Board Cyber Warning

In August and September 2025, Jaguar Land Rover (JLR) suffered a crippling cyber attack that forced a five-week shutdown of global production, causing a near £500m loss and £196m in extraordinary costs.

Auto Breakdown

The attack, blamed on a ransomware group called Scattered Lapsus$ Hunters, also known as ‘Trinity of Chaos’, halted manufacturing at JLR’s UK plants (Solihull, Halewood, Wolverhampton) and hit worldwide operations.

The car giant may have borne the brunt of the devastating hack, but it was also estimated to have cost the wider UK economy up to £1.9bn, and was blamed by the government for dragging down quarterly GDP growth figures.

JLR’s woes form an unwelcome backdrop for the government’s latest warning on the growing cyber threat of AI. Recently, on April 15th, Liz Kendall, Secretary of State for Science, Innovation and Technology, and Dan Jarvis, Security Minister in the Cabinet Office and Home Office, issued an open letter to business leaders informing them of a more dangerous threat to companies in cyber space.

“For years, the most serious cyber attacks have relied on a small number of highly skilled criminals. That is now shifting. A new generation of AI models are becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago,” the letter said.

Hot on the heels of the open letter, the government hosted its flagship cyber security event, Cyber UK, in Glasgow. The event also marked the 10th anniversary of the National Cyber Security Centre and brought together people from across the sector. They heard from Jarvis, who called on AI companies to work with the government to “co-develop AI for national cyber defence”. It was also announced that there would be a new £90m investment to provide targeted and practical support to help SMEs strengthen their cyber resilience.

Growing cyber fears are being felt by the IoD’s own membership. In our November 2025 Policy Voice Survey, the number of respondents who said they worried about cyber security risks rose on the year by 15% to 58.4%. Concerns over cyber threats were second only to a global economic slowdown (58.8%) and scored the largest percentage increase.

Next Level

Anthropic, a US-based AI company, recently revealed a new model called Mythos, focused on cyber security. Unusually, the tech firm said that it was not releasing Mythos because it was so effective at finding flaws in software.

Instead, Anthropic handed it to 40 US technology companies so they could boost their cyber-defences.

The move also caught the attention of British banks, including Barclays, Lloyds and NatWest, which are in contact with Anthropic about gaining access to the model.

Andrew Bailey, governor of the Bank of England, said that Anthropic may have “found a way to crack the whole cyber-risk world open”.

The UK’s AI Security Institute (AISI), one of the few institutions outside the US to test Mythos, found it to be “substantially more capable at cyber offence than any model we have previously assessed”.

The Institute noted that AI cyber capabilities are accelerating even faster than had been previously envisaged. It said that frontier model capabilities are doubling every four months, compared with every eight months previously.

OpenAI, the US tech giant behind ChatGPT, recently announced it is scaling up its Trusted Access for Cyber programme, showing that AI’s accelerating impact on cyber is not isolated to a single company. More are expected to follow.

The ministers’ open letter added: “This finding is significant both for what it means today, but also because it highlights the speed at which AI capabilities are increasing and the threats they potentially pose.

“The trajectory is clear and therefore it is vital that we are prepared for frontier AI model capabilities to rapidly increase over the next year, and plan accordingly for that outcome.”

Defensive Action

In response, the UK is strengthening its national cyber resilience through the AI Security Institute, the National Cyber Security Centre (NCSC), forthcoming Cyber Security and Resilience legislation, and a new National Cyber Action Plan.

However, the open letter stressed that government action alone would not be enough. It urged every business in the UK to play its part as well. Kendall and Jarvis noted that criminals will not just target government systems and critical infrastructure. They will hit ordinary companies, of every size, in every sector – particularly where defences are weakest.

In response to the growing threat, the government recently announced its Cyber Resilience Pledge, which urged organisations to make a commitment to strengthen their cyber resilience by taking three practical actions:

  1. Take cyber security seriously, at the very top of the organisation. Make it a board responsibility – if the board has not recently discussed cyber risk, do so at the next meeting and then regularly. It is not an issue to delegate to the company’s IT team and forget about. Directors were also urged to use the Cyber Governance Code of Practice alongside the AI Cyber Security Code of Practice to ensure organisations are sufficiently protected. Smaller businesses are advised to use the NCSC’s Cyber Action Toolkit and Cyber Security Toolkit for Boards to help them build their cyber protection. This means looking at how cyber insurance can support response and recovery. Free cyber insurance is available to small organisations that obtain Cyber Essentials.
  2. Get the basics right with Cyber Essentials. Most successful cyber attacks exploit simple weaknesses: outdated software, weak passwords, missing backups. Cyber Essentials is the government-backed certification scheme that protects against the most common attacks. Organisations that hold it are significantly less likely to suffer a damaging cyber incident.
  3. Sign up to the NCSC’s Early Warning Service. The National Cyber Security Centre provides free, practical advice, training and guidance for organisations of every size. The service informs organisations of potential cyber attacks and gives invaluable time to act before an incident escalates.

Conclusion

The letter from Kendall and Jarvis warned that Britain is entering a period in which the pace of technological change may ‘test every institution in the country’.

“The businesses that act now – that treat cyber security as an essential part of running a modern company, not an optional extra – will be the ones best placed to thrive through it and seize its advantages. We urge you to be among them,” it said.

The IoD is taking action, led by Dr Erin Young, Head of Innovation and Technology Policy. She engages regularly with the NCSC, as well as with the Cyber Hub within the Department for Business and Trade, alongside other key business organisations, to discuss and help influence the government’s thinking on increasing cyber resilience in business, including on shaping the Cyber Security and Resilience (Network and Information Systems) Bill.

The NCSC has developed its Cyber Governance Training to help boards and directors strengthen their understanding of why and how to govern cybersecurity risks. The IoD has partnered with the organisation to make the training accessible on our Digital Academy. It is available online and is free to all IoD members.

The course objective is to strengthen board oversight and governance of organisational cyber risk, helping members to thrive, not just survive, in the face of increasing cyber threats.

About the author

Karl West

Freelance journalist, podcaster and media adviser. Senior Consultant at The Institute of Directors.

Karl has more than 25 years of experience in the media sector, including several years at The Sunday Times and Daily Mail, where he wrote about business – mainly transport, defence and UK manufacturing industries.

He has a podcast – The All Points West Podcast – that interviews the founders, CEOs and Chairs of small and medium-sized UK companies.
