Cyber security and resilience bill: impact on the insurance industry

The announcement of the Cyber Security and Resilience Bill in the King’s Speech demonstrates a commitment by the new government to develop and strengthen the UK’s cyber security infrastructure in an increasingly hostile threat environment.[1] Attacks in recent years on some of the UK’s key public sector institutions, such as the NHS, have necessitated an increased emphasis on cyber protection. In this article, we consider the impact that the Bill may have on the insurance market.

Stricter cyber security and reporting requirements

Should it be enacted, it is anticipated that the new legislation will require stricter cyber security requirements for the institutions that form part of the UK’s critical national infrastructure, including the NHS and governmental departments. This could take the form of mandatory, frequent assessments of vulnerability and checking the effectiveness of incident response plans that insured businesses have in place.

It is also likely to impose more stringent requirements for reporting data breaches and cyber security incidents on these businesses. Insurers may therefore wish to consider (i) how these more onerous requirements may affect cyber insurance policies; and (ii) whether to address them by asking more detailed questions at the underwriting stage, drafting policy conditions or otherwise.

Supply chain considerations

It is probable that the legislation will include requirements for insured businesses to consider the companies they might interact with in their supply chains to establish whether those companies fall within the scope of the new, more stringent requirements. Insurers and insureds alike will have to consider even more carefully the make-up of the insured’s supply chains and the related cyber security measures taken when assessing cover.

Strengthening of regulators’ powers

Any new legislation is also expected to strengthen regulators’ powers to introduce higher fines and penalties for organisations that fail to comply with the mandated cybersecurity standards. Consequently, insurers will be paying even closer attention to an insured’s compliance with any new requirements, which may impact their access to cover under cyber policies.

The insurability of regulatory fines is a longstanding topic of debate within the insurance market. Insurers will need to carefully consider the coverage position in respect of any fines levied following a breach of enhanced cybersecurity standards.

Considerations for Directors and Officers

The insurance market will also have to consider cover under other types of insurance such as Directors and Officers policies, as any liability for failure to implement the required stringent cyber security measures could be borne by senior management. Insurers would be wise to consider the collateral impact that more stringent requirements (and any non-compliance) will have on senior management’s responsibilities and access to cover under these types of policy.

The proposals do not, at present, include much detail but Kennedys’ Data Risk and Privacy and Coverage Teams will be monitoring developments closely and providing updates. With our extensive, expert knowledge and experience advising on cyber risk matters within the insurance industry, we will continue to consider and interpret the impact of this proposed legislation on the insurance market for our clients.


[1] The King’s Speech 2024: The new government’s vision for cyber security, data protection and AI