2025 saw a marked increase in significant cyberattacks in the UK, with the National Cyber Security Centre reportedly handling four ‘nationally significant’ cyberattacks every week, a 50% increase on the previous year. Most notably, business giants Co-op, Marks & Spencer (M&S), and Jaguar Land Rover (JLR) experienced large-scale cyberattacks perpetrated by a shadowy, loosely defined hacking collective. Beyond the substantial reputational and operational damage caused by the cyberattacks, it has been reported that each organisation suffered losses in revenue of approximately £250m-£300m, with the JLR cyberattack being regarded as the costliest in UK history. The hacking group employed a similar modus operandi across all three cyberattacks: it used social engineering and third-party access to gain a foothold in IT networks, and once inside, it exfiltrated data and deployed malware and ransomware which incapacitated core IT infrastructure. These cyberattacks demonstrate that any organisation, no matter how large, can be susceptible to cybersecurity threats from bad actors.
The consequences of a cyberattack can be severe from a financial, operational, and reputational perspective. As an added threat, cyberattacks can attract the scrutiny of regulators, particularly under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Network and Information Systems Regulations 2018 (NIS Regulations). The Government is currently planning to amend the NIS Regulations through the Cyber Security and Resilience Bill (the Bill).
The Information Commissioner’s Office can impose significant fines for data protection failures arising from cybersecurity breaches – the higher of £17.5m or 4% of total worldwide annual turnover. Separately, breaches of the NIS Regulations can attract fines of up to £17m, increasing to the higher of £17m or 4% of worldwide annual turnover once the Bill comes into force. Additionally, the Product Security and Telecommunications Infrastructure Act 2022 imposes cybersecurity obligations on manufacturers, importers, and distributors of consumer connectable products, such as smart TVs or fitness trackers. For serious breaches, the Office for Product Safety and Standards can levy a fine of the higher of £10m or 4% of global annual turnover.
It’s also worth noting that the risk presented by a cybersecurity breach isn’t solely limited to the affected organisation. Directors and other C-suite executives can face personal liability for cybersecurity failings, for example through breach of directors’ duties under the Companies Act 2006, or where such individuals are deemed to have consented to or connived in offences under the Privacy and Electronic Communications Regulations or the DPA 2018.
These risks underscore why organisations must implement robust cybersecurity practices. No organisation is immune to cyberattacks, but proactive preparation remains the best defence - both to prevent breaches and to mitigate legal exposure when they occur. With this in mind, we offer some high-level top tips to help UK organisations mitigate the legal risks presented by a cyberattack.
Top tips to mitigate the legal risks
- Develop a cyber incident response plan. This plan should identify who will be involved in responding to a cyberattack, what the initial steps to take are, who should make key decisions, and who to contact both internally and externally. This plan is instrumental in maintaining discipline at a critical stage, as the reporting obligations under the UK GDPR stipulate that a personal data breach likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of becoming aware of the breach. The NIS Regulations separately require notification to the relevant competent authority (the ICO is the competent authority for relevant digital service providers, and where personal data is also affected the UK GDPR notification to the ICO applies in parallel) of a security incident that has a significant impact on the continuity of essential services without undue delay, and in any event no later than 72 hours after becoming aware of it. Note that once the Bill comes into force, the reporting timescales under the NIS Regulations will be revised to include a preliminary report within 24 hours of awareness.
- Obtain professional indemnity and cyber insurance cover. It is important to consider whether insurance would cover the costs of rectifying a cybersecurity breach, especially in view of the potential impact that fines from regulators and claims from data subjects or customers can have. Coverage should also be checked to ensure that it aligns with third-party contract liability caps. Note that in many IT industries, such as cloud hosting, it is standard for liability to be limited to a multiplier of contractual monthly fees rather than insurance coverage, meaning there is often a gap between potential losses and what can be recovered from IT suppliers.
- Ensure good data protection hygiene. Organisations should maintain an accurate record of processing activities (where applicable), use data protection impact assessments for high-risk processing, train employees on data protection regularly, review data retention and minimisation procedures, and employ organisational and technical measures appropriate to the organisation and the nature of the data being processed. Good data protection hygiene is essential both to reduce the volume of data exposed to exfiltration during a cyberattack and to limit regulatory action after one. In particular, implementing an effective data deletion programme ensures that less personal data is held at any given time, thereby limiting the potential impact of any breach.
- Review supplier contracts. This is a critical point, evidenced by the JLR and M&S cyberattacks, where the vulnerabilities that were exploited were largely due to third-party suppliers. Organisations should seek to review or renegotiate liability caps to ensure that they align with insurance coverage, secure minimum security standards, maintain suitable service levels, seek audit rights, and where possible, negotiate indemnities for cybersecurity and/or data protection breaches. Note that higher liability caps for data protection and cybersecurity breaches are market standard, which reflects the increased level of risk that they present.
- Review customer contracts. Customer contracts should be reviewed to ensure that they include appropriate liability caps, notification clauses, and response and resolution timescales. To avoid liability gaps, caps in customer contracts should align with those contained in supplier contracts. Additionally, response and resolution times should align with those given by suppliers.
- Conduct due diligence on key suppliers' cybersecurity practices. Third-party vulnerabilities were a key factor in the recent high-profile cyberattacks. Organisations should assess suppliers' security certifications (e.g., ISO 27001, Cyber Essentials), incident response plans, and security track record before onboarding - and review these periodically for existing suppliers. For high-risk or critical suppliers, requesting evidence of penetration testing or independent security audits can provide additional assurance.
- Document key decisions and actions taken. Organisations should document all key cybersecurity-related decisions made before, during, and after a cyberattack. This is crucial documentary evidence in the event of a regulatory investigation, and can help to mitigate losses resulting from claims.
- Consider board-level oversight of cybersecurity. Given the significant financial, operational, and reputational risks that cyberattacks pose - as well as the potential for directors' personal liability - boards should ensure cybersecurity is a standing agenda item, with regular reporting from IT and risk functions. This not only helps the organisation identify and address vulnerabilities proactively, but also demonstrates that the board has exercised reasonable skill and care under the Companies Act 2006, which can be an important mitigating factor in the event of regulatory scrutiny or shareholder claims.
For more information in relation to any of the points raised in this article, please contact Keith Dunn, Eileen McKendry-Gray, Patrick Murray or a member of our Commercial & Technology team.
Date published: 6 May 2026