
Cyber Risk: 2023 in review

By Hans Allnutt and Stuart Hunt


Published 11 January 2024

Overview

A cursory review of our thoughts on the cyber risk horizon for 2023 showed an expectation on our part of increased recognition of artificial intelligence solutions such as ChatGPT. The speed of development since that time has been simultaneously exciting, concerning and yet somehow predictable. The exponential growth of the development and use of artificial intelligence tools in the past 12 months was reflected in the United Kingdom hosting the first AI Safety Summit in November. The Bletchley Declaration represented an international effort to unlock the benefits of AI, while also recognising the urgent need to understand and collectively manage the risks of AI.

Our team provided the DACB AI Explainer series (Article 1, Article 2 and Article 3) to provide overviews of key AI concepts and developments in 2023. As we move into 2024, we expect substantial developments across the UK and European Union on the regulation of artificial intelligence.

Our 2023 cyber risk horizon piece also highlighted the high position of cyber resilience on the UK Government agenda. In February, the Department for Digital, Culture, Media and Sport issued a call for views aimed at all organisations with an interest in software and digital supply chains. The Government has yet to publish a response to the consultation, but we await any further progression with interest, as the call for evidence emphasised that any policy options advanced will align with the overarching UK Digital Strategy, Product Security and Telecommunications Act and the proposed changes to the Network and Information System Regulations in the UK.

We also observed the need for the UK Government to ensure that the introduction of smart energy systems is conducted with a clear vision ensuring that systems are protected from cyber-attack. Shortly after publication, the Government published a response to the consultation commenced in September 2022 on these very issues, noting that it would be working with industry on a variety of issues addressed in the consultation.

Unfortunately, there has been no progression on the proposed updates to the Network and Information System Regulations, which were initially announced by the Government in November 2022. We expect to see progression on this issue in the coming year, particularly in light of the progression of the European Union's NIS2 Directive, with Member States required to transpose the NIS2 Directive into their national legislation by October of this year.

A welcome development in 2023 on the issue of cyber resilience was the publication of Regulations under the Product Security and Telecommunications Infrastructure Act. The regulations will bring the UK’s consumer connectable product security regime into effect on 29 April 2024. Their publication offered clarity for manufacturers, importers and distributors, making clear their obligations in respect of consumer connectable products. Negotiations in respect of the Cyber Resilience Act, covering similar ground in the European Union, effectively concluded in 2023, and the Act is the subject of commentary in this bulletin. However, concerns raised upon the publication of the UK Regulations on the issue of mutuality of valid assessments in the UK or EU remain.

The ever-growing cyber insurance market was the subject of development in the past 12 months, with newsworthy events particularly occurring in the early months of the year. In January 2023, cyber risk was the subject of a Dear CEO letter from the Prudential Regulatory Authority, and the Lloyd's Market Association published eight clauses addressing war and cyber operations.

Across the English Channel, changes to the French Insurance Code increased the burden on victims of cyber-attacks who wish to make a claim under their cyber policy.

Beazley became the first insurer to launch a cyber catastrophe bond, which provides the insurer with protection for losses exceeding US$300m from a cyber cat event. This announcement confirmed the increasing focus that insurers generally will be required to place on managing exposure to systemic risk in cyber. In early 2024, Beazley announced further developments in this space.

Our insurance wordings team also provided a detailed analysis of cyber cover for professional advisers and the collateral damage writeback.

This year, the Information Commissioner's Office and the National Cyber Security Centre signed a Memorandum of Understanding setting out the broad principles of collaboration between the organisations and formalising a framework governing the sharing of information and intelligence between them. The MoU provides practical outcomes for corporate victims of cyber-attacks: it reinforces the need for organisations to incorporate reporting to the NCSC as part of their breach response plans, with the possible incentive that such co-operation might result in a reduction to a regulatory sanction later down the line. Confirmation of the specifics of information sharing between the ICO and NCSC will also mean that organisations can seek guidance from the NCSC, with the comfort that specific information regarding the incident will not be shared with the regulator.

For those organisations experiencing cyber-attacks, the outcome of the UK Cyber Security Breaches Survey provides indications of where risk can occur, with areas of cyber hygiene (password policies, network firewalls, etc.) seeing declines. The indications from this survey are that phishing attacks will remain the predominant form of cyber-attack. The National Cyber Security Centre's Sixth Annual Report on Active Cyber Defence, published in July 2023, also highlighted the continued prevalence of these types of attacks.

Beyond phishing, a report by NCC Group in September highlighted record levels of ransomware attacks, and the NCSC released guidance to help ensure that cloud-based backups are resistant to the effects of destructive ransomware. There have been positive outcomes across the world against ransomware groups, and in March, we reported on notable successes by law enforcement.

Finally, as we move into 2024, and consider where the next major cyber risk may spring from, it is appropriate to refer to the current hotspot, Latin America, and the commentary offered by our Santiago de Chile office on why Latin America should top cyber insurers' lists.

 

References

1. https://www.intelligentinsurer.com/beazley-closes-dollar-140m-144a-cyber-cat-bond-polestar-re
