As Q1 2024 comes to a close, I look back at some of the key cyber developments that have been keeping us, and our clients, busy so far this year:
- UK organisations more likely to pay ransoms: We are continuing to advise clients on ransomware attacks, and it was therefore interesting to see research from Proofpoint, reported in The Times, that UK companies are more likely to pay a ransom than in other jurisdictions. Reports suggest 85% of UK victims pay ransoms, compared to a global average of 58%.
- Corporate governance and the impact on the board: Despite recent UK Government cyber research (20th March) suggesting that “for many organisations, the board is under-engaged,” the corporate governance side of things has been in the spotlight recently:
  - The NCSC recently produced new guidance for CEOs on responding to a cyber incident, highlighting the role it believes board members have. The guidance advises CEOs to put proportionate and effective governance in place and bring external experts in to help manage ‘the legal, technical, operational and communications considerations that a serious incident brings.’ It also advises CEOs to consider the impact of the breach (including on team resilience and welfare), the risks of making a ransomware payment, public messaging, reviewing lessons learnt and reporting incidents to the NCSC and law enforcement. The CEO guidance followed the NCSC’s blog and video on cyber security governance and the role of the board published in February, and last year’s update to its boardroom toolkit.
  - We also saw an updated Corporate Governance Code and guidance published this January which expressly includes a section on cyber for the first time (see our article). Institutional investor voting guidelines have also been expanded recently to include specific references to cyber, all resulting in increased focus on the way in which boards manage, and report, cyber governance and controls (particularly for those companies that have already faced major cyber issues).
- Supply chain remains a key risk: The fallout from the Capita breach continues to impact our clients. This highlights both the long tail of incidents and how many organisations can be impacted when a supplier is hit. It was also interesting to see that cloud providers now seem to be a particular target for some threat actors. The NCSC recently warned that some ransomware groups are changing their tactics and directly targeting cloud services as more organisations and governments move to cloud infrastructure.
- Preparing for new legislation: Many of our clients are getting ready for new cyber laws that are on the way in both the UK and EU. For example:
  - the EU’s Cyber Resilience Act, which aims to increase the level of cyber security in connected devices, was approved by MEPs in March. The UK has also recently introduced its own rules around connected devices (see blog); and
  - the NIS regime, designed to achieve a high common level of security across the EU (focussing on critical national infrastructure/essential services), is also being updated. In-scope clients are preparing for the EU’s NIS2 (see blog), with its expanded scope covering new sectors, a 24-hour early warning requirement and senior management liability (the latter being another corporate governance development for organisations to consider). NIS2 is already law, but applies in Member States from this October. The UK is also looking to update its equivalent legislation, for example by bringing managed service providers into scope (see blog). However, the timing for this is still unclear, with the UK Government recently re-confirming (in its response to the Joint Committee on National Security Strategy Ransomware recommendations) that it will make the necessary changes as soon as parliamentary time allows.