In our recent webinar on the Cyber Security and Resilience Bill, the panel certainly didn't sugarcoat it. Cyber threats are accelerating, the Bill is set to raise the bar, and recent events show that businesses can't afford to treat resilience as a box-ticking exercise.
The discussion showed that the era of "we'll deal with it when it happens" is over. Cybersecurity is no longer an IT issue; it's a leadership issue. And with the forthcoming Cyber Security and Resilience Bill expanding who's in scope and what's expected, every organisation needs to act now.
The dated picture of lone hackers in dark rooms no longer fits. Attacks have become industrialised, factory-scale operations powered by ransomware-as-a-service (RaaS), AI-generated phishing kits, and highly targeted campaigns.
As Ed Bartlett, Co-founder of Hicomply, put it:
"It's almost a weaponisation of the threat. Even if the attack doesn't disrupt, it knocks confidence, and that trust is fragile."
Stewart Hogg, Cyber Lead at Waterstons, added that:
"Most businesses now face supply chain exposure as the biggest blind spot. Many of the headline breaches this year weren't caused by direct hacks, but through third-party suppliers. In short: your security is only as strong as your partner."
What the Cyber Security and Resilience Bill Actually Means
The Bill, first announced in the King's Speech, is the UK's first major piece of legislation with both "cyber" and "resilience" in the title, which signals a clear shift in emphasis from defending to enduring.
Here's what it covers:
- Wider scope – Managed service providers, data centres, and suppliers to essential services will fall under new obligations. Around 1,200 organisations are expected to be in scope.
- Stronger regulatory powers – Regulators like Ofgem will gain the authority to demand evidence, audit compliance, and even recover costs.
- Faster government response – The Bill allows ministers to expand scope quickly to new sectors if threats emerge.
- Alignment with NIS2 – It brings the UK broadly in line with the EU's second Network and Information Security Directive (NIS2), raising the bar for everyone and updating the UK's own NIS Regulations 2018.
Government to Business: Act Now
On 14 October 2025, the government took the unusual step of writing directly to FTSE 350 CEOs urging three immediate actions:
1. Put cyber on the boardroom agenda
It's not a tech problem—it's a strategic business risk.
2. Subscribe to NCSC's free 'Early Warning' service
Because detecting an attack early can mean the difference between a minor incident and a crisis.
3. Adopt Cyber Essentials across your supply chain
Getting the basics right (the Cyber Essentials controls: firewalls, secure configuration, patching, access control with multi-factor authentication, and malware protection) makes an organisation 92% less likely to make a claim on its cyber insurance, according to NCSC's latest annual review. Those three steps alone would prevent most of the commodity attacks businesses actually see.
CAF: The Framework That's Quietly Becoming Essential
The Cyber Assessment Framework (CAF) isn't new—it's been around since 2018—but it's about to become mainstream. Originally designed for critical infrastructure, it's now being encouraged as best practice for all sectors.
CAF breaks down into four objectives:
- Managing security risk: Know where you're strong, where you're weak, and where to focus.
- Protecting against cyber attack: Get the right people, processes, and technology controls in place.
- Detecting cyber security events: Monitor for suspicious activity, 24/7 if possible.
- Minimising the impact of incidents: Have a written, rehearsed incident response and recovery plan ready to go.
CAF 4.0, released in August 2025, adds a new emphasis on threat intelligence and understanding attacker methods, so organisations use real-world insight to anticipate attacks before they land.
Technology Is Now the Enabler
The days of "policy shelfware" are done. Technology is making CAF and Bill compliance continuous, not annual.
Ed explained how platforms like Hicomply support continuous assurance:
"Boards get the high-level posture view. Security teams get detailed control evidence. Regulators get audit-ready data. Everyone gets what they need—without waiting for the next audit."
By embedding CAF and related frameworks into digital systems, businesses can monitor, evidence, and improve in real time—reducing risk whilst building trust.
Practical First Steps
The speakers agreed: stop waiting for the Bill to land.
Here's how to get started now:
- Visibility first: Build a digital asset register—you can't protect what you don't know you have.
- Take a 90-day view: Plan short cycles of improvement, focusing on risk assessment, supplier review, and incident response playbooks.
- Keep evidence: Track everything from helpdesk tickets to supplier SLAs—proof beats assumption.
- Make it cultural: Cybersecurity is everyone's responsibility, not just IT's.
- Test your plan: Because "we thought we were ready" doesn't hold up when the attack hits.
Cyber Maturity and Resilience Are a Growth Lever
Customers, investors, and regulators are all asking the same question: Can we trust you with our data?
Organisations that can demonstrate certification such as Cyber Essentials or ISO 27001, or alignment with CAF, will increasingly win that trust and the contracts that go with it.
As Stewart summarised:
"Resilience isn't just about protection, it's about adaptation. The businesses that can adapt fastest to change will be the ones that survive and thrive."
Where to Turn for Help
This list isn't exhaustive, but it's a good place to start. Alongside trusted partners like Waterstons and Hicomply, which provide advisory and technology solutions aligned to CAF, ISO 27001, and the Cyber Security and Resilience Bill, here are some other groups, bodies, and sources of information:
- NCSC – Free tools, frameworks, and early-warning services.
- UKC3 (UK Cyber Cluster Collaboration) – National body linking and supporting all UK regional cyber clusters, sharing intelligence and good practice.
Regional Cyber Clusters
- CyberNorth (North East)
- ScotlandIS Cyber (Scotland)
- Cyber Wales
- Midlands Cyber
- South West Cyber Security Cluster
- Northern Ireland Cyber Security Cluster
- Yorkshire Cyber Security Cluster
- East Midlands Cyber Cluster
- South East Cyber Resilience Centre
- London Cyber Resilience Centre
Cyber Resilience Centres (CRCs)
Police-led not-for-profit partnerships offering affordable cyber resilience support to SMEs and charities across every UK region, from Scotland and Northern Ireland to the South West and London.
Because compliance doesn't have to be painful, and resilience shouldn't wait for regulation.