Cyber_Bytes - Issue 79

Published on 23 February 2026

Welcome to Issue 79 of Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

RPC Cyber app: Breach counsel at your fingertips

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.

RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.

Information Commissioner Backs Cyber Security and Resilience Bill: Calls for Clear Secondary Legislation, Proactive Oversight and Adequate Resourcing

On 23 December 2025, the Information Commissioner issued his response to the Cyber Security and Resilience (Network and Information Systems) Bill, expressing broad support for the reforms to bolster the UK’s cyber defences. The Bill significantly broadens its remit beyond operators of essential services and relevant digital service providers to include relevant managed service providers and designated critical suppliers, reflecting the interconnected nature of modern digital supply chains.

For certain key areas of infrastructure, the Bill signals a shift from a reactive approach to proactive, risk‑based oversight, backed by enhanced powers: wider information‑gathering, strengthened information‑sharing gateways with safeguards across regulators and government, new regulatory enforcement powers, and an expanded cost‑recovery framework to fund day‑to‑day supervision, inspections and enforcement.

At the same time, the Commissioner underscores that key operational details will be set through secondary legislation, including thresholds for what constitutes a “significant impact” for incident reporting, baseline security and resilience requirements, criteria and duties for “critical suppliers”, the application of penalties, and further enhancements to information‑gathering to support risk prioritisation.

Read more from the ICO here.

Data (Use and Access) Act 2025: key changes in force from 5 February 2026

Most of the privacy‑related provisions of the Data (Use and Access) Act 2025 (DUAA) are now in force, through the DUAA (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82). The bulk of the data protection and privacy reforms under Part 5 of the DUAA take effect from 5 February 2026, amending the UK GDPR and the Data Protection Act 2018.

The commencement regulations also contain important transitional provisions. Existing time limits for responding to data subject requests continue to apply where a controller received the request before section 76 DUAA came into force, and the pre‑existing penalty notice regime will continue to govern cases where the ICO issued a notice of intent before the new penalty provisions (section 101) commence. Organisations will need to factor these transitional rules into their handling of ongoing requests, complaints and investigations.

Section 103 DUAA 2025, together with Schedule 10, will introduce a new statutory requirement for controllers to establish and operate internal processes for handling privacy complaints from data subjects. Section 103 and Schedule 10 are scheduled to commence in June 2026.

With the main DUAA privacy provisions now in force, organisations subject to UK GDPR and the DPA 2018 should:

  • review and update their data protection compliance frameworks (including lawful bases, transparency wording, data subject rights handling, automated decision‑making and international transfers);
  • assess and, where necessary, enhance governance and record‑keeping to reflect the ICO’s strengthened information‑gathering and enforcement powers; and
  • begin work on formalising privacy complaint‑handling processes ahead of the June 2026 commencement of section 103.

To access the statutory instrument bringing these provisions into force, click here; to read more about the commencement update by Practical Law, click here.

ICO reprimands GP for sending 23 years of medical records to their insurer

The ICO has issued a reprimand to Staines Health Group, an NHS GP surgery, after it disclosed an excessive amount of a terminally ill patient’s medical history to their insurance company. The insurer had requested five years of records, via the patient, to support an insurance claim. However, the practice sent 23 years of medical records directly to the insurer. The patient believes the unnecessary disclosure of historic medical information contributed to a reduced pay‑out on their claim.

The ICO found that the incident stemmed from basic governance failures, including the absence of clear written procedures for handling insurance‑related information requests and a lack of regular refresher data protection training for staff. In response, the surgery completed a significant event report, introduced written guidance and sign‑off processes for insurance requests, updated staff training, and placed the responsible staff member under supervision following a warning.

The ICO is using the reprimand to remind organisations of the need for clear processes, quality assurance checks before sharing personal data externally, and up‑to‑date training when handling particularly sensitive health information.

Click here to read the ICO news.

Government Cyber Action Plan: central direction, accountability and skills to “Defend as One”

On 6 January 2026, the UK Government published its Government Cyber Action Plan, setting out a strong, centralised model to secure public services so they are “trustworthy and resilient”. Led by a newly formed Government Cyber Unit within DSIT and supported by the Government Cyber Coordination Centre (GC3) and NCSC, the plan prioritises four strategic objectives:

  • better visibility of cyber and digital resilience risk;
  • addressing severe and complex risks that cannot be managed by a single organisation;
  • improving responsiveness to fast‑moving events;
  • rapidly increasing government‑wide resilience.

A phased implementation runs to 2029, with near‑term deliverables including the Government Cyber Incident Response Plan, expanded detection and incident learning capabilities, a pipeline of shared services and support, and a new Government Cyber Profession to attract, upskill and retain talent.

For public bodies, the plan means clearer expectations, mandatory policies and standards, and greater central support, but also firmer assurance and reporting. Departments will be held to documented risk appetites, annual strategy reviews and regular exercising of incident response and restoration plans, with GC3 coordinating cross‑government response and operating a single incident repository to embed lessons learned.

For suppliers and managed service providers, security requirements will be embedded more consistently into contracts and regulators will pursue a “Defend as One” approach to threat detection, vulnerability management and information sharing. In practice, organisations should accelerate secure‑by‑design adoption, tackle legacy risks, prepare for post‑quantum cryptography, strengthen SOC/detection capabilities, and harden supplier oversight and contractual flow‑downs.

Access the Action Plan through gov.uk here.

Pro-Russia hacktivist activity continues to target UK organisations

The NCSC has issued fresh warnings that Russian-aligned hacktivist groups are continuing to target UK organisations, particularly local authorities and operators of critical national infrastructure, with disruptive denial of service (DoS) and distributed denial of service (DDoS) attacks. Groups such as NoName057(16), active since March 2022, are conducting ideologically motivated operations against entities in NATO states and other European countries perceived as hostile to Russian interests. Although these attacks are often technically simple, the NCSC notes that successful disruption can have significant operational impact by taking websites and online services offline, including those supporting operational technologies.

In response, the NCSC is urging all organisations to review and harden their DDoS defences. Recommended actions include:

  • understanding where services are vulnerable to resource exhaustion (and which suppliers are responsible);
  • ensuring upstream protections are in place with ISPs, DDoS mitigation providers and content delivery networks;
  • building services so they can scale rapidly under load; and
  • having clear, tested response plans that allow for graceful degradation while maintaining administrative access.

The NCSC also stresses the importance of regular testing and monitoring so organisations can detect and respond quickly when attacks begin. Access the NCSC's core DoS guidance and heightened cyber threat collection.
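As an added illustration of the recommended actions above (graceful degradation while maintaining administrative access, and detecting quickly when an attack begins), the following is constructed example code, not NCSC or RPC material: a sliding-window load shedder that drops optional endpoints first, keeps core functions until load becomes severe, never sheds administrative or health endpoints, and records every tier change as an alert for the SOC. The endpoint classes, thresholds and sample traffic are assumptions.

```python
"""Load shedding with graceful degradation and an alert hook (constructed example).
Endpoint classes, thresholds and the traffic sample are assumed, not from the page."""
from collections import deque

ESSENTIAL = {"/admin", "/health"}        # never shed: operators keep control
CORE = {"/api/login", "/api/pay"}        # shed only in the severe tier
# Anything else (e.g. /api/feed, /api/search) is optional and shed first.


class LoadShedder:
    """Sliding-window request counter that picks a degradation tier."""

    def __init__(self, window_s=1.0, degrade_at=100, severe_at=500):
        self.window_s, self.degrade_at, self.severe_at = window_s, degrade_at, severe_at
        self.times = deque()          # request timestamps inside the window
        self.current = "normal"
        self.alerts = []              # (timestamp, old_tier, new_tier) transitions

    def observe(self, now):
        """Record one request and return the request count in the window."""
        self.times.append(now)
        while now - self.times[0] >= self.window_s:
            self.times.popleft()
        return len(self.times)

    def tier(self, rate):
        if rate >= self.severe_at:
            return "severe"
        return "degraded" if rate >= self.degrade_at else "normal"

    def decide(self, now, path):
        """Return ("serve" | "shed", tier) for one request."""
        new = self.tier(self.observe(now))
        if new != self.current:       # detection hook: a tier change is an alert
            self.alerts.append((now, self.current, new))
            self.current = new
        if path in ESSENTIAL:
            return "serve", new       # administrative access is preserved
        if new == "severe" or (new == "degraded" and path not in CORE):
            return "shed", new        # a real service would answer 503 + Retry-After
        return "serve", new


if __name__ == "__main__":
    s = LoadShedder()
    burst = [(0.0, "/api/feed")] * 120 + [(0.1, "/admin"), (0.1, "/api/pay")]
    for t, p in burst:
        print(p, s.decide(t, p))
    print(s.alerts)
```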

To read more from NCSC, click here.
