Cyber_Bytes Issue 71
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber App: Breach Counsel at Your Fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPC Cyber can be downloaded for free from the Apple Store or Google Play Store.
RPC looks back at recent developments
For the cyber market, the past year brought with it many legislative and regulatory changes, as well as sophisticated cyber-attacks and ground-breaking law enforcement activity.
We have produced our very own 'Key Cyber Developments' update to provide a recap of the key issues and changes that took place over the last year. This includes insights on:
- Key legislative and regulatory changes in the UK and EU;
- Significant cyber incidents;
- Domestic regulatory activity;
- Law enforcement activity, and more.
Click here to read our 2024 update in full.
Why 2025 will be 'pivotal' for cyber insurance
RPC's Richard Breavington comments on why he thinks it will be a big year for the cyber insurance industry. Speaking to Insurance Business, Richard highlights the increasing regulation coming across the EU and UK which will increase minimum security standards in a broad range of sectors, as well as imposing additional notification obligations for cyber incidents.
Richard also notes that ransomware groups are adopting new models, such as 'as-a-service' structures in which affiliates independently broker access to victims' systems in return for high commission rates. These models could increase the volume of incidents and result in more unsophisticated attacks. Finally, it is predicted that we will see more threat actors use AI to enhance the scale and effectiveness of their attacks.
Click here to read more from Insurance Business.
DORA comes into force
On 17 January 2025, the Digital Operational Resilience Act (DORA) became enforceable across EU Member States. DORA requires financial services entities and third-party ICT providers operating in the EU to comply with strict new technical requirements and standards to protect against digital threats. There is provision in DORA for significant enforcement action, including substantial fines, for organisations found to have been non-compliant.
Click here to read our recent article on the content and likely effect of DORA.
Home Office Consultation: six proposals on the future of ransomware payments
On 14 January 2025, the Home Office released a public consultation seeking views on various methods aimed at combatting the criminal ransomware 'business models' exploited by threat actors. The Consultation is made up of two key documents: the Ransomware Legislative Proposal, which contains 3 key broad proposals, and the Options Assessment, which looks at 6 more detailed options.
The Ransomware Legislative Proposals include:
- A targeted ransomware ban for public sector organisations;
- A ransomware payment regime in which all planned ransomware payments must be reported before they are made; and
- A mandatory incident reporting regime which requires victims to report ransomware incidents.
The six more granular options in the Options Assessment are:
- A complete ban on ransom payments;
- A targeted ransom ban for regulated critical national infrastructure and public sectors;
- A ransom payment prevention regime for all payments;
- Mandatory reporting of all ransom payments prior to transactions (sector specific or economy-wide);
- Mandatory ransomware incident reporting regime for all sectors; and
- Mandatory ransomware incident reporting regime for targeted sectors.
Interestingly, there is also an 'Option 0' which is to do nothing.
The primary aims of the Consultation are to (i) reduce the amount of money flowing to ransomware criminals; (ii) increase the ability of operational agencies to disrupt and investigate ransomware attacks; and (iii) enhance the government's understanding of the threats in this area to inform future interventions.
The Consultation is open until 8 April 2025. Click here to read more and/or complete the Consultation from the Home Office.
FCA consults on incident reporting obligations
In December 2024, the FCA published a consultation paper on proposals for firms to report operational incidents and material third party arrangements. The paper closely mirrors proposals put forward by the Bank of England and the PRA, which are designed to align with international standards such as DORA (as mentioned above).
These proposals aim to introduce a consistent, sufficient, and timely reporting framework for firms, payment service providers, UK Recognised Investment Exchanges, registered trade repositories and registered credit rating agencies. The FCA paper proposes a definition of "operational incident" and requires firms to report incidents where a breach meets one or more of the following thresholds:
- Consumer harm: where the incident could cause or has caused intolerable levels of harm to consumers from which they cannot easily recover.
- Market integrity: where the incident could pose or has posed a risk to the stability, integrity or confidence of the UK financial system.
- Safety and soundness: where the incident could pose or has posed a risk to the safety and soundness of the firm or other market participants.
The proposals would also involve the firm producing an initial report, intermediate report and final report following an incident, much like DORA. Further, firms would be required to report on 'material third party arrangements'. These are arrangements between a firm and a third party where the disruption or failure of the service could:
- Cause intolerable levels of harm to the firm's clients;
- Pose risk to the soundness, stability and confidence of the UK financial system; or
- Cast serious doubt on the firm's ability to satisfy threshold conditions under the FCA handbook or meet the operational resilience requirements under SYSC 15A of the FCA's Principles for Business.
Click here to read our article for further insights and click here to consider the FCA's Consultation which closes on 13 March 2025.
EU's Digital Fairness Act
In October 2024, through a 'Digital Fairness Fitness Check', the EU Commission evaluated the adequacy of consumer protection law and found issues with a number of harmful online tactics. Examples of these include complicated subscription systems, dark patterns, addictive design, unfair contract terms, lack of transparency and exploitative ads. In light of this, the EU Commission is expected to present a new 'Digital Fairness Act' to combat these harmful tactics. Whilst the Act has not yet been formally introduced, it is anticipated that 2025 will bring a public consultation on the issue, and a first draft of the Act could be seen by 2026.
Click here to read more from Publyon.
Government increases data protection fees for data controllers
After a 2024 consultation on proposed amendments to the data protection fee regime, which mandates data controllers to pay an annual fee under the Data Protection (Charges and Information) Regulations 2018, the government has published the consultation results. These results were based on 103 complete responses from various organisations and individuals.
In short, the government intends to increase the fee regime by 29.8% for all three tiers of data controllers. The Tier 1 fee which applies to micro-organisations will be £52 (previously £40); the Tier 2 fee which applies to small and medium organisations will be £78 (previously £60); and the Tier 3 fee which applies to only large organisations will be £3,763 (previously £2,900).
Click here to read the government's consultation outcome for further details and thoughts behind the changes.