Regulatory reform will shape 2023 cyber risk landscape

While the Russia-Ukraine conflict may have drawn the attention of cyber criminals away from ordinary businesses for some of 2022, the importance of managing cyber risk has not diminished, with cases steadily rising again in the second half of the year. We are seeing a rise in the number of businesses seeking legal advice on cyber-readiness in response.

In 2023, organisations should continue to evaluate their readiness to deal with cyber issues. Consideration of cyber risk in the supply chain should form part of that. A number of high-profile attacks on suppliers have had an impact on many customer organisations. Businesses should be interrogating their supply chain to ensure their critical suppliers have the appropriate security in place, and the relevant contractual safeguards.

Demonstrating cyber-readiness can help businesses minimise the impact of incidents when they happen and meet the increasing expectations of regulators too: data analysed by Pinsent Masons, concerning matters our cyber risk experts were engaged on in 2022, showed a significant increase in the number of cases scrutinised by regulators. This scrutiny is becoming more thorough – last year we saw the UK’s Information Commissioner’s Office (ICO’s) pose up to 50 questions in relation to incidents, compared with up to just 20 in 2021.

Cyber criminals remain motivated by the prospect of making money from compromised data. This is evidenced by the fact that the volume of ransomware attacks on businesses continues to grow. The regulatory response to this trend is becoming less sympathetic over time. Last year, the ICO issued its first fines for breaches of data protection legislation in the UK concerning data breaches arising from ransomware attacks, and issued guidance to help businesses understand what measures they should take to address ransomware risk too.  

Businesses not only have to be alive to the evolving tactics of cyber criminals, but the changing regulatory landscape too. In 2023, there are likely to be significant developments that will shape how businesses will have to consider and manage cyber risk in the UK and EU in the years to come.

Changes to the Network and Information Systems (NIS) regime

The second Network and Information Security Directive (NIS2) came into force in the EU on 16 January 2023. Though EU member states have 21 months to implement the directive, organisations may wish to make an early start on working on their NIS2 compliance programmes, particularly those in sectors not previously caught by similar cybersecurity regimes.

NIS2 imposes stricter cybersecurity obligations around risk management, incident reporting and information sharing. More entities across more sectors will have to take measures to comply with the new regime, including organisations in ‘essential’ sectors such as energy, transport, banking, health, digital infrastructure and public administration and space, among others.

The existing NIS regime in the UK closely resembles that in the EU under the original NIS directive. Like in the EU, however, UK reforms are also proposed – though the potential amendments look slightly different.

The UK government’s proposals for NIS reform envisage that cybersecurity obligations are pushed vertically down the supply chain of those providing essential services to current operators of essential services. This will require organisations to review their supply chain and contracts with core providers. Technology providers will be significantly impacted with the increased scope of the UK NIS regime: it is proposed, among other things, that managed service providers be included within the scope of the framework.

Digital Operational Resilience Act (DORA)

New operational resilience obligations have also been agreed by EU law makers in recent weeks. The Digital Operational Resilience Act (DORA) will apply to financial services firms and technology providers that supply them and amend existing legislation concerning operational risk and risk management requirements in EU financial services.

For financial institutions, DORA effectively codifies requirements around ICT security risk management and outsourcing that are contained in a suite of guidelines produced by EU authorities, enhancing requirements they face in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to contractual arrangements they put in place with ICT third-party service providers.

DORA also provides for direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance.

Even though DORA will not apply directly in the UK, UK companies with business in Europe will be subject to its requirements. Even for those UK businesses that will be outside the scope of DORA, the legislation offers an insight into how UK policy and regulation around operational resilience is likely to develop.

Prudential Regulation Authority (PRA) rules around operational resilience began to take effect in 2022 and its expectations on firms will grow over time. There are things technology providers can do to support firms to comply and the PRA’s requirements should be reflected in service contracts. Separate plans have also outlined to subject ‘critical third parties’ – a term likely to include cloud computing providers and other technology suppliers – to direct regulation in the UK’s financial services sector on operational resilience grounds.

UK data reform

In June 2022, the then Boris Johnson-led UK government set out its plans to update UK data law following an extensive consultation exercise. At the heart of the plans was the concept of responsible use of personal data.

Publication of the government’s policy paper was followed in July 2023 with the introduction of a new UK Data Protection and Digital Information Bill into parliament, with significant changes proposed to the current data protection regime. However, amidst leadership changes at the heart within the governing Conservative party, a second reading of the Bill was postponed. The Bill remains before the House of Commons, meaning businesses must wait to see how the UK landscape on privacy regulation and enforcement will change.

Mass actions

A series of court decisions have tempered what was a potential onslaught of mass action claims being brought against organisations in the aftermath of cyber incidents. The limitation of damages for “loss of control”, coupled with the finding that cyber attacks would not provide grounds for a claim of misuse of private information (MOPI) or breach of confidence – with the corollary effect that ATE premiums are not recoverable – together mean that we have not yet seen successful damages claim proceed through the UK courts on a mass basis.

However, the mass actions landscape is evolving. There has been growing pressure in recent years to ensure that effective, affordable routes exist for bringing mass actions, particularly by consumers. In the EU, member states had until 25 December 2022 to transpose the EU Directive on Representative Actions for the Protection of the Collective Interests of Consumers (RAD) into their national legal systems. RAD requires that by June 2023, EU member states must have in place at least one procedural mechanism which meets minimum standards, for consumers to seek collective redress.

RAD does not apply within the UK, where there are already court procedures to enable the bringing of group litigation. Nonetheless, perhaps it is an early sign that the issue of “access to justice” for individuals, where efficiency can be created through mass actions, will remain an area of key focus, and an agenda which claimant law firms will be motivated to explore.