May 2025 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

This update includes Information Security, Environment, Health & Safety and Quality – click to jump to the relevant section. This update covers the period from the mid-February to mid-May 2025.

Information Security

If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes

Published UK legislation

No new principal UK legislation and no other relevant legislation relevant to our customers was identified as having come in to force in this quarter.

Proposed UK Legislation

Further information relating to the proposed UK Cyber Resilience Act (UK CRA) that was discussed in our last infosec update was released in April UK Cyber Resilience Act (UK CRA). It is expected to: –

  • Place specific obligations on: –
    • IT Managed Service Providers (MSPs)
    • ‘Operators of Essential Services’ (water, transport energy, healthcare, digital infrastructure etc.) and ‘Relevant Digital Service Providers’ (the type of organisations already covered under NIS 2018) to manage their supply chain
  • ‘Designated Critical Suppliers’, who will be a subset of suppliers to the above, disruption to whose services would cause significant disruption to the above
  • Give empowerment to regulators and enhance oversight including: –
      • Issuing a code of practice to affected organisations (will be similar to organisations covered by NIS2 in the EU and likely to be based on the NCSC Cyber Assessment Framework)
      • Improving incident reporting (expanding the scope of NIS 2018 that relates to providers of essential digital services) including updating incident reporting requirements.
      • Improving the ICO’s information gathering powers including requiring more information from digital service providers and enforcing failure to register
  • Allow the government to amend the act without an act of parliament, to allow it to keep pace with technical innovation

It may also include: –

  • Bringing larger data centres in to scope
  • Requiring the Secretary of State to publish strategic priorities
  • Empowering the Secretary of State to require organisations regulated under the act to take action in response to serious cyber-attacks affecting national security and to direct regulators to take action in similar circumstances

The above indicates that it will approximate to the EU’s Network and Information Security Directive 2 (NIS2).

Note – The EU also recently introduced an act that it has called the ‘Cyber Resilience Act’ (CRA). That act was discussed in our last update and which is different in purpose and scope to the UK CRA. The EU’s CRA imposes obligations on providers of digital services to improve the security of their products.

In May, the House of Lords proposed amendments to the draft UK Data (Use and Access) Bill. That bill was also discussed in our last update. After replies from the House of Commons, the remaining proposed changes at 20th May 2025 include…

  • Limiting the scope of ‘scientific data’ that would be covered under the act by amending the wording of the ‘reasonableness’ test
  • Introducing transparency rules for business data used to train AI models and to allow copyright owners to be able to identify whether any of their work has been used to train the AI
  • Introducing transparency rules for ‘bots’ used to obtain data to train AI models, including crawlers and fetchers, to require that the organisation discloses the name of the bot used, the responsible legal entity for the bot and specifically what the bot is used for

Other

  • In May; the EU extended its Adequacy Decision on the UK under EU GDPR for six months from its original expiry date of 27th June 2025 through Opinion 06/2005. The extension allows time for the UK Government to enact its draft Data (Use and Access) Bill discussed above and in our previous update.
  • ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines) is expected to be replaced imminently by ISO/IEC 27701:2025 Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance.

Exact details have not yet been released but a fundamental change appears to be that, as indicated by the change of name, the standard will no longer serve solely as an extension to an organisations’ existing ISO 27001 certification, but has been constructed to allow organisations to implement a Privacy Information Management System as a stand-alone Management System and to have it certified as such.

Publication of the new standard is expected in May 2025 with the usual 3 year transition period for organisations holding the current (2019) version of the standard.

Microsoft

SANS Internet Storm Centre published the following summaries of the patch Tuesday releases from :-

Other

  • Microsoft delayed rollout of a new OneDrive feature “Prompt to Add Personal Account to OneDrive Sync” that could reportedly detect personal OneDrive accounts on business devices and prompt the user to synchronise their personal account with their business account. Concerns were raised that this might allow transfer of business data out of business OneDrives to personal OneDrives, if that transfer had not been specifically blocked by system policies. More here
  • Teams will soon prevent users from capturing screenshots of sensitive information shared during meetings. Plans are for a worldwide rollout in July. More here
  • The ‘BypassNRO.cmd’ script that allowed users to bypass the requirement to use a Microsoft account when installing Windows 11, has been removed from the latest W11 Insider Preview Build. MS claim this is to enhance the security and user experience of W11. Some users previously used the script to avoid linking accounts for privacy reasons. More here

Apple

Details of Key apple updates and security fixes can be found on Apple’s security updates page

Other

  • Apple updated all its operating systems in May to address 65 vulnerabilities, many of which affected multiple Apple operating systems including older OSs. More here

Linux, Android, Google

  • Google & Android
    • Android 16 will include ‘Integrated Advanced Protection’ as a device-level security setting for all users, not just Google account-holders, and AI-enhanced scam detection tools for GoogleMessages on Android devices. More here and here
    • Google has agreed to pay $1.375 billion to the state of Texas to settle lawsuits over unauthorized tracking of users whose location sharing was turned off and for collecting biometric data including fingerprints and face-matching data without consent. Incognito searches and other private activity was also tracked. Google said that its product policies had since changed. More here
  • Linux
    • Researchers believe that the first malware capable of infecting the boot process of Linux systems has been developed. The proof-of-concept bootkit malware code ‘bootkitty‘, developed by Korean students includes an exploit for previously identified UEFI vulnerabilities. More here
    • Vulnerabilities have been found in the ‘needrestart’ Linux utility used to restart services after upgrades. The vulnerabilities can allow local users to escalate their privileges. More here
    • A flaw in Kubernetes Image Builder could allow unauthorised access to Virtual Machines via SSH. The flaw has been given a CVSS score of 9.8 out of 10. More here

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Categories Posts (Click to view)
AI Incidents impacting retailers – recommendations from the NCSC
Governance/Guidance/General Information Facing the cyber threat behind the headlines
Governance/Guidance/General Information New online training helps board members to govern cyber risk
Governance/Guidance/General Information Cyber Security and Resilience Policy Statement to strengthen regulation of critical sectors
Governance/Guidance/General Information CyberFirst Girls Competition: a proud milestone and exciting future
Technical/Configuration Advice Decommissioning assets
Technical/Configuration Advice Software Code of Practice: building a secure digital future
Technical/Configuration Advice Impact of AI on cyber threat from now to 2027
Technical/Configuration Advice Software Security Code of Practice – Assurance Principles and Claims (APCs)
Technical/Configuration Advice Advanced Cryptography: new approaches to data privacy
Technical/Configuration Advice New guidance on securing HTTP-based APIs
Technical/Configuration Advice Privileged access workstations: introducing our new set of principles
Technical/Configuration Advice Setting direction for the UK’s migration to post-quantum cryptography
Technical/Configuration Advice Timelines for migration to post-quantum cryptography
Technical/Configuration Advice ACD 2.0: Insights from the external attack surface management trials

The NCSC also publishes current cyber security reports and advisories here, and malware reports and analysis here

Information from the Information Commissioner’s Office and partner agencies

  • Registration for the online Data Protection Practitioner’s Conference on 14th October 2025 here

Noteworthy cyber incident and breach news reported in the quarter

This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment

  • In February , Engineering firm IMI reported a cyber incident. In its preliminary results report, it noted that it expected to have to adjust its 2025 reports by between £20m and £25m for costs incurred including recovery, risk management, IT upgrades and ‘advisory costs’. More here
  • In April, the Information Commissioner’s Office fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber-attack that led to highly sensitive and confidential personal information being published on the dark web. More here
  • Also in April, retailers Marks and Spencer (M&S) and Coop reported cyber breaches subsequently identified as originating from a the Scattered Spider cybercrime group reportedly using DragonForce ransomware. In May, Harrods reported they had also suffered a similar attack.
    • Marks and Spencer subsequently reported that it would likely continue to suffer disruption until July and estimated costs to be in the order of £300m in lost profits and reductions in its stock market value running to many hundreds of millions. Reports indicate that it intends to make a maximum claim on its cyber insurance policy of £100m. Customer data was confirmed as stolen. M&S has reset online customer account passwords and emailed advisory emails. More here and here
    • Coop reportedly shut down multiple systems to contain the breach and minimise damage, however this led to disruption and did not prevent the reported theft of ‘significant amounts’ of customer data. Costs have not yet been reported. More here,
    • The costs of the Harrods’ attack are unclear. More here
  • In May, the UK Legal Aid Agency reported a cyber-attack on its online digital services that occurred on 23rd April. Data relating to applicants for legal aid dating back as far as 2010 (potentially millions) may have been stolen. More here

Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter

The NCSC publishes current cyber security reports and advisories here, and malware reports and analysis here

Environment

Legislative changes

No relevant legislation was published in the period. Various commencements for existing acts were published.

Health & Safety

Legislative changes

No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.

HSE Bulletins and News

  • Improved guidance for self-employed workers – HSE has redesigned its webpages for self-employed workers to make it easier for them to understand when health and safety law applies and to find the guidance they need. More here
  • April was stress awareness month in the UK and global asbestos awareness week also fell in April. More here and here
  • 6th May was world asthma day. More information on occupational asthma here
  • No Falls week also fell in May. More info here
  • Mental Health Awareness Week ran from 12th to 18th May. The HSE have released a new online learning module for risk assessments for stress. More info here and here

Quality

An update to ISO 9001 was expected to be published in 2025, however, according to an ISO Committee statement released at the beginning of April – Revision of ISO 9001 – this has now been pushed back to September 2026 to allow further consultation  We will continue to monitor this and provide updates on changes when the public draft is released. The public draft is expected in the next few months.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

Here are some more helpful links which may be of use