Insights

The cyber bill spells it out: Risks are unavoidable. It’s cyber resilience that counts

Mark Hendry

With half of firms suffering a breach or attack in the last year and the new Cyber Security and Resilience Bill on its way, businesses need to look beyond security to their responses and recovery. Resilience is the new watchword.

Prevention is better than cure only if prevention is a realistic possibility. For cyber threats, it often isn’t. The government’s annual Cyber Security Breaches Survey, published earlier this month, found that half of businesses had suffered a breach or attack in the last 12 months alone.

That trend is unlikely to improve, given increasingly sophisticated and prolific threats, including AI-enhanced attacks. A survey by the Chartered Institute of Internal Auditors late last year found that cyber and security was a top five risk for 83% of chief internal auditors, and that AI was identified as a critical risk.

Threats do not come just from outside. The US government’s Cybersecurity & Infrastructure Security Agency notes that organisations face a range of “insider threats” from employees, contractors or other third parties – “any person who has or had authorised access to or knowledge of an organisation’s resources, including personnel, facilities, information, equipment, networks, and systems”.  

Insider damage is often malicious but may also be accidental. Just as new external threats challenge businesses, internal changes to systems or processes create opportunities for errors that disrupt operations, expose data or undermine regulatory compliance.

The result is that no business can ever be completely safe, and prevention alone isn’t enough. Businesses need to be ready for the worst.  

The road to cyber resilience

The forthcoming Cyber Security and Resilience Bill recognises this, according to a policy paper published at the start of April 2025. It emphasises not just security but resilience, taking its cue, perhaps, from the most striking recent legislative example: the EU’s Digital Operational Resilience Act (DORA).

DORA is an EU regulation, but it affects many UK finance firms and their IT service suppliers, and it has applied since 17 January 2025. It puts resilience at the centre of security for financial entities, including banks, insurance companies and investment firms, emphasising the ability to recover and “stay resilient in the event of a severe operational disruption”, as the European Insurance and Occupational Pensions Authority puts it.

The UK’s financial regulator, the FCA, already has its own principles-based operational resilience requirements, but the forthcoming Cyber Security and Resilience Bill is broader. It addresses the UK’s essential public services and infrastructure, with about 1,000 service providers falling within its scope.

The bill plans to “bolster the UK’s online defences, protect the public and safeguard growth”, according to the announcement. It will ensure essential IT and public services are “no longer an easy target for cyber criminals”, it adds.  

“Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable,” said the Secretary of State for Science, Innovation and Technology, Peter Kyle, launching the policy paper.

Three steps to resilience

As with previous regulatory efforts around resilience, the Cyber Security and Resilience Bill intends to look beyond prevention to consider organisations’ capacity to withstand and recover from attacks or incidents. As the UK’s Department for Digital, Culture, Media & Sport defines it, “Cyber resilience is the ability for organisations to prepare for, respond to and recover from cyber attacks and security breaches.” 

To put it another way, cyber resilience enables organisations to detect, correct and recover from attacks or incidents:

  • Detecting intrusions, attacks or errors quickly, to limit the time attackers or others have to cause damage or losses
  • Correcting the situation quickly with reactive controls, to secure data and systems and contain the threat
  • Recovering from the incident, to get back to normal operations as quickly as possible

The ability to do this depends, in turn, on organisations’ activity before, during and after the event. 

Before: Organisational reviews and risk appetite

Pre-incident planning is probably the most important aspect of resilience. It determines the tools, plans and strategies in place to detect, respond and recover when an incident occurs. 

It will also determine which risks the organisation chooses to tolerate. Not only is complete security impossible to achieve, but there will be risks organisations actively decide to accept: for example, granting insiders, and even third parties, access to systems or data because it makes the operation more efficient or effective.

Defining the organisation’s risk appetite is an essential step in achieving resilience. Improved resilience may even increase the risk tolerance since organisations could be more willing to allow vulnerabilities when they are confident they can effectively respond to and recover from any attempts to exploit them. However, determining the risk appetite effectively depends on understanding the organisation’s critical systems, data, assets and technology. Any resilience programme should start with a comprehensive review of these, the threats they face and potential consequences.  

This review will determine the controls to put in place across people, processes and technology. The technology controls will include monitoring to detect cyber incidents, such as security information and event management (SIEM) solutions, and security orchestration, automation and response (SOAR) software that also automates the response, containing threats and protecting systems and data.
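As an added illustration of the detect and correct steps (this is example code written for this page, not a tool described in the article), the script below does in miniature what a SIEM correlation rule and a SOAR playbook do: it parses constructed sshd-style authentication log lines, raises an alert when one source produces five or more failed logins within five minutes, escalates the severity if that source then logs in successfully, and maps each alert to containment actions. The log format, the threshold, the window and the action names are all assumptions for the example, and the IP addresses come from the documentation ranges.

```python
"""Detect-and-contain example: correlate authentication log lines the way a
SIEM rule would, then emit the containment actions a SOAR playbook would run.
All log lines below are constructed for the example, not taken from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an sshd-style auth log. 203.0.113.7 brute-forces the
# "svc-backup" account and finally succeeds; 198.51.100.9 is one legitimate login.
SAMPLE_LOG = """\
2025-04-10T09:00:01Z host1 sshd[1201]: Failed password for svc-backup from 203.0.113.7 port 51000 ssh2
2025-04-10T09:00:03Z host1 sshd[1201]: Failed password for svc-backup from 203.0.113.7 port 51001 ssh2
2025-04-10T09:00:04Z host1 sshd[1201]: Failed password for svc-backup from 203.0.113.7 port 51002 ssh2
2025-04-10T09:00:06Z host1 sshd[1201]: Failed password for svc-backup from 203.0.113.7 port 51003 ssh2
2025-04-10T09:00:07Z host1 sshd[1201]: Failed password for svc-backup from 203.0.113.7 port 51004 ssh2
2025-04-10T09:00:09Z host1 sshd[1201]: Accepted password for svc-backup from 203.0.113.7 port 51005 ssh2
2025-04-10T09:05:00Z host1 sshd[1330]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
"""

# Assumed line format (sshd-style); lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5                 # assumed: failures per source inside the window
WINDOW = timedelta(minutes=5)      # assumed correlation window


def parse(log_text):
    """Yield (timestamp, host, outcome, user, src) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # unparsed lines are skipped, not fatal
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["host"], m["outcome"], m["user"], m["src"]


def detect(log_text):
    """SIEM-style correlation: FAIL_THRESHOLD failures from one source within
    WINDOW raise a medium alert; a later success from that source escalates it
    to high (likely compromise). Returns one alert dict per offending source."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = {}
    for ts, host, outcome, user, src in parse(log_text):
        if outcome == "Failed":
            recent = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in alerts:
                alerts[src] = {"src": src, "host": host, "users": {user},
                               "severity": "medium", "success_after_failures": False}
        elif outcome == "Accepted" and src in alerts:
            alerts[src]["severity"] = "high"
            alerts[src]["success_after_failures"] = True
            alerts[src]["users"].add(user)
    return list(alerts.values())


def containment_actions(alerts):
    """SOAR-style playbook: map each alert to reactive controls. Actions are
    returned as (action, target) tuples rather than executed, so an analyst
    can review them before anything is blocked or disabled."""
    actions = []
    for a in alerts:
        actions.append(("block_source", a["src"]))
        if a["success_after_failures"]:
            for user in sorted(a["users"]):
                actions.append(("disable_account", user))
                actions.append(("revoke_sessions", user))
            actions.append(("isolate_host", a["host"]))
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    for action in containment_actions(found):
        print(action)
```

Run against the sample, the rule raises a single high-severity alert for 203.0.113.7 and proposes blocking the source, disabling and revoking sessions for svc-backup, and isolating host1; alice’s key-based login on its own triggers nothing. Returning the actions instead of executing them is deliberate: the playbook stays reviewable, and the thresholds can be tuned against real log volumes before any automated response is wired in.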

During a cyber incident

During an incident or attack, you need a plan. An incident management playbook determines how, and how well, the organisation responds when an incident occurs.

It is far more likely that containment and response to an incident will go well and limit damage if the plan has been tested and decision makers and operational teams have experience and practice using it before a serious incident. A detailed, well-rehearsed incident plan allows organisations to respond more quickly and effectively. It will avoid delays that expose systems and data to attackers longer than necessary and the panicked responses that can add to the disruption and damage. 

Again, the plan will encompass people, processes and technology: clear procedures for employees to report and react to incidents; well-defined hierarchies, communication channels and responsibilities for escalating issues and declaring incidents; and robust response strategies to lock down systems and protect critical data, processes and assets.

Post-event recovery and cyber incident review

Finally, recovery from an event has two parts. The first is the immediate post-event remediation. Organisations need to deal with the fall-out from the incident.  

Depending on the type and nature of the attack, damage and losses, this may involve working with the police in cases of fraud, theft or ransomware; notifying and managing regulators and, sometimes, the impacted data subjects (the people affected) in the event of a personal data breach; and engaging cyber forensics teams to identify the causes of the incident and those behind it.

This stage will also include recovering critical data and systems and restoring access and functionality to bring operations and systems back to normal and making sure that they’re secured to prevent a repeat event. 

The second part of recovery is learning the lessons. It is both retrospective and forward-looking. Organisations need to learn from the incident to ensure the same thing cannot happen again. That requires understanding the causes and which controls proved insufficient or failed, and it will mean reviewing, and perhaps revising, the organisation’s risk appetite and incident management plan.

In this way, post-event reviews become an essential part of the pre-event planning for the next incident. Because, just as the threats to cyber security are ever-present, the work of building resilience is never done.