Introduction
It has been a difficult year for UK cyber security, and by extension, the UK economy. In September 2025, a cyber attack against Jaguar Land Rover (JLR) reportedly cost the company an estimated £1.9 billion, put thousands of jobs at risk and led the government to provide a £1.5-billion loan guarantee. The Bank of England subsequently assessed that the incident contributed to a slowdown in UK GDP growth.
Attacks of this importance are merely the visible side of a much larger problem. The Department for Science, Innovation and Technology (DSIT) recently published research estimating that malicious cyber incidents cost UK businesses £14.7 billion each year. Future economic growth without cyber resilience is therefore built on shaky ground.
Despite the clear risks to the UK’s economic security, political and business leaders have failed to keep pace with the threat and address the root causes of the UK’s vulnerability. In 2025, the National Cyber Security Centre (NCSC) reported that ‘highly significant’ cyber incidents increased by 50%. Cybercriminals continue to wreak havoc and hold UK businesses and essential services to ransom, while foreign adversaries such as Russia put critical national infrastructure (CNI) at risk and attempt to undermine the integrity of UK politics.
Cyber threats to UK national and economic security demand a response in line with the true scale of their impact. Thankfully, the UK is not starting from scratch. The 2016 UK National Cyber Security Strategy established many leading governmental institutions and capabilities, including the NCSC. The UK also has a strong cyber security industry, particularly for services. UK government cyber policy and guidance are often innovative and respected by international peers.
The government must now go a step further and do what previous governments have been unable or unwilling to do – improve the resilience of UK organisations by shaping the market in a more direct way.
To date, the approach of successive UK governments to building economy-wide cyber resilience has prioritised voluntary guidance and standards, regulating CNI, targeted government support and avoiding additional costs for business. This approach has fallen short of meaningfully reducing harm caused by cyber risk. There is a growing recognition in Whitehall that the longstanding cyber security and resilience challenge will not be solved by self-regulated market forces. It requires a more interventionist approach – that is, carrots and sticks. The high-profile incidents of the past 12 months have increased the urgency about cyber security and given it political salience.