Hello and welcome back to the Pinsent Masons podcast, keeping you up to date with the most important developments in business law every second Tuesday. My name is Matthew Magee and I'm a journalist here at Pinsent Masons. And this week we get to the bottom of why authorities are demanding that energy companies improve their cybersecurity. But first, here's some business law news from around the world:
Australian businesses must act on fuel cost orders
Rules on high risk AI to be delayed under EU omnibus deal and
FCA reviews claims management sector in significant intervention
Businesses in a road transport contractual chain in Australia, including retailers, logistics companies, construction contractors, transport providers and waste management companies, must act now to assess their obligations under the Fair Work Commission's Fuel Cost Order. In April, in response to rising fuel costs due to conflict in the Middle East, the FWC issued a Road Transport Contractual Chain Order that imposes cost-of-fuel-related pay adjustment obligations for contracts or arrangements concerning the performance of work in the road transport industry. The order requires a fortnightly review of what companies pay for the performance of works to ensure that those performing works are not left out of pocket for an increase in the cost of fuel. However, because of the way the order has been worded and the complex web of contracts involved, businesses face difficulties in interpreting how it applies to them and in implementing its requirements.
EU rules regarding AI systems categorised as high risk will take effect from late 2027, not this summer, if a new deal struck by legislators is adopted in the coming weeks. The high risk AI regime is one of the most significant features of the EU AI Act, imposing obligations on providers, deployers, importers and distributors of high risk AI in relation to risk management, data quality, transparency, human oversight and accuracy. Under the provisional agreement the institutions have struck, which still has to be formally ratified, the rules applicable to standalone high risk AI systems would apply from December 2027 rather than August this year, while the rules regarding high risk AI systems embedded in products would apply from August 2028. The planned delay is designed to provide more time for EU policymakers to formulate standards, tools and guidelines to help businesses meet their obligations under the new regime.
The UK's Financial Conduct Authority has opened a formal review of the claims management market in a step that could lead to legislative reforms. According to the regulator, the review has been driven by concerns that consumers are being failed by a number of claims management companies and law firms involved in the claims industry. It said it will collaborate with the Solicitors Regulation Authority and other regulators. Financial regulation expert Jonathan Cavill said the review is significant. He said its scope covering lead generation, marketing, fee structures, regulatory perimeter issues and end to end consumer journeys means that virtually every participant in the claims management supply chain will need to take stock.
Right now an energy crisis looks like constrained supply and soaring prices at petrol pumps. But believe it or not, it could be worse. Imagine if our energy networks and generation were disrupted not by conflict and interrupted supply, but by a full blown cyber attack. Imagine having no electricity at all for a time as suppliers or network operators were held to ransom by attackers. Picture all the systems governing our everyday lives being without power. The ramifications would be enormous and this isn't pie in the sky. Attacks are already happening. IBM's annual report on cyber threats says that AI is turbocharging the number and efficacy of attacks, and that 8% of all cyber attacks are aimed at energy companies or infrastructure. It's a scary prospect, which is why governments and regulators are increasingly involved. The latest change is happening in the UK, where energy companies look likely to be subjected to even greater scrutiny of their cybersecurity safeguards. The government and the energy regulator Ofgem are planning to increase the number of companies caught by regulation and the number subjected to the most stringent regulation in a new consultation, as London based cybersecurity expert Stuart Davey explains.
Stuart Davey: So the current cyber regulations in the UK in the energy sector go back to 2018 and the Network Information Systems Regulations, the NIS regulations. At the moment, only those organisations caught by the NIS regulations have a positive obligation to put in place cybersecurity measures in the energy sector. These regulations capture what are known as operators of essential services, and the thinking back in 2018 was to target those large providers and large operators of assets in the energy sector.
Matthew Magee: Imagining that bleak picture of a society shut down by energy blackouts explains why the cybersecurity of energy companies is regulated at all. But why is that regulation being increased now? Stuart says it's because of changes in how we generate and distribute energy, for new approaches bring new vulnerabilities.
Stuart: There has been a significant change and shake up of the energy sector and as the UK moves towards delivering against the government's Clean Power 2030 ambitions, there are loads of new operators coming into the energy sector, with new battery storage capacity being brought on stream, new wind and new solar capacities. There is a desire to ensure that the operators of those new assets and the much more diversified wider energy ecosystem that contains many more operators than previously was the case have an appropriate level of cybersecurity for that wider range of organisations. What are the other reasons for this? It is increasing digitalisation, increasing number of operators and increasing number of entities involved in the wider ecosystem. That is why the government is keen to ensure that there are cybersecurity measures in place beyond what is already regulated for.
Matthew: So what exactly is changing? Stuart says that all companies will be expected to reach a certain baseline level of compliance with cybersecurity standards, and the number of companies expected to meet the highest standards will increase. And he says it won't be cheap.
Stuart: They're proposing to do that in two ways, one of which is seeking views in this consultation about whether the current thresholds for what is an operator of essential services are the right ones. That might involve, for example, reducing or bringing down the generation thresholds, the transmission thresholds or changing to encompass other parts of the downstream gas and electric ecosystem to class as essential services. With regulation comes much higher standards and broadly that involves at its highest level alignment to the NCSC Cyber Assessment Framework and the enhanced profile that Ofgem now expects organisations to be working towards. The additional proposal being put forward is that for those organisations that don't meet the current thresholds or any amended thresholds, there should effectively be a baseline level of cybersecurity put in place. The current proposal would involve the baseline being the Cyber Essentials certification, whether that's the baseline Cyber Essentials or Cyber Essentials Plus, which involves an additional layer of independent verification. It may well be that organisations that actually have very mature cyber policies and cyber measures find that the uplift to get to what is being demanded by the regulators may not be as significant as it is for organisations that are less mature and have more work to do. The consultation documents give some indicative costs that broadly they might expect. One-off costs per controller are thought to be between £110,000 and £130,000, and then annual costs of more like £200,000.
Matthew: The whole picture of cybersecurity regulation across the whole economy is changing in the UK as the Cybersecurity and Resilience Bill makes its way through the Parliament there. Stuart says that these changes are tied up with the ones in energy, so won't take effect for up to a year. So what should companies do now to prepare? Stuart says complying with existing laws, even if you're not obliged to yet, would be a good start.
Stuart: We work with a number of organisations that are exactly in the space of not yet in scope, but maybe because they are bringing more generation capacity online, for example, or they're acquiring new assets. They should therefore be looking towards what the requirements will be if they are brought into scope and working on their improvement plans to start to show that they can demonstrate compliance with what will be expected. These are complex processes and they take time to make the changes that are required to be able to demonstrate compliance. For those organisations that are unlikely to be within scope of the NIS regulations as they currently are or as amended, what the consultation is doing is demonstrating the expectation of the regulator that no matter the size of the organisation, if you are licensed by Ofgem, there will be an expectation to have baseline cybersecurity measures in place. That will be tied to the relicensing process. If that is the direction of travel, then it would be sensible for those organisations to start to consider or review their cyber posture, look at the Cyber Essentials and Cyber Essentials Plus certifications and start that journey. What is being proposed for that level is not to put in place significant or onerous additional requirements, but to have in place the measures to enable these organisations to defend themselves against the most common cyber threats. You could take it regardless of what the regulator is expecting. That is a prudent thing to do in this day and age of increased levels of cyber attack.
Well, thank you very much for tuning in, for reviewing, recommending, passing it on to colleagues, and for every minute you spend with us. We know you're under time pressure and we really appreciate it. Remember, you can get your news in a weekly personalised digest at pinsentmasons.com/newsletter or you can just look at pinsentmasons.com every day to read the global business law coverage produced by our team of reporters, containing all the expertise of our colleagues all over the world. So until next time, thank you and goodbye.
The Pinsent Masons Podcast was produced and presented by Matthew Magee for international professional services firm Pinsent Masons.