Digital threats are becoming increasingly common, more sophisticated and more impactful as society's digital transformation continues and there is an ever-increasing dependence on digital technology. As a result, cyber security laws will increase both in number and extent. At a UK level, we have already seen the Cyber Security and Resilience Bill introduced in the Labour government's first King's Speech. The Bill aims to "strengthen the UK’s cyber defences [and] ensure that critical infrastructure and the digital services that companies rely on are secure" and will expand existing regulations to cover "more digital services and supply chains". In parallel, in September 2024, the UK government classified UK data centres as ‘Critical National Infrastructure’, a step designed to improve the security and resilience of these engines of the modern economy. Similarly, in the EU, the requirements of the revised Network and Information Systems Directive (NIS2) had to be implemented by EU members states by 17 October 2024, replacing the outdated laws implementing NIS1.

Resilience is not just a cyber security issue, but a broader and pervasive concern for all. Many insurers with EU-regulated entities will be in-flight with technology, controls, contractual and organisational compliance activity in readiness for the EU's Digital Operational Resilience Act's (DORA) application on 17 January 2025. DORA and related regulatory activity, such as the UK's Operational Resilience rules and proposed rules regulating Critical Third Parties, reflect concerns over operational resilience risks for the insurance sector, particularly where threat vectors are technology-enabled, as many are. A feature of the new rules is their interest in the mapping of adverse resilience impacts (and firms' impact tolerances to these), and how supply chains may be vulnerable – and not just at the tier 1 level, but all the way down the sub-contractor stack. The CrowdStrike outage in July 2024, which at one point grounded the major US airlines, showed how business-critical systems can be vulnerable to cascading failures originating not from threat actors, but from tech firms.

During 2024, a new law on cybersecurity and critical infrastructure was enacted. It is the first of its kind in Latin America, aimed at bolstering Chile's cybersecurity for organisations in scope through risk management; security standards for the prevention, containment and resolution of incidents; and sanctions that will vary depending on the risk and size of the organisation. The notification requirement will have the greatest impact on both the local insurance market and reinsurers, as non-compliance can lead to fines up to US$ 1,500,000. With this new law in place, we are already seeing demand for cyber insurance coverage grow and it will continue to do so into 2025.

The increasing importance of cyber resilience is emphasised by a number of new legislative proposals and wider developments, such as technical requirements for IT security as part of the implementation of the EU NIS 2 Directive. More and more companies will be forced to assess their existing IT security measures and to adapt their cybersecurity strategies as legal requirements expand their scope. EU NIS 2 Directive, for example, expands requirements beyond the traditional critical national infrastructure companies.