News
Cyber Security News: June 2026
Three threads ran through the second half of June: the UK’s biggest cyber law in years moved a step closer, a widely used analytics tool came under live attack, and the way regulators tell organisations to patch is being rethought. Here is what happened between roughly 11 and 25 June, and what it means if you run a small business, buy cyber cover or hold Cyber Essentials.
Cyber Security and Resilience Bill reaches the House of Lords
The Cyber Security and Resilience (Network and Information Systems) Bill had its first reading in the House of Lords on 17 June, after clearing all its Commons stages earlier in the month. Second reading in the Lords is expected on 14 July, and the Bill is on track for Royal Assent later in 2026, with phased implementation that may run into 2028. The Bill widens the set of organisations caught by the UK’s network and information systems rules, hands regulators stronger enforcement powers, and tightens incident reporting. Most small businesses are not directly in scope, but if you supply IT, software or managed services to in-scope sectors such as health, water or energy, expect tougher security and reporting clauses to flow down through your contracts. You can track the stages on the UK Parliament Bill page.
Splunk flaw added to the exploited-vulnerabilities list
CISA added a critical Splunk Enterprise vulnerability, CVE-2026-20253, to its Known Exploited Vulnerabilities catalogue on 18 June after confirming it was being used in real attacks. The flaw lets an unauthenticated remote attacker create or overwrite files on an affected server through an exposed database service, and it can lead to remote code execution. Splunk is more of a mid-market and enterprise tool than a corner-shop one, but the pattern matters to any SME: a fix was available, then attackers moved against the businesses that had not applied it. If you do run Splunk, patch now and, until you have, make sure that service is not reachable from the internet. The gap between a patch being released and being installed is exactly where Cyber Essentials draws its line: high-severity and critical updates must be applied within 14 days of release. Our Cyber Essentials patch deadline calculator works out your clock. Details at BleepingComputer.
CISA rewrites the patching rulebook around real-world risk
On 10 June, CISA issued Binding Operational Directive 26-04, which changes how US federal agencies decide what to patch first. Instead of ranking everything by its CVSS severity score, agencies now weigh whether a flaw is actually being exploited, how exposed the asset is, and how easily an attack can be automated. The most dangerous bugs carry a three-day deadline, and agencies must also check the affected systems for signs of intrusion rather than simply patching and moving on. The directive only binds US agencies, but it signals where guidance is heading on both sides of the Atlantic: patch by what attackers are using, not just by the headline severity number. For a small business with limited IT time, that is a sensible filter. Prioritise internet-facing systems and anything on the Known Exploited Vulnerabilities list, rather than trying to clear every advisory at once. Reported by Infosecurity Magazine.
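To make the difference between the two approaches concrete, here is a small triage script added for this page. It is not CISA's, the NCSC's or any vendor's code. It orders a constructed list of findings by exploitation status, exposure and automatability, and then attaches a deadline to each one using two clocks: the Cyber Essentials rule that high and critical updates (CVSS 7.0 and above) are applied within 14 days of the fix being released, and a risk tier. The three-day figure for the top tier is the one the directive sets; the tier boundaries themselves and the 30- and 90-day windows for the lower tiers are this example's assumptions, not the directive's rules. The findings, asset names and CVE identifiers are placeholders constructed for the example.

```python
"""Risk-based patch triage. Constructed example; not CISA's, the NCSC's or a vendor's tooling.

Assumed tiering (illustrative, not BOD 26-04's actual scheme):
  tier 1: in KEV, internet-facing and automatable   -> 3 days (figure from the directive)
  tier 2: in KEV, or internet-facing and high/critical -> 14 days (assumed)
  tier 3: high/critical by CVSS only                 -> 30 days (assumed)
  tier 4: everything else                            -> 90 days (assumed)
Cyber Essentials adds a second clock: high/critical updates within 14 days of release.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CE_SEVERITY_FLOOR = 7.0                 # Cyber Essentials: 'high' or 'critical' means CVSS base >= 7.0
CE_PATCH_WINDOW = timedelta(days=14)    # ...applied within 14 days of the fix being released
TIER_WINDOW = {1: timedelta(days=3), 2: timedelta(days=14),
               3: timedelta(days=30), 4: timedelta(days=90)}   # 3 from the directive; rest assumed


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    fix_released: date        # date the vendor published the fix
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalogue
    internet_facing: bool     # asset reachable from outside the network
    automatable: bool         # exploitation needs no per-target human effort


def tier(f: Finding) -> int:
    """Assumed tiering: exploited + exposed + automatable first, CVSS alone last."""
    if f.in_kev and f.internet_facing and f.automatable:
        return 1
    if f.in_kev or (f.internet_facing and f.cvss >= CE_SEVERITY_FLOOR):
        return 2
    if f.cvss >= CE_SEVERITY_FLOOR:
        return 3
    return 4


def ce_deadline(f: Finding) -> Optional[date]:
    """Cyber Essentials clock: 14 days from fix release, high/critical only."""
    if f.cvss >= CE_SEVERITY_FLOOR:
        return f.fix_released + CE_PATCH_WINDOW
    return None


@dataclass(frozen=True)
class WorkItem:
    finding: Finding
    tier: int
    due: date                 # earlier of the risk-tier deadline and the CE deadline
    overdue_for_ce: bool      # CE clock has already run out
    hunt_for_intrusion: bool  # tier 1: also check the asset for signs of compromise


def triage(findings, today: date) -> list[WorkItem]:
    """Return the worklist in the order it should be done: tier, then due date, then CVSS."""
    items = []
    for f in findings:
        t = tier(f)
        due = today + TIER_WINDOW[t]
        ce = ce_deadline(f)
        if ce is not None:
            due = min(due, ce)          # whichever clock runs out first wins
        items.append(WorkItem(f, t, due, ce is not None and ce < today, t == 1))
    return sorted(items, key=lambda w: (w.tier, w.due, -w.finding.cvss))


def by_cvss(findings) -> list[str]:
    """The old ordering: headline severity only."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


TODAY = date(2026, 6, 18)   # constructed triage date

# Constructed inventory; identifiers and assets are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw",    7.5, date(2026, 6, 1),  True,  True,  True),
    Finding("CVE-0000-0002", "hr-db",     9.8, date(2026, 6, 5),  False, False, False),
    Finding("CVE-0000-0003", "build-srv", 6.5, date(2026, 6, 10), True,  False, False),
    Finding("CVE-0000-0004", "printer",   4.3, date(2026, 6, 10), False, False, False),
    Finding("CVE-0000-0005", "web-01",    8.1, date(2026, 6, 12), False, True,  True),
]


def risk_order(findings=SAMPLE, today=TODAY) -> list[str]:
    return [w.finding.cve for w in triage(findings, today)]


if __name__ == "__main__":
    print("CVSS-only order :", by_cvss(SAMPLE))
    print("Risk-based order:", risk_order())
    for w in triage(SAMPLE, TODAY):
        flags = ("OVERDUE (CE)" if w.overdue_for_ce else "") + (" hunt" if w.hunt_for_intrusion else "")
        print(f"tier {w.tier}  {w.finding.cve:14} {w.finding.asset:10} due {w.due} {flags}")
```

Run as-is and the two orderings disagree: CVSS alone puts the 9.8 on an internal database first, while the risk-based list leads with the exploited, internet-facing 7.5, whose Cyber Essentials window has in fact already expired. Note that the tiers rank the worklist but never loosen the Cyber Essentials clock; the 9.8 stays third in the queue yet still carries its 14-day-from-release due date.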
S&P signals the cyber insurance price turn is coming
S&P Global Ratings set out its 2026 cyber insurance outlook this month, forecasting that global premiums will rise by 15% to 20% a year towards roughly $23bn by the end of 2026, driven by heavier claims, more data theft and the cost of AI-assisted attacks. That is a notable shift after two years of falling and flat pricing. For UK buyers the read-across is to make the most of the soft market while it lasts. If your renewal is due this year, shop around now, lock in cover before rates harden, and make sure the controls you attest to are genuinely in place so a future claim is not denied. Our guide to cyber insurance costs for UK small businesses covers what a fair price looks like. Outlook from S&P Global Ratings.