ARTICLE
26 September 2025

Corporate Resilience: Key Risk Update For 2025

Burness Paull

Contributor


As autumn takes hold, our Risk Conference series kicks off. We are looking forward to welcoming attendees to the events where we will address some of the key corporate risks that have the potential to impact organisations and businesses of all types.

The change of seasons is a timely reminder to review risks affecting your business, ensure risk registers are up to date and consider what new risks have emerged requiring attention: all key themes reflected in our risk paper.

Our Risk Conferences are the ideal forum to hear from our specialist teams with insights into managing tricky and emerging risks and share thoughts and lived experiences with others. At the beginning of the year, we highlighted hot compliance and risk topics for 2025. We have reviewed those risks and here is our own take on priority risks for corporates that are relevant now.

Cyber risk

Cyber security and the risk of attack remain a priority and a topic that is high on the agenda of all organisations. 2025 has already seen several reported incidents involving well-known retailers. More recently, CRM giant Salesforce announced that they were responding to a cyber security incident. With most organisations still failing to address cyber security across supply chains, the risks are real; you are only as strong as your weakest link. Cyber security risk remains a priority, and organisations should now be looking closely at their supply chain and third-party relationships to identify potential vulnerabilities and ensure plans are in place to manage any risks.

Global trade

The UK government has broadened its focus on sanctions compliance. New regulators and penalty regimes mean that the risks of non-compliance with sanctions are a real threat and the consequences potentially significant, including reputational damage, loss of business and penalties. In case you missed it, we set out here the key regime and legal changes in 2025 so far, UK sanctions enforcement activity, and relevant and available guidance to ensure compliance.

Climate and sustainability risk

The shifting political and economic priorities impacting sanctions and export control also play into actions across the regulatory landscape required to achieve a more sustainable global economy. Climate and sustainability risk is accelerating, highlighting the need for businesses to develop robust risk mitigation solutions. Other business stressors, including economic uncertainty, are drivers that take attention away from climate risks and sustainability, but recent regulatory activity highlights the perils of making those risks less of a priority. The Financial Conduct Authority (FCA) began an investigation into Drax Group's sustainability practices and market disclosures, and the pace of climate-related litigation continues to increase across a number of jurisdictions, with an increasing focus on holding companies' green credentials to account. Notably, the landmark case brought by Milieudefensie, a member of Friends of the Earth Netherlands, against Shell is proceeding to the Supreme Court of the Netherlands and a decision is awaited on whether the company could be subject to an absolute reduction of its greenhouse gas emissions.

UK data protection law

The recently enacted Data (Use and Access) Act 2025 introduces some important changes to existing UK data protection laws. The introduction of a new right for individuals to complain to organisations about how their personal data is managed will oblige businesses to investigate complaints without undue delay, and to issue a clear outcome to the individual. This new law introduces a new corporate risk and is one that should be on risk registers for 2025 if not already.

ECCTA and the new failure to prevent fraud offence

The new failure to prevent fraud offence, as introduced by ECCTA (the Economic Crime and Corporate Transparency Act 2023), came into force on 1 September 2025. Even if your business is not caught directly by the new offence, it is important to understand the potential impact across any corporate group or your supply chains and the actions that may be required. ECCTA represents the largest shake-up to Companies House ever, and mandatory identity verification requirements for certain members, directors and People with Significant Control begin on 18 November 2025. This guide provides information on who needs to undertake ID verification, when and how.

New sanctions for consumer law breaches

Last year, new legislation brought significant changes in the ways in which businesses interact with consumers: from April 2025 the Competition and Markets Authority (CMA) has had new powers to impose significant penalties on businesses in breach of UK consumer laws. The new regime allows the CMA to investigate alleged breaches and requires organisations to take remedial steps such as website changes or even payment of financial redress to consumers. In particular, the CMA can issue fixed penalty notices of up to £300,000 or 10% of annual turnover (whichever is higher). Further fines may be imposed for non-compliance with an order (up to £150,000 or 5% of annual turnover). This represents a major change as, prior to April 2025, the CMA was only able to enforce consumer laws via the courts, a process typically reserved for only the most egregious breaches. The same legislation also introduced two new prohibited marketing practices: 'drip pricing' and fake reviews. New regulations for subscription contracts will come into force in 2026. Businesses manufacturing, distributing, advertising, or selling products and services to UK consumers should review their customer journeys and terms and conditions to ensure they are compliant with the new requirements.

Class actions

A new and emerging risk in Scotland is the possible introduction of an 'opt out' class action mechanism, which could bring the current regime much closer to a US-style model. This would have significant implications for businesses with a physical presence in Scotland, selling products or services to Scottish customers, or holding their data. It could make Scotland a very attractive forum for large-scale group claims and 'forum shopping'. This is only just coming under consideration, and we will keep clients updated. We would also welcome the opportunity to explain this issue more and hear your views on this.

These and other key corporate risks will be covered at our Risk Conference series over the coming months. If you have not already signed up, secure your spot by clicking the links below. We hope to see you there.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
