
The changing cyber landscape – current threats, new laws, regulations and insurance

Taylor Wessing's Data and Cyber team recently hosted a Cyber Strategy Seminar in collaboration with FGS Global, a leading crisis communications firm. 

Our first highlights post brings together a summary from the 'Changing Landscape' panel session.

The session was an opportunity for our expert panel to provide an overview of the current state of the threat, legal and insurance landscape from a cyber security standpoint. 

Members of our international team, Ed Spencer (Senior Counsel, London) and Thomas Kahl (Partner, Frankfurt) were joined by April Bellchambers (Fintech and Venture Capital Lead at insurance broker, Capsule Insurance) and Ted Cowell (Head of Cyber Security UK at global intelligence and cyber security consultancy, S-RM).

Overview of current threats

  • Ransomware remains the most significant threat facing businesses with a continued increase in number and scale of attacks globally. 
  • The increase appears to be a result of the continued shift to sophisticated Ransomware-as-a-Service (RaaS) groups, who have become more competitive and are deploying AI to enhance their effectiveness.
  • The threat of AI continues to evolve and the high degree of automation it brings in relation to initial victim identification and subsequent hacking processes will likely lead to a continued increase in attacks for some time.
  • There has been a marked increase in supply chain attacks, particularly on software supply chains, which potentially allow threat actors the opportunity to infiltrate significant numbers of businesses simultaneously.
  • There are more 'drive by' attacks (which arise from a vulnerability in hardware or software as opposed to specific targeting of a business or sector), meaning rapid patch application has taken on new importance.

New rules and regulations

  • Organisations are facing a tsunami of new regulations from around the world – with NIS2, DORA, CRA, EU AI Act and other local privacy laws.
  • Global businesses are facing significant challenges when it comes to compliance due to the conflicting geographic scope of local regulations.
  • A ‘catch all’ approach is not feasible, meaning constant monitoring of the regulatory landscape is required; a risk-based approach, likely following the strictest regulations, should be the starting point.
  • Compliance is not only in relation to pre-incident, but also in relation to post-incident and in particular local reporting obligations with strict time limits.
  • Businesses should consider having a global incident handbook with local appendices but must ensure that it is a living document which constantly evolves and includes very clear assigned responsibilities.

Cyber insurance

  • The last 10-15 years have seen the role of cyber insurance change as the market has matured and become more sophisticated.
  • Insurers have a much greater understanding of the threats and risk they are writing, leading to a more thorough process to obtain insurance.
  • With greater understanding of the risks, and better underwriting information, pricing has become fairer. That being said, growth in the market is attributable to premium rate increases rather than increasing take-up.
  • Ransomware continues to be the dominant risk and loss driver for cyber insurance. 
  • Businesses need to engage with their broker to ensure that cover is appropriate to include not only the immediate costs of incident response and system recovery but also business interruption and potentially cover for any follow-on litigation either from customers or impacted data subjects.
