The recent spate of cyber-attacks on retailers has shown how British companies are grappling with a daily wave of cyber threats that are growing in both frequency and severity. These attacks have the potential to jeopardise our way of life, as demonstrated by the incidents at M&S and the Co-Op, leading to empty shelves in some supermarkets.
If one or more of our major banks were to suffer a catastrophic cyber-attack, it could result in a systemic risk to the entire financial system. This is why boards now need to have a laser focus on their digital risks. And it’s why we are urging the government to bring forward legislation to strengthen company reporting on digital resilience, audit, and assurance.
The attacks we’ve seen in recent weeks demonstrate how quickly a digital breach can disrupt business operations, halting payments, delaying online orders, and damaging supply chains. Public trust has suffered, along with the reputations of some of the UK’s most recognisable brands. In M&S’s case, the financial impact has been stark: the company estimates a £300 million hit to operating profits and nearly £750 million wiped from its market value.
This highlights how UK businesses are simply not as prepared as they should be for the scale or sophistication of today’s digital threats.
Ultimately, the colossal business costs of these attacks are impacting the wider economy, including jobs and growth. If even the best-known names in British retail can be successfully targeted, then what does that mean for UK PLC?
These cyber-attacks come just weeks after a joint Chartered IIA and ISACA letter to the business secretary, urging the government to ensure its forthcoming legislative package on audit and corporate governance reform includes measures to support stronger digital resilience.
We want to see reform of the non-financial reporting framework to ensure that major businesses are not only reporting on their digital risks and resilience, but also on the audit and assurance they have received, both to demonstrate that these risks are being managed, mitigated, and controlled effectively, and to ensure continued economic growth.
Digital risk needs structured oversight
The rising tide of cyber-attacks should be a wake-up call for both business and government. Companies are not only vulnerable through their systems, but also through suppliers, cloud platforms, and third-party services. Yet there is no legal reporting requirement for companies to explain how digital risk is assessed, governed, or independently assured.
This is where legislation must now catch up and be modernised to reflect the digital age. The Companies Act 2006, passed a year before the first iPhone was released, has not kept pace with our fast-changing digital world. We support calls for the government to adopt two key measures already recommended in Sir Donald Brydon’s Independent Review into the Quality and Effectiveness of Audit.
First, large companies should be required to publish a resilience statement outlining how they prepare for material risks, including cyber, technology, and digital risks. Second, they should publish an audit and assurance policy, explaining what assurance is obtained and how it is used by the board.
Such measures should be designed to embed digital resilience into corporate governance and reporting by making companies explain how they assess and prepare for cyber threats. This would help to ensure that boards and their audit and risk committees are more focused on digital risks and give investors a clearer picture of which companies are actively managing digital risk, and which are not.
Some may see these measures as an unnecessary reporting burden, but the ongoing fallout from the M&S attack tells a different story. The breach triggered a significant drop in market value and damaged both the company’s financial outlook and its reputation. For large companies, it shows how the cost of failing to prepare for cyber threats can far exceed the effort required to manage and report digital risks effectively.
This is exactly what makes the Audit and Corporate Governance Reform Bill and the review of non-financial reporting, which will amend the Companies Act 2006, so important to the success or failure of British businesses, and thus to everyday lives. But despite being promised in the King’s Speech last year, the draft bill has yet to be published, delaying progress at a time when cyber-attacks are becoming more frequent and more damaging. Meanwhile, the review into non-financial reporting has again been delayed and will now not be consulted on until the end of the year.
Internal audit and IT teams are already responding
While Westminster dithers and delays, audit, risk, and governance professionals on the ground are already adapting. Across both internal audit and IT governance, we are seeing a shift in focus and resources to keep pace with the ever-evolving cyber threat landscape. Internal audit leaders regularly report that cyber risk is one of their top priorities.
In the Chartered IIA’s recent Risk in Focus 2025 survey, 83% of Chief Internal Auditors placed cyber-security as the biggest risk facing organisations, and the risk they spend the most time auditing. The Global Internal Audit Standards and our own Internal Audit Code of Practice have also been updated to include a specific focus on cyber, technology and digital risks. We now need the law to catch up.
How UK audit reform can raise the standard
Voluntary guidance, such as the government’s Cyber Governance Code of Practice, is a step in the right direction. But without legal backing, we are concerned it will not go far enough. The Audit and Corporate Governance Reform Bill, along with the review of non-financial reporting, offers the perfect opportunity to ensure our laws are updated to reflect the modern world and set clear reporting expectations enshrined into UK law.
Other jurisdictions, including the US and EU, are already advancing mandatory cyber risk reporting requirements. If the UK fails to act, it risks falling behind its global peers, both in regulatory standards and digital resilience.
The recent attacks on some of the UK’s best-known businesses have exposed where the gaps are. The next step is to close them.
Gavin Hayes is Head of Policy and Public Affairs, and Mo Warsame is Senior Policy and Public Affairs Executive at the Chartered Institute of Internal Auditors