Cyber_Bytes - Issue 74

Published on 21 May 2025

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

RPC Cyber App: Breach Counsel at Your Fingertips 

As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app contains guidance on preventing common incidents and access to our ongoing cyber market insights.

RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.

UK government ransom ban – what does this mean for insurance?

RPC's Head of Cyber & Tech Insurance, Richard Breavington, was recently featured in Insurance Business' article on the UK government's proposed ransom ban and what it means for insurance.

The government has proposed legislation that would ban all public sector bodies and critical national infrastructure – including the NHS, local councils, and schools – from making ransomware payments. The aim is to make these entities less attractive targets for criminals; this would expand the current ban on ransom payments by government departments.

Speaking on how such a ban could impact organisations, Richard said: “If the option to pay a ransom is removed, the potential impact could be significantly greater because organisations are unlikely to be able to restore data unless backups are available or the data can otherwise be replaced from non-affected sources.”

For cyber insurers, a ransom ban would need to be factored into planning at both the underwriting and claims stages. For instance, there is a possibility that multiple insured organisations could be successfully attacked at the same time and be unable to pay a ransom.

Richard commented: “Insurers are developing various strategies to deal with this – including sophisticated modelling, asking questions upfront about supply chains to monitor exposure across insureds – and reinsurance. However, it remains a key concern in this area.”

Click here to read more from Insurance Business and here to read the GOV.UK consultation.

DPP Law Ltd faces a £60,000 penalty notice

The ICO required DPP Law Ltd (DPP) to pay a £60,000 fine after finding that it had infringed Articles 5(1)(f), 32(1), 32(2) and 33(1) of the UK GDPR.

These articles cover:

  • Article 5(1)(f): The integrity and confidentiality principle, which requires personal data to be processed in a manner that ensures its appropriate security.

  • Article 32(1) and (2): Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

  • Article 33(1): Notifying the Information Commissioner of a personal data breach without undue delay and, where feasible, within 72 hours.

DPP’s email server had stopped working and staff had no access to DPP’s IT network. DPP’s in-house IT manager established that all files across its servers had been corrupted. DPP’s external IT supplier believed that DPP had suffered a ransomware incident, despite not receiving any ransom demands.

The ICO found that DPP had not assessed the risk to data subjects arising from the loss of availability of their personal data and, as a result, did not notify the Commissioner until 43 days after the incident, well beyond the 72-hour reporting deadline. DPP also demonstrated a lack of understanding of its notification obligation by failing to appreciate that loss of availability is itself a personal data breach: the UK GDPR definition of a personal data breach (Article 4(12)) expressly covers the accidental or unlawful destruction or loss of personal data, so an incident that renders data inaccessible is notifiable even before any exfiltration is confirmed.

The finding that DPP did not have appropriate technical and organisational security measures in place at the time of the incident provides a further precedent as to what that crucial standard actually looks like in practice. Not for the first time, the absence of multi-factor authentication (MFA) was a factor in deciding that the standard had not been met.

The incident led to the exfiltration and dark web publication of personal data belonging to 791 individuals, including clients and expert witnesses. This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients.

Read the decision from the ICO here.

ICO issues notice of intent to fine 23andMe £4.59mn for data breach

On 24 March 2025, the UK Information Commissioner's Office (ICO) issued a notice of intent to fine 23andMe £4.59m in relation to a data breach that was reported in October 2023.

23andMe is a biotechnology company offering direct-to-consumer genetic testing services. Consequently, the company holds sensitive personal data for its customers.

The October 2023 data breach involved an attacker who claimed to have stolen DNA information from 23andMe customers and, as proof, published the data of over 1 million customers. It was later confirmed that the attacker had gained access to the personal data of 6.9 million customers in total.

The ICO launched an investigation into 23andMe with the intention to (i) identify the information implicated in the incident and any potential harms involved, (ii) examine whether adequate safeguards were in place, and (iii) assess whether 23andMe provided the required notifications to the ICO and affected data subjects. Because the ICO regarded 23andMe as a custodian of highly sensitive information, the standard of security it was expected to meet was correspondingly higher, making a finding of breach easier to reach.

This decision demonstrates the importance of identifying the sensitivity of the information held by an organisation and incorporating the appropriate technical and organisational measures to protect that information.

Click here to read the latest statement from the ICO.

The high stakes of cybersecurity issues in retail

Between 22 and 29 April 2025, three major retailers – Marks & Spencer, Harrods and the Co-Op – suffered cyber-attacks.

The effects of an incident on high-profile retailers can be broad-ranging. M&S had to pause all online transactions and experienced widespread in-store disruption. It has been reported that this single attack wiped more than £650m from the company's stock market value. The Co-Op, meanwhile, has been able to recover at a faster pace than M&S, whose systems appear to have been more comprehensively compromised. This may be because the Co-Op's IT team discovered the intrusion while it was in progress and chose to pull the plug on their systems during the attack, so that the threat actors were unable to deploy ransomware.

Cyber crime should be a cause for concern for all organisations. The number of "nationally significant" cyber attacks in the last 8 months has doubled compared to the same period a year ago.

In a recent speech, Cabinet Minister Pat McFadden has emphasised that cybersecurity can no longer be viewed as a luxury but must become "an absolute necessity" for organisations. 

A further point of interest on which we are starting to see comment is the extent to which these recent significant cyber losses could affect the cyber insurance market. They provide a clear demonstration of the potential for rapid multi-limit losses, where several insureds exhaust their policy limits at the same time from a single wave of attacks.

Click here and here to read more from the BBC.

Main challenges of EU AI Act-GDPR interplay identified by Member States

On 14 March 2025, representatives from the EU Member States gathered to discuss and identify the compliance challenges that arise from the interplay between the EU AI Act and the EU GDPR.

The representatives raised concerns about the potential for conflicting legal requirements, inconsistent national governance approaches, and the need for clear guidance to minimise the compliance burden.

The potential for conflict is created by the differing regulatory approaches underpinning the two pieces of legislation. The EU GDPR aims to protect personal data from a fundamental rights perspective, while the EU AI Act is primarily a piece of product safety legislation and protects personal data through targeted requirements based on risk levels.

This divergence could lead to contradictory outcomes where an AI system may be compliant with one piece of legislation, but not the other. It was stressed during the March discussion that the two laws must be interpreted and enforced coherently, and not viewed as distinct entities.

Additionally, the representatives called for the creation of joint task forces and technical working groups to ensure consistent interpretation of these laws across the EU Member States. The goal would be a uniform regulatory environment across the EU that reduces the administrative and financial cost of compliance.

The representatives emphasised the need for clear guidelines on how the two laws should interact, and how key concepts should be interpreted and applied. Currently, the Commission and European Data Protection Board are developing guidelines.

Click here to read more on MLex.

RPC at London Tech Week – 12 June 2025

Finally, join us on 12 June as we uncover the opportunities, challenges and innovative solutions shaping the tech industry, presented by an exceptional line-up of experts. We'll be covering everything from how businesses can harness AI ethically for competitive growth to how tech is being used within organisations to bridge generational divides and unlock innovation. We'll also be sharing and celebrating the stories of inspiring women in the sector, and looking at how tech and its use have changed over the last decade and what the future looks like for tech in the media & entertainment, retail & consumer and other industries.

Find out more and register your place here.

Stay connected and subscribe to our latest insights and views 

Subscribe Here