In April 2026, the UK Government introduced the Cyber Resilience Pledge – a clear message that cyber security is no longer just an IT concern, but a leadership responsibility.
The pledge is simple, but the context behind it is not.
Cyber threats in the UK are increasing in both frequency and impact, with:
- the average cost of a significant cyber attack reaching around £195,000 per business
- and an estimated £14.7 billion annual cost to the UK economy
At the same time:
- Almost half of UK businesses (43%) reported a cyber breach or attack in the past year.
- Nationally significant cyber incidents in the UK have more than doubled in a year.
For accountancy firms and other professional practices, this reinforces a simple point: cyber security is now a business risk with financial, operational, and reputational consequences.
It’s also worth noting that this direction is not unique to the UK Government’s Cyber Resilience Pledge. The Scottish Government’s Cyber Resilient Scotland 2025–2030 framework reinforces many of the same themes, particularly the idea that cyber resilience is not just a technical issue, but a shared organisational responsibility. It places clear emphasis on leadership accountability, understanding and managing cyber risk, and ensuring organisations can both respond to and recover from incidents effectively.
Why financial services firms are in the spotlight
Accountancy and financial services firms sit in a uniquely exposed position.
They are:
- Custodians of sensitive financial and personal data
- Embedded across complex client and supplier networks
- Expected to demonstrate professional accountability and trust
What the pledge means
The Cyber Resilience Pledge commits organisations to three actions:
- Making cyber a board-level responsibility
- Improving visibility of threats and vulnerabilities
- Strengthening security across the supply chain
On the surface, these are practical steps. In reality, they represent a shift in how organisations think about risk.
It moves cyber into the boardroom
Cyber is no longer something handled purely by IT teams.
It becomes part of:
- Strategic planning
- Operational decision-making
- Risk management discussions at leadership level
For partners and directors, this is the most important shift: currently, only around 27% of businesses have board-level responsibility for cyber security.
It introduces accountability and visibility
Signing organisations commit to:
- Publishing their pledge
- Reporting on progress
- Demonstrating their approach to cyber resilience
This creates a new expectation: organisations must show how they are managing cyber risk, not just say they are.
What this means in practice: your suppliers are part of your security
The third commitment in the Cyber Resilience Pledge is often overlooked, but it’s one of the most important. It recognises that cyber security doesn’t stop at your own organisation. Put simply, it means making sure the businesses you rely on meet a basic standard of cyber security, so they don’t become a weak point.
Most firms secure their own systems well, but rely on a wide network of suppliers, from IT providers to software platforms and external advisors. Each connection introduces risk. If one supplier has weaker controls, it can create a pathway into your business.
Requiring Cyber Essentials at a minimum helps change this. Instead of assuming suppliers are secure, you ask for evidence, or simply check here. It gives you confidence that key suppliers meet a recognised baseline. This doesn’t mean treating every supplier the same. The focus is on those with access to systems, data, or critical services, where the risk is highest.
Where Cyber Essentials isn’t required, the decision should still be deliberate, understood, documented, and aligned with your firm’s risk appetite.
The shift is simple but significant: moving from relying on trust to having clear assurance. Your security is only as strong as the ecosystem around you. Ultimately, it comes down to a simple question: Are the businesses you depend on as secure as you need them to be?
The uncomfortable truth for many firms
Despite the growing risks, many organisations are still at an early stage of this journey. A relatively small proportion of businesses have clear board-level ownership of cyber security, and even fewer have full visibility of the risks within their supply chain.
For financial services firms, that creates exposure. Because when something goes wrong:
- Clients do not differentiate between internal and supplier failures
- Regulators do not distinguish between technical and governance gaps
- Reputational impact sits with the firm
Where firms should focus next
Whether or not you formally sign the Cyber Resilience Pledge, the expectations it represents are already shaping the market.
For firms, this means focusing on:
- Leadership ownership – clear accountability for cyber risk at board level
- Visibility – understanding risks across systems, data, and suppliers
- Preparedness – ensuring the business can respond and recover effectively
Final thought
Cyber resilience isn’t about preventing every incident. It’s about understanding your risk, making informed decisions, and ensuring your business can continue to operate under pressure.
It is fundamentally about trust, continuity, and responsibility.
At Lugo, we support clients by combining Cyber Essentials certification, independent auditing, and regular Technology Alignment reviews to ensure their environments are consistently assessed and improved over time.