📈 Markets | London, Edinburgh, Cardiff

MARKET PULSE UK

Decoding Markets for Everyone


UK Cyber Resilience Pledge launches as attacks cost firms £14.7bn

Cyber risk has moved another step into the boardroom this week. More than 60 organisations have signed the government's new Cyber Resilience Pledge ahead of its launch at 10 Downing Street on Tuesday 7 July, with founding names including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Accenture and Vodafone. For business readers, the important point is not the reception in Westminster but what it signals. Ministers are trying to recast cyber security from a technology overhead into an operational and financial risk, one that affects revenue, customer trust, procurement and insurance just as much as it affects IT teams.

According to the National Cyber Security Centre's Annual Review 2025, more than 5 million cyber crimes were committed against UK firms last year, which works out at roughly one every six seconds. The NCSC also handled 204 nationally significant incidents in the year to September, up from 89 the year before. Separate government-published research puts the average cost of a significant attack on an individual UK business at almost £195,000, while the annual cost to organisations is estimated at £14.7 billion. Those figures help explain why this is now being pitched as a business issue first. For a large retailer, a serious incident can mean failed payments, delayed orders and empty shelves. For a mid-sized company, the same shock can wipe out planned investment, force emergency spending and turn a manageable quarter into a very expensive one.

The pledge itself is voluntary, but the asks are practical. Signatories are being asked to make cyber security a board-level responsibility by adopting the Cyber Governance Code of Practice and ensuring directors complete NCSC governance training. They are also being asked to sign up to the NCSC's free Early Warning service, which flags suspicious activity linked to their networks, and to take a risk-based approach to pushing Cyber Essentials certification through their supply chains. None of this is especially flashy, and that is partly the point. The government's message is that better resilience is more likely to come from governance, visibility and supplier discipline than from a rush to buy another security product after the latest headline breach.

The timing also reflects a change in the threat itself. Ministers and NCSC officials say artificial intelligence is making attacks easier to launch, quicker to scale and simpler to tailor. AI can help defenders spot anomalies and respond faster, but it can also help attackers identify weak points, automate phishing campaigns and produce exploit code at a pace that was far harder even a year ago. That leaves supply chains higher up the risk register. A business can tighten its own internal controls and still be exposed through a software vendor, logistics partner or outsourced service provider. For finance directors and SME owners, this is the uncomfortable part of the story: cyber risk increasingly sits beyond the business itself, but the cost still returns to the same profit and loss account.

The Department for Science, Innovation and Technology says the pledge is a central part of its wider National Cyber Action Plan. Alongside it, officials have been developing a Cyber Charter with 39 strategic suppliers to government, and more than 20 of those suppliers are already in this first cohort of signatories. That matters because procurement often changes behaviour faster than guidance alone. Once major customers start asking suppliers about board training, monitoring and baseline certification, what begins as a voluntary pledge can quickly become a commercial expectation. For smaller firms hoping to win or keep large contracts, cyber readiness is increasingly part of the pitch.

Technology Secretary Liz Kendall has framed the move as a warning that cyber resilience can no longer be treated as an IT issue in isolation. Corporate backers are making a similar case. Microsoft UK has pointed to stronger board accountability and tougher supply-chain controls, while Nationwide has described a stronger national cyber posture as a shared effort rather than something any one company can solve on its own. The real test now is delivery. Signatories are expected to publish a signed pledge letter on their own websites and provide annual updates on progress, which gives customers, investors and partners something more tangible to assess. For firms still treating cyber as a secondary operational issue, the numbers in the NCSC data make the argument plainly enough: the cheaper moment to act is before the incident, not after it.

← Back to Articles