Cyber security | UK Regulatory Outlook September 2025
Published on 25th September 2025
Home Office outlines plan to tackle cyber crime and fraud | NCSC releases Cyber Assessment Framework v4.0

Home Office outlines plan to tackle cyber crime and fraud
The Home Office has published a speech by security minister, Dan Jarvis, to the City of London Police Authority Board, outlining the government’s response to cyber crime and fraud. Citing the latest Cyber Security Breaches Survey, he noted that 20% of UK businesses and 14% of charities were victims of at least one cyber attack last year.
Mr. Jarvis confirmed that the government is developing an expanded fraud strategy and a new national cyber strategy, together with legislative reforms that it intends to introduce in the coming year to protect UK businesses from ransomware and prevent proceeds being used to support organised crime. For more on the forthcoming Cyber Security and Resilience Bill, see our Insight.
The National Cyber Security Centre (NCSC) has also responded to the high-profile cyber attack affecting British automotive manufacturer JLR, publishing both a statement and a blog with recommendations for medium and large organisations to strengthen their cyber resilience. This incident is a timely reminder that supply chain cyber risk runs in both directions. While much attention in recent years has focused on vulnerabilities which suppliers might introduce into a customer’s supply chain, the JLR incident illustrates how suppliers themselves can face significant operational disruption when a large customer is affected by a cyber incident. Resilience planning should therefore consider upstream and downstream service dependencies, not just traditional third-party risk.
Against this backdrop, NCSC’s guidance underlines how such incidents can cause serious disruption to supply chains and services. It reinforces the need for organisations to plan not only their defences, but also their recovery – organisations should prioritise business continuity, establish clear routes for supplier and customer communication, and aim to run regular table-top exercises to help practise incident response.
NCSC releases Cyber Assessment Framework v4.0
The NCSC released v4.0 of the Cyber Assessment Framework (CAF), a tool which aims to help organisations improve their cyber security and resilience. Although primarily designed to help critical national infrastructure organisations meet legal and regulatory requirements (such as the NIS Regulations), other organisations are encouraged to use it to protect their businesses from cyber threats.
This latest version introduces four changes:
- a new section on improving understanding of attacker methods and motivations to inform cyber risk decisions;
- a new section on ensuring software used in essential services is securely developed and maintained;
- updates to the section on security monitoring and threat hunting to improve the detection of cyber threats; and
- improved coverage of AI-related cyber risks throughout the framework.
Read the NCSC's blog post: CAF 4.0 released in response to growing threat.