‘We cannot regulate cyber threats away,’ top lawyer warns
British businesses are facing a growing compliance burden as governments race to respond to rising threats and the rapid spread of AI, but regulation alone may not solve the problem.
“We cannot regulate cyber threats away,” Cavan Fabris, partner and head of data and cyber at international law firm RPC, told City AM. “There’s a risk this becomes more about compliance than a genuine uplift in resilience.”
The former Deloitte Legal lawyer added that companies are increasingly caught between overlapping UK, EU and US cyber regimes, while simultaneously trying to keep pace with more sophisticated attacks.
“The reality is that global organisations don’t want 50 different compliance regimes to follow,” he said.
“The more compliance regimes you add with more nuances and more risk for penalties, it increases the cost of an organisation to perform and remain resilient”.
The warning comes as businesses prepare for a wave of incoming or renewed cyber regulation across Europe, including the EU’s Cyber Resilience Act and growing pressure from UK ministers for firms to strengthen their cyber defences.
Earlier this month, ministers urged nearly 200 business leaders to sign a new “cyber resilience pledge”, amid fears AI tools could dramatically accelerate cyber attacks.
Fabris said companies are increasingly benchmarking themselves against tougher European rules regardless of where they are headquartered.
“My clients are benchmarking their requirements to the EU Cyber Resilience Act, not necessarily to what the UK is doing,” he said. “They feel that if they meet the EU requirements, they’ll meet the UK ones by default.”
That, he argued, creates a difficult balancing act for Britain as it attempts to diverge from Brussels post-Brexit while still remaining attractive for global firms.
“Britain wants to stand on its own two feet regulatorily while sitting between Europe and the US,” he said. “But organisations operating globally still need to comply with European and US requirements.”
Businesses still unprepared for cyber attacks
Despite tightening rules, Fabris believes many companies remain underprepared for the practical realities of dealing with cyber incidents.
“If you’re preparing for a crisis while you’re in the middle of a crisis, you’re not going to handle it very well,” he told City AM.
“Who’s responsible? Who’s in charge? What’s the communication flow? Most organisations are not prepared to deal with those situations.”
One of the biggest problems he said he encounters is that businesses often do not fully understand what data they hold or where it sits.
“If you can’t tell me what data you have, then how can you tell a regulator that you’re protecting it?” he added.
AI is also reshaping the threat landscape, making phishing attacks and impersonation attempts significantly harder to detect.
“We used to be able to determine a phishing email by the use of English grammar,” he said. “Now you’ve got deepfakes. You’ve got AI that can do the threat for you.”
But despite concerns around increasingly sophisticated attacks, Fabris said many breaches still stem from relatively simple internal failings.
“The majority of cyber breaches are not because you still have an aggressive hacker out there,” he said. “It’s because we as humans are still making mistakes.”
For smaller firms especially, he believes resilience often comes down to governance rather than expensive technology.
“Does everybody in your organisation need access to everything?” he said. “How long do we need to retain data? The more data you retain, the more risk you create.”
Fabris also questioned whether some of the tighter reporting obligations now emerging across Europe are practical for businesses facing live incidents.
“If the breach is in my supply chain, how do I get that information from them within 24 hours?” he said. “That becomes regulation for regulation’s sake unless businesses are given clear and workable expectations.”
For firms trying to navigate an increasingly fragmented cyber landscape, Fabris said resilience cannot become a box-ticking exercise.
“It’s a constant posture organisations need to have. It’s not a one-off exercise.”