Trowers Tech News - July 2025

Welcome to the latest edition of Trowers Tech News.

This month, we turn our attention to the evolving cyber threat landscape and the growing urgency for organisations to strengthen their digital defences. From the increasing sophistication of ransomware attacks, now leveraging generative AI and triple extortion tactics, to the systemic risks posed by third-party vulnerabilities, the cyber risk outlook is more complex than ever.

We explore how businesses can build resilience through better risk prioritisation, incident response planning, and staff training. We also examine the UK government's proposed Cyber Security and Resilience Bill and its potential to reshape regulatory expectations, alongside the Home Office’s consultation on ransomware response frameworks.

Finally, we reflect on the high-profile cyber attack on M&S, a cautionary tale that underscores the reputational and operational fallout of cyber incidents, and the strategic lessons all organisations should take on board.

As always, we round up the latest legal tech developments, from AI regulation and fake citation scandals to landmark decisions on copyright and data use.

Top tech trends: The cyber risk outlook and strengthening organisational resilience

Charlotte Clayson, Partner

The cyber risk outlook (and what to do about it)

One of the key themes that has been emerging over the last few years and which is continuing to develop at pace is the prevalence of ransomware as a way of exploiting both technical and organisational vulnerabilities across a broad range of sectors. In addition to an increase in the number of attacks using ransomware, we are also seeing an increase in sophistication and complexity of these attacks, whether targeting supply chains to increase the likely "hit rate" and potential number of victims, to using Generative AI and social engineering to make phishing emails (or voicemails, videos, text messages) seem more believable and real.

Ransomware attacks have been described by the NCSC as the "biggest development in cybercrime" in the last decade, and we see the impact of these attacks can be debilitating to organisations, causing financial, operational and reputational damage, alongside the risk of litigation, regulatory investigations and fines, and an erosion of public trust.

Whilst law enforcement agencies globally have been able to take a few of the largest hacker groups and forums out of action, the evolution of ransomware "as a service" means that the barriers to entry have lowered: the ransomware code and everything else needed to make it an effective criminal enterprise can be bought off the shelf. Hackers are also becoming more targeted on organisations' key risk areas for maximum impact. So, for example, logistics and manufacturing organisations will be targeted by taking systems off-line and immediately hitting productivity and the bottom line, whereas healthcare and professional services will likely see more data exfiltration as hackers focus on organisational sensitivities such as the risk to personal, sensitive and confidential data. In fact, triple extortion is now becoming more commonplace, where hackers use three different pressure points: first, encrypting data so the organisation cannot access it; second, exfiltrating the data and threatening to release it onto the dark web; and third, pressurising the organisation in another way, either through further attacks, blackmail, or personal pressure on C-suite executives.  

With these developments in mind, and the use of ransomware continuing to evolve, cyber resilience must remain a key priority for boards and senior leadership teams across all sectors. Organisations should be taking a closer look at how their internal risk is managed and prioritised and have a clear understanding of their systems, people, key datasets and risk. Alongside technical information security risks, organisations should be continuing to look at the people element of cyber resilience, ensuring that their staff are well trained in what to look out for, where to report suspicions and where and how key decisions are made. Regular Incident Response Plan testing, to bridge the gap between technology and people, policies and procedures will be absolutely key. Awareness of the risks is certainly there, but action is sometimes trailing behind.

Joseph Hannify, Associate and Sanchita Agrawal, Associate

Modernising cybersecurity law - The UK’s response to evolving digital threats

Recent high-profile attacks have demonstrated the catastrophic impact that cyber-attacks can have and this has been coupled with increasing pressure on the UK government to update legislation and regulation to keep pace with the fast paced changes to technology and the cyber-risk landscape which allow such attacks to succeed. 

In an attempt to take swift action to address vulnerabilities and protect our digital economy, on 1 April 2025 the government laid out its plans for the Cyber Security and Resilience Bill, which intends to put the UK on a closer footing with the EU's NIS2 which has recently come into force. The detail of the Bill has yet to be published but is expected to:

• expand the remit of the regulation to protect more digital services and supply chains, by filling an immediate gap in defences of public services and help prevent attacks of the kind recently experienced by the likes of hospitals and local councils;

• put regulators on a strong footing to ensure essential cyber safety measures are being implemented, by providing necessary resources and powers to manage and proactively investigate potential vulnerabilities; and
• mandate increased incident reporting to give the government better data on cyber-attacks, including where a company has been held to ransom. This is said to improve the government's understanding of the threats present and increase awareness of the type and nature of incidents that may occur in the future.  

In January 2025, the Home Office also opened a public consultation on proposed framework for responding to ransomware attacks, following high-profile attacks on the NHS, the Guardian, and the British Library. 

The three key proposals are: 

• targeted ban on ransomware payments by public sector bodies and Critical National Infrastructure operators, potentially extending to essential suppliers, aimed at undermining criminals' business models;
• payment prevention regime requiring organisations to report intended ransom payments for official review and guidance before proceeding; and
• mandatory incident reporting for all suspected ransomware attacks, regardless of whether a ransom is to be paid, to improve government understanding of threats and to support law enforcement.

The consultation ended on 8 April and the Home Office are currently reviewing the responses. However, it seems that these proposed measures have received mixed press during the consultation process, with questions over how practical it will be to police these proposals, and how effective they would be as tools to reduce criminal profits and enhancing cyber resilience. It remains to be seen if and how this proposal will progress. For more information on these proposals, please see our article – The Home Office considers ransomware legislative proposals  

What is clear is that the government is seeking to modernise the UK's cyber defence framework, increase its visibility on the current threat landscape, and looking to create a more resilient digital infrastructure capable of withstanding evolving cyber threats.

Helen Briant, Partner

M&S Cyber attack – a cautionary tale. 

In April, M&S was the latest high-profile company to be stung by a cyber incident and the fact that it is still in the news highlights that cyber incidents do not just carry a financial implication, but enormous reputational consequences. For a company that had been doing to so tell to turn it fortunes around, it could not have come at a worse time. So why are we still talking about it months after it happened and what are the key takeaways for onlooking businesses? 

The attack on M&S was one of the most disruptive UK retail cyber incidents to date. The company lost nearly two months of online orders in its clothing and home division which has resulted in £300 million of lost profits being reported. It has been reported that 150 GB of customer data has been stolen and although most services have been restored, some areas are not expected to be fully operational until the Autumn. Given the disruption to customers, some of which is understood to be ongoing, M&S may find it difficult to restore customer confidence for a long time to come. 

Read the full article to learn how the M&S cyber attack exposed systemic vulnerabilities and what businesses can learn from it.