Cyber threats are the same the world around, but the implications and consequences can feel very different based on the market. That’s why, regardless of where an organization operates, it's essential to understand not only what's happening in its sector, but also what's happening on the world stage that could impact the sector.
Though incident counts have trended down somewhat in the U.S. recently, as 2023 gets underway, the expectation in Europe and the “rest of world” markets is that cyber incidents are likely to increase in frequency. In addition to increased frequency, there are a number of market-specific factors that may have global influence on cybersecurity incidents.
Class actions: A U.S. phenomenon becomes a global issue
The cyber class action suits that continue to develop in the U.S. are a perfect example of a cyber trend that has ramifications for businesses outside of the market vertical in which it is occurring. In the U.S., greater incident complexity is being observed, including a rise in class actions, than ever before. In today’s market in the U.S., a data breach made public one day can result in a lawsuit the next.
This is a phenomenon somewhat unique to the U.S. — it’s rare to see class actions outside of the States — however, in places like the U.K. and in Australia, there are mechanisms by which aggrieved data subjects can bring representative actions or seek group litigation orders. The scale of the problem is not as big as in the U.S., but that has not stopped claimants from trying to recover damages for loss or misuse of their data. And, whilst Canada does have class actions, the volume is significantly less than in the United States.
Nonetheless, the risk of getting embroiled in class action litigation does exist beyond U.S. borders. Global companies who operate in the U.S. or hold U.S. citizens’ data can and do get caught up in data class action litigation. With global entities getting dragged into data disputes in other jurisdictions on a regular basis, it’s important for organizations to understand and be prepared for the reality of data breach litigation even if they operate outside of the U.S.
Regulation heats up in Australia
Global companies with a presence in Australia should be aware that this is a market that is experiencing significant regulatory activity in 2023. There's development of greater regulatory interest from the Office of the Australian Information Commissioner (OAIC), driven, in part, by a new government in Australia that has endeavored to spread its wings, and by amended data privacy legislation in the form of The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. If implemented, the new law will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4 million) penalty to whichever is the greater of: AUS $50 million (~$32 million); or 3x the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period. Increased Australian media interest means that breaches that would historically have gone unnoticed are now front page news. Organizations operating in Australia should be carefully watching these developments to stay on top of the implications for their own operations.
New French legislation
France has just introduced a new law which requires that any organization that suffers a “breach of an automated data processing system” must file a complaint with the police within 72 hours of becoming aware of such a breach if they wish to claim for any loss or damage under their insurance policy. A failure to file a complaint with the police will entitle insurers to decline coverage for the claim. It is not yet clear whether the new law will apply only to French companies operating in France with a French insurance policy or not. There is much speculation that the trigger applies to any organization that is impacted by a breach of their automated data processing systems in France, but all companies with French interests should be aware of this new law and take adequate steps to report as necessary in order to protect their position vis a vis their insurers.
European proximity to war drives complexity of sanctions
For many countries, including those in Europe, the existence and application of sanctions became a firm focus this past year because of the war in Ukraine. Of course, Europe is a little bit closer to the conflict than the rest of the world and that in itself makes handling events like ransomware matters a bit more complex; not least of all because the sanctions regime impacts a number of the countries in which the threat actors sit. Sanctions are obviously an international issue, but it feels slightly closer to home for countries operating in Europe because they're just down the road.
In today’s global world, it's imperative to be well-versed about trends and regulations well beyond the boundaries of an organization's own sector. From regulations to sanctions, every market vertical has its own level of nuance and unique complexity, making it necessary for organizations to understand the world stage. Insureds should be watching closely as trends and regulations evolve globally, and asking themselves, “What does that mean for my insurance and my market?”
Author's note: The information set forth in this document is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. It should not be construed or relied upon as legal advice and is not intended as a substitute for consultation with counsel. Beazley has not examined and/or had access to any particular circumstances, needs, contracts and/or operations of any party having access to this document. There may be specific issues under applicable law, or related to the particular circumstances of your contracts or operations, for which you may wish the assistance of counsel. Although reasonable care has been taken in preparing the information set forth in this document, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information.