Policyholder Disputes partner Chloe Derrick comments on the recent Russia-linked cyber-attack on Southern Water that may have compromised more than 500,000 customers’ data, and the broader significance of this issue.

Providing water to 4.7 million people in Sussex, Hampshire, Kent and the Isle of Wight, Southern Water warned a proportion of their customers that their bank details and National Insurance numbers could have been compromised after a ransomware attack by Russia-linked hacking group, Black Basta.

The attack on Southern Water, alongside the reported ransomware attack alleged to have been by the same Russian hacking group on Hyundai Motor Europe last month, is yet another illustration of the heightened global cybersecurity risks which exist in the current political climate.

Cyber events and ransomware attacks not only threaten the security of consumer data. The financial consequences to a business which can flow from a cyber event, and its ability (or lack thereof) to withstand cyber-related disruptions are significant and potentially catastrophic.


How are UK regulators reacting?

In September 2023, the Financial Conduction Authority (FCA) announced cyber insurance as one of its wholesale ‘insurance market priorities’, following concerns that uncertain cyber insurance products could create what the FCA termed a ‘misalignment’ between business expectations and an insurer’s stance on policy coverage.

The Prudential Regulation Authority (PRA) followed suit in January 2024 when it outlined its own insurance supervision priorities for 2024. In a similar approach to the FCA, the PRA has confirmed that it will be focusing on cyber underwriting risk, with a view to ensuring that the insurance sector has sufficient capital and risk management practices in place commensurate to the rapid growth of cyber insurance programmes and the inherent volatility of this type of risk. As part of the PRA’s focus on cyber threats, it will equally be monitoring whether cyber insurance wordings are clear.


What can companies do?

We expect the level of contract uncertainty risk that is attracting both the FCA and the PRA’s attention to give rise to increasing insurance coverage disputes between businesses and their insurers.

Companies should carefully review the coverage that they have in place to ensure that the organisation (and its directors) are sufficiently safeguarded, both from external cyber threats and other regulatory risks arising from their own internal cyber security policies and practices.



You can find further information regarding our expertise, experience and team on our Policyholder Disputes page.

If you require assistance from our team, please contact us.



Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.


Key Contacts

See all people