Cyber and Data Risk

From connected products legislation to ransomware attacks, we offer our international experts’ predictions on the opportunities and challenges that the cyber and data risk market may face in the coming year and beyond.

Cyber and Data Risk predictions
#1 Connected products legislation to add regulatory burden

Usage of internet connected products will continue to increase, yet these products are an often overlooked element of cyber security and risk. Although it is expected that connected products have some basic element of inbuilt cyber security, it is a legitimate concern that many do not. In an effort to rectify this, legislation is required. The UK Product Security and Telecommunications Infrastructure Act recently received Royal Assent. This Act, alongside the European Commission proposals for a Cyber Resilience Act, places additional regulatory burdens on both software and hardware manufacturers to strengthen the cyber security of digital products. The UK Act, via regulations yet to be laid, will place duties relating to security requirements and compliance on manufacturers and importers of connectable products to be used in the UK. The EU model would introduce common rules for manufacturers, developers and distributors to ensure the security of connected products. For insurers and businesses, the possible monetary sanctions under both pieces of legislation are significant. The legislation, and subsequent regulations in the UK, need to be closely scrutinised to ensure a progressive plan for compliance is in place.

#2 Risks arising from online harm to children to be prioritised

The government will come under increasing pressure in 2023 to prioritise the passage of the Online Safety Bill. Intending to address the issue of illegal and harmful content online, the Bill has found itself inextricably tied to the inquest of Molly Russell, which concluded that social media had “contributed to her death in a more than minimal way”. In light of this finding, there has been a renewed push to advance the Bill. Changes in government over the past year have delayed the Bill, along with concerns over the impact of the legislation on freedom of speech. The EU Digital Services Act (DSA) also aims to achieve similar goals to the Bill, and with the DSA taking effect from 1 January 2024 at the latest, insurers and corporates should be mindful of potential impacts on their business models and future regulatory expectations if they trade in the EU.

#3 Mere upset in data breaches will not upset insurers

EU data subjects seeking compensation under Article 82 of the GDPR will find it increasingly difficult to obtain compensation if they can only prove they have suffered ‘mere upset’ as opposed to genuine non-material damages. The recent opinion of Advocate General Sanchez Bordona in UI v Österreichische Post AG, while currently not binding on the European Court of Justice, indicated a clear view on this issue, consistent with the position adopted by the UK courts in similar instances. The threshold proposed in the case is a pragmatic approach to the issue of non-material damage, while leaving the particular characteristics of something more than ‘mere upset’ to Member States. The fine line between the concepts of ‘mere’ and ‘genuine’ upset is likely to be the foundation of disputes, and interpretation will inevitably vary between Member States. However, for insurers and corporates, the opinion offers further positivity for the prospect of a compensatory regime which does not reward trivial claims.

#4 Cyberattacks on critical infrastructure will increase

Sophisticated cyber criminals are increasingly attacking vital infrastructure such as gas, steel and power plants, causing maximum impact. The Colonial Pipeline ransomware attack of 2021 shut key conduits delivering fuel from Gulf Coast refineries to major East Coast markets for days, resulting in panic-buying at petrol pumps and price gouging. The South Staffordshire Water cyberattack in August 2022 claimed to poison water supplies at the treatment plant in the middle of the UK’s worst drought in history. These examples highlight the vulnerabilities facing critical infrastructure and the need for enhanced cyber-security measures to swiftly mitigate the potentially life-threatening consequences when systems are compromised. Such attacks create systemic exposures for cyber and non-cyber insurers alike.

#5 Ransomware attacks will continue to dominate cyber-security landscape

Ransomware attacks are becoming increasingly sophisticated as cyber-criminals evolve their methods by using expansive infrastructure and multiple malware tools to exploit vulnerabilities. Stolen credentials obtained by phishing scams remain one of the most common ways to launch ransomware attacks on businesses and government organisations. The shift to a hybrid working environment and virtual conferencing alongside the development of ‘deep fake’ technology has been a crucial factor. The ever more complex threat landscape requires a multi-layered solution that combines anti-malware, data loss prevention, email security, endpoint detection and response, vulnerability assessment, patch management, remote monitoring and backup capabilities. Staff training and public education also have key roles to play.
