Cyber lessons to take into 2026

Building resilience in an evolving threat landscape

As we start 2026, the cyber threat landscape continues to evolve at pace. Organisations are grappling with increasingly challenging attacks, while legislators respond with new frameworks designed to strengthen resilience and accountability. 

Looking back, what lessons can we take from last year’s busy cyber year? And looking ahead – what can organisations do now to help manage an evolving cyber risk?

Lessons we can learn from recent high profile attacks 

JLR, M&S, Co-op and Harrods grabbed the headlines but many more businesses suffered attacks in 2025. The sense of escalating threat was reinforced by statistics from the NCSC which reported a 50% increase in highly significant incidents since 2024. So what lessons can we take from these recent attacks as we move into a new year? 

  • The threat actor landscape is diverse and complex: Whether you are dealing with nation-state-backed actors who carry out ransomware as a sideline, less predictable young hackers motivated by kudos as much as financial gain, or attackers using "ransomware as a service", the threat actor landscape is multi-layered and evolving, creating new challenges for victims.
  • Serious incidents cost real money: Last year’s attacks disrupted production, sales and general BAU activities (with some organisations reverting to pen and paper). The financial impact of such disruption was stark - reports suggest £1.9bn for Jaguar Land Rover and £300m for M&S. Cyber preparedness and operational resilience plans must factor in these potential consequences. 
  • Should you pull the plug? Co-op managed to take its systems offline before ransomware was deployed in its systems (although data was still exfiltrated). Whether this approach reduces the impact of an attack will be fact specific, but as advisors, do you understand the legal implications of taking your own systems offline, and do your cyber governance plans clearly set out who has authority to make that decision?
  • Supply chain risk works both ways: We often think of suppliers as being a risk – the weak link threat actors target to gain access to a customer’s data or systems. This remains a major risk, prompting the UK government recently to urge all major businesses to require Cyber Essentials certification in their supplier contracts. However, the JLR attack also showed how cyber-caused business disruption can negatively impact suppliers. It is therefore important to ensure that your plans around operational resilience and cyber are viewed holistically.

Lessons from ICO fines

2025 also saw a number of cyber related fines issued by the UK’s data regulator, which again provide lessons for organisations. 

  • Suppliers can be fined when acting as data processors: 2025 saw the first processor fines issued by the ICO – one for Advanced Software and one for Capita.  
  • Parent companies remain exposed: Parent company liability for group cyber breaches is a topic we are increasingly speaking to clients about given the management body liability under NIS2, Vedanta duty of care and recent ICO fines. Capita PLC was fined last year as well as the operating company that provided services to the many customers whose data was impacted by its breach. Organisations may therefore want to consider how their cyber governance operates. Who "owns cyber"? How much authority do local operating companies have around their security? Do you operate in jurisdictions with strict liability regimes that may pass cost up the group (as in the BHP case)? And which entity would lead in a regulatory investigation?  
  • Getting the security basics right is key: Whether it’s poor patching, failure to apply multi-factor authentication fully, a lack of system segregation or not sharing pen testing learnings across an organisation, the ICO’s monetary penalty notices set out the security expectations of the regulator and security benchmarks organisations should meet.  

New laws for 2026 and beyond 

Finally, when looking forward, there are new laws to consider, many of which are designed to increase cyber preparedness or tackle known cyber risks: 

  • Cyber really is a board level issue: Changes to the Corporate Governance Code (Provision 29) which came into effect at the start of this month reinforce the importance of boards understanding, and taking responsibility for, cyber governance in their organisation. This is an expectation echoed by investors, the NCSC (which has published its boardroom toolkit) and the UK government.  
  • Supply chain management is key legally and operationally: The UK’s Cyber Security and Resilience Bill, which updates the current NIS regime for critical services, was published last November and will continue through the parliamentary process this year. The proposed changes include bringing critical technology suppliers, like data centres and managed service providers, in scope.  
  • Ransomware remains the top risk: The UK is pushing forward with new plans to try to stem the tide of ransomware, particularly where it targets critical national infrastructure. It plans to introduce a targeted ransomware payment ban, ransomware prevention scheme and notification scheme which will change the way UK organisations approach ransomware demands.  
  • Increasingly complex web of regulation: Lastly, organisations are having to grapple with a growing body of cyber and digital legislation, meaning one incident can lead to multiple notification obligations and potential claims. In recognition of this, the EU’s Digital Omnibus proposals seek to simplify reporting obligations by introducing one single entry point (i.e. one platform) for notifications under multiple regimes (GDPR, NIS2, Cyber Resilience Act, DORA etc.). The plans also look to change the GDPR’s breach notification timeframe, extending it from 72 to 96 hours.

As we move into 2026, the message is simple: cyber remains one of the most significant corporate risks facing organisations. By learning from recent incidents, tightening basic security and governance controls and staying ahead of emerging technological and regulatory change, organisations can strengthen their resilience and be better prepared for this evolving cyber threat. 

This material is provided for general information only. It does not constitute legal or other professional advice.