New UK legislation is about to turn cyber resilience from guidance into enforceable law. While financial services firms remain regulated by the Financial Conduct Authority and Prudential Regulation Authority, the Cyber Security and Resilience Bill will impose strict obligations on the suppliers you depend on — from MSPs to data centres. For COOs, this is a critical moment to strengthen supply-chain oversight, incident readiness, and executive accountability before the rules take effect in 2026.
In 2023–25, the UK Department for Science, Innovation and Technology (DSIT) published voluntary codes of practice around cyber governance and software security. Many firms treated these as best-practice guidelines, but now the government is turning those principles into binding law.
The Cyber Security and Resilience Bill is the legislative step that follows those codes. It introduces formal compliance requirements, sector-specific enforcement powers, and major financial penalties. It’s expected to pass into law by Spring 2026.
This update explains what’s changing, how the bill affects financial services companies, and provides practical implementation steps COOs should take to protect operations and ensure regulatory readiness.
The Bill modernises and strengthens the UK’s Network and Information Systems (NIS) Regulations to address the growing threat of cyberattacks. It brings more sectors into scope and gives regulators greater powers to enforce mandatory security requirements.
What it means in practice:
Status: Primary legislation, expected to become law by Spring 2026
Financial services firms are not directly regulated under the Bill, because they are already covered by existing FCA/PRA operational resilience rules. This is ultimately a good outcome: your regulatory burden doesn't increase, while your suppliers now face higher security obligations. That reduces risk across your supply chain, although your existing FCA/PRA duties to oversee outsourced and third-party arrangements still apply, so supplier compliance with the Bill complements, rather than replaces, your own third-party risk management.
Larger MSPs and hosting providers must now prove compliance, but smaller ones are out of scope of the new regulations. You should review those smaller suppliers directly to confirm they are managing risk appropriately, since the Bill will not do it for you.
In-scope companies will have:
This sets the UK Government's incident response expectations and aligns closely with existing data protection regulations, which already require personal data breaches to be reported to the ICO within 72 hours. Even if your organisation is not in scope of the Resilience Bill, this is the likely expectation in the future.
In a national-level incident, the government may intervene directly.
Cyber risk is no longer just a technical issue: regulators expect to see named executive accountability and formal oversight.
FoxTech supports UK financial services firms in building real, regulator-ready resilience, whether you’re preparing for a compliance audit, coordinating with your CTO/CISO on technical readiness, or strengthening supplier oversight.
Threat Detection and Breach Monitoring
The CS&R Bill (building on the NIS framework) requires in-scope organisations to monitor for anomalous behaviour and potential data breaches in a timely manner. FoxTech’s SOC provides real-time visibility and alerts, enabling prompt detection of threats and anomalous activity across a wide range of technologies – not just your typical endpoint devices.
The CS&R Bill requires that in-scope organisations not only report incidents quickly (24 hours for initial notice and 72 hours for a full impact report) but also understand the scope, nature, and user impact of a breach. FoxTech’s incident responders use one year of retained telemetry to investigate and document exactly what happened, who was affected, and how your organisation responded — so you can meet your obligations with confidence and speed.
Regulators expect organisations to prove that their defences are effective. FoxTech can help you meet this standard with regular penetration testing, validation of remediation, and full audit trails — aligned to NCSC’s Cyber Assessment Framework (CAF) and DSIT guidance.
Built-In Compliance, Not Bolt-On
If FoxTech is your MSP, you already benefit from a CAF-aligned security posture, including real-time monitoring, documented response plans, and evidence-based reporting. We’re built to meet the standards the Bill is enforcing.