Merton Council's risk of cyber attack has increased, according to the latest Key Strategic Risk Register (KSRR). The register, reviewed by the Governance Standards and Audit Committee on Thursday 13 November 2025, showed the risk had risen from amber to red.

The increased risk is attributed to a rise in cyber incidents targeting the disruption of systems, with a shift towards exploiting third-party supply chains and directly targeting organisations.

The Key Strategic Risks Register Q1 2025-26 included a total of 12 entries, comprising nine key strategic risks and three key strategic issues. Seven of these were categorised as red, indicating a high priority for management and mitigation.

One of the red risks identified was: Risk of Cyber attack on the Council's IT Infrastructure and Systems.

Heat maps showing the Key Strategic Risks and Issues (KSRR) for June 2025 and June 2024.

The risk of cyber attack was raised from a score of 12 (amber) to 16 (red), with the likelihood of an attack increasing from 3 to 4. According to the LBM Report Template - GSAC Risk Report 2025-26, the consequences of a successful cyber attack could include:

  • Loss of service, potentially threatening the lives of vulnerable clients.
  • Publication or loss of personal or commercially sensitive data.
  • Loss of income or legal repercussions.
  • Reputational damage for the council.

To mitigate the cyber threat, the council employs several measures, including:

  • Email hygiene systems.
  • Best-of-breed firewalls and DNS controllers.
  • Anti-virus and malware protection on all devices, with regular updates.
  • Patching of end-user devices, servers, and network infrastructure based on National Cyber Security Centre (NCSC) recommendations.
  • A managed Security Operations Centre (SOC) via a Systems Incident and Event Management (SIEM) provider.

The council has also engaged a supplier to undertake a Continuous Threat Exposure Management (CTEM) gap analysis. To address the recommendations from this analysis and build a robust cyber security strategy, the council is looking to recruit a Cyber Manager and Cyber Officer. Additionally, all servers have been moved to Amazon, reducing the potential attack vector, and the current backup solution has been replaced with a cloud-only system.

Despite these measures, the report stated that the global risk environment and continued news of breaches across public sector organisations meant that the risk of a cyber attack remained high.