
Welcome to the latest edition of our quarterly Fraud and Cyber Newsletter. 

As cyber threats grow in scale, complexity and impact, businesses are facing mounting pressure to strengthen their digital resilience, governance frameworks and legal preparedness. This edition brings together expert analysis on the lessons from 2025's most significant cyber incidents, the year's major ICO enforcement actions including Capita's record £14 million fine, and the regulatory changes on the horizon. We examine the evolving threat landscape shaped by AI-enabled attacks and analyse the forthcoming Cyber Security and Resilience Bill which promises the most significant overhaul of the UK's cybersecurity regulatory framework in recent years. 

We also look at the ICO's continued collaborative approach to public sector enforcement and the practical steps organisations should be taking now to stay resilient in the face of an ever-evolving threat landscape. Finally, we examine the shifting fraud landscape for 2026, including the first full year of enforceability of the failure to prevent fraud offence, the UK Government's Anti-Corruption Strategy, the growing role of AI in fraud detection and the new powers introduced by the Public Authorities (Fraud, Error and Recovery) Act 2025.

If you have any suggestions or requests for future editions of the Trowers Fraud and Cyber Insight, please get in touch with one of the team.

Click the links below to view our latest insights:

Cyber lessons from 2025: What businesses must learn from the M&S breach and beyond

In this session, we examined the most pressing cyber issues facing organisations today, highlighting the escalation of threats driven by AI‑enabled attacks, increasingly sophisticated data breaches and the speed at which threat actors now adapt. Charlotte Clayson and Helen Briant explored the evolving landscape, and the key practical steps businesses should be taking to stay resilient to the threat.

Watch on demand

Public listed company, Capita, fined £14m by the ICO for a data breach

We discuss the ICO's 2025 fine against Capita and its pensions subsidiary, which were handed a combined fine of £14 million by the ICO (the largest in 2025). The fine followed a 2023 cyberattack which exposed the personal data of around 6.6 million individuals after a malicious file was downloaded onto an employee’s device. Capita failed to contain the breach for 58 hours despite an early security alert. The ICO found that Capita had not implemented sufficient technical and organisational measures to protect sensitive information, and the scale of the breach has since prompted thousands of complaints and ongoing High Court claims.

Read the full article

Addressing new cyber risks created by AI

This article highlights how rapidly advancing AI is reshaping the cyber threat landscape, enabling attackers to automate and scale their operations, lower the barrier to entry for inexperienced criminals and create highly convincing deepfakes that are increasingly difficult for businesses to detect. Recent incidents demonstrate all too clearly how AI‑driven impersonation and social engineering tactics have amplified both the sophistication and impact of attacks. While AI offers powerful tools to strengthen detection and resilience, organisations must also recognise the new vulnerabilities it introduces, adapting their security strategies accordingly.

Read the full article

ICO continues public sector approach: three years of collaboration over penalties

The ICO has confirmed it will maintain its collaborative enforcement model for public sector organisations following a three‑year trial, publishing clearer definitions of the bodies that fall within scope, and when fines may still be imposed. The regulator emphasised that early engagement, guidance and improvement notices remain its primary tools in this sector, noting that the trial period resulted in only £1.2m in fines compared to a potential £23.2m under traditional methods, and reaffirming that sustainable compliance is better achieved through support rather than punitive sanctions.

Read the full article

A round-up of ICO enforcement in 2025

2025 saw nearly £19.4m in fines for major data breaches. In this article, we take a look at some of the largest fines handed down by the ICO in 2025, namely against Capita, Advanced Computer Software and 23andMe, and look at the key takeaways for organisations. 

Read the full article

The cyber security and resilience bill: a new era for UK cybersecurity regulation

The Cyber Security and Resilience Bill, currently progressing through Parliament, represents the most significant overhaul of the UK's cybersecurity regulatory framework since 2018. We explore who will be caught by the expanded scope, the new incident reporting requirements, the eye-watering penalties of up to £17m or 4% of worldwide turnover, and what organisations should be doing now to prepare ahead of the Bill which is expected to come into force in 2028.

Read the full article

Fraud: what lies ahead for 2026

With 2026 marking the first full year of enforceability of the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023, the fraud landscape is undergoing a significant transformation. In this article, we explore the key developments shaping fraud prevention and enforcement in 2026, from the UK Government's Anti-Corruption Strategy and the consolidation of AML supervisory functions under the FCA, to the increasing deployment of AI across enforcement bodies and expanded data-sharing initiatives. We also examine the new powers granted under the Public Authorities (Fraud, Error and Recovery) Act 2025, and the practical steps organisations should be taking to ensure robust governance and regulatory readiness.

Read the full article