A growing sense of uncertainty is taking hold as the UK faces two compounding pressures. On one hand, prolonged international trade negotiations are leaving many investors and business leaders feeling removed from decisions that impact their long-term strategies. On the other, a series of high-profile cyber attacks on UK and global companies has cast doubt on the country’s resilience and readiness.
What we are witnessing in the spring of 2025 may be more than just a surge in cyber incidents; it could be the sector’s Black Swan moment. Black Swan events are rare, unpredictable incidents with severe consequences that only seem obvious after they happen. The term was coined by risk theorist Nassim Nicholas Taleb, and such events challenge assumptions about what we think we can forecast.
Other Black Swan events
- The 2008 financial crash, triggered by unrecognised systemic risks;
- The 9/11 terrorist attacks, which reshaped global security;
- The rise of the internet, which transformed economies in unforeseen ways.
While individual breaches are neither rare nor unpredictable, the near-simultaneous compromise of multiple major UK retailers, exploiting similar vectors such as social engineering, help desk impersonation, and low-tech fraud, represents a convergence that few foresaw. It’s the combination, not the components, that marks this as a statistically rare and systemically disruptive event.
The so-called Cyber Spring was never modelled for, and yet with hindsight we may all find ourselves pointing to missed signals: lax internal protocols, weak password hygiene, help desk vulnerabilities long flagged by security professionals and a tense geopolitical climate. In classic Black Swan fashion, the explanations will now arrive quickly, but the cost of the oversight will arrive even faster.
The scale and visibility of these breaches have prompted an unprecedented response from the UK government, with the announcement of a £16m boost to national cyber security efforts, specifically aimed at bolstering business resilience in the retail and consumer sectors. Following the high-profile attacks on brands such as Harrods, Marks & Spencer, Adidas, the NHS and more, Chancellor of the Duchy of Lancaster, Pat McFadden, stated that cyber security is “not a luxury but an absolute necessity.”
This intervention signals a shift in tone from advisory to urgent, reinforcing what investors already suspect: cyber resilience is now a core part of operational integrity, brand value and national economic security.
Protecting your business as investors protect their portfolio
Black Swan events often expose the blind spots in even the most sophisticated forecasting models, and that’s exactly what investors are now facing. Many of the compromised firms were considered digitally mature on paper, yet still fell victim to old-fashioned manipulation. This signals a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
We’re seeing firsthand why cyber security should be a decisive factor for investors looking to secure value and reduce risks. The fallout from recent events will be felt across profits, portfolios and the people themselves. Whether that’s the teams working to understand the source and scale of the attack (over many months, if not years), the executives managing difficult conversations, the customers who are concerned about their data or the staff who are worried about their jobs, the impact is far-reaching and the road back from the breach is a long one.
This moment is forcing a recalibration. Traditional risk models are being questioned, as they failed to anticipate that a wave of basic, human-led attack vectors could take down enterprises in such a tightly clustered timeframe.
Investors, who were already tightening their scrutiny of information security practices, will likely accelerate this action to safeguard their portfolios from similar exposure. As the frequency and severity of cyber incidents rise, investment decisions will be increasingly shaped by the robustness of a business’s cyber security credentials. This will move cyber security from a checkbox criterion to one of the most decisive factors in determining a business’s resilience, value and future.
Build to withstand scrutiny
A clear and well-documented approach to cyber security is fundamental to business value and long-term viability. With threat actors adapting faster than ever, there’s an expectation that businesses will match that pace with proactive, standards-driven measures.
The lesson of 2025’s Cyber Spring is that resilience is not only about technology, but also about recognising the psychological and systemic biases, what Taleb would call the illusion of certainty, that leave businesses exposed.
As shown in this latest spate of attacks, no business can rest on its laurels when it comes to cyber security. Firms must assume that cyber attacks are a matter of when, not if.
As Taleb argues, the goal isn’t to predict Black Swans, but to build systems that are robust and even benefit from disruption. For businesses, that means developing not just technical defences, but also cultural awareness, simulation protocols, and internal resilience that can weather the psychological and financial aftershocks of a breach.
For investors, that makes pre-deal scrutiny of cyber controls a necessity, and for businesses, it makes certification, processes, and best practices non-negotiable.
Ed Bartlett is CEO of Hicomply, a compliance certification specialist.