Climbing Cyber Concerns: UK Government Issues Warning to Companies

15 October 2025

By Jack Grogan-Fenn

The UK’s Labour Government has sent a letter to FTSE 350 companies warning about “hostile” cyber activity which is becoming “more intense, frequent and sophisticated” and calling on them to act to help address this risk.

The letter stated that the hostile cyber activity is “causing significant financial and social harm to UK businesses and citizens” and poses “a direct and active threat to our economic and national security which requires an urgent collective response”.

“The government is taking significant action to counter the cyber threat and has developed tools to help businesses to defend themselves, but we cannot do this alone,” the letter read. “We ask you and the CEOs and chairs of other leading UK companies to take the necessary steps to protect your business and our wider economy from cyber attacks. Cyber resilience is a critical enabler of economic growth, so getting this right will promote growth and foster a stable environment for investment and innovation.”

The letter has been sent to coincide with the launch of the UK National Cyber Security Centre's (NCSC) 2025 Annual Review this week. The report from the organisation, established in 2016, revealed that this year there were 429 incidents requiring support from the NCSC Incident Management Team.

Of these incidents, 48% (204) were deemed to be “nationally significant” during 2024-2025, marking a major increase from the 89 such incidents during 2023-2024. There were 18 incidents categorised as “highly significant” in nature, meaning a 50% increase from last year and a rise in such incidents for a third consecutive year. There was only one highly significant incident in 2022 and four in 2023, illustrating the rapidly rising nature of the risk.

“Today, any syndicate of cowards hiding behind keyboards can have a devastating impact,” said Dan Jarvis, Minister for Security, speaking at the launch event for the NCSC’s 2025 Annual Review. “These people have no qualms ruining people’s lives, there is no code of conduct that they share, they are just as happy hacking the NHS and nurseries as they are multi-billion-pound companies as long as it serves their interests and as long as they get paid.”

He added that this is a “very real threat that businesses must take seriously”, pointing to the recent cases of high-profile cyber attacks at the Co-Op, Jaguar Landrover and Marks & Spencer. “Behind each of those names are hundreds of employees, thousands more in their supply chain and millions of customers that rely on those goods and services”, said Jarvis.

At the start of peak season 2025, Minerva rolled out additional research and voting guidelines to evaluate corporate disclosures against globally recognised cyber governance standards such as the OECD AI Principles and the G7 Hiroshima AI Process. These new guidelines supplemented Minerva’s existing cyber governance questions first adopted in 2016, offering investors a robust lens through which to assess board readiness with a clear focus on governance and disclosure quality, particularly in key regulatory disclosures such as annual reports, CSR disclosures, as well as corporate websites.

The letter sent to businesses details three key requests which the government states will have an “immediate positive impact” on the “resilience” of businesses to cyber attacks. These are: making cyber risk a Board-level priority using the government’s Cyber Governance Code of Practice; signing up to the NCSC’s Early Warning service; and requiring ‘Cyber Essentials’ in their supply chain.

The government’s Cyber Governance Code of Practice was developed in collaboration with industry leaders, setting out critical actions Boards and directors should take to “govern cyber risk effectively”. “Effective governance of cyber risk is fundamental to business resilience,” the letter read. “Executive and non-executive directors should prioritise this and ensure it is considered in strategic decision-making.”

Meanwhile, Cyber Essentials is a government-backed scheme which certifies that organisations have key cyber protections in place to prevent common cyber attacks, with the government saying that it is the minimum cyber security standard businesses should seek to obtain. The letter points out that despite the soar in supply chain cyber attacks just 14% of UK businesses assess the cyber risks posed by their immediate suppliers, adding that organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance.

“Strengthening our nation’s cyber resilience requires close collaboration between government and industry,” the letter stated. “We are encouraged to see that more than 90% of company boards now recognise cyber security as a critical priority. We now need to convert this priority into concrete actions to fully address vulnerabilities and enhance resilience, and invite you to work with us to protect our economy and society.”

As previously mentioned, Minerva has strengthened its research and voting guidelines responding to cybersecurity concerns, and other organisations have taken steps to try and get to grips with the issue. In August, UK pension giant Railpen launched its own AI Governance Framework, as reported by Minerva Analytics. The framework translates responsible AI principles into actionable practices across four pillars: Governance, Strategy, Risk Management, and Performance Reporting.

The framework builds on a joint report between Railpen and Royal London Asset Management, launched in January, which called on investors to acknowledge cybersecurity as a key financial risk to their portfolios which must be addressed, as reported by Minerva Analytics.

AI is a key catalyst behind the rise in cybersecurity risks, as was noted by NCSC’s annual review, which stated that AI will “almost certainly pose cyber resilience challenges to 2027 and beyond, across critical systems and economy and society”. It added that these risks will encompass an increased volume of attacks, managing an expanded attack surface and keeping pace with unpredictable advancements and proliferation of AI-cyber capability. The centre published an assessment of the impact of AI on cyber threat from now to 2027 in May.

The risks AI poses are also a priority for policymakers beyond the UK. Last month, California Governor Gavin Newsom signed a bill which aims to enhance online safety by installing commonsense guardrails on the development of frontier AI models, as reported by Minerva Analytics. The bill means that major AI companies will need to provide deeper disclosure over their safety protocols for the technology. 

AI is a key priority for investors, politicians and regulators alike, with shareholders increasingly pressing companies on various elements of AI, including governance as reported by Minerva Analytics, and Minerva Analytics’ Shareholder Proposal Voting Trends Report 2025 published last month spotlighting such resolutions during the early months of 2025.

Minerva’s blog focuses on the latest developments in ESG investing and stewardship. Minerva is a global provider of sustainable stewardship solutions with over 25 years of expertise. Minerva empowers investors by providing essential tools, including ESG research and data, enabling them to navigate the intricate landscape of stewardship and proxy voting, whilst ensuring their decisions are well-informed and aligned with sustainable principles.

You can read more of our articles by clicking here.