

The significance and economic footprint of the cyber security sector in the UK were highlighted in the Cyber Security Sectoral Analysis 2024. With an annual revenue of £11.9 billion and £271 million raised in investments, cyber security continues to be a substantial industry. 

Herbert Smith Freehills recently surveyed a number of its UK and global clients on their approach to cyber security. Responses received were generally consistent with global trends and suggested an ever-increasing awareness of cyber security threats among corporates. They also highlighted a need for:


Respondents were asked in the survey to identify key risks associated with cyber security, as well as their cyber-related priorities for the next 12 months.

The top 5 risks and top 5 priorities identified by respondents were:



Reducing data footprint

All survey participants reported that they manage their data footprint through retention policies, with some also implementing review of their security systems and reducing data collection as part of data-risk management efforts. Further, more than two thirds of respondents reported a focus on reviewing the security or privilege settings applied to important or sensitive data.

Any organisation that has suffered a cyber attack/data breach will tell you that it throws a spotlight on the organisation’s data footprint. Document retention and destruction policies are vital to appropriately mitigate cyber risk and data loss.

Miriam Everett
Partner, Global Head of Data and Privacy

Reducing cyber risks

The survey demonstrates an increased sense of cyber risk among the participants, with most believing the risk has increased somewhat or materially compared to twelve months ago. Cyber risk, therefore, continues to be a key business risk, even though the vast majority of respondents confirmed that they had not been the direct target of a cyber extortion incident in the past 5 years.

All survey respondents reported having cyber specific insurance as a key risk mitigator. However, whilst the UK National Cyber Security Centre (“NCSC”) and Information Commissioner's Office (“ICO”) recognise insurance has a role in mitigating business impact, the NCSC emphasises that this is not a substitute for robust preventative measures and recommends a combination of technical and non-technical measures such as:


Cyber risk escalates but Boards remain unprepared…

Most survey participants perceived that the cyber risk has at least somewhat increased. While more than half of the respondents indicated that their Boards had been educated about cyber risk, there remains a perception that there is an experience/skills gap at the Board level. Only 20% of respondents stated that they had a Board member with specific cyber expertise.

Many organisations will have incident response and crisis management plans in place that recognise the support that legal teams will need to provide during incidents and that they will need to have a seat at the table. But in many cases, that's where it ends. The question then is whether the legal teams themselves know what they'll need to do. We are increasingly being asked to prepare legal specific cyber incident response plans, as many of the questions the legal team will be asked during incidents can be anticipated in advance.

Andrew Moir
Partner, Global Head of Cyber and Data Security

Insights from the NCSC

The NCSC has also identified a ‘skills gap’ in how cyber security risk is managed at the Board level. A study it commissioned with Social Machines found that 80% of the participants were unsure of where accountability for cyber resided within their organisations. Another finding was that the Chief Information Security Officer (“CISO”), or equivalent role, often thought that the Board was accountable, whilst the Board believed it was the CISO.

Although most Board members are reported to have limited cyber security knowledge, cyber security leaders, such as the CISO, have the necessary subject matter expertise. The challenge lies in communicating technical issues to the Board or senior executive teams. As CISOs and others in similar roles are well-positioned to bridge this ‘communication gap’, they are instrumental in driving better cyber security outcomes.

The role of legal in cyber incident response

More than two thirds of survey respondents reported that they rely heavily on their legal teams in times of cyber crisis, making them a central part of the crisis response efforts. Yet, most organisations did not have a specific legal cyber incident response plan.

According to the NCSC, risk management is an essential aspect of operations, but risk itself cannot be entirely eradicated. However, it can be identified and managed to either avoid, accept, treat, or transfer the risk. The NCSC further warns that treating compliance as equivalent to effective security can mask weak security practices and lead to ‘defensive risk management’. It advises organisations to understand the limitations of compliance-focused risk management, implement measures to address these gaps, and align compliance objectives with broader organisational goals. The NCSC emphasises that managing compliance-related risks is just as crucial as any other risk – which will often involve support from in-house and external legal teams.


Survey respondents highlighted that there is a need for more support or better-directed initiatives from regulators.

The UK's cyber security is governed by a wide array of primary and secondary legislation covering different sectors and focusing on different areas of risk, including IT systems, internet-connected products, and personal data.

At the policy level, the approach in the UK is managed by several government departments, including the Cabinet Office, the Department for Science, Innovation and Technology (“DSIT”), and the Home Office, as well as non-departmental public bodies such as the NCSC.

The cyber policy of the UK is further outlined in the National Cyber Strategy 2022. The strategy aims to shift the burden of cyber security from individual citizens to organisations that are better equipped to manage cyber risks. It advocates for improved uptake of the NCSC’s cyber security guidance, incentives for investment in cyber security measures, an increased count of skilled cyber professionals, and the strengthening of statutory cyber security responsibilities.

On 14 January 2025 the Home Office launched a consultation on a series of proposals in response to the surging volume of ransomware incidents, covering everything from a targeted ban on ransomware payments, through a ransomware payment prevention and disclosure regime, to a mandatory reporting regime for ransomware incidents. The Government is also considering criminal sanctions for non-compliance.

When it comes to an organisation's security strategy, regulators emphasise that it is critical for the Board to take responsibility for key decisions surrounding posture and strategy. Regulators expect to see active engagement from Boards on cyber security strategy and governance. Legal teams should ensure that the Board regularly receives cyber and regulatory briefings, and is pro-active in setting the strategic direction of the organisation in relation to its cyber and data security posture. Then the Board needs to have sufficient oversight to ensure it is effectively implemented throughout the organisation.

Peter Dalton
Partner, Cyber and Data Security


Key contacts

Andrew Moir, Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Miriam Everett, Partner, Global Head of Data Protection and Privacy, London

Peter Dalton, Partner, London

Elle Hogg, Senior Associate, London

Ridvan Canbilen, Associate, London

Sabesh Asokan, Associate, London
