
Thommessen CyberHub: Key expectations and predictions for 2023


The holidays are coming up and a new year is approaching. We have looked at some key expectations and predictions for the upcoming year.

Cyberrisks in 2023 - it's all about the supply chain

The global rise of credential theft and data extortion has continued at an exponential level throughout 2022. “Stealer-as-a-Service” cybercrime groups have placed credential and data theft in the hands of anyone able to access their dark market platforms or data repositories. Based on recent events, the main cybersecurity exposure for corporates in this threat landscape is their supply chain.

Supply chain networks are complex and increasingly reliant on technology, which makes them ideal launchpads for cyberattacks against the main target. At the same time, legal requirements for corporates to control their supply chain are increasing, while any real transfer of cyber-related risk exposures through insurance is becoming more and more expensive.

Consequently, in order to effectively manage cyber risk in 2023, corporations need to review and reduce their liability exposure towards their supply chain. They need to ensure that their business partners have robust cybersecurity measures in place, and that their supply chain contracts adequately address the risk of cyber-related incidents and the parties’ responsibilities in this respect.

Laws are ramping up

Legislators are seeking to simplify and streamline the regulatory requirements that apply to the management of cybersecurity risks, which is welcome, but the legal landscape remains complex, fragmented and overlapping. Two notable new legislative instruments were adopted in the EU in November 2022. Both will introduce fines and penalty regimes for non-compliance, and both fundamentally allocate the responsibility for managing cyber risks stemming from the supply chain to corporations. We expect these laws to change the way companies work with digital operational resilience and cyber risk in the years to come: legal and organisational requirements will have to be addressed through additional internal policies and routines, and IT agreements must be drafted to comply with new outsourcing obligations.

General requirements – NIS 2.0

Recognising the inadequacy of existing laws and the lack of a uniform legal approach, the EU is seeking to bolster cyber resilience by enacting a legislative framework that applies in all EEA and EU jurisdictions. Most notably, and recently, the EU Parliament approved in November the Network and Information Security Directive 2 (NIS 2.0) which will replace the first EU-wide cybersecurity legislation – the NIS Directive from 2016.

In essence, NIS 2.0 increases and harmonizes baseline security requirements, and establishes particular requirements for critical infrastructure such as energy systems, health care networks and transportation services. Failure to comply with NIS 2.0 may result in administrative fines between 1.4 % and 2 % of total turnover worldwide.

Sector specific requirements - DORA

In addition, legislators are tightening requirements that apply to organizations acting in specific sectors, including the healthcare, energy and financial sectors. For example, companies providing financial services within the EU/EEA will be subject to the Digital Operational Resilience Act (DORA), which seeks to ensure that the entity providing financial services has adequate control over its supply chain, particularly its ICT third-party service providers. This means that, once DORA is formally adopted, a number of financial institutions may need to re-draft their ICT-related agreements in order to be compliant with the new laws. DORA introduces a penalty regime which is reminiscent of the General Data Protection Regulation (GDPR) - failure to comply may result in administrative fines up to €10 million or 2 % of the entity's total turnover worldwide, whichever is higher.

Additional legislative changes, which will introduce further requirements for how organisations manage cybersecurity risks, will be implemented in the near future.

How Cyberassurance can reduce risk exposure

Insurance markets are not providing sufficient risk transfer opportunities for corporations. Due to the heavy losses that have hit the cyber insurance markets over the last couple of years, cyber insurance premiums are higher than ever, while limits are reduced, retentions increased and exclusions wider.

The best way for corporations to improve digital operational resilience, ensure compliance with the new regulatory requirements and reduce their cyber risk exposure, which largely stems from their supply chain, is by managing their legal risk exposure through (i) contracts and (ii) ensuring a tangible audit process of the security standards applied in the relevant supply chain. To the extent existing agreements do not comply with the novel requirements, which is likely the case for the majority of corporations within the EU/EEA, agreements must be revised to ensure that they cater for the new legislative framework in order to avoid possible administrative fines and to better manage cyber-related risk exposures. This necessitates a clear understanding of which rules apply to your organisation and to your suppliers, as well as reviewing and, possibly, re-drafting relevant agreements to meet applicable obligations.

Thommessen CyberHub

Thommessen's CyberHub, a forum for international experts within threat intelligence, forensics, insurance, cyber assurance and incident response, will in 2023 arrange seminars on the topics mentioned above to help our clients understand and, ultimately, be better prepared for handling the new requirements for their cyber risk management. We provide assistance in relation to third-party contract reviews, governance measures against cyberattacks (proactive actions), as well as, in the event of an attack, practical and legal assistance to minimize the impact (reactive actions).

Get in touch

If you would like to hear more about Thommessen CyberHub and how we can help company leaders and legal functions manage legal risks and response relating to cyber threats, please contact our team here at
