When considering the legal risks associated with cyber, and the insurable exposures, one can be forgiven for thinking that they arise out of privacy related laws such as GDPR[1] or only those organisations operating critical national infrastructuCre and caught by NIS Regulations[2].
These laws were designed to protect individuals and national security. However, looking to the issue of cyber risk, huge gaps lie between the scope of these existing laws. Of course, cyber risk exists in relation to data other than personal data, organisations within the supply chain can cause just as much damage as a result of cyber-attacks to the organisations caught by legislation, and the "internet of things" is creating vulnerable networks outside of traditional infrastructure and corporate systems.
The cyber risk posed by the "internet of things" was highlighted in government statistics from Department of Culture, Media and Sport which stated that there is now an average of nine smart or connected devices in every UK household[3], with the estimated cost to consumers "from insecure consumer IoT alone, over the next ten years [totalling] £14.8 billion."[4]
It is against this backdrop that new legislation that governs connected devices has been introduced, bringing in security requirements, recall obligations and fines for non-compliance. The sector scope of the legislation extends beyond tech manufacturers, extending to sectors such as housing development and construction.
In January 2019, the PRA issued a letter to all UK insurers stating they must have action plans to reduce the unintended exposure that can be caused by "non-affirmative cyber cover”, also known as "silent cyber". Given the wide ranging exposures, this new legislation might give similar cause for action plans under to affirmative Cyber, Product Liability, Tech E&O, and Product Recall policies as to whether coverage is unintentionally provided for these new risks.
The PSTI Act
On 29 April 2024, regulations creating clearly defined minimum security standards for internet and network-connected consumer 'smart' products came into force in the UK. The provisions of the Product Security and Telecommunications Infrastructure Act 2022 ("PSTI Act") and associated regulations represent a significant piece of legislation, creating a new regime ensuring that consumer smart products are adequately protected from cyber security risks.
Relevant smart products covered by the PSTI Act and associated regulations are network-connectable[5] or internet-connectable[6] items including smart TVs, smartphones, games consoles, smart watches, smart speakers, smart domestic appliances, connected alarm systems, security cameras, doorbells and baby monitors. Certain smart products such as electric vehicle charge points, medical devices and smart meters are excluded from the PSTI Act as their cyber security is covered by existing legislation.
The PSTI Act applies to the following entities in relation to relevant products:
- Manufacturers - This also includes anyone marketing a product under their own name or trademark, even if the product itself was manufactured by another person.
- Importers – Any party importing the product into the UK from a country outside the UK, who is not a manufacturer.
- Distributors – Any party who makes the product available in the UK and is not a manufacturer or importer of the product.
Attempts during Parliamentary discussions to automatically make online marketplaces (e.g., Amazon, eBay) distributors for the purposes of the Act were defeated. These companies would have to be acting as manufacturers, importers or distributers of connectable products under the defined terms in order to be held responsible.
A surprisingly broad scope
Although manufacturers, distributors and importers seem to be straightforward concepts, a review of the explanatory notes which accompanied the Act during the legislative process generate unexpected areas in which businesses not usually operating in the tech/cyber space may find themselves having to comply with the Act, particularly when considering who is considered to have 'supplied' a consumer connectable product[7].
Referring to section 55(5) of the Act and the legislation's explanatory notes, the effect of these provisions mean that customers may receive similar protections when hiring someone to install products in their premises as customers who directly buy in-scope consumer connectable products. The following examples of wider liability than might be expected are provided:
- A developer equipping a new house with built-in smart products (such as a fridge) will be considered a distributor with respect to that smart fridge and will have to comply with the duties of distributors, such as not making the product available if there is a compliance failure and ensuring that the product is accompanied by a statement of compliance.
- Builders hired by homeowners to build a garage fitted with smart surveillance cameras will be considered a distributor of the product and would need to comply with the relevant duties placed upon distributors.
- A developer selling, or otherwise disposing of an interest in a previously unoccupied house which includes in-scope products will also be considered to have supplied them to the new occupier as a distributor.
It is also important to fall into the trap of thinking that the PSTI Act is limited to consumer devices. If a product is offered in a commercial context but that same product is identical to a consumer product, then it will fall within the scope of the PSTI. Per the explanatory notes, this ensures "that all products that may reasonably be expected to be used by consumers are subject to the same security requirements, even where a particular individual product has not been directly made available to consumers."
PSTI Obligations, Duties and Enforcement
The duties of manufacturers, importers and distributors under the Act often overlap[8]; all are expected to do the following:
- Ensure that any relevant product manufactured, imported or distributed complies with regulated security requirements including a ban on default passwords, supplying information on how to report security issues and on minimum security update periods.
- Provide a certificate of compliance in line with the regulations.
- Where there has been a compliance failure, parties must investigate and resolve it, notify the relevant enforcement authority[9] and any customer to whom the product was supplied by the importer, notify others in the supply chain and if not the failure will be remedied, take all reasonable steps to prevent the product being made available to UK customers.
- Retain records relating to any investigations in respect of compliance failures including the outcome, details of the failure and any remedial actions undertaken, for a period of 10 years.
As noted above, penalties for manufacturers, distributors and importers found to be in non-compliance of the Act include compliance, recall and stop notices and large fines up to £10 million or 4% of worldwide revenue.
European Union legislation
Manufacturers of smart products in particular should also be mindful of developments in the European Union, particularly those exporting products to EU nations.
The Cyber Resilience Act (“CRA") is close to formal adoption, and once this step is completed, there will be a three-year period until it takes effect, subject to some provisions take effect sooner. This legislation carries similar aims to the PSTI Act, by looking to improve existing low levels of cybersecurity in "products with digital elements" across the EU. A number of high-profile cyber-attacks resulting from suboptimal product security have been cited as justification for this legislative intervention.
Based on the draft legislative wording, the CRA is wider in scope than the PSTI Act. Not only does it relate to hardware and software rather than just internet and network connectable products, it also contains requirements relating to conformity assessments, security-by-design (including the ability for a product to be reset to its original state and to monitor its own internal data access, and requirements for the product to process only data that is necessary to its intended use), and vulnerability management.
For those manufacturers who export their products to the European Union, understanding their obligations under the CRA will be important. The European Scrutiny Committee in the House of Commons has already raised concerns were expressed that “the EU has not indicated it intends to recognise an assessment of the cyber-security performance of a particular product carried out in the UK as valid for assessing compliance with the obligations under the Cyber Resilience Act.”
This could mean that products complying with the PSTI Act could still fall foul of the requirements of the CRA. This could lead to increased costs for UK businesses to meet the higher security standards so British businesses who wish to export hardware or software products to the EU (and not just internet-connected or network-connected products).
PSTI and Insurance
Insurers should be alive to such unexpected breadth and scope of this new legislation. For example, insurers of construction companies or property development companies might only have expected to face risks arising from structural or contractual failures and not those arising from third party-manufactured smart products procured and distributed by the insured company.
The consequential and insurable risks to an insured could extend to business interruption (as a result of a "stop-now" notice), security investigation costs, recall response and costs, and liabilities to third parties within the manufacture-import-distribution chain.
The recoverability of fines for non-compliance with the Act under a policy will be subject to any exclusionary language and/or the usual ‘illegality defence’ and public policy doctrine(s) surrounding such matters.
The PSTI Act introduces entirely new legal risks for manufacturers, importers and distributors which could prompt discussions as to whether cover should be intentionally provided or excluded under Cyber, Product Liability, Tech E&O, and Product Recall policies.
[1] UK General Data Protection Regulation
[2] The Security of Network & Information Systems Regulations 2018
[3] https://committees.parliament.uk/writtenevidence/109515/html/, paragraph 4
[4] https://committees.parliament.uk/writtenevidence/109515/html/, paragraph 8
[5] Definition within the Act, section 5
[6] Definition within the Act, section 5
[7] https://publications.parliament.uk/pa/bills/lbill/58-03/016/5803016en06.htm
[8] The duties of manufacturers, importers and distributors can be found in Chapter 2 of the PSTI Act
[9] In the UK, this is the Office for Product Safety and Standards.
