What UK economic growth and a UK-US trade deal may mean for cyber resilience
Cyber Resilience | Article | May 8, 2025
Economic growth is the UK government’s number one mission. The Prime Minister has said, “we will kick down the barriers to building, clear out the regulatory weeds and allow a new era of British growth to bloom.”
The UK government hopes that a trade deal with the US, increased infrastructure spending and planning deregulation will encourage investment in the UK. But in readying for this economic stimulus, another vital dimension deserves scrutiny: cyber resilience.
As mergers and acquisitions (M&A) activity increases, and state regulatory interventions in critical infrastructure become more common, cybersecurity is no longer a “nice to have”. It is a strategic imperative. With the UK’s upcoming Cyber Resilience Bill, the recently published Cyber Governance Code of Practice, and the EU’s NIS2 Directive reshaping the regulatory landscape, leaders must ensure that cybersecurity due diligence is embedded in every phase of industrial transition.
Cybersecurity due diligence: “Would You Buy a Factory Without Inspecting Its Fire Alarms?”
Imagine acquiring a billion-pound industrial asset only to find out weeks later that its control systems are riddled with vulnerabilities, its suppliers just got hit by ransomware, and no one knows where the data backups are.
That’s the reality facing more and more M&A teams as cyber threats become one of the biggest blind spots in acquisitions.
Operational Technology Systems: The Hidden Cyber Risk
Many industrial leaders and deal makers are waking up to the fact that Operational Technology (OT) — the systems that run furnaces, conveyor belts, and automated production lines — is highly vulnerable to modern cyber threats.
Unlike IT systems, OT environments were not built with cybersecurity in mind. They often run legacy software, rely on insecure protocols, and lack visibility tools. Systems that were once air-gapped are now increasingly connected through the Industrial Internet of Things (IIoT) and remote management tools, creating new attack vectors.
Attacks like the Colonial Pipeline ransomware incident highlight how a single cyber breach can shut down essential services. In heavy industry, the stakes are even higher—physical safety, environmental protection, and national supply chains are all at risk.
What the UK Cyber Resilience Bill may mean for Industrial Mergers and Acquisitions
The UK’s Cyber Resilience Bill, expected to pass in 2025, represents a step-change in how cyber risks are regulated. It expands and updates the existing NIS Regulations 2018 to cover more sectors and impose stricter duties on operators of essential services.
For leaders operating critical or essential services, or conducting mergers and acquisitions in this space, this introduces a clear mandate.
Key requirements under the draft Bill will likely include:
- Mandatory risk assessments and regular audits
- Board-level accountability for cyber incidents
- Penalties for non-compliance, which could be in the region of £100k a day
- Expanded scope to include supply chain risk management
Whether acquiring or being acquired, companies will need to demonstrate robust cyber resilience policies, especially in industrial settings like steel manufacturing, energy, and chemicals.
But how much cyber diligence, oversight and governance is enough? This is where Cyber Risk Quantification can play a crucial role in enhancing M&A cyber due diligence by translating technical vulnerabilities into measurable financial terms. By leveraging models and frameworks that assess the likelihood and potential impact of cyber incidents—such as data breaches, ransomware attacks, or operational disruptions—acquirers can better understand the true cost of cyber risk within a target organisation.
This can enable more accurate valuation, risk-adjusted pricing, and informed decision-making on whether to proceed, renegotiate, or implement specific post-deal cyber controls. Ultimately, it turns cyber due diligence from a compliance checkbox into a strategic risk management tool.
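As an added illustration of the kind of model the two paragraphs above refer to (example code written for this page, not the article's or any vendor's own tool), the block below expresses one cyber scenario as an annual loss distribution: incident likelihood is drawn from a Poisson distribution and per-incident impact from a lognormal distribution, and a Monte Carlo run over many simulated years yields the figures an acquirer can price into a deal: expected annual loss, the 95th-percentile annual loss, and the probability of exceeding a materiality threshold. The scenario name, the annual rate of 0.4 incidents, the £2m median loss and the shape parameter are all constructed assumptions, not figures from the article.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List

# Added example (not from the article): a minimal Cyber Risk Quantification model.
# One scenario -> annual loss distribution -> financial figures for due diligence.
# All parameter values below are constructed assumptions for illustration only.


@dataclass
class Scenario:
    name: str
    annual_rate: float   # expected number of incidents per year (Poisson mean)
    loss_median: float   # median loss per incident in GBP (lognormal median)
    loss_sigma: float    # lognormal shape parameter (spread of per-incident loss)


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Draw an incident count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario: Scenario, years: int, seed: int = 7) -> List[float]:
    """Monte Carlo: for each simulated year, draw how many incidents occur and sum their losses."""
    rng = random.Random(seed)
    mu = math.log(scenario.loss_median)  # lognormal mu such that exp(mu) is the median
    losses = []
    for _ in range(years):
        incidents = sample_poisson(scenario.annual_rate, rng)
        losses.append(sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(incidents)))
    return losses


def summarise(losses: List[float], threshold: float) -> Dict[str, float]:
    """Turn the simulated years into the figures a deal team can use."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": sum(ordered) / n,
        "loss_95th_percentile": ordered[min(n - 1, int(0.95 * n))],
        "p_no_loss": sum(1 for x in ordered if x == 0) / n,
        "p_exceed_threshold": sum(1 for x in ordered if x > threshold) / n,
    }


def analytic_expected_loss(scenario: Scenario) -> float:
    """Closed-form sanity check: rate * E[lognormal] = rate * median * exp(sigma^2 / 2)."""
    return scenario.annual_rate * scenario.loss_median * math.exp(scenario.loss_sigma ** 2 / 2)


# Constructed scenario for a target with OT-connected production lines (assumption, not data).
RANSOMWARE_OT = Scenario("Ransomware halts production line (hypothetical)",
                         annual_rate=0.4, loss_median=2_000_000.0, loss_sigma=0.8)

if __name__ == "__main__":
    annual = simulate_annual_losses(RANSOMWARE_OT, years=20_000)
    figures = summarise(annual, threshold=5_000_000.0)
    print(f"Scenario: {RANSOMWARE_OT.name}")
    print(f"Analytic expected annual loss: £{analytic_expected_loss(RANSOMWARE_OT):,.0f}")
    for key, value in figures.items():
        print(f"{key}: {value:.3f}" if key.startswith("p_") else f"{key}: £{value:,.0f}")
```

The simulated mean should sit close to the closed-form expected loss; the gap between the mean and the 95th percentile is what turns a "likely cost" into a tail exposure that can be compared with a warranty cap or an insurance limit during negotiation.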
New Cyber Governance Code of Practice: Board-Level Responsibility
In April 2025, the UK Government published the Cyber Governance Code of Practice, developed in collaboration with the National Cyber Security Centre (NCSC) and industry experts. This code provides a framework for boards and directors to effectively govern cyber risks within their organisations.
Key aspects of the Code include:
- Clear actions for boards to manage cyber risks
- Cyber Governance Training to enhance understanding of cyber risk governance
- A Cyber Security Toolkit for Boards to support implementation of the Code's actions
The Code emphasises that cybersecurity is a board-level responsibility and should be integrated into overall governance and risk management strategies. It is particularly relevant for medium and large organisations, including those undergoing mergers or acquisitions.
Don’t Ignore NIS2: The EU Still Matters
Even post-Brexit, European regulation still applies if your operations, customers, or suppliers touch the EU. The NIS2 Directive, effective from January 2023, imposes enhanced cybersecurity obligations on both “essential” and “important” entities.
For any future partnerships or supply contracts involving British Steel and EU-based firms, compliance with NIS2 is now a prerequisite.
NIS2 requires:
- Cybersecurity policies based on risk management and governance
- Incident reporting within 24–72 hours
- Due diligence of third parties and digital supply chains
- Use of encryption, multi-factor authentication, and business continuity planning
Cyber Due Diligence: A Critical Component of M&A
Industrial M&A has traditionally focused on environmental, legal, and financial risks. But cybersecurity risk can kill deals or expose acquirers to major liabilities post-close.
Due diligence must now go beyond spreadsheets and site visits to include:
- Asset discovery and mapping of IT/OT systems
- Historical analysis of cyber incidents and breach exposure
- Forensic audits of legacy infrastructure and software dependencies
- Evaluation of cyber insurance, warranties, and liabilities
- Third-party vendor risk assessments
This process should be collaborative, bringing together legal teams, CISOs and technical assessors so that cyber risk is priced into the valuation and the risk management strategy; expressing that risk in financial terms makes the pricing explicit.
Building the Foundations of a Cyber-Resilient Industry Ready for Growth
Building cyber-resilient industry means embedding cybersecurity as a foundational element for growth—where resilience is not just about preventing cyber-attacks, but ensuring organisations can withstand, respond to, and recover from them with minimal disruption.
With the UK’s proposed cyber-resilience legislation and EU directives like NIS2 placing accountability on boards, companies must adopt a proactive approach to cyber-risk management. This includes conducting robust cyber due diligence, integrating cyber-risk quantification into enterprise risk models, aligning investment with risk appetite, and maintaining well-tested plans and capabilities to minimise the impact of any cyber incident.
Organisations that do this effectively will be better positioned to pursue growth confidently, maintain trust, and safeguard national and economic security in a digitally interconnected landscape.
Key Takeaways for Senior Leaders
- Cybersecurity must be a frequent point of discussion in the boardroom.
- Assessing, quantifying, understanding and managing cyber risk must be a part of the M&A playbook.
- Upcoming legislation will enforce accountability.
- OT systems in critical infrastructure are soft targets for cyber threats, unless actively managed.
- Due diligence must cover cyber risks.