The UK's regulatory framework for VTOLs (vertical take-off and landing aircraft) is promisingly taking shape. In September 2024, the Civil Aviation Authority (CAA) announced the establishment of two key working groups and it is now focused on introducing regulations that are in step with other regulators (principally the US and EU) but appropriate for the UK environment. In January 2024, the CAA consulted on (i) the handling rules for VTOL aircraft using battery power for propulsion and (ii) design proposals for vertiports at existing aerodromes. All this bodes well for the UK's ambitions to lead the way in this important sector of the aviation industry, while maintaining its usual high regulatory standards. As outlined in the UK's Future of Flight action plan (a Government-Industry Statement of Intent, published in March 2024), piloted eVTOL flights in the UK are identified as a key aim in 2026 "as a first step to scaled operations and a sustainable industry". The plan envisages a partnership between government, the CAA and industry to forge operational capabilities, physical infrastructure and the nurturing of associated manufacturing and technological development. As we look to the next 12 months, the UK's position of prominence in the VTOL space looks assured.

From 1 January 2025, it will be mandatory in the UK for a functioning carbon monoxide (CO) detector capable of alerting via aural and/or visual warnings to be fitted in certain piston-engine aircraft when operating with passengers. The aim is to restore "an acceptable level of safety".  CO poisoning has been cited as a factor in multiple general aviation accidents globally. Under CAA Safety Directive SD-2024/001 (V2), which comes into effect from 1 January 2025, the Civil Aviation Authority (CAA) will recognise both aviation-standard and commercial, off-the-shelf CO detectors. As to the latter, there is a wide range of competitively priced, commercially available units intended for use in domestic environments. Although not specifically approved for aviation use, findings from the CAA’s 12-month study suggest that these devices can function reasonably at typical recreational GA altitudes.

The growing wave of class actions in the United States related to biometric data privacy violations will continue to rise, with the state of Illinois at its forefront with its Biometric Information Privacy Act. There have already been a number of significant settlements with companies like Facebook, Google, TikTok and Meta in various states, with further actions expected. Enforcement efforts are expected to continue, particularly in California, with clarity on enforcement expected from its Supreme Court. Legal challenges over insurance coverage for biometric data privacy claims will also develop as jurisdictions interpret cover for novel actions. 

Labour's plan to encourage millions of homes to be fitted with solar panels (the so-called rooftop revolution) and create more solar farms will lead to more claims. Technology is developing at pace; initial installation costs are high; not all roofs are suitable; safety and fire risks are high; and the skilled workforce is unlikely to be able to meet anticipated output. While the industry gets to grips with all of this, we predict greater risks for insurers that all stakeholders will need to consider. Construction all risks underwriters need to consider their exposure carefully and ensure wordings and premium accurately reflect the risks involved.

AI has reshaped the financial services industry. It is widely used to summarise information, automate credit and loan decisions, detect and prevent fraud, drive operational efficiency and productivity, and reduce the risk of human error. But if AI learns from incomplete or imperfect data, there is a significant risk of unintended discrimination or unconscious bias, and unchecked reliance on AI could affect large data sets within a customer base and ultimately lead to claims for consumer redress. Recognising the critical importance of AI to corporate strategy and operations and the claims risk, financial institutions are increasingly appointing Chief AI Officers (CAIOs) to oversee the execution and integration of AI projects, promote ethical AI-practices, and ensure the adoption of AI aligns with corporate vision and regulatory requirements.

Following the Information Commissioner's Office's (ICO) stated intention to issue the first fine to a processor for breach of its obligations under data protection law, processors will look to shift how they document their own compliance, including due diligence when appointing sub-processors in their supply chain. It will also result in many processors likely adopting a more robust position in contracts with controllers when negotiating liability caps for data breaches. Although the final penalty or enforcement notice has not been issued yet, the provisional decision has undoubtedly created a renewed focus and raised potential concerns for processors, reminding them of the importance of things like multi factor authentication. In the event that further fines are levied against processors in the coming year, the rationale behind these regulatory decisions will be awaited with great interest. Any fines issued to private sector or public sector controllers will provide additional understanding on whether the ICO will look to take a harsher line on processors who deliver software and services to the public sector only, or whether the ICO is adopting a wider remit of targeting processors across all sectors.

Representing one of the most significant global technology outages since NotPetya in 2017, the CrowdStrike incident will act as a poster child to prompt policyholders and insurers to review their policy wordings and coverage where a systemic or supply chain cyber incident has the potential to cause a massive financial impact. Coverage for non-malicious cyber events, including 'system failure' cover, is not always available or purchased by policyholders, and the CrowdStrike incident highlights its need. The CrowdStrike incident acts as a useful case study to review appropriate interruption periods, 'waiting periods' and retentions for non-physical damage BI cover, if purchased. It also prompts future discussion as to where the line is drawn between a policyholder's software and systems, and a managed services provider. Policyholder reliance on systemically important and vulnerable systems is continuing to increase beyond infrastructure and the cloud, challenging insurers to determine appropriate coverage limits and value appropriate premiums.

Digital threats are becoming increasingly common, more sophisticated and more impactful as society's digital transformation continues and there is an ever-increasing dependence on digital technology. As a result, cyber security laws will increase both in number and extent. At a UK level, we have already seen the Cyber Security and Resilience Bill introduced in the Labour government's first King's Speech. The Bill aims to "strengthen the UK’s cyber defences [and] ensure that critical infrastructure and the digital services that companies rely on are secure" and will expand existing regulations to cover "more digital services and supply chains". In parallel, in September 2024, the UK government classified UK data centres as ‘Critical National Infrastructure’, a step designed to improve the security and resilience of these engines of the modern economy. Similarly, in the EU, the requirements of the revised Network and Information Systems Directive (NIS2) had to be implemented by EU members states by 17 October 2024, replacing the outdated laws implementing NIS1.

AI capabilities have developed exponentially in the past two years. In particular, advances in generative AI have resulted in this technology leaping to the top of board room opportunity and risk agenda and into the minds of the general public. However, it appears that the roll out of AI systems across organisations has slowed, in part due to complex privacy considerations. As data protection regulators continue to intervene, this trend will continue. As the privacy challenges arising from the use of AI systems crystalise and the regulatory focus increases, the Data Protection Impact Assessment will emerge as a crucial data protection tool.

Threat actors will continue to breach defences and cause loss, with the human factor remaining the weakest part of organisations' security systems. The continued search for the best balance between system security and usability will allow for continued penetration of systems. New challenges such as AI-related scams will create further risk. Although tools such as multi-factor authentication make third-party access harder, with cloud-based systems and resilient back-ups aiding recovery, none represent a panacea. In the future, we anticipate that data will simply be stolen, compared to current trends where data is often encrypted and ransomed against publication. For consumers affected by these incidents, while bank redress schemes may offer some form of remedy, they may encourage threat actors to see data theft as a victimless crime. For businesses, however, there will be no such redress.

In the absence of a more generous approach by the courts when assessing quantum and costs, the pursuit of data breach claims on behalf of individuals will prove to be a question of financial risk for claimant representatives. Recent decisions have demonstrated the difficulty in succeeding in data breach actions where minimal distress or loss has been caused to a claimant. Alternatively, claimant representatives may look to pursue actions on behalf of numerous individuals in a class action. However, these actions are by no means a guaranteed route to success. The decision in Farley v Paymaster saw a significant percentage of data breach actions in a mass claim dismissed for not meeting the appropriate threshold of seriousness, and Adams v Ministry of Defence demonstrated the challenges of using an 'omnibus' Claim Form, where multiple claimants are added to a single claim. The Civil Procedure Rule Committee is considering this method of pursuing multiple claims, and this route may be closed off or narrowed significantly upon further guidance. Nonetheless, we still expect that claimant practitioners will explore other avenues to pursue data breach actions in response to judicial guidance and other pressures, as they have done in the past.

Resilience is not just a cyber security issue, but a broader and pervasive concern for all. Many insurers with EU-regulated entities will be in-flight with technology, controls, contractual and organisational compliance activity in readiness for the EU's Digital Operational Resilience Act's (DORA) application on 17 January 2025. DORA and related regulatory activity, such as the UK's Operational Resilience rules and proposed rules regulating Critical Third Parties, reflect concerns over operational resilience risks for the insurance sector, particularly where threat vectors are technology-enabled, as many are. A feature of the new rules is their interest in the mapping of adverse resilience impacts (and firms' impact tolerances to these), and how supply chains may be vulnerable – and not just at the tier 1 level, but all the way down the sub-contractor stack. The CrowdStrike outage in July 2024, which at one point grounded the major US airlines, showed how business-critical systems can be vulnerable to cascading failures originating not from threat actors, but from tech firms.

At the 10th Dive in for Diversity Festival this autumn Sir Trevor Phillips, former head of the Commission for Racial Equality, warned about the potential negative impacts of AI on diversity and inclusion. He put the market on notice that it must be alive to the dangers of drifting into this minefield unawares. As certain roles are reshaped or even eliminated by AI, it is necessary to step back and look at the relative impact on disadvantaged groups, asking whether they are disproportionately represented in those roles. Many in the sector are already concerned about the ability of AI to take over certain functions that were always carried out by junior staff and trainees and how that might impact the future talent pipeline but they must also look at how that might potentially limit access to the industry and its supporting professions, especially by people from diverse educational backgrounds. The challenge will be to create entry points for people that ensure everyone has the same opportunities. With greater scrutiny, measurement and monitoring of all aspects of diversity, businesses could quickly find themselves going backwards and publicly held to account if they do not make this a key focus of their adoption of AI.

The focus on the benefits of AI for insurance companies will give way in the coming year to addressing how to manage the related risks. Policyholders and insurers will need to focus on how policies respond to developments in this area, including whether adjustments to policy wordings, affirmative endorsements or exclusions are necessary. As previously identified with cyber-related issues, the risk of 'silent AI' continues, with potential exposures contained within more traditional policies which may not specifically deal with AI risks. There is now an emerging series of products designed to address this issue, with careful drafting being applied to deal with concepts not addressed in existing wording.