2025 proved to be an extremely eventful year from a cyber perspective. In the UK the attacks on M&S, the Co-Op and Jaguar Land Rover seized the headlines. M&S experienced an attack in April/May 2025 in which social engineering techniques appear to have been used to gain access to their systems following which ransomware was deployed. This ultimately led to a £300 million profit warning. The Co-Op were also attacked at about the same time, suffering system failures and supply chain breakdowns with an attack affecting the personal data of all 6.5 million of their members. The total cost to the business is estimated to exceed £200m. Jaguar Land Rover suffered an attack at the end of August 2025 which forced a shutdown which affected their supply chain resulting in a first quarter loss which is estimated to have exceeded £300 million.
AI attacks
As we anticipated last year, there appears to have been a significant increase in AI-driven attacks involving ransomware, phishing and social engineering. There is increasing concern about the use of deepfakes (with a successful CEO scam reported in Singapore). We expect these high-profile attacks to lead to many businesses reviewing their IT security as well as their cyber insurance. We expect cyber insurers to take a measured approach to any increase of interest in their products given the very clear exposures. In the circumstances, we would expect premium incomes to increase but with cyber insurers pressing for increased IT security/imposing more robust conditions/warranties and asking questions surrounding organisations' use of AI and their vulnerability to AI-enhanced attacks.
Cyber Security and Resilience Bill
Cyber will also be an area of increased interest for the UK Government. As expected, the Cyber Security and Resilience Bill has progressed, receiving its first reading in Parliament on 12 November 2025. The intention is that it will enhance the scope and effectiveness of the Network and Information Systems Regulations 2018 and will increase the UK's defences against cyber-attacks. The Bill will extend the scope of the Regulations from core services such as the NHS, transport and energy to data services and designated critical suppliers. There will also be enhanced notification obligations for organisations falling within the scope of the Bill. In the meantime, discussions are likely to continue around such sensitive issues as the banning of ransom payments. This topic remains controversial as there will be times when the only way to restore a system is by making a payment. If different sectors of the economy are treated differently this may only encourage criminal groups to target sectors where ransoms are not banned. It also remains to be seen what would happen in a situation where political pressure is put on an organisation not to pay a ransom where that might not be in the best interest of shareholders.
Once again, technological developments are likely to play a major role in this area. As with AI, these are likely to both have potential security benefits and also to be weaponised by state and criminal groups to increase the effectiveness of cyber-attacks.
