Cyber
In this chapter of our Annual Insurance Review 2024, we look at the main developments in 2023 and expected issues in 2024 for Cyber.
Key developments in 2023
In 2023, we have been seeing an expansion of the regulatory and legislative landscape for cyber both nationally and globally, with the NIS 2 Directive (NIS2) and the Online Safety Act 2023 expected to be particularly impactful on the cyber market.
NIS2 came into force on 16 January 2023 and promised to "future-proof the UK NIS Regulations" – the predecessor to NIS2 which came into force in May 2018. NIS2 has increased the scope of businesses captured by the NIS Regulations to include, for example, social network platforms, data centre providers and managed service providers. The government highlighted that managed service providers in particular are being brought into the scope of NIS Regulations "due to their unique and growing importance in the UK economy and the systemic dependencies they create across multiple sectors". This demonstrates an increased focus on the importance of supply chain to managing cyber risks.
The Online Safety Act 2023 also casts a wide net, imposing requirements on any services that allow content generated by users of the services to encounter content published by other users. This most obviously applies to social media platforms, online forums, dating sites etc. But it could have far wider effect – for example, potentially capturing websites allowing comments to be posted by users. The main requirements relate to protecting users from scam ads and online fraud, with particular requirements as to the protection of children. These are laudable aims, but the potential scope is far-reaching, with the net result being an increasing regulatory and legislative web for a range of businesses to navigate.
What to look out for in 2024
In 2024, we expect to see increased scrutiny on organisations in relation to basic security protocols. Cyber security breaches continue to increase, with not just a record number of ransomware incidents being reported, but a considerable number of business email compromises taking place as well. The compromise of account credentials remains a common method of entry and, whilst no defences are fool proof, there are some relatively basic security measures that can be taken which considerably reduce the chances of this type of compromise. One such security measure could be enforcing multi-factor authentication to the login process for employee accounts, to help in protecting against the consequences of phishing, credential stuffing and brute force attacks.
Cyber insurance underwriters have been placing a greater focus on assessing the security that prospective insureds have in place before offering appropriate cover. We have seen instances of insurers insisting on specific security protocols being in place as a pre-requisite for providing cyber insurance. This is also a point that regulators are certainly aware of, with the ICO having released a statement that data security incidents can occur when organisations do not have appropriate technical and organisational measures to protect the personal data they hold and confirming that this is "a key area of action for the ICO". Given this stance taken in both the cyber insurance market and the regulatory landscape, we expect to see an increase in the base level of security across a wide range of organisations.
Written by Elizabeth Zang.
Stay connected and subscribe to our latest insights and views
Subscribe Here