Top 5 Cyber Security Predictions for 2026 and How to Prepare Now

Expert Insights from the CyberLab Board

In November 2025, the UK Government released a comprehensive report on the economic cost of cyber crime, which highlights that the average cyber incident costs a UK business £195,000. Scaling this to an annual UK cost generates an estimate of £14.7 billion, equivalent to 0.5% of the UK’s GDP [Source]. The growing threat landscape and the significant cost of cyber crime make cyber security a pressing issue for all UK businesses.

2026 is set to be a landmark year for cyber security. AI, deepfake technology, quantum risk and supply chain vulnerabilities are converging to reshape the cyber landscape. Cyber criminals are now faster, more scalable and increasingly autonomous, relying less on human expertise and more on intelligent, self-learning tools.

In response, cyber defence must evolve too. It is no longer enough to react. Security needs to be predictive, adaptive and capable of operating at machine speed.

CyberLab’s Board have put together their predictions for 2026, and their insights reveal powerful themes that businesses must prepare for.

1. AI Changing the Threat Landscape: Defence and Attack at Machine Speed

AI is not just changing cyber security. It is redefining it. In 2026, AI will accelerate cyber defence, enabling faster detection, automated response and real-time threat modelling. However, it is also lowering the barrier to entry for cyber criminals, powering attack strategies that are faster, continuous and increasingly self-managing.

David Pollock, Chairman, highlights this duality:

“AI will speed up hackers’ ability to attack businesses and government. AI will also speed up our ability to defend and protect our customers.”

We will see a shift from human-led attacks to AI-led adversaries capable of executing cyber attacks without direct human involvement. These systems will operate at machine speed, identifying vulnerabilities, exploiting zero-day flaws and coordinating simultaneous attacks across multiple networks.

AI-driven attacks will be able to adapt mid-attack, changing strategies in response to defensive actions. They will learn from failed attempts, replicate successful exploits and scale attacks globally in seconds.

Ryan Bradbury, CTO, explains:

“The speed, scale and automation possible with agent-driven attacks will surpass anything we’ve seen before. We have to stop preparing only for human-led threats and start planning for autonomous AI-led adversaries.”

This means cyber defence will need to become dynamic, adaptive and automated. Continuous validation, predictive analytics and machine-speed response will become non-negotiable. AI-led defence will become the standard, not the exception.


2. Deepfakes, Identity Fraud and the Human Factor

While AI transforms the technical threats, humans will remain the most vulnerable target. In 2026, social engineering will become significantly more sophisticated as deepfake technology enables hyper-realistic voice, video and identity spoofing.

Wayne Price, Commercial Director, warns:

“Deepfakes and synthetic media will cause a surge in identity fraud, forcing organisations to ramp up digital identity verification practices.”

Attacks will no longer rely on poorly written phishing emails. Instead, employees may receive video messages from a supposed CEO requesting payment transfers, or voice calls mimicking trusted suppliers.

Gavin Wood, CEO, believes identity protection and human awareness will be critical:

“Human attack vectors will continue to be exploited, especially with AI-driven deepfakes, voice spoofing, phishing, and super realistic, authentic-looking videos, et cetera. Securing the human will be absolutely key for cyber security in 2026.”

Identity and access management will become one of the most important areas of cyber security, with organisations investing heavily in digital identity verification, behavioural biometrics and continuous trust authentication.


3. The Future of Ransomware and Smarter Phishing

Ransomware will remain one of the biggest threats in 2026, but AI will make it more intelligent, harder to detect and significantly more scalable. Attackers will use AI to craft personalised phishing emails that are context-aware and perfectly mimic internal communications or supplier messages.

Adam Myers, Sales Director, has seen a clear rise in this trend:

“We’re seeing emails that look more real and on brand. It’s harder to spot. AI is helping hit that on scale.”

These emails are technically perfect, grammatically accurate and contextually relevant, making them almost indistinguishable from legitimate communications. AI will also be used to test email variations, conducting A/B testing on targets to improve success rates.

Elena Doncheva, Marketing Director, advises:

“Train your people, as they will likely be the first line of defence. Monitor your digital footprint and the dark web for data that attackers can utilise. Test your business continuity plans, disaster recovery and incident response plans. You can never be too prepared.”


4. Quantum Risk, IoT Growth and Zero Trust Security

Technology will continue to evolve, bringing both opportunity and risk. Quantum computing, while still emerging, poses a direct challenge to current encryption standards. Organisations will need to begin preparing now by exploring quantum-resistant security measures.

Wayne Price summarises the shifting landscape:

“Expect AI, deepfakes, ransomware, quantum computing, and a surge in IoT and cloud-connected devices to reshape cyber security in 2026.”

The growth of connected devices, cloud services and remote infrastructure will dramatically widen the attack surface. This will push organisations towards adopting zero trust frameworks, continuous monitoring and automated threat detection.


5. Supply Chain Security Becomes a Business Requirement

Supply chain security emerged as a central issue in some of the most significant cyber incidents throughout 2025. As organisations grappled with the repercussions, it became clear that robust supply chain protections are not just desirable but essential.

Elena Doncheva highlights:

“These trends are already visible in the recent news. It is crucial every organisation is prepared to protect and respond to attacks.”

Recent incidents with M&S, Harrods, Co-Op and Jaguar Land Rover put into perspective how critical the supply chain is for all organisations.

Cyber security is no longer just a technical matter. It is becoming a competitive differentiator. Organisations will start to lose contracts if they cannot prove they meet minimum cyber security standards.

Tom Davies, CFO, predicts big changes:

“Procurement teams will start to look at cyber cover in the same way that they do insurance. Those without sufficient cyber cover will start to lose customers.”

Insurers and regulators are also tightening requirements, demanding proof of cyber resilience, business continuity strategies and responsible data handling practices.

In 2026, cyber maturity will be a strategic advantage.


Final Thoughts: Secure Your Organisation and Use Cyber Security as a Competitive Advantage

2026 will be defined by machine-speed threats, identity risk and a widening digital attack surface. AI will be used both to launch attacks and to defend against them. Organisations that embrace AI-driven cyber defence, human-first security awareness and supply chain resilience will be best positioned for the next era of cyber risk.

Cyber security in 2026 is no longer just about protection. It is about trust, readiness and competitive strength.

Stay Secure. Security will be your edge.

Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.

Claim Free Consultation

Parliament & Cyber Conference 2025: Our CEO's Reflections

Gavin Wood's Reflections on the Cyber Security Resilience Bill

The UK is seeing a sharp rise in major cyber incidents. The National Cyber Security Centre (NCSC) revealed a 130% increase in “nationally significant” cyber incidents in the past year. In 2024-25, nearly half of the incidents NCSC handled were deemed nationally significant. With the escalating threat landscape in mind, I attended the UK Parliament and Cyber Conference 2025 to see what the UK Gov has planned.

The event brought together lawmakers, industry leaders, and cyber security experts to openly discuss Britain’s cyber resilience. As CEO of CyberLab, I found it both informative and energising. One message came through loud and clear: the UK is raising the bar on cyber security and the upcoming Cyber Security and Resilience Bill is at the heart of this effort.

Below, I share my key takeaways from the conference.


The Cyber Security & Resilience Bill: Raising the Bar for All of Us

At the conference, the Cyber Security and Resilience Bill was the headline topic. This proposed law is designed to raise the minimum cyber security baseline across UK businesses, especially those providing essential digital services.

It’s essentially the UK’s answer to evolving threats and to international moves like the EU’s NIS2 directive.

What does the Bill do?

In short, it will expand the scope of who is considered “critical” or “essential” and therefore subject to stringent cyber regulations. Currently, only certain sectors (like critical national infrastructure and digital service providers) have mandatory cyber obligations.

From what we heard, the Bill also strengthens incident reporting and regulators’ powers. Today, many cyber incidents aren’t reported unless they reach a high threshold of impact. Under the new rules, if passed, any operator in scope will have to notify regulators within 24 hours of becoming aware of an incident, even if the attack hasn’t fully played out yet.

A full report would follow within a short timeframe (possibly 72 hours), and customers might have to be informed if they could be affected. The Bill will empower regulators to impose bigger fines for non-compliance and allow the government to set common objectives across regulators.

The message: transparency and accountability are increasing. Companies will be expected to be on top of cyber threats and to promptly raise the alarm when something goes wrong.


Cyber Security as a Boardroom Priority – “Time to Act” Says Government

Another strong theme from the conference was the human element of governance: specifically, the role of company boards and executives in managing cyber risk.

The UK government’s stance here is uncompromising. It was stated in plain terms that a board which isn’t taking cyber security seriously today is not doing its job. Cyber security is no longer just an IT issue; it’s squarely a boardroom issue. 

At the conference, there was talk that cyber security oversight might soon be mandated for boards. Just as UK companies must legally have health & safety governance, we could see formal requirements for cyber risk governance. Whether through the upcoming Bill or other mechanisms, the direction is clear: boards will be held accountable for cyber resilience.

As a CEO, I take this to heart. At CyberLab’s own board meetings, cyber risk is and always has been a standing agenda item. We’ll also be engaging our Board with the Cyber Governance Code checklist to ensure we’re following best practices.

And for our clients, this government emphasis reinforces the advice we’ve been giving: executive leadership must treat cyber threats as a core strategic risk. We plan to help client boards understand their responsibilities under the new landscape, perhaps by offering briefing sessions or workshops for executives on cyber governance. The era of leaving cyber to the IT department is over; informed, proactive oversight from the top is the new normal.


Building Resilience: Basics and Best Practices Reinforced

While high-level policy and statistics set the stage, the conference also drilled down into practical measures organisations should take to boost cyber resilience. A lot of this wasn’t flashy new tech, but rather reinforcing known best practices. A few stood out:

Cyber Essentials (CE) as a Baseline

Cyber Essentials, the government-backed basic security certification, got significant attention. The recent government letter to CEOs explicitly calls Cyber Essentials “the minimum cyber security standard” businesses should achieve. Organisations with CE certification are 92% less likely to make a cyber insurance claim. That’s a compelling statistic to share with any business owner questioning the value of baseline controls.

Shockingly, only about 14% of UK businesses currently assess their suppliers’ cyber risks, and an even smaller fraction ensure those suppliers have CE. That’s a gap that needs closing. The advice was clear: if you haven’t achieved Cyber Essentials, do it now and encourage your partners to do the same.

At CyberLab, we’ve long advocated Cyber Essentials, through maintaining our own certification and helping clients get theirs. It was validating to hear that CE is still seen by industry leaders and policymakers as a crucial foundation.

NCSC Early Warning Service

Another very actionable takeaway: sign up for threat alerts. The NCSC’s Early Warning service was highlighted as a no-brainer.

It’s a free tool where NCSC will notify your organisation if they detect possible signs of compromise or known threats targeting you. This might include spotting your IP or domain in threat feeds, etc.

In essence, it taps into the government’s visibility to give you a heads-up, potentially before you notice an attack yourself. The recommendation was that both we and our suppliers enrol in this service.

Supply Chain Security is Crucial

Modern businesses don’t operate in isolation; their resilience is only as strong as that of their supply chain.

A recurring point was that big companies and critical sectors often have hundreds of suppliers, contractors, and service providers, and attackers know this. Targeting weaker links in the chain (an IT vendor, a third-party data processor, etc.) is a common tactic to compromise larger targets.

We’ve all seen the headlines – big companies losing millions because of supply chain.

Organisations need to ensure their supply chain is taking cyber security seriously too.

The bottom line: trust needs to be earned and verified when it comes to partners handling your data or systems.

Proactively manage your third-party risk, monitor vendor posture, and strengthen your supply chain security with HackRisk’s Supply Chain Security tools.

Practice Makes Perfect: Incident Drills at Board Level

Perhaps one of the most resonant pieces of advice: prepare for the worst, in advance.

Organisations that plan and rehearse their response to a major cyber incident fare far better when one strikes.

Table-top exercises (TTXs) and simulated breaches for the executive team were cited as essential. If the first time your leadership discusses how to handle a ransomware attack is when you’re in the middle of one, you’re already in trouble.

The conference hammered home that business continuity and disaster recovery plans must include cyber scenarios, and these should be walked through regularly at the highest levels.

As the government letter put it: “not all cyber attacks can be prevented… please plan and exercise how you would continue operations and rebuild following a destructive cyber incident”.

This struck a chord with me. We at CyberLab conduct periodic incident response drills internally, but there’s always room to up our game. I’ll be ensuring our senior leadership and technical teams schedule a high-intensity cyber crisis exercise in the coming weeks, to test our readiness against, say, a coordinated ransomware outbreak.


My Final Thoughts and Take-Aways

The Parliament and Cyber Conference 2025 was a timely reminder that cyber resilience has become a national priority.

The UK Cyber Security Resilience Bill encapsulates this shift: it will compel higher standards and accountability, especially for those of us in the business of providing digital services. But beyond any single law, there is a broader mandate emerging: treat cyber threats with the urgency and importance they demand.

From my perspective as CEO of CyberLab, the path forward is clear. We will lead by example in embracing these changes, strengthening our own defences, and continuing to align with best practices.

For our clients and the wider community, we will double down on our mission to help organisations large and small build true cyber resilience. Whether it’s navigating new compliance requirements, training leadership in incident response, or fending off the latest threats, we’re ready to support.

It was inspiring to see policymakers and industry experts united in a common purpose at this conference. The challenges in cyber security are undeniable, but so is our collective resolve to meet them.

The key takeaway I brought home is this: improving cyber resilience is a shared responsibility. Government, businesses, and service providers each have a role to play. CyberLab is more committed than ever to play its part, working hand-in-hand with partners and clients to raise the bar on security.

In the end, stronger cyber resilience doesn’t just protect organisations like ours or our clients, it safeguards our whole economy and society. That sense of bigger purpose is what stays with me.

As we head into 2026, I’m optimistic that, together, we can turn the insights from Parliament and Cyber 2025 into concrete actions that make the UK a safer place online for everyone.
