Audit reform: The key to boosting UK cyber resilience
Chris Dimitriadis, Chief Global Strategy Officer at ISACA, explains why strong audit protocols are crucial to ensuring that proactive cyber defences are not only in place, but comprehensive and fit for purpose

Last month, I collaborated with the Chartered Institute of Internal Auditors on a joint letter to Rt Hon Jonathan Reynolds MP, Secretary of State for Business and Trade, urging immediate action on audit reform legislation to strengthen the UK’s digital resilience. The letter was supported by other cross-industry signatories.
Our message was clear: cyber resilience must be a national priority and to achieve it we must expand corporate risk frameworks to include digital risk.
Since then, the urgency has only grown. A wave of major cyber incidents against leading retailers like M&S and The Co-op has highlighted just how widespread and damaging these threats have become, with severe financial, operational, and reputational fallout.
And these are just the most prominent cases; DSIT’s latest Cyber Security Breaches Survey found that a staggering 43% of UK organisations suffered a breach in the past year. With new technologies fuelling the scale and sophistication of cyber attacks, every organisation is at risk. Now is the moment for the government to step up and turn intent into action.
Audit reform is a strategic necessity, but it’s facing delays
In the King’s Speech last year, the UK government pledged to introduce the Audit Reform and Corporate Governance Bill – a landmark piece of legislation that would expand corporate risk reporting to include digital threats and cybersecurity protocols. Despite its importance, however, the bill has stalled. This delay has jeopardised progress toward a more cyber-resilient business landscape.
In today’s rapidly evolving threat landscape, proactive cyber measures are key. Strong audit protocols are crucial to ensuring these defences are not only in place, but comprehensive and fit for purpose. Beyond the financial and reputational dangers facing individual businesses, the UK risks falling behind global peers like the US and EU, which are advancing mandatory cybersecurity standards. Cyber resilience can no longer be treated as an IT concern – it must be embedded in core business strategy. Legislation can enable this shift, raising operational standards and helping UK organisations stay secure and globally competitive.
Rising threats are exposing systemic gaps
Industries feel this growing need for reform. Cyber threats are escalating, and the burden on those managing them is unsustainable. ISACA’s latest State of Cyber report found that 79% of European professionals view today’s complex threat landscape as a major source of stress. AI is making attacks harder to detect, from generating convincing phishing scams to writing malicious code that can more easily bypass defences. Digital supply chains are also increasingly interlinked, meaning a single breach can ripple across multiple businesses.
Yet many organisations remain underprepared. Within organisations there is a distinct lack of cyber awareness, which leaves businesses vulnerable to avoidable threats. For instance, M&S has confirmed that human error created the entry point for the wider breach in its recent attack: attackers used social engineering to trick members of staff into changing passwords, opening the door to the wider intrusion.
Here, the fallout has been severe, with the cost to profit already exceeding £300m alongside heavy reputational damage. More broadly, Hiscox’s latest Cyber Readiness Report shows that 47% of breached companies struggle to attract new customers after an attack, highlighting the extent of the potential damage.
These aren’t just short-term setbacks; the impacts can last for years. Too many organisations still treat cybersecurity as an isolated, secondary issue, but proactivity is essential to resilience. For many businesses it can be hard to know where to start, which is why legislation is essential for providing the structure and accountability needed to embed cyber awareness across entire organisations.
The current state of UK cyber legislation
While the Audit Reform and Corporate Governance Bill remains delayed, there has been progress elsewhere. In April and May, DSIT introduced two voluntary frameworks: the Cyber Governance Code of Practice, aimed at helping business leaders integrate cyber risk management into day-to-day operations, and the Software Security Code of Practice, which encourages developers to embed cybersecurity by design. Both are positive steps toward building a more security-conscious business culture.
How businesses can improve while policy catches up
Audit reform is the next necessary step in the right direction. But until this is passed, there are still key actions businesses can take to strengthen their resilience. The DSIT Codes offer a useful starting point, particularly for organisations looking to upgrade their current cybersecurity measures. The Cyber Governance Code has been mapped to established frameworks like ISACA’s COBIT, helping businesses implement its principles quickly and effectively.
Outside of legislation and reform, building resilience also means investing in people. Cyber risk touches every part of a business, so all employees – not just IT teams – need the awareness and skills to spot and respond to threats. Businesses should begin with upskilling across the organisation and additionally ensure their audit teams are equipped to recognise emerging cyber risks and confidently use technologies like AI to enhance audit quality, a shift supported by programmes like ISACA’s Advanced in AI Audit course.
Recent cyber attacks like those on M&S have shown how quickly vulnerabilities can escalate into major business crises. While some organisations are starting to take action and guidance is emerging, lasting, system-wide resilience depends on policy. With the right legislative foundation, the UK can ensure businesses are increasing their security and preparing for the future.