UK Government Warns Businesses on Growing AI Cyber Threats
On 15 April 2026, the UK’s Department for Science, Innovation and Technology, together with the Cabinet Office, issued an "Open Letter to Businesses on AI Cyber Threats". This letter to UK business leaders provides details on how the threat landscape is changing and how the barrier for attack is being lowered by the release of new AI models like Anthropic’s new model, Mythos.
It’s not the first time we’ve seen AI used directly in cybersecurity attacks, and it’s well known that threat actors are using technologies to review and analyse data breaches at speed, but now governments seem to be waking up to the immediacy of the threat.
AI models are now skilled hackers
The letter, signed by Liz Kendall MP, Secretary of State for Science, Innovation and Technology, and Dan Jarvis MP, Security Minister, Cabinet Office and Home Office, details the new cyber threats now faced by business, and outlines the ways businesses must respond.
The Government letter states that, for years, the most serious cyberattacks have relied on a small number of highly skilled criminals or hackers – but that situation is now changing. New AI models can now do the job of skilled hackers: exposing weaknesses in software, writing the code to exploit them, and doing it at a speed and scale that would have been impossible even a year ago.
New AI models pose a growing threat
Last week, AI firm Anthropic revealed its new Mythos AI model. Testing by DSIT’s AI Security Institute (AISI), one of the world’s leading bodies for evaluating the capabilities of Frontier AI, has found it to be substantially more capable at cyber offence than any model previously assessed by the UK Government.
The AISI assess that frontier model capabilities are doubling every four months (compared to every eight months previously). This finding highlights the speed at which AI capabilities are developing. OpenAI have also just announced the scaling up of their Trusted Access for Cyber program, showing this isn’t isolated to a single company. The Government asserts that the trajectory is clear and that it’s vital that businesses are prepared for frontier AI model capabilities to rapidly increase over the next year and to plan accordingly.
The UK Government response
The UK Government has already built the AI Security Institute, the most advanced capability of any government in the world for understanding frontier AI systems. This ensures they have an independently verified, robust assessment of current capabilities.
The National Cyber Security Centre, part of GCHQ, defends the UK online and continues to publish practical guidance for business. The Cyber Security and Resilience Bill, which is currently progressing through Parliament, will strengthen protections for critical services, like the NHS and the energy system, and the government will shortly also publish the National Cyber Action Plan, setting out the steps they’ll take to ensure the UK’s national security against cyber threats.
Dr Richard Horne (Head of the NCSC) sent a supporting letter to the Financial Times on 15 April 2026, saying: “AI will make it easier, faster and cheaper to discover and exploit weaknesses that previously required more time, skill or resource for attackers to identify.”
It’s not the first time Horne has issued mass communications aimed at executives and boards on the importance of cybersecurity. In October 2025, Horne sent a letter to CEOs and chairs of UK-based organisations, stressing the importance of board engagement in cybersecurity risk management.
The role of business
The messaging is clear: there is an obligation for businesses to engage fully in cybersecurity. The AI Cyber Security letter states that every business in the UK has a part to play, as cyber criminals won’t just target government systems and critical infrastructure; they will, and do, target ordinary companies, of every size, in every sector.
The letter further outlines the steps organisations should take to protect against AI-driven cyber threats:
1. Take cybersecurity seriously, at the very top of your organisation.
If your board hasn’t recently discussed cyber risk, do so – and regularly. This isn’t an issue to just delegate to a business’s IT team. The government urges boards to use the Cyber Governance Code of Practice to ensure their organisation is sufficiently protected (with smaller businesses directed to use the NCSC’s Cyber Action Toolkit to help them build their cyber protection). Not all incidents can be prevented, so businesses should plan and rehearse how their organisation would respond to a significant incident, including consideration of how cyber insurance can support response and recovery.
2. Get the basics right with Cyber Essentials.
The UK Government correctly asserts that most successful cyberattacks exploit simple weaknesses: outdated software, weak passwords, missing backups. Cyber Essentials is the government-backed certification scheme that protects against the most common attacks. Organisations that hold it are significantly less likely to suffer a damaging cyber incident. For most businesses, certification is neither expensive nor difficult. Businesses should also look to embed Cyber Essentials requirements across their supply chains (large organisations should use the NCSC’s Cyber Assessment Framework).
3. Follow NCSC advice and sign up to their ‘Early Warning’ service.
The National Cyber Security Centre (NCSC) provides free, practical advice, training and guidance at ncsc.gov.uk, for organisations of every size. Advice will also be issued by regulators (for regulated sectors). Early Warning is a free service from the NCSC that can inform organisations of potential cyberattacks, affording them valuable time to act before an incident escalates.
We’re entering a period where the pace of technological change may test every institution in the country. Businesses that act now – treating cybersecurity as an essential part of running a modern company, not an optional extra – will be the ones best placed to thrive.
Thomas Murray advice to PE firms
For private equity, managing cyber risk rigorously safeguards cash‑flow, protects leverage ratios, preserves exit multiples, and satisfies the ESG mandates of limited partners. A disciplined cyber risk framework therefore becomes as essential to the PE value‑creation playbook as operational improvements or sales‑growth initiatives. The focus on oversight and the responsibility of business leadership to engage with cybersecurity risk extends into the boardrooms of PE-owned organisations. Expectations on how organisations and their investors engage with the growing threat are rightly increasing.
A quick, high-impact step that PE leaders can take is to reduce the attack surface of their portfolios. Horne stresses “the importance of reducing unnecessary exposure to attack”. In a world of bolt-ons, rollups, and growth, having visibility of the attack surface of investments can be challenging. Thomas Murray helps PE firms and their portfolios to do exactly this – and at scale.
When it comes to pre-investment, the recent Thomas Murray webinar, The Art of the Hack, saw PE expert, Ed Starkie, and ethical hacker, Hassan Mahmud, discuss vulnerabilities, attack methods and – importantly – everything you need to do to protect deals in the current environment.
Read the webinar follow-up article 5 Key Takeaways From a Deal Hacker: What PE Firms Should Look for When Doing Cyber Deal Due Diligence to find out how to protect deals and assets.

