28 March 2023
Renditions of Auld Lang Syne had barely finished before we heard about the first data breaches of 2023. PayPal, T-Mobile, JD Sports and Activision were just a few of the companies who suffered data breaches in January and February in a clear sign that threat actors don't intend to slow down this year.
In PwC's annual CEO Survey for 2022, almost two-thirds of UK CEOs said they were extremely or very concerned about cyber attacks impacting their ability to sell products and services. But what cyber threats are on the horizon for the year ahead?
To help answer this question we held a webinar, Cyber Horizons for 2023, to share our views on the emerging threats and trends for 2023. Our Taylor Wessing speakers were lucky enough to be joined by Oliver Crofton from cyber defence company BlueVoyant to discuss what BlueVoyant sees as the main threats this year.
We kicked off by looking at the outlook for 2023. Oliver shared his short (or rather, long) list of threats BlueVoyant is monitoring including:
Ed Spencer and Laura Singleton were up next to give their views on a big question - is insurance the answer? The market for cyber insurance is in a challenging place right now, and many businesses have seen premiums skyrocket leading them to question whether insurance is worth the cost of the policy.
So, is insurance worth the premiums? Cyber attacks are hugely expensive to deal with and can cost tens of millions of pounds. Companies need to pay for lawyers, specialist IT recovery firms, third party experts, the often overlooked cost of business interruption – and that's without considering the cost of any ransom which might be demanded.
Insurance offers businesses the opportunity to mitigate financial and legal risk, but is in no way a complete solution – it helps after the event but is not a preventative measure. It's ultimately up to businesses to decide whether the cost of insurance premiums is justified or whether they want to allocate more funds to prevention instead.
Our speakers discussed the pros and cons of both options, also emphasising that it's important for companies to fully understand what cover they've bought and to comply fully with the policy wording.
Our webinar ended with Jo Joyce and Michael Yates discussing breach readiness. They covered the steps organisations should take to protect themselves using our audit, improve, and test methodology laid out below.
Audit – You should start by assessing your current level of preparedness through an audit. Engage with stakeholders across the business to work out general cyber awareness, then create a report to take to your board to outline any vulnerabilities or areas of concern identified.
Improve – If you already have a breach response plan and policies, update them for any areas identified in the audit stage. If you don't have them, prepare them! Ensure your plan is clear and comprehensive, and that everyone knows who's doing what, and at what stages, should the worst happen. Importantly, make sure your plan is stored somewhere you won't lose access to should your company be compromised.
In terms of those involved in your response, appoint your crisis response team in advance. Don't get stuck trying to assemble a team during a crisis, adding unnecessary pressure when you're already dealing with a multitude of competing priorities.
You should also prepare your reporting notices or litigation hold notices in advance. The decision to report can take up a huge amount of time when you're trying to deal with a crisis. And that's before you've even sat down to draft the documents you might need to submit. Prepare as much material in advance to save crucial time later.
Lastly, identify training opportunities to plug any knowledge gaps you've identified.
Test – Once you've worked out what you need to do, and have improved your arrangements, it's best to run a breach simulation exercise. This will give you a chance to work out if your policies actually work, identify any practical issues with your response plan, and identify if anyone is missing from your breach response team.
You can view the entire webinar below to hear the full discussion. If you'd like to know more about any of the topics discussed, or would like advice about proactive cyber defence in general, please get in touch.