In October 2025, the UK government sent an unusual joint letter to the CEOs and chairs of major firms. This was not a polite nudge or a cordial recommendation but a demand for action. The message: the cyber threat landscape has shifted, and staying in "monitoring mode" is no longer good enough.
How big is the problem?
Recent data from the NCSC's annual review paints a stark picture: the number of nationally significant cyber incidents more than doubled in a year, from 89 to 204. Even more alarming, the subset labelled "highly significant" (those with severe national impact) rose from 12 to 18, a 50% increase.
We’re seeing headline-grabbing knock-on effects. Jaguar Land Rover temporarily shut down UK plants in response to a cyber disruption. Retailers such as Marks & Spencer and the Co-op have confronted hacks that touch millions of consumers. In short: no business, no matter how large or (apparently) secure, is immune.
Attackers are evolving fast: more aggressive ransomware, supply-chain intrusions, and state-level sophistication. The UK's digital supply chains are becoming attackers' route of least resistance.
Why the government is calling CEOs to the front line
Traditionally, cybersecurity has been seen as “an IT problem.” That model is breaking. The new joint letter, signed by Cabinet ministers and national security heads, pushes responsibility upward, squarely toward boards and executive leadership.
Their message: cyber must move from being a “critical priority” in name to something you do, not just talk about. Boards should treat cyber risk like any major strategic risk, not a niche technical issue.
The letter lays out three immediate mandates:
- Embed cyber at board level. Use the Cyber Governance Code of Practice as a framework, and run rehearsal exercises for destructive incidents. Don't wait for a breach to force your hand.
- Sign up for NCSC's Early Warning. This is a free service that alerts you to potential attacks targeting your network, giving precious lead time to respond.
- Mandate Cyber Essentials across your supply chain. Just 14% of UK businesses currently assess cyber risk in their immediate suppliers, and the government wants that to change. Cyber Essentials is a baseline security scheme, and organisations certified under it are 92% less likely to make a claim on cyber insurance.
The broader backdrop: through upcoming regulatory reforms (such as the Cyber Security and Resilience Bill), the government plans stricter oversight, stronger incident reporting, and enforcement mechanisms.
All of this signals a shift: cyber resilience is no longer a technical back-office function. It is now a strategic, mission-critical priority.
Steps you can take today
Below is a tactical playbook you can start on immediately. These are not compliance checkboxes; they are strategic moves to ensure resilience in a volatile digital world.
Elevate cyber into your board-level agenda
- Put cyber risk as a standing item in board packs (not just as part of IT reports).
- Adopt a governance framework (e.g. the Cyber Governance Code) to structure oversight and decision-making.
- Plan and run “tabletop” exercises simulating catastrophic breach scenarios (e.g. supplier compromise, ransomware knocking out operations).
Subscribe to Early Warning immediately
- Register for the NCSC Early Warning service: it’s free and gives you early indicators of attacks on your network.
- Ensure your security operations team has defined workflows for acting on alerts (triage, escalation, containment).
Assess and strengthen your supply chain posture
- Catalogue your critical suppliers and map out their interconnected dependencies, including your suppliers' own critical suppliers. Use supply chain mapping techniques.
- Issue supplier assurance questions or due-diligence questionnaires as part of vendor onboarding and review.
- Gradually require Cyber Essentials (or equivalent) from suppliers, prioritising high-risk ones.
- Embed cyber clauses in contracts (audit rights, incident coordination, liability, termination triggers).
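The mapping and prioritisation steps above can be made concrete with a small dependency graph. The following is an added example written for this article, not code or data from the government letter or the NCSC; every service, supplier and certification status in it is constructed for illustration. It walks from each critical business service through its suppliers and their sub-suppliers, records the blast radius of each supplier (how many critical services would be hit if it were compromised), and produces the order in which to push uncertified suppliers towards Cyber Essentials.

```python
from collections import defaultdict, deque

# Constructed sample data, not a real supplier list. Keys are the business's own
# services (roots) and its suppliers; values are what each one depends on.
DEPENDS_ON = {
    "order-processing": ["erp-vendor", "payments-gateway"],
    "warehouse-ops": ["erp-vendor", "logistics-saas"],
    "web-storefront": ["cdn-provider", "payments-gateway"],
    "erp-vendor": ["cloud-host-a"],
    "payments-gateway": ["cloud-host-a", "hsm-service"],
    "logistics-saas": ["cloud-host-b"],
    "cdn-provider": [],
    "cloud-host-a": [],
    "cloud-host-b": [],
    "hsm-service": [],
}
CRITICAL_SERVICES = {"order-processing", "warehouse-ops", "web-storefront"}
# Assurance status as collected via supplier questionnaires (constructed).
CERTIFIED = {"erp-vendor", "cdn-provider", "cloud-host-a", "hsm-service"}


def upstream_distances(root, graph):
    """Breadth-first walk from a service through its suppliers and sub-suppliers.
    Returns {supplier: tier}: tier 1 is a direct supplier, tier 2 a supplier's
    supplier, and so on. The visited check makes cyclic dependencies harmless."""
    dist = {}
    queue = deque((sup, 1) for sup in graph.get(root, []))
    while queue:
        node, tier = queue.popleft()
        if node in dist:
            continue
        dist[node] = tier
        queue.extend((sup, tier + 1) for sup in graph.get(node, []))
    return dist


def map_supply_chain(graph, critical):
    """For every supplier, record which critical services transitively depend on it
    and how close to the business it sits (minimum tier across those services)."""
    impact = defaultdict(set)
    tier = {}
    for svc in critical:
        for sup, d in upstream_distances(svc, graph).items():
            impact[sup].add(svc)
            tier[sup] = min(d, tier.get(sup, d))
    return {sup: {"services": impact[sup], "tier": tier[sup]} for sup in impact}


def rank_suppliers(graph, critical, certified):
    """Order suppliers by blast radius (number of critical services affected),
    then by proximity (lower tier first), then by name for a stable output.
    Each row is flagged if the supplier holds no Cyber Essentials certificate."""
    chain = map_supply_chain(graph, critical)
    ranked = sorted(
        chain.items(),
        key=lambda kv: (-len(kv[1]["services"]), kv[1]["tier"], kv[0]),
    )
    return [
        {
            "supplier": sup,
            "critical_services": sorted(info["services"]),
            "tier": info["tier"],
            "needs_assurance": sup not in certified,
        }
        for sup, info in ranked
    ]


def assurance_backlog(graph, critical, certified):
    """Uncertified suppliers in the order to approach them: widest blast radius
    and closest to the business first."""
    return [r["supplier"] for r in rank_suppliers(graph, critical, certified)
            if r["needs_assurance"]]


if __name__ == "__main__":
    for row in rank_suppliers(DEPENDS_ON, CRITICAL_SERVICES, CERTIFIED):
        flag = "NO CE" if row["needs_assurance"] else "CE"
        print(f"{row['supplier']:<18} tier {row['tier']}  "
              f"affects {len(row['critical_services'])} critical service(s)  [{flag}]")
    print("Assurance backlog:", assurance_backlog(DEPENDS_ON, CRITICAL_SERVICES, CERTIFIED))
```

On the constructed data the tier-2 hosting provider comes out on top because two different direct suppliers sit on it, so all three critical services fall with it; a supplier catalogue that stops at tier 1 would never surface that concentration.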
Build or refine your incident response and crisis playbooks
- Prepare clear escalation paths from CISO → CEO → board in case of unfolding attacks.
- Run drills that involve not just IT but also PR, legal, operations, supply chain, and executive leadership.
- Define communication templates, internal and external, for coordinated response.
Upgrade baseline controls and assurance
- Undertake internal audits or gap assessments against the Cyber Essentials controls (patching, access control, secure configuration, malware defence, boundary firewalls).
- Pursue Cyber Essentials certification (or equivalent) if you do not already hold it, not just for optics, but to build a baseline that insurers and partners can trust.
- Overlay technical monitoring, threat detection, and proactive posture reviews.
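A gap assessment against the five Cyber Essentials control areas is easier to repeat if it is scripted over whatever inventory you already hold. The following is an added example written for this article, not a tool from the NCSC or the Cyber Essentials scheme. The host, firewall and account records are constructed, and the thresholds (a 14-day window for critical and high-severity updates, remote-admin ports that must not face the internet, MFA on cloud accounts) are the editor's reading of the scheme's requirements and should be checked against the current published version before use.

```python
from datetime import date

# Thresholds are the editor's reading of the Cyber Essentials requirements and are
# an assumption: verify them against the current published scheme document.
PATCH_WINDOW_DAYS = 14                     # critical/high updates applied within 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}
ADMIN_PORTS = {22, 3389, 5985, 445}        # SSH, RDP, WinRM, SMB: never open to the internet

# Constructed inventory (not real hosts, rules or accounts).
INVENTORY = {
    "hosts": [
        {"name": "web-01", "av_enabled": True, "default_creds_changed": True, "unused_services": [],
         "pending_updates": [{"id": "UPD-101", "severity": "critical", "released": "2025-09-20"}]},
        {"name": "db-01", "av_enabled": True, "default_creds_changed": True, "unused_services": [],
         "pending_updates": [{"id": "UPD-102", "severity": "high", "released": "2025-10-05"},
                             {"id": "UPD-103", "severity": "low", "released": "2025-06-01"}]},
        {"name": "wh-pc-07", "av_enabled": False, "default_creds_changed": False,
         "unused_services": ["telnet"], "pending_updates": []},
    ],
    "firewall_rules": [
        {"host": "web-01", "direction": "in", "port": 443, "source": "0.0.0.0/0"},
        {"host": "web-01", "direction": "in", "port": 22, "source": "0.0.0.0/0"},
        {"host": "wh-pc-07", "direction": "in", "port": 3389, "source": "10.0.0.0/8"},
    ],
    "accounts": [
        {"user": "alice", "admin": True, "shared": False, "cloud": True, "mfa": True},
        {"user": "ops-shared", "admin": True, "shared": True, "cloud": True, "mfa": False},
    ],
}


def check_update_management(hosts, today):
    """Critical/high updates still pending after the patch window are findings;
    lower severities are outside the scheme's window and are ignored here."""
    for h in hosts:
        for u in h["pending_updates"]:
            if u["severity"] not in IN_SCOPE_SEVERITIES:
                continue
            age = (today - date.fromisoformat(u["released"])).days
            if age > PATCH_WINDOW_DAYS:
                yield ("security update management", h["name"],
                       f"{u['id']} ({u['severity']}) outstanding for {age} days")


def check_secure_configuration(hosts):
    for h in hosts:
        if not h["default_creds_changed"]:
            yield ("secure configuration", h["name"], "default credentials still in use")
        for svc in h["unused_services"]:
            yield ("secure configuration", h["name"], f"unneeded service enabled: {svc}")


def check_malware_protection(hosts):
    for h in hosts:
        if not h["av_enabled"]:
            yield ("malware protection", h["name"], "no anti-malware protection in place")


def check_firewalls(rules):
    """Inbound rules that expose a remote-admin or file-sharing port to any source."""
    for r in rules:
        if r["direction"] == "in" and r["source"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS:
            yield ("firewalls", r["host"], f"port {r['port']} reachable from any source")


def check_access_control(accounts):
    for a in accounts:
        if a["admin"] and a["shared"]:
            yield ("user access control", a["user"], "shared administrative account")
        if a["cloud"] and not a["mfa"]:
            yield ("user access control", a["user"], "cloud account without MFA")


def assess(inventory, today):
    """Run every control check and return findings as a flat list of dicts.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    raw = [
        *check_update_management(inventory["hosts"], today),
        *check_secure_configuration(inventory["hosts"]),
        *check_malware_protection(inventory["hosts"]),
        *check_firewalls(inventory["firewall_rules"]),
        *check_access_control(inventory["accounts"]),
    ]
    return [{"control": c, "asset": a, "issue": i} for c, a, i in raw]


def gaps_by_control(findings):
    """Count findings per control area, the level of detail a board pack needs."""
    counts = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY, "2025-10-15")
    for f in results:
        print(f"[{f['control']}] {f['asset']}: {f['issue']}")
    print(gaps_by_control(results))
```

Feed it a real export from your patch management, firewall and identity systems and the per-control counts become the baseline that the monitoring and posture reviews in the next step are measured against.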
Bridge the “governance-technology gap”
- Equip the board (or executive team) with plain-English dashboards on cyber risk, trends, exposures, and “what keeps us up at night.”
- Bring in outside perspectives: independent red-teaming, scenario stress-tests, or external expert reviews.
- Invest in cyber awareness training across all levels. The weakest link is still human error.
Monitor evolving regulation and adapt
- Keep up with the Cyber Security and Resilience Bill as it progresses.
- Anticipate tighter incident reporting, stronger penalties, and expanded regulators’ reach.
- Adjust the minimum bar for security assurance accordingly.