Governance & Compliance: The changing nature of cyberattacks and cyber regulation

10 February 2026

In this episode of our UK Governance & Compliance mini-series, we explore cyber readiness as one of the top risk-related priorities for boards in 2026. We look at the sobering costs of large disruptions, noting that the cause is often a small-scale security lapse. We explore the changing cyber landscape, including the UK’s expanding Cyber Resilience Bill and the shift to operational disruption as the primary threat. Plus, we provide practical guidance for boards.

Podcast host Will Chalk is joined by John Macpherson, an Ashurst risk advisory partner in Sydney. Also joining the conversation are London colleagues Rhiannon Webster, a partner in Ashurst’s digital economy transactions practice, who heads up the UK cyber response and data protection team, and Matt Worsfold, a partner in Ashurst’s risk advisory team.

To listen to this and subscribe to future episodes in our governance mini-series, search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify or your favourite podcast player. You can also find out more about the full range of Ashurst podcasts at ashurst.com/podcasts.

To receive updates and alerts on the issues raised in this podcast mini-series, subscribe to Ashurst’s regular Governance and Compliance Updates. Read more about the recent AGC Conference here. And read our latest update here about Narrative and Financial Reporting, and Economic Crime and Corporate Transparency.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Will Chalk:
Hello and welcome to Ashurst Legal Outlook, the latest in our series of Governance and Compliance-focused podcasts. My name's Will Chalk and I'm a partner in Ashurst's Corporate Transactions practice focusing on governance.

You're listening to a special series tackling our view of the top risk-related priorities for boards in 2026. In each episode, we explore a major risk, trend, or opportunity, commanding attention when setting board agendas this year. And our first topic is ever more frequently the subject of not just legal, but national news: cybersecurity and preparedness.

To help unpick those issues, we've got the principal authors of our cyber readiness Board Priority. Specifically, we've got John Macpherson. John, do you want to introduce yourself?

John Macpherson:
Hi, everyone. Great to be here with you all. I am a partner at our risk advisory business in charge of cyber, and I tend to spend my days either helping leadership teams and boards prepare for catastrophic cyber attacks or holding their hands in the middle of battle as they work through response and recovery to high impact cyber incidents.

Will Chalk:
We've also got Rhiannon Webster.

Rhiannon Webster:
Hi there. So I head up the UK Cyber Response and the Data Protection Team. I'm a data privacy lawyer by background, but more and more now help organisations in times of cyber crisis.

Will Chalk:
And last but by no means least, we've got Matt Worsfold.

Matt Worsfold:
Thanks, Will. Great to be here today. So Matt Worsfold, Partner in the Ashurst Risk Advisory team here in London. I lead our data analytics practice, so that's helping a lot of businesses identify and understand their critical data sets and protect those, and then helping unpick the aftermath of cyber breaches in terms of data that could have been lost or stolen.

Will Chalk:
Okay. Let's jump in. John, it seems to be an issue that almost doesn't need any scene setting given the amount of coverage it gets, but particularly with the advent of GenAI and a fractured geopolitical landscape, it's an issue that seems to get ever more concerning.

John Macpherson:
You're starting with the easy questions, Will. I thought I'd start by looking at some of the highlights from 2025 and then thinking about what might be ahead of us in 2026.

Last year was another big year in cyber. We saw a real concentration of sectors being attacked. We saw that in retail. We saw it in aviation. We saw it in superannuation or the pension fund sector. We also saw, again, third parties being a key vector for attacks. And last year, particularly the SaaS providers being the vehicle through which organisations were attacked.

We saw some arrests quite notably, particularly in the UK, also in Australia, and they tended to be quite young cyber threat actors, recruited by networks of global threat actors.

And we saw data still being a focus, data theft still being a focus, but a feature of last year was a reminder that really large disruption can be very costly. And I think if you take one thing away from the cyber landscape last year, and what we might need to make sure we're prepared for this year is large disruptions are very costly. And we think about the most notable incidents of Jaguar Land Rover, of the retail organisations in the UK, amounts in the hundreds of millions of pounds, and supply chains up and downstream being significantly impacted as well. So much so that in the last Bank of England report that came out at the end of 2025, they noted that the Jaguar Land Rover attack had negatively shifted UK GDP.

Will Chalk:
And am I right in thinking, John, that we also saw, and maybe this isn't new, but we also saw an online threat to organisations actually turn into a real physical threat as well?

John Macpherson:
Yeah, we've also, particularly in the US, begun to see extortive threats, which are usually quite scary to go through, but don't have a physical security element. We've seen those morph into physical threats in some instances where threat actors, if you don't respond, call law enforcement, pretending to be someone from a business or your place of residence, claim that you're under attack and you have a SWAT team turn up. They're called SWAT attacks. So we see ever-evolving tactics in order to coerce and convince victims to pay ransoms and play ball with threat actors.

I think last year was also a reminder that because it is so costly, regulators are going to continue to focus on cyber, and that more than ever makes it a board issue.

And I think last year was also a reminder that one thing remains constant, and that is the root cause of all these large, front page cyber attacks is generally a small lapse in security. And when we do root cause analysis and post-incident reviews, we continue to find, regardless of how effective the response might be, at the start of an attack, it was a known issue and a fairly simple technical issue. It might be a multifactor authentication that hasn't been applied correctly. It might be passwords that have been stolen and misused. It might be simple control failures that are already known to the organisation because the internal or external audit team have already found them, and those issues continue to be at the heart of most of the cyber attacks we see.

And I think for boards, that is problematic because you know the risk, you now know how costly it can be to the balance sheet, and you also know the root cause because they're staring you in the face, they're on audit reports, your IT teams already know what they are. And that I think will drive the need for boards to, again and again, really dig deep, understand cyber risk and be prepared in 2026.

Will Chalk:
So an unsurprisingly rather sobering picture. So Rhiannon, turning to you. As we always say, law and regulation is struggling to keep pace, but that doesn't mean it's not moving fast in and of itself, particularly in the EU and UK. What would you put on a board agenda from that perspective this year?

Rhiannon Webster:
Well, we've seen, as per usual, actually with the ICO in the UK, a willingness to fine for security breaches. So we've had some big fines this year. We've had Advanced Software, 23andMe, Capita, which I think lots of people will have heard of, and LastPass most recently, all in multimillion pound fines. But of course it's reputational impacts, which can really affect the company too.

And then we've also got changes of legislation. So in the EU, we've had NIS 2. So NIS is a security law which governs critical national infrastructure. We've already had NIS 1 that came in the same time as the GDPR, and it covered certain sectors. So it was energy, transport, water, health, digital infrastructure.

So a couple of years ago, Europe went ahead with NIS 2 and widened that out from a sector-specific perspective. And now in the UK, we are producing our own cyber laws, which are going to cover that national critical infrastructure in the form of the Cyber Resilience Bill.

And that in the UK is looking down the supply chain just as much as widening out the sectors. So it's looking at data centres and managed service providers. So managed service providers are new when it comes to being governed by this cybersecurity law. And it's when you have a medium or large business who's offering ongoing management of IT systems to a third party customer, and part of that service is access or connection to the network or information systems. So lots more companies are going to be in scope of this specific cybersecurity regulation. So yes, Will, the law is constantly struggling to keep up, but it's a real government priority at the moment.

Will Chalk:
And in some ways that feels unfair because it's an outside threat, or perhaps even an inside threat, but nevertheless, it almost seems unfair. Well, at one point a few years ago, it felt unfair to punish companies for this, but nevertheless, that sentiment seems to have shifted.

Rhiannon Webster:
Absolutely. And I think they want to also give regulators both more power to fine and more resources to do so. So that critical national infrastructure legislation is regulated not just by the ICO, although they are one of the regulators, but each of those sectors has got its own regulators, so be it Ofcom or Ofgem or the Department for Transport for the transport sectors. And part of the new Cyber Resilience Bill provisions is that the regulators will be empowered to recover from regulated entities reasonable costs, including for enforcement, supervision, and guidance. So it's all about giving regulators more money and resources to be able to enforce in this area.

Will Chalk:
And as you and I have discussed in the past, we've also got this, if you like, legislation by the backdoor. I mean, it's a code of practice for directors, the Cyber Code of Practice, which was published in final form by DSIT in the middle of last year, but that has clear implications for directors themselves in terms of upskilling, in terms of creating and testing a strategy, making sure there's proper accountability for it within management, making sure that there are internal controls and assurance that go around it. And perhaps as importantly as anything else, creating a cyber aware, risk-averse culture within an organisation, which as we all know, requires real tone from the top, as well as of course, an up-to-date and well-rehearsed cyber response plan, but I'm sure we'll come back to that.
Matt, many people think about data breaches when they think about a cyber attack, but is that all people should be worried about?

Matt Worsfold:
Yeah, I think for a long time, the theft of data has been the primary concern for a lot of businesses, and therefore a lot of time and attention has been going in around identifying data sets, what's sensitive, what's critical, and trying to protect that data. But I think as John pointed out earlier on in the podcast, the focus is now broadening quite significantly. And over the last year, we've seen some really notable attacks. And those attacks have been really on what we would call critical assets, not from a data standpoint, but an operational standpoint. We look at things like Jaguar Land Rover, which we mentioned, and others who are in almost that manufacturing supply chain, and that is where a lot of the cyber activity has been focused. And what that shows is now, yes, critical data and sensitive data is absolutely important and people should be worried about protecting that data, but it's this shift now to, well, how do we protect critical assets from an operational standpoint? How do we keep the business standing?

Because for a lot of threat actors now, it's about mass disruption. And things like ransomware, for example, now become less about do I or do I not pay a ransom to get data back? It's a question about, well, ransomware from the perspective of, well, can I get my systems back online? Can I get the business back up and running when those critical systems go down? And as Rhiannon touched on as well in terms of the regulatory developments, what we can see is things like NIS really now focusing on identification of those critical assets.

So can they be identified, mapped, risk-assessed? And these critical assets, they could be systems containing data, absolutely, but they could also be broader than just systems containing data into those that, as I say, sustain some of those critical operations as part of a business. And depending on what you do as a business in your sector, that could look and feel like very different things. If you're financial services, it might be some of your systems that sustain some of those financial transactional processing. If you're in manufacturing, it could be your manufacturing process or even your supply chain. So the threat does vary.

And now what this means for businesses is that for a long time, for many businesses that were consumer-facing, B2C holding large quantities of customer data, those were always seen as traditional targets. Now there are a lot of businesses who are B2B, in supply chains, and they might not be that focused on processing heavy sets of customer data or very sensitive customer data, but they now need to be really alive to the very real cyber risk that they're facing.

Will Chalk:
And of course, it's also, as you and I have reflected on in the eye of several responses, it's about seeing what data you've got and then cleansing it as much as you possibly can, getting rid of the stuff that you just think, why are we keeping this for this amount of time? Because when you're sifting through those metaphorical skips full of information on the dark web, spending a lot of money doing so, as we have on behalf of various clients reflecting on, we didn't really need to have this, we should have had better management around that. Is there a trend towards doing more of that or is that steady state?

Matt Worsfold:
Yeah, much greater focus on data retention, data deletion activities. A lot of what you were talking about there, Will, is avoidable in terms of just having better data hygiene. So understanding the data that's out there where it sits, but should we still be retaining it and do we have any need to? Are we being too risk-averse in terms of holding onto some of that data? And again, as I say, it could be customer data where a lot of the focus has been, but increasingly we are seeing corporate data, HR information, personnel information. There's a lot of sensitive data that any business holds, as I said, regardless of whether you're B2C or B2B, that people need to be looking at themselves going, well, do we need to be holding onto this? Historic personnel, HR records, medical records, it's incredibly sensitive.

So those exercises around cleaning up data, undertaking big deletion activities and doing them justifiably is still a massive focus for businesses and is really where some of the attention should be to mitigate some of the damage should the worst happen.

Will Chalk:
So that's a couple of really important takeaways. John, what other practicalities should boards be focused on this year?

John Macpherson:
So if we think about the year ahead, the best case is going to be more of the same. More large high profile attacks that are highly disruptive, steal a lot of data and aim to do maximum damage. If we think about the worst case

Will Chalk:
That's best case.

John Macpherson:
... it means a lot more of the same, and no matter which way you look at it, it's a pretty grim picture. And that drives, as Rhiannon and Matt have said, it drives regulators to really look under the hood very carefully. And normally that happens with financial services a lot and it happens post-incident. And I think what we're going to see is regulators across all critical infrastructure sectors really beginning to inspect and audit and review companies before incident now, as well as after incident.

So the two practical things I think boards should focus on in this area: the first is asking the question, are we doing everything that is reasonable and practical to defend and protect ourselves from the cyber attacks that we know are going to happen? And I think that question of reasonableness or practically what can we do, is not a question that boards tend to ask themselves when they review their cyber programme, but it's a really useful both risk and legal test to ask yourselves. And it does require boards to, at least several times throughout the year, take a slightly more operational view than you're probably comfortable doing, but really get close to what are your assets? What is your data? What controls do you have in place? How are your people being trained? What's your third party risk? And take a really good look at those. No one expects you to be perfect, but are you doing everything that is reasonable and practical for your type of organisation? So that's the first thing.

The second thing is really asking with a hard lens, are we ready for a high impact cyber attack across the entire organisation? And if your test of readiness is you've got a cyber incident response plan and a couple of media holding statements, it is a long way from where you really need to be. So look hard at the questions of, are you ready? Do some really hard simulations. If the leadership team and the board walk out of a simulation and don't have what I call sweaty armpits, it hasn't really been an effective test and you really need to stress test how the organisation will respond in the event of a high impact incident.

So they're the two key takeaways. Are we doing everything reasonably practical that we can and diving into the detail of that? And are we ready for a catastrophic cyber attack?

Will Chalk:
And for boards that are less familiar with this or directors that are, I think an absolute non-negotiable is looking at that Cyber Code of Practice, doing the very good training that sits alongside it, both from DSIT and the NCSC, and revisiting that periodically to make sure that they're discharging that base level of knowledge, which I think we can all agree all regulators will expect of directors when it comes to cyber literacy. And in turn, to your point, John, that will make those rehearsals for a cyber incident that much more meaningful because directors will be able to interrogate and understand what's going on in the wider organisation that much more readily.

Rhiannon, final practical reflection from you?

Rhiannon Webster:
Yeah, so I think in Europe at least, through NIS 2, we've seen actual obligations and accountability being placed on management bodies for cybersecurity, governance and oversight. So it's taken it one step further than the code that you mentioned, and it's actually embedded in legislation. We haven't got that yet in the Cybersecurity Bill in the UK, but I can't see it being far off coming.

Will Chalk:
Rhiannon, Matt, John, thank you so much, and thank you for listening to this episode of Ashurst Legal Outlook. To listen to more episodes in this Board Priorities miniseries, just search for Ashurst Legal Outlook on Apple Podcasts, Spotify, or your favourite podcast player, and please visit our Board Priorities homepage to read more about our top priorities for boards in 2026. You can also find our contact details there too. Please do feel free to get in touch.

To receive news and alerts on the kinds of issues raised in this miniseries, subscribe to our regular governance and compliance updates via ashurst.com. I'll be back soon with the next episode in this Board Priorities miniseries. Until then, this is me, Will Chalk, saying thank you very much for listening and goodbye for now.