Cyber risk: Reflections on 2024

By Hans Allnutt

Published 05 December 2024

Overview

DAC Beachcroft has recently launched our Informed Insurance Predictions for 2025, our annual predictions for the insurance sector, which provides critical insights from our Data, Privacy and Cyber team on the pressing issues facing cyber practitioners in the coming year.

Reflecting on incidents in the past year also assists in understanding the development of the many important issues present in the cyber landscape.

Cyber resilience

Looking back to the morning of 19 July 2024, the visual of the Windows 'Blue Screen of Death' prompted by the CrowdStrike outage symbolised one of the most significant global cyber events since NotPetya in 2017. The incident generated significant questions around cyber resilience. The widespread operational disruption served as a wake-up call for supply chain risk management, catapulting it to the top of risk managers' agendas. The incident highlighted the risk associated with a small number of vendors providing systemically critical digital services, an issue only likely to increase in coming years. Although the CrowdStrike outage and subsequent disruption were the result of a non-malicious defective software update rather than a malicious attack, it prompted wider reflections on cyber insurance coverage, particularly as CrowdStrike had limited much of its liability via its contractual agreements.

Coverage for non-malicious cyber events, including 'system failure' cover, is not always available or purchased by policyholders, yet the CrowdStrike incident emphasised its importance in the cyber insurance ecosystem. In the aftermath of CrowdStrike, it is unsurprising to see regulators and industry looking to raise awareness and educate on the components of a major cyber event and how the insurance industry might respond. As we have highlighted this month, the ABI and Lloyd's have issued a detailed paper which proposes a number of key reinsurance components for a consistent framework including the who, what, where, when, how and why of a major cyber event.

More widely, the Prudential Regulation Authority had identified cyber insurance as a specific priority at the start of the year. The Lloyd's Market Association followed shortly after with a number of new cyber war clauses, including three war exclusions for cyber treaty reinsurance, and a further market bulletin (Y5433) updating its requirements and expectations for the writing of cyber risks. These updates reflected the need for insurers and reinsurers to review their policy wordings and clauses, and it is clear that developments in this space will continue into the next year.

Although the CrowdStrike outage caused significant issues for key sectors such as healthcare, aviation and financial services, our maritime team earlier this year highlighted the unique risks associated with cybersecurity in that industry. That piece highlighted that there are no universal, mandatory maritime cybersecurity standards, but a number of developments this year have shown that governments and regulators continue to strive to boost cybersecurity across a number of sectors and critical industries, in line with the evolving threat landscape.

Developments in legislation and regulation

In the UK, the existing Network and Information Security Regulations, which entered into force in May 2018, established a common level of security for network and information services within two defined groups: 'operators of essential services' and 'relevant digital services providers'. The Regulations as currently drafted require urgent update. The new UK Government has confirmed that a Cyber Security and Resilience Bill will be introduced in 2025, to make these "crucial updates to the legacy regulatory framework".

Efforts to improve cyber resilience are not limited to legislation: the ICO and National Crime Agency (NCA) signed a Memorandum of Understanding in September committing to collaborate on this issue through a variety of actions, including intelligence and information sharing, reminding parties of their regulatory obligations and harmonising public communications following incidents affecting both bodies.

Those affected by the NIS Regulations will not only await the publication of the Cyber Security and Resilience Bill but are likely to reflect upon the recently introduced NIS2 Directive in the EU. It should be noted that although NIS2 should have been transposed into the national law of Member States by 17 October 2024, the European Commission issued an enforcement notice in late November to 23 Member States for failing to fully transpose the Directive.

While implementation therefore remains ongoing across the EU, it is important to note that, although the NIS2 Directive is not directly applicable in the UK, it applies to organisations that operate in the EU or carry out activities for in-scope EU businesses.

In terms of the specific implications of NIS2, it recommends the integration of cybersecurity risk management measures when dealing with suppliers and service providers; this is crucial in the aftermath of CrowdStrike. In addition, 'high criticality' sectors (energy, transport and banking, among others) and other organisations such as search engines are now subject to reporting obligations and are expected to specify their risk management measures. The introduction of the NIS2 Directive can also be viewed through the prism of the EU's wider digital strategy, which includes the Digital Operational Resilience Act (DORA). Aimed at financial entities, and applying from January 2025, DORA is designed to enhance the overall cybersecurity posture of the EU financial sector, ensuring it remains stable and secure in an increasingly digital landscape. Our DPC and technology experts commented on the implications of DORA.

Internationally, our Santiago de Chile office also offered insight on the Chilean Law on Cybersecurity and Critical Infrastructure, the first of its kind in Latin America. The legislation bolsters Chile's cybersecurity, as organisations in scope will have to strengthen their cybersecurity to prevent cyber-attacks, but it also brings with it new opportunities for cyber (re)insurers.

Connected products

The above pieces of legislation are largely directed at protecting individuals and ensuring national security, yet they do not cover all risks associated with cyber security. There is now an average of nine smart or connected devices in every UK household, each posing a potential risk and creating vulnerable networks. In the UK, legislation that governs connected devices (such as smart TVs, game consoles and smart domestic appliances) was introduced this year, bringing in security requirements, recall obligations and fines for non-compliance across manufacturers, importers and distributors.

Our cyber experts commented on the implications of this piece of legislation, the Product Security and Telecommunications Infrastructure Act, noting that it might prompt action plans under affirmative Cyber, Product Liability, Tech E&O and Product Recall policies to determine whether coverage for these new risks is unintentionally provided. The continuing impact of this piece of legislation in the UK will be felt over the coming years, and we await developments with interest.

In the European Union, a similar piece of legislation, the Cyber Resilience Act, has recently been confirmed in the Official Journal. Akin to, but broader in scope than, the UK PSTI Act, the law mandates manufacturers of products with digital elements to implement robust security measures throughout the product lifecycle, including secure design, regular software updates and transparent vulnerability handling. By classifying 'products with digital elements' into different product classes, it imposes scaled cybersecurity obligations on the economic operators involved in the supply chain. The majority of the measures under the CRA will take effect from 2027, leaving a significant period of implementation, but again this demonstrates the importance being placed on robust cybersecurity across systems and products.

Ransomware and other threats

For the first time, the NCSC collaborated with the cyber insurance industry, namely the ABI, the British Insurance Brokers' Association ("BIBA") and the International Underwriting Association ("IUA"), to issue joint guidance for organisations considering paying a ransom. The guidance, to which our Data, Privacy and Cyber team contributed and which was published in June, discourages organisations from paying ransoms without properly investigating the available options and assessing the risks involved. Much like the increased awareness and education sought by the insurance industry, this guidance reflected increasing nuance across both regulators and companies in understanding how to respond to ransomware.

The issue of this guidance was timely, as it coincided with a ransomware attack on Synnovis, an organisation providing services to the NHS. Records covering over 300m patient interactions were affected by the attack, which also resulted in a number of planned operations and treatments being cancelled. The Synnovis attack demonstrated the continuing challenges posed by ransomware across the cyber security ecosystem, particularly where the development of 'ransomware as a service' makes it difficult to challenge the tactics, techniques and procedures of ransomware groups.

Issuing guidance in response to the Synnovis attack, the NCSC highlighted ransomware as "the most acute cyber threat facing the vast majority of UK businesses." The ENISA Threat Landscape Report, issued in September, also highlighted ransomware (alongside DDoS attacks) as the largest cyber threat facing organisations in the EU.

Against this backdrop, both the Synnovis attack and the CrowdStrike outage are likely to have formed part of the Government's reasoning behind the decision to designate UK data centres as Critical National Infrastructure. Referencing those recent issues with healthcare services, this designation means that, in the event of a further attack on a data centre hosting NHS patient data, government intervention would mitigate the risk of damage to essential services.

For those organisations affected by ransomware, the risk of a data breach is very real. Our experts highlighted that personal data breaches involving ransomware have increased in both number and severity since 2020 and 2021, and analysed available information to consider whether organisations are likely to be subject to formal enforcement action where a ransomware attack compromises personal data.

That detailed review noted that the scourge of global ransomware shows no signs of abating. However, the success of Operation Cronos in challenging the LockBit ransomware group highlighted that a law enforcement-led strategy can have major successes. Coordinated by the UK National Crime Agency (NCA) and the FBI, along with nine other international agencies, the operation resulted in the seizure of LockBit's leak site on the dark web and unprecedented access to LockBit's systems and infrastructure. Our team discussed the legal and commercial implications of the takeover of the LockBit ransomware group's infrastructure, and the questions it raises for those clients who paid ransoms in relation to exfiltrated data.

Looking forward

Beyond the threat posed by ransomware, warnings from the National Cyber Security Centre (NCSC) throughout this year continued to provide clarity on where cyber risks are currently prominent and expected to increase in the coming year. The NCSC has warned of risks posed by state-sponsored attackers who are exploiting vulnerable small-office and home-office devices that often do not have the latest software or security updates, which makes the legislative developments in product cybersecurity measures even more important.

Recent warnings, highlighted in this month's In Case You Missed It section, have focused on the exploitation of 'zero-day' vulnerabilities, recently discovered weaknesses for which no fix is yet available, which are increasing the risks to higher priority targets.

As we look to 2025, there have never been so many significant developments in relation to cyber risk, as recorded in our Insurance Predictions.