2023: The Cyber & Data Risk Horizon

Published 30 enero 2023

Cyber & Data risks continue to be identified by various organisations as the key concern that they are facing as they move deeper into 2023. To mark the launch of our Informed Insurance predictions, which include predictions for cyber, we have given our newsletter subscribers a bonus of 4 more specific developments to look for in 2023.

Informed Insurance

Our international experts have contributed to over 140 insurance predictions [hyperlink - https://insurance.dacbeachcroft.com/predictions/] for 2023 and beyond, aimed at supporting the global insurance market in preparing for the challenges and opportunities ahead.  The predictions are categorised under six key themes (climate change, class actions, global risk, modernising the workplace, regulation and technology) and cover 17 different classes of insurance business, including cyber and data risk.

Among our Cyber & Data Risk predictions, we’re expecting cyberattacks on critical infrastructure to increase and that the new UK Product Security and Telecommunications Infrastructure Act will add to the regulatory burden. Take a look here.

And if that wasn’t enough, our team has highlighted 4 more key milestones to monitor in 2023.

1. Resilience is on the menu

Within the context of cybersecurity, the word ‘resilience’ will continue to be key this year. The recent confirmation of the NIS 2 Regulations in the European Union focused on improving “resilience and incident response capacities” within the EU by October 2024.  The Digital Operation Resilience Act has also recently been placed within the Official Journal, with the Cyber Resilience Act aimed at connected products, proposed in September. This extensive package of measures is aimed at minimising cyber threats via ongoing processes of assessing, testing and improvement and promoting an environment of cyber resilience

Within the UK, resilience is the second pillar of the UK Cyber Strategy, and is “foundational to [the UK’s] wider strategic aims.” To that end, the Government recently passed the Product Security and Telecommunications Infrastructure Act dealing with connected products and the Government has also stated its intention to amend the UK NIS Regulations too.

Businesses will need to monitor the progress of any legislative change which may affect them, but should also be mindful that the issue of their cyber resilience should not be prompted purely by legislative measures; it should be at the forefront of their cyber planning for the coming years.

2. Progression of the Online Safety Bill

Following a lengthy period of inertia throughout the third quarter of 2022, progression of the Online Safety Bill has resumed. The Bill is now in its report stage in the House of Commons. Insurers and corporates should be mindful of potential impacts on their business models and future regulatory expectations as the Bill progresses.

With the primary aim of the legislation to protect users from harmful content online, a significant area of contention during parliamentary discussions relates to proposals to prosecute senior executives in social media companies. Initially this was limited to circumstances where executives had failed to assist Ofcom investigations. It is now understood that following discussions with Conservative MPs, the Minister for Digital, Culture, Media and Sport has agreed to amend the draft legislation to include the prospect of criminal charges for senior managers who ignore the risk of serious harm to children.

3. ICO and Tiktok

Tying back into the overarching concerns around the safety of children online, the outcome of the ongoing ICO investigation into TikTok will be awaited with great interest. The Information Commissioner published provisional findings in September 2022 and issued TikTok with a ‘notice of intent’, an indication that a fine will follow. The decision of the ICO, and any possible fine, will be of great interest, particularly for those closely watching the approach of the ICO to breaches and complaints in the coming years.

That provisional notice stated that the ICO had evidence the company may have processed the data of under-13s without parental consent and a lack of transparency as to how that data was being used. In announcing their initials, the ICO quoted a potential of £27 million. However, whether that fine is indeed levied, or if their provisional findings are upheld remains unclear. In response to the notice, TikTok was entitled to make their own representations.

4. Artificial intelligence, ChatGPT and the mainstream

One of the most thought-provoking issues in 2023 will be the risks associated with the use of AI language chatbots and other artificial intelligence solutions. Increased awareness and usage of ChatGPT, has prompted discussions around the limits of its usage. Recent discussion has centred around the possible use of ChatGPT in educational assessments and the potential associate risks to academic integrity. However, from a cyber risk perspective, there are clear and apparent risks in the wider use of AI programs such as ChatGPT.

Although ChatGPT’s content usage policy makes clear that “end-users [are not permitted] to generate the following types of content… spam, deception, malware,” reporting indicates that it is possible to circumvent any protections preventing the creation of these materials.

One user asked ChatGPT itself[1], ‘How Can ChatGPT be used in cyberattacks?’, and, as perceptively as you may expect, it identified phishing, impersonation, scamming and generating malware as possible uses.  Moving into this new year, progress in this sphere should be watched with curiosity and concern.