Cyber risk: 2022 in review

By Stuart Hunt

Published 13 December 2022

The cyber landscape has been significantly affected by the geopolitical climate in 2022. The conflict in Ukraine prompted renewed contemplation of the prospect of state-led cyber operations within the context of armed conflict. National cybersecurity strategies addressing critical infrastructure have been at the forefront of deliberations about the future, alongside traditional cyber risk issues such as ransomware. As part of our monthly cyber risk insights, we have considered these and a wide variety of other issues, which we revisit throughout this review of the year.

Defining war, and the risks arising from it, has been a notorious issue in previous years, and at the start of 2022 we discussed the publication of new war risks exclusion clauses for cyber war and state-attributed cyber operations by the Lloyd’s Market Association (“LMA”). The conflict in Ukraine has brought state-led cyber capabilities firmly back into the consciousness of risk assessors, consultants and underwriters across the insurance market. Our commentary on this issue highlighted the potential disruption that could be caused by state-sponsored operations, and the crucial role that attribution will play, particularly in light of decisions that may need to account for political expediency. War risks exclusions similar to those published by the LMA earlier this year will be key in reducing insurers’ exposure and the risk of adverse judgments in contested claims.

The number of sanctions generated by the conflict in Ukraine re-emphasised that funds or economic resources are prevented from being made available to or for the benefit of certain entities or individuals. Whether directly or indirectly, knowledge or suspicion of the involvement of a sanctioned party leaves those making payments at risk of a criminal offence. Those parties wishing to engage with threat actors are arguably left with minimal opportunities to reduce impacts on their businesses, and we may see further developments in this area in the coming year.

One of the other major outcomes of the outbreak of war has been widespread concern about the potential impact of a compromise of the UK’s critical national infrastructure. Whilst we have been fortunate as a nation not to experience significant offensive cyber operations, the Security of Network and Information Systems Regulations were amended in the wake of Brexit. These changes addressed the thresholds at which incidents involving ‘operators of essential services’ causing risk to public safety, public security or loss of life need to be reported to the ICO. Looking to the future, the UK Cyber Strategy published in June this year set out a comprehensive approach to promote and protect the UK’s interests and national infrastructure.

As a part of the UK’s critical national infrastructure, the aviation sector has also been one of the most high-profile targets for cyber-attacks in recent years. The unique nature of the aviation sector means it requires a specific legislative and regulatory environment. As our team emphasised in our navigation of aviation cyber risk, the global footprint of the sector requires legal expertise from a multi-jurisdictional perspective. From the air to the seas, our primer for marine cyber risk emphasised the distinctive nature of the marine sector, with the divergence of legal, regulatory and physical environments ashore and afloat.

We also reviewed a Lloyd’s of London report which considered the need to build resilience to cyber-attacks which could cause damage to physical environments. A variety of industries are potentially exposed to such events, for example those handling embedded fuel sources such as batteries and boiler fuel, or hazardous materials such as sewage and petroleum.

Ransomware remains a major risk to both critical national infrastructure and private enterprises, such as the London and international insurance markets. Data provided to the Department for Digital, Culture, Media and Sport and the ICO indicate that whilst phishing attacks are the most common type of cyber incident, they rarely escalate to a level of significance requiring notification to the ICO, in contrast to ransomware attacks. Consistent with this at a European level, the European Union Agency for Cybersecurity reported this year that ransomware attacks continued to dominate the cybersecurity landscape between mid-2021 and 2022. The “Confronting Reality in Cyberspace” report issued by the US Council on Foreign Relations also found that increases in digitalisation are directly correlated with increases in an organisation’s vulnerability to cybercrime, ransomware, disruption and theft.

In light of the continued prevalence of ransomware attacks, the Lloyd’s Market Association issued a bulletin setting out guidance for handling a ransomware claim incident. The guidance identifies the key issues to be addressed when considering whether or not to engage with the threat actor, and gives specific guidance aimed at insurers’ legal, compliance and claims teams. The ICO also produced its own guidance on its approach to ransomware incidents, comprising eight main topics. The guidance, despite not being mandatory, will likely inform the ICO’s approach to considering enforcement action arising from ransomware incidents.

Bound to this issue of ICO enforcement, the ICO and the National Cyber Security Centre published a joint letter to the Law Society and Bar Council seeking to address the argument that payment of the ransom constitutes mitigation of the risk to individuals and should be a factor taken into account by the ICO when assessing whether any enforcement action is appropriate. The guidance, whilst valuable, only addresses one of the likely factors to be considered when making a payment following a ransomware attack.

The risk of ransomware and other types of cyber attack is also amplified by the ever-increasing network of complex supply chains which organisations require to deliver products, services and systems. Our team highlighted both examples of the risks of a supply chain breach and our top tips for mitigating these risks. These tips are extremely helpful in ensuring the integrity and resilience of each link within the supply chain, which is a major challenge for risk managers.

A further test for those same risk managers can be the security of the personal data of their organisation’s own employees. However, the exfiltration of HR data via a cyber breach can still occur, and this generates a significant number of legal and practical issues from an HR perspective. Our cyber and employment teams discussed how to deal with pre-breach and post-breach issues.

Beyond guidance and strategy, legislation dealing with various elements of cyber risk has advanced this year. The UK Government published its response to the ‘Data: A new direction’ consultation in June of this year, closely followed by the publication of the draft Data Protection and Digital Information Bill. The draft Bill proposed to amend the existing UK GDPR and Data Protection Act 2018. However, following the political turmoil of the past 12 months in the UK, this legislation has stalled somewhat and it is unclear whether the Bill will progress in its current form.

One piece of legislation which has successfully navigated the political maze is the Product Security and Telecommunications Infrastructure Act. The Act is a key development in the Government’s ongoing commitment to improving cybersecurity in a diverse range of smart products. Our newsletter this month contains an overview of the Act’s provisions along with consideration of proposed EU legislation dealing with similar issues.

Finally, in the coming years, issues surrounding the environment will likely permeate all elements of our lives. This year, the World Economic Forum stated that cyber crime and climate change are seen as the two biggest threats facing the modern world. Despite the lack of an obvious connection between the two, we explored the thought-provoking ways in which those two issues are intersecting, and will continue to overlap into 2023 and beyond.