Welcome to the latest edition of our quarterly Fraud and Cyber Newsletter, where we explore the critical challenges and developments in cyber security, data governance, and fraud prevention.
As cyber threats continue to evolve and regulatory frameworks tighten, organisations face unprecedented pressure to strengthen their defences and governance structures. This edition provides expert insights and practical guidance to help organisations navigate the increasingly complex landscape of cyber and fraud-related risks.
Our feature articles examine landmark regulatory enforcement and emerging legislative requirements that are reshaping the compliance landscape. We analyse the first UK GDPR fine against a data processor through the Advanced Computer Software case, explore the upcoming failure to prevent fraud offence affecting large charities, and examine the UK government's new Cyber Governance Code of Practice. We also delve into the implications of the EU's NIS2 Directive for UK organisations and review key findings from the government's annual Cyber Security Breaches Survey, which reveals concerning trends in board-level accountability.
Additionally, we examine the recent cyber-attack on the UK's Legal Aid Agency as a stark reminder of the costs of digital neglect, highlighting the critical importance of proactive cybersecurity investment and robust incident response planning. Throughout this edition, we emphasise the growing need for senior leadership engagement, comprehensive risk management, and strategic alignment of cyber security with organisational objectives.
If you have any suggestions or requests for future editions of the Trowers Fraud and Cyber Insight, please get in touch with one of the team.
Click the links below to view our latest insights:
Advanced Computer Software Group Ltd faces £3.07m fine for data breach: lessons in cybersecurity
This article examines the landmark £3.07 million ICO fine imposed on Advanced Computer Software Group Ltd, the first UK GDPR penalty targeting a data processor. A ransomware attack in August 2022 compromised over 79,000 individuals' data and disrupted NHS services because of inadequate security measures, in particular the absence of multi-factor authentication. The precedent-setting fine underscores the critical need for robust cybersecurity measures and supply chain due diligence to protect sensitive data and maintain operational resilience.
The Countdown is on: Failure to Prevent Fraud Offence will come into force on 1 September 2025
This article examines the upcoming failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023, effective 1 September 2025. Large charities meeting specific thresholds (250+ employees, £36m+ turnover, or £18m+ assets) face criminal liability when "associated persons" commit fraud intending to benefit the organisation. The legislation requires reasonable fraud prevention procedures as a defence, based on six key principles including top-level commitment, risk assessment, and proportionate prevention measures. With fraud prevalent in the charity sector, organisations must use the remaining time to establish robust prevention strategies and anti-fraud cultures to avoid potential criminal liability.
Cyber Governance Code of Practice: A New Era for Cyber Security in the UK
This article examines the UK government's new Cyber Governance Code of Practice, providing boards and directors with a structured framework across five key areas: risk management, strategy, people, incident response, and assurance. Addressing the gap where only 27% of businesses have board-level cyber security responsibility despite widespread threats, the Code targets medium and large organisations. With 50% of businesses reporting cyber breaches in the past year, it emphasises leadership-driven cyber security and strategic alignment to enhance organisational resilience against evolving threats.
NIS2 and you: what do you need to know?
We examine the EU's NIS2 Directive and its stricter cybersecurity obligations affecting UK organisations operating in the EU, despite Brexit. We set out how entities are categorised as "Essential" or "Important", with penalties of up to €10 million or 2% of turnover. Key requirements include 24-hour incident reporting, senior management accountability, and supply chain security. We outline how organisations must conduct gap analyses and implement robust governance strategies to achieve compliance while defending against evolving cyber threats.
Cyber Security Breaches Survey 2025
We analyse the Department for Science, Innovation & Technology's annual Cyber Security Breaches Survey, revealing 43% of businesses and 30% of charities experienced cyber breaches in the past year. Key concerns include declining board-level cyber responsibility (down from 38% to 27% since 2021) and inadequate supply chain risk management. While small businesses increased cyber hygiene practices, high-income charities reduced these activities due to budget constraints. Our cyber team provides practical recommendations to help organisations enhance their security measures against evolving threats.
A wake-up call: the cyber-attack on the UK's Legal Aid Agency and the cost of digital neglect
We examine the recent cyber-attack on the UK's Legal Aid Agency, which compromised sensitive personal data dating back to 2010. The breach, attributed to outdated IT infrastructure, underscores the critical need for robust cybersecurity measures. We highlight the potential consequences for affected individuals and emphasise the importance of proactive cybersecurity strategies, including system upgrades, regular training, and executive-level accountability. Our analysis stresses the need for comprehensive cybersecurity frameworks, including real-time threat detection and incident response planning.