Prepare for 2026: how to manage cyber and AI risk

Author: ICAEW Insights

Published: 26 Feb 2026

With multiple high-profile cyber attacks last year, Esther Mallowah, Head of Tech Policy at ICAEW, discusses whether businesses should be worried and how to manage risk amid developing technology.

In 2025, we saw that cyber attacks can happen to businesses of all sizes. Attacks occurred across various industries, including retail, and in both the private and public sectors.

“We saw trends around supply chains being used to access different organisations, and that ransomware attacks were particularly prolific,” says Esther Mallowah, Head of Tech Policy at ICAEW. “When it comes to the actors, these were diverse and included state-backed hackers, organised crime groups and cyber attack groups. These trends are likely to continue into 2026.”

Businesses should also be aware of the growth of AI and its impact on cyber security. We’ve seen AI used to facilitate cyber attacks through the drafting of phishing emails and the creation of deep fakes, which have fuelled an increase in economic and financial crime. But AI can also help in detecting and combatting attacks, with many cyber security tools incorporating the technology. Businesses also need to consider security when implementing AI systems.

“Organisations should make sure they configure AI tools correctly, think about cyber security and data privacy when they’re integrating AI tools with other systems and consider the security of AI agents,” says Esther Mallowah. “What sort of access are you giving the agents and how are you monitoring what access they have?”

Regulation changes

Cyber security and resilience are not only a concern for individual businesses but also across the economy. The UK government has been considering how to respond to the evolving threat landscape including growing digitalisation and interconnectedness, which makes supply chains particularly vulnerable. The Cyber Security and Resilience Bill, which was introduced to parliament in November 2025, seeks to bring regulation up to speed, addressing gaps such as business reliance on suppliers including Managed Service Providers (MSPs). It aims to bring relevant businesses into regulatory scope, which may include some small businesses that have previously been outside the scope of regulation.

“They’ll therefore have new requirements they’ll have to adhere to around cyber security,” says Mallowah. “It’s really important for these businesses to be strengthening their cyber security and resilience in preparation for any changes that might come through.”

Another regulatory change is around AI more generally. In 2026, AI governance will become increasingly important, says Mallowah. “Through 2024 and 2025 we’ve seen a lot of businesses experimenting with AI, identifying use cases and running pilots. I think 2026 is where they’ll start seriously thinking about scaling that adoption of AI and they’ll want to do that ethically, responsibly and in compliance with regulations.”

The EU AI Act has key requirements that are expected to come into force in 2026, including conformity assessments for high-risk AI systems.

Mallowah says there are discussions around the exact timelines for this, but businesses will need to keep an eye on it throughout 2026. In the UK, the Government is consulting on the setup of a cross-economy sandbox or AI growth lab to test AI innovations against the current regulatory framework, which could also lead to changes within the regulatory space.

How businesses can manage risk

In the meantime, Mallowah says businesses can ensure they implement the three lines of defence for risks around technology, including AI and cyber security. This includes ensuring that employees understand and are equipped to perform their roles.

The first line of defence is management, who are responsible for identifying and owning risks and developing ways to mitigate these.

The second line is risk management teams and compliance teams, to oversee the management of risks and report on these.

And the third line of defence is an independent assessment of governance, risk management and compliance. This can be done by internal or external audit teams, regulators or independent bodies to provide assurance, says Mallowah.

“2026 is likely to see lots of progress on the assurance front,” adds Mallowah. “The UK Government’s keen on supporting AI assurance as a way to enable adoption and growth, and that’s likely to continue in 2026, including focusing on things like developing an AI assurance profession and development of tools to support AI Assurance.” ICAEW will be holding its second AI Assurance conference on 6 July.
