Four things from the past working week that a UK board should know about, in the order I would raise them with a chair over coffee on Monday. Two are patch-now items on kit that faces the internet; two are the UK institutions that police and legislate this stuff moving on the same week. Each has a decision attached, which is the only reason it survived the cut.
1. A CitrixBleed sequel arrived, and the exploitation followed within a day
On 30 June, Citrix disclosed and patched CVE-2026-8451, a pre-authentication memory overread in NetScaler ADC and Gateway that lets an unauthenticated attacker read chunks of appliance memory — the same class of flaw as the 2023 CitrixBleed incident that fed the wave of ransomware through the back half of that year. watchTowr, whose researcher found the bug in late March while reproducing a separate issue, published a full technical write-up the same day. Attackers began exploiting it within 24 hours of disclosure, which is roughly the CitrixBleed playbook run again, faster. The flaw bites hardest where NetScaler is configured as a SAML identity provider, gateway or AAA server — in other words, on the boxes doing your remote access and single sign-on.
For boards. NetScaler is the front door for a lot of UK remote working, and a memory-overread flaw leaks session tokens, which means patching is necessary but not sufficient. Ask two questions: have the internet-facing NetScalers been updated, and have the active sessions been terminated and secrets rotated since? CitrixBleed taught the market that the second step is the one people skip, and it is the one that stops an attacker walking in on a token they already stole.
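The second question above is the one the post says gets skipped, so here is an added illustration (not code from the original post) of how to answer it across a fleet: a small Python check over a constructed NetScaler inventory, with assumed field names, that classifies each internet-facing box as unpatched, patched-but-sessions-still-live, patched-but-secrets-stale, or remediated, and reports how many hours each sat exposed after the 30 June disclosure.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Added example, not code from the post. Inventory fields and records are constructed
# assumptions; the only date taken from the post is the 30 June disclosure.
DISCLOSED = datetime(2026, 6, 30, tzinfo=timezone.utc)


@dataclass
class Appliance:
    name: str
    internet_facing: bool
    patched_at: Optional[datetime]          # fixed build live; None = still vulnerable
    sessions_killed_at: Optional[datetime]  # all active sessions forcibly terminated
    secrets_rotated_at: Optional[datetime]  # SAML/AAA keys and service credentials rotated


def exposure_hours(a: Appliance, now: datetime) -> float:
    """Hours the box was internet-facing and unpatched after disclosure (0 if internal)."""
    if not a.internet_facing:
        return 0.0
    end = a.patched_at or now
    return max(0.0, (end - DISCLOSED).total_seconds() / 3600)


def status(a: Appliance) -> str:
    """The post's two questions: patched, and sessions killed / secrets rotated since?"""
    if not a.internet_facing:
        return "internal"
    if a.patched_at is None:
        return "unpatched"
    # Tokens read out of memory before the fix are still honoured unless every session
    # was killed AFTER the patch; killing them before patching leaves a gap to re-read them.
    if a.sessions_killed_at is None or a.sessions_killed_at < a.patched_at:
        return "patched-sessions-live"
    if a.secrets_rotated_at is None or a.secrets_rotated_at < a.patched_at:
        return "patched-secrets-stale"
    return "remediated"


def board_summary(fleet, now):
    """Per-status counts plus the worst exposure window: the two numbers a chair needs."""
    counts: dict = {}
    for a in fleet:
        counts[status(a)] = counts.get(status(a), 0) + 1
    worst = max((exposure_hours(a, now) for a in fleet), default=0.0)
    return counts, worst


def utc(*ymdh):
    return datetime(*ymdh, tzinfo=timezone.utc)


FLEET = [  # constructed sample inventory
    Appliance("gw-lon-1", True, utc(2026, 7, 1, 9), utc(2026, 7, 1, 10), utc(2026, 7, 1, 11)),
    Appliance("gw-lon-2", True, utc(2026, 7, 1, 9), utc(2026, 6, 30, 20), None),
    Appliance("gw-man-1", True, None, None, None),
    Appliance("lab-ns", False, None, None, None),
]

if __name__ == "__main__":
    counts, worst = board_summary(FLEET, utc(2026, 7, 4, 8))
    print(counts, f"worst exposure {worst:.0f}h")
```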
2. On-prem SharePoint is on a US federal patch clock that runs out today
On 1 July, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue and gave US federal agencies until today, 4 July, to fix it. It is a deserialisation remote code execution flaw in on-premises SharePoint Server, and the uncomfortable detail is the low bar to trigger it: any authenticated user with basic Site Member permissions can run code on the server, no administrative rights required. Microsoft shipped the fix back in May, so anyone still exposed has had two months. The activity has echoes of Storm-2603, the group that has spent the past year turning on-prem SharePoint flaws into Warlock ransomware deployments, though the KEV entry stops short of confirming a ransomware link this time.
For boards. This only matters if you still run SharePoint on your own servers rather than in Microsoft 365, but plenty of UK organisations do, often for the document stores nobody wants to migrate. The question is not whether you have patched — it is whether you know you still run on-prem SharePoint at all, and whether it faces the internet. A US deadline is not a UK obligation, but the exploitation it reflects does not check your jurisdiction.
3. The police put a number on UK ransomware, and asked you not to pay
On 29 June the City of London Police, through Action Fraud, launched a campaign urging organisations not to pay ransoms. The figures underneath it are the useful part: 323 UK organisations reported a ransomware attack between April 2025 and March 2026, more than half of them SMEs, with reported losses of around £270,000 — a 50 per cent rise on the year before, and near-certainly an undercount, because admitting a ransom payment is itself awkward. The official line from the NCSC and law enforcement remains that paying is neither endorsed nor condoned, and reports go through Action Fraud on 0300 123 2040.
For boards. "Do not pay" is easy to nod along to in July and hard to hold to at 2am mid-incident, when the operational pressure is real and the register is being encrypted. That decision should not be improvised in the moment. Ask whether you have a written position on ransom payment, agreed in advance, that names who can authorise a payment, what legal and sanctions checks must clear first, and what the default is. If the honest answer is that you would work it out on the night, you have already conceded the negotiation.
4. The Cyber Security and Resilience Bill moved a step closer
The Cyber Security and Resilience (Network and Information Systems) Bill was updated on 1 July and is down for its second reading in the House of Lords on 14 July. It rewrites the 2018 NIS regulations for the threat landscape as it now is, and the parts a board should note are the scope and the reporting. Direct regulation extends to managed service providers, data centres and designated "critical suppliers"; incident-reporting duties broaden; and the regulators gain real enforcement teeth. Royal Assent is expected this year, though phased implementation means the obligations land in stages after that rather than overnight.
For boards. This is a horizon item, not a this-week action, but it is the one that changes the shape of the others. If you supply IT services, run a data centre, or sit in someone else's critical supply chain, you may be regulated directly for the first time, with reporting duties attached. The sensible move now is to work out whether the Bill's scope reaches you, before a regulator or a customer's procurement team works it out for you.
The thread that ties this together
Two of this week's stories are the same story told twice: an internet-facing system — a remote-access appliance, a document server — disclosed and then exploited within hours, by attackers who do not wait for the patch window to close. The other two are the UK response tightening around it: the police putting a price on ransomware and asking you not to feed it, and Parliament widening the set of organisations that will have to answer for their resilience in law. The connective tissue is speed. Attackers now move in a day; regulation moves in years; and the gap between the two is exactly the space a board is responsible for managing. So the question to carry into next week is a plain one: of the systems that face the internet on your behalf — yours and your suppliers' — which one would be exploited before you had finished reading the advisory?