UK Cyber Bill introduced; FTSE 350 boards must act
Westminster moved cyber risk firmly into the boardroom this month. On 12 November 2025, ministers introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament. Days later, MI5 warned MPs about active espionage approaches and the government set out a Counter Political Interference and Espionage Action Plan. On 14 October, a joint letter from ministers and security chiefs went to FTSE 100 and FTSE 250 CEOs with three immediate asks: govern cyber at board level, enrol in the NCSC’s Early Warning service, and require Cyber Essentials across supply chains.
The Bill matters because it widens who falls under UK cyber regulation and sharpens enforcement. Factsheets from the Department for Science, Innovation and Technology show new duties for data centres and relevant managed service providers, stronger incident reporting, powers to direct regulators and regulated entities, and the ability to designate critical suppliers. The Bill had its First Reading on 12 November; Second Reading is pending.
Boards aren’t starting from scratch. The government’s Cyber Governance Code of Practice, launched on 8 April 2025 and co-designed with the NCSC, sets out practical actions for directors: assign senior ownership, embed cyber into enterprise risk, define risk appetite, and insist on quarterly metrics. It is supported by training and a toolkit for boards.
The threat backdrop justifies the tone. In the past year the NCSC handled 429 incidents, with four nationally significant events a week and an estimated 50% rise in the most severe attacks. GCHQ’s director cautioned that “attacks will get through” and urged companies to plan for outage scenarios, not just prevention.
Retail and manufacturing provide the clearest P&L lessons. Jaguar Land Rover’s late‑summer outage carried an estimated weekly loss of about £50 million and a UK economic hit near £1.9 billion, while Marks & Spencer guided to a profit impact of up to £300 million after an Easter cyber incident. Co‑op reported £206 million in lost revenue and an £80 million earnings hit in H1. These are working‑capital and solvency questions, not just IT issues.
Government guidance now points to a short list of no‑regrets moves. The FTSE letter asks leaders to adopt the Cyber Governance Code, sign up to NCSC Early Warning, and require Cyber Essentials in procurement. Over 13,000 organisations already receive Early Warning alerts, and the NCSC’s Takedown Service has removed more than 1.2 million phishing campaigns.
The return on resilience is measurable. IBM’s 2025 Cost of a Data Breach study finds UK organisations using security AI and automation extensively reduced average breach costs to £3.11 million versus £3.78 million without those controls, while the global average breach cost sits near $4.44 million. For boards, that is a credible investment case rather than a discretionary spend.
A simple financier’s model helps. Take a mid‑cap manufacturer with £2 billion in annual revenue. If a destructive incident halts output for two weeks and each lost week costs about 1% of annual revenue, that implies ~£40 million in forgone sales before recovery costs. A £1–2 million annual resilience budget focused on backups, segmentation, privileged access controls and rehearsed recovery plausibly avoids or shortens that stop. Even a one‑week reduction in downtime pays for multiple years of spend. This is why we frame cyber as cashflow protection, not a technology feature.
Supply chains remain the weak link. M&S attributed access to a contractor compromise; the Bill’s factsheets allow regulators to designate critical suppliers and bring managed service providers into scope. Boards should expect tougher third‑party assurance and be ready to evidence minimum controls, starting with Cyber Essentials, in contracts.
Expect policy to harden. Ministers have proposed banning ransom payments across the public sector and critical national infrastructure, alongside faster mandatory reporting. Even where paying is not banned, early notification and coordination with authorities is becoming the norm, and a board‑level decision.
For the next 60–90 days, we’d treat three moves as non‑negotiable. First, chair‑led reviews to map critical services, recovery time objectives and manual workarounds, using the Cyber Governance Code as the template. Second, join NCSC Early Warning and conduct a live restore test from offline backups with executive oversight. Third, make Cyber Essentials a default supplier gate and brief audit committees on incident playbooks and disclosure triggers. The tone needs to shift from “if” to “when”, and from “IT response” to “whole‑firm continuity”.
There is upside. The UK cyber sector now generates about £13.2 billion in annual revenue and is central to the competitiveness of every listed company. Boards that treat resilience as a productivity project (shorter outages, cleaner asset inventories, fewer supplier failures) tend to find the savings twice: once in avoided loss, and again in smoother operations. That’s the investment story markets will reward.