Image of outside building. Side view.


Published on 10 January 2022

In this chapter of our Annual Insurance Review 2022, we look at the main developments in 2021 and expected issues in 2022 for Cyber.

Key developments in 2021

In 2021, we expected to see the release of the UK Supreme Court's decision in the case of Lloyd v Google, a class action brought by Mr Lloyd against Google.  The claim arose out of use of a workaround that allowed Google to place a third party cookie on iPhones, bypassing default privacy settings to collect and sell information on users' browsing habits.

The Lloyd v Google judgment, released 10 November 2021, was hotly anticipated and addressed key questions on damages and the permissibility of opt-out class actions. On damages, the judgment cemented  that there must be a material level of distress below which you cannot recover damages.  However, there was no further guidance on what constitutes "material".  Another key issue was whether the loss of personal data had value in and of itself such that damages could be recovered even if the loss of data did not lead to any distress.  This was rejected by the Supreme Court and, although it was noted that this decision is being made under DPA 1998, it is expected that the decision with have force in terms of the GDPR also.  Finally, on the question of whether representative actions are permitted for mass data privacy claims under Civil Procedure Rule 19.6 the Supreme Court said that, in principle, this could work, but in reality, each person would be affected in a different way.

These outcomes will come as welcome news to data controllers and processors.  However, the Supreme Court highlighted that they would have been happy for there to be a representative action for liability only and, if such liability is established, a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation. This could perhaps leave a door open in certain circumstances.

What to look out for in 2022

At a time when cyber insurance is more important than ever, with cybercrime remaining very prevalent and Jeremy Fleming, Director at GCHQ, announcing a doubling of ransomware attacks over 2021, it is becoming more difficult to get cyber insurance cover.

In 2022, we expect to see the cyber insurance market continue to harden.  Following Lloyds of London's phasing out of silent cyber cover, it will become increasingly rare to see cyber incidents being covered by other insurance policies,.  This is a welcome development in principle.  But it comes at a time when the capacity of the cyber market is being tested given the prolific impact and cost of ransomware that cyber insurance has had to address over the last 12 months in particular.  Whilst we can expect to see an increase in standalone cyber insurance products in 2022, prices expected to remain high.  Lloyds insurer Beazley said that cyber price rises "continue to exceed expectations" and the FT reported that, in the third quarter of 2021, cyber insurance prices rose 73% in the UK.  This is a good opportunity for cyber insurers to get the price right and provide cyber insurance at a good rate.  It is also potentially a good time to enter the cyber market with the lure of more balanced premiums and without the encumbrance of legacy ransomware losses.  There remains much to be positive about in the cyber insurance market, but this is a line of business which is growing up quickly

Written by Elizabeth Zang.

Download our full Annual Insurance Review 2022 for more insights.