Cyber_Bytes - Issue 58

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

Changes to the One-Stop-Shop

In July 2023, the European Commission proposed regulations to enhance cross-border cooperation under the GDPR. The current position under the European GDPR faces challenges such as unfair outcomes, inconsistent processes, and ineffective dispute resolution.

The proposal aims to improve procedure across EU jurisdiction, including the adoption of a General Form, strengthening the right of defence, and clarifying dispute resolution.

The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the proposed regulations.  They set out the following further recommendations: extending the role of Supervisory Authorities; removing unnecessary formalities; safeguarding the right of Supervisory Authorities in one jurisdiction to object to decisions of another; establishing time limits for procedural steps; and address practical collaboration obstacles.

The hope is that accepting these suggestions can consolidate and improve the one-stop-shop mechanism across the EU. 

To read RPC's article on this, please click here.

QBE Study Reveals Employee Cybersecurity Gaps

A recent QBE study highlights common employee cybersecurity lapses, urging increased training and security measures. Findings show that:

1. Nearly a third of employees (31%) have engaged in actions that could jeopardise workplace cybersecurity.
2. These actions range from falling victim to phishing scams (5%) to accidentally introducing malware (7%).
3. Additionally, incidents of device loss or theft (6% and 7%) and password sharing (13%) were reported.
4. Less than half of respondents reported effective cybersecurity measures, including employee training (46%), multifactor authentication (43%), and phishing simulations (29%).

The study highlights the need for better employee education and a stronger cybersecurity plan.

Erica Kofie, Head of Cyber Proposition for QBE Europe, stressed the importance of ongoing employee education and sporadic phishing simulations. As cyber threats evolve, businesses must remain vigilant and continually update their strategies.

To read more, please click here.

Lloyd's of London warns of major $3.5 trillion cyber-attack on payments

According to a scenario modelled by Lloyd's of London and the Cambridge Centre for Risk Studies, 'a hypothetical but plausible cyber-attack would cause widespread disruption to global business. The US would take the biggest hit by losing $1.1 trillion over five years, followed by China and Japan with $470bn and $200bn respectively.

With cyber security breaches against financial services increasing from 187 to 640 across a 3-year period, cyber insurance saw over $9 billion in gross written premiums last year. This is predicted to grow to $25 billion by 2025. There are concerns that financial services firms, especially pension schemes, would be vulnerable to some form of cyber-attack resulting in a data breach. While hackers target pension schemes because of large amounts of valuable, sensitive and financial data, cyber security is fundamental to pension scheme trustees' legal duties.

To launch a payment system attack, hackers could plausibly plant malicious code in critical software used to confirm transactions and verify payments, create a back door to paralyse the payment system and divert any funds to the hacker's accounts.   

To read more, please click the Lloyd's article here. 

UK Information Commissioner Warns Data Breaches Endanger Domestic Abuse Victims

The UK Information Commissioner has issued a strong warning to organisations, urging them to handle personal information with utmost care to protect victims of domestic abuse from further harm.

Over the past 14 months, the Information Commissioner's Office (ICO) has reprimanded seven organisations for data breaches affecting domestic abuse victims. These breaches include:

1. Revealing Safe Addresses: In four cases, organisations disclosed victims' safe addresses to their alleged abusers, necessitating immediate relocation.
2. Identity Disclosure: Women seeking information about their partners had their identities disclosed.
3. Home Address Disclosure: Home addresses of adopted children were revealed to their birth father, who was incarcerated for offenses against their mother.
4. Unredacted Reports: Unredacted assessment reports were sent to individuals who posed risks to children.

The organisations involved range from law firms to government departments, and their breaches are reported to have stemmed from inadequate staff training and data protection procedures.

John Edwards, the UK Information Commissioner, urged organisations to implement basic security practices like comprehensive training and double-checking records to prevent further harm to victims. The ICO's revised enforcement approach aims to work closely with the public sector to prevent data protection issues, offering clear instructions for improving data protection practices to prevent similar incidents. For organisations working with domestic abuse victims, key actions include having processes in place to support data privacy requests, regularly verifying contact information to prevent data disclosure to outdated addresses and providing thorough role-specific data protection training for staff.

To read more, please click here.

FCA's Insurance Market Priorities for 2023 – 2025

The Financial Conduct Authority (FCA) has identified key priorities and areas of concern for the insurance market in the years 2023-2025, which include a cyber focus. These include addressing governance and culture, operational resilience, embedding the Consumer Duty, and reducing financial crime.

Market-Wide Priorities:

1. Higher Standards: Enhance governance, culture, diversity, and equity to improve customer outcomes.
2. Operational Resilience: Focus on operational resilience, especially concerning third-party services, to prevent customer harm.
3. Consumer Duty: Implement the Consumer Duty to ensure positive consumer outcomes for products, price, understanding, and support.
4. Preventing Harm: Strengthen oversight of Appointed Representatives to minimise potential harm.

Wholesale Insurance Specific Priorities:

1. Competition and Growth: Foster competitiveness in the London market to provide innovative solutions for customers.
2. Standards & Culture: Promote an inclusive culture, address non-financial misconduct, and prioritise diversity, equity, and inclusion.
3. Operational Resilience: Ensure effective operational resilience to minimise disruptions.
4. Cyber Insurance: Ensure clear policy wordings, fair claims handling, and products that meet customer needs.
5. Consumer Duty: Comply with the Consumer Duty, focusing on products, price, consumer understanding, and support.
6. Combatting Financial Crime: Implement controls to combat financial crime, especially in the context of international sanctions.
7. Financial Stability: Maintain sufficient financial resources to meet threshold conditions and service debt under stress scenarios.

These streamlined priorities highlight the FCA's focus on enhancing industry standards, protecting consumers, and ensuring market integrity.

To read the FCA's letter, please click here.