warns of intensifying interest in critical national infrastructure with malicious activity against OT in particular becoming increasingly common. The effect is systemic: operations, payments, and logistics are all vulnerable to ripple effects, as recent high-profile incidents have shown. In line with the UK’s designation of data centres as CNI in 2024, the regulatory and compliance expectations for data centre owners and operators have also become more stringent.
Legacy vulnerabilities amplify impact
A small cluster of exploited Common Vulnerabilities and Exposures accounted for a notable share of severe cases (around 29 of them), a reminder that failure to patch effectively across OT and IT is a material business-continuity exposure.
The core business resilience message
“It’s time to act” is the tagline of the NCSC Annual Review, but what does this mean in practice? Put simply it is a case of going beyond awareness raising and prevention to include planning and regular testing to ensure business continuity and resilience in the event of an attack.
Organisations that have well-rehearsed (and well-tested) business continuity and disaster recovery plans fare materially better. As Richard Horne, CEO of the NCSC, states, “Cyber security is now critical to business longevity and success.” The NCSC is working towards “resilience at scale” and stresses that boards should treat cyber as a core operational risk and hard-wire resilience before a breach. Beyond prevention (for which the NCSC provides numerous baseline resources), the importance of engineering your organisation to operate and recover under attack, even in scenarios of chaos and complete loss, cannot be stressed enough.
Think beyond your immediate organisation; the supply chain is the soft underbelly. NCSC data shows that only approximately 14% of UK businesses reviewed immediate supplier cyber risk in the last year, despite attackers’ preference for attacking supply chains as the path of least resistance and as a rich source for exploitation, given that suppliers will typically be serving multiple different organisations.
The NCSC’s Cyber Essentials standard remains a proven baseline and organisations with certification are 92% less likely to make a cyber-insurance claim according to the NCSC. However, treat that as your floor, not the ceiling.
The ministerial letter: the government’s minimum asks – and what “good” looks like
The government has written directly to UK CEOs, Chairs and business leaders (signed by Liz Kendall (Secretary of State for Science, Innovation and Technology), Rachel Reeves (Chancellor of the Exchequer), Peter Kyle (Secretary of State for Business and Trade) and Dan Jarvis (Minister for Security)) to convey there is a direct, active threat to the UK economy and national security and to request an urgent, collective response. The timing alongside the NCSC Annual Review is deliberate and should be read as a coordinated call to action.
The three concrete asks in the letter are:
- Make cyber a board-level priority using the Cyber Governance Code of Practice, and complete the NCSC-supported training. Rehearse major incidents; plan to continue operations and plan to rebuild.
- Sign up to the NCSC’s Early Warning service – for you and for your suppliers.
- Require Cyber Essentials in your supply chain as a minimum security baseline.
Each is framed as urgent and practical, echoing the NCSC’s message of “it’s time to act”.
Implications for boards
We endorse the NCSC’s and the government’s message because it matches what we in the DLA Piper Cybersecurity practice are seeing every week: more (and more severe) incidents and far greater business disruption when continuity is untested. Having advised on thousands of incidents across the global DLA Piper Cybersecurity practice, the key lessons learned include:
- Preparation, readiness and practice make the difference. If a determined attacker gets through your technical controls, your human controls (clear roles, authority, decision ownership, and drilled playbooks) together with well tested business continuity and disaster recovery plans can determine whether you experience a blip or an existential crisis. Incident response and business continuity are essential leadership capabilities, not just IT tasks.
- Cyber should be managed as a key risk for the executive and the board. Put cyber on the standing executive and board agenda as a strategic risk equal to financial and legal risk. Ensure your cybersecurity framework is reviewed and tested regularly – and require assurance that you can operate without primary IT/OT and rebuild at pace (including identity and cloud control planes).
- Bad preparation = bad response = board change. A poorly run incident can have immediate personal consequences for board members.
- Think beyond your perimeter. Many crises will manifest through suppliers. Demand minimum controls for all suppliers, tier your critical third parties for deeper assurance, and exercise supplier-compromise scenarios (access revocation, data of others in your custody, joint communications etc.).
- Adopt the “when, not if” mindset. As the NCSC states, the question is no longer “if” but “when” – and that “when” could define your financial year (and potentially your personal tenure). Set measurable resilience KPIs (time-to-detect/contain/recover), make them executive-owned and test them.
- Rehearsal and testing are key. We regularly see a gap between the theory of incident response, business continuity and disaster recovery plans on the one hand, and the reality of a major cyber attack on the other. Testing plans and thinking through in detail, before you have to act in anger, how to execute difficult decisions such as (i) placing OT in island mode or taking down some (or all) IT and OT, and (ii) the step-by-step process for bringing IT and OT back online to resume business as usual, is stressful and complex work. It is also something your internal teams are unlikely to be familiar with, so take time to plan where you might need expert external vendor support and consider retaining key vendors now, or at least confirming their credentials.
- Insurance. While certainly not a replacement for any of the above activities, insurance is an important component of business and cyber resilience. The London market is currently “soft”, presenting opportunities to secure favourable insurance coverage at competitive premiums. As always with insurance, it is important to check terms and exclusions carefully and also to discuss with your brokers how promptly particular groups of insurers tend to pay out. Insurance policies have their limits. For example, there is a risk under English law that insurers would not reimburse regulatory fines imposed on insureds arising from breach of law, and there is a similar risk that D&O policies would not reimburse fines imposed on individuals arising from breach of law. Nevertheless, it is generally better to have insurance than to have to explain to investors, the media and other stakeholders why you do not have coverage.
If you would like to hear more about how DLA Piper is helping organisations with business and cyber resilience and incident response, please do reach out to the authors or your usual DLA Piper contact.