November 2025
In this month's newsletter, we're excited to welcome a new team member, hear about Jack's epic challenge, and take a look at the proposed Cyber Security & Resilience Bill, the latest OWASP updates, and the result of the Synnovis attack.
Spotlight on the Cyber Security & Resilience Bill
The proposed new Cyber Security and Resilience Bill has been introduced to Parliament, marking a major push to strengthen the UK’s cyber defences. It’s designed to prevent disruptive attacks like the 2024 Synnovis ransomware incident and, more recently, the Jaguar Land Rover incident.
What organisations need to know:
- Expanded Scope: About 1,000 service providers (including cloud/data centre providers, MSPs, and other “critical suppliers”) will fall in scope and be required to meet robust cybersecurity standards. If you provide critical digital services to the NHS, you’ll likely be directly regulated under these new rules.
- Stricter Requirements: Third-party suppliers are expected to strengthen their cybersecurity posture by conducting risk assessments, implementing robust data protection measures, and hardening network defences to minimise the potential impact of attacks. Regulatory bodies will increasingly require clear evidence of effective cyber hygiene practices from all critical suppliers.
- Incident Reporting: Organisations in scope will need to report significant cyber incidents to their regulator and the NCSC within 24 hours, with a full incident report due in 72 hours. Speedy detection and response plans will be essential to meet these deadlines.
- Enforcement Powers: Regulators will have expanded powers to issue turnover-based fines, require detailed information, conduct inspections, and mandate remediation. In urgent national security cases, the government can direct actions such as ordering an NHS Trust or critical supplier to isolate or suspend high-risk systems during an active threat. These enhanced enforcement measures are intended to enable faster, more proactive risk reduction across essential services and their suppliers.
This Bill would be the most meaningful upgrade to the UK’s cyber regulatory framework since NIS was introduced in 2018, and it closes a gap that attackers have repeatedly exploited: essential services are only as resilient as their suppliers. By pulling MSPs, cloud, data centres, and other key digital suppliers into scope, the government is signalling that “indirect NHS risk” is now direct regulatory risk for vendors.
Welcome Aboard, Amy!
Please join us in welcoming Amy as our new Operations Manager here at Periculo. Amy will be working behind the scenes to keep our projects running smoothly and ensure we continue to deliver a first-class service.
"I'm thrilled to join Periculo as their Operations and Service Delivery Manager. Their core values of trust and integrity deeply resonate with me, and I can already see how much the people in the company are committed to supporting their customers in the digital health sector. I look forward to contributing to their mission and working alongside such a talented team!"
We’re excited to have Amy on the team!
Jack’s Movember Challenge
This November, our colleague Jack has set out on a remarkable challenge in support of Movember: running a distance that matches each day of the month—1km on the 1st, 2km on the 2nd, 3km on the 3rd, continuing up to 30km on the 30th. By the end of the month, Jack will have covered an impressive total of 465 kilometres, all whilst proudly growing a Movember moustache. This is no small feat, and we’re fully behind him as he pushes through the final days. If you’d like to support Jack’s efforts and contribute to a great cause, you can make a donation here.
Update on Synnovis: When Supplier Cyber Risk Becomes Patient Risk
The Synnovis ransomware attack in 2024 was a stark reminder that third-party cyber risk quickly becomes patient risk. When a key NHS pathology supplier went down, thousands of appointments were delayed, services ran manually for months, sensitive data was stolen, and the disruption was linked to patient harm. The lesson is clear: organisations need stronger supplier assurance, from evidence-based security checks to contractual requirements and certifications like Cyber Essentials Plus. Securing the supply chain isn’t just extra admin; it’s part of keeping your whole organisation and supply chain safe.
Read more on the Synnovis update here.
OWASP Top 10: 2025 — What’s New
The OWASP Top 10 has been updated, with some notable changes in how risks are grouped and prioritised to reflect today’s threat landscape. If you build or run digital health software, it’s worth understanding what’s shifted and what that means for your testing and controls.
We’ve broken down the key updates in our latest blog.
NHS DSPT Reminder – Don’t Delay
A quick, friendly nudge on the NHS Data Security & Protection Toolkit (DSPT): if your organisation connects to NHS systems or handles NHS patient data, you’re required to complete the DSPT every year. For many organisations, this includes an independent audit. The NHS will want to see that the 11 mandatory controls are genuinely in place.
Now is the right time to get audit-ready: review your progress, pull your evidence together, and fix gaps while you still have breathing room.
Want a clear walkthrough of what the independent audit involves this year, plus what “good evidence” looks like for each control? Read our DSPT audit guide for the assertions here or book a quick call.
Security Fact of the Month
Nearly 75% of healthcare organisations experienced cyberattacks that disrupted patient care in the last year.
Security Tip of the Month
Patch promptly, patch often and enable automatic updates.
Many cyber attacks exploit known flaws that already have fixes available; in fact, an estimated 60% of breaches could be prevented by timely patching. Make it a habit to apply software updates as soon as they are released (or enable automatic updates).
Jargon Buster
Shadow IT
Any software, hardware, or IT system used in an organisation without the IT department’s approval, knowledge, or oversight. Such unsanctioned tools can create security blind spots, as they may not be monitored or protected by the organisation’s standard safeguards.
If any of this month’s topics hit close to home, whether it's supplier risk, OWASP alignment, or getting audit-ready for your DSPT, we're here to help. Schedule a call and explore our latest blogs. Together, we can strengthen your digital health business and make compliance and security feel a little less daunting. Until next time, stay secure.