Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
The law’s long arm reaches wrongdoers
Let’s start with some good news (for a change). Cybercriminals felt the heat from law enforcement last year, while ransomware payments fell. At the end of January, police forces from eight countries took down two of the world’s largest cybercrime forums. Between them, the Cracked and Nulled platforms had more than 10 million users and had generated over €1 million in profits. Intel471 has a detailed analysis of other significant law enforcement operations in 2024, including those against the LockBit ransomware gang and multiple malware droppers. Meanwhile, a division of the Department of Homeland Security said it had disrupted more than 500 ransomware attacks since 2021. Europol, which supported the forum takedowns, also published three reports. The first examines the challenges in cybercrime investigations involving digital evidence. The second is a guide for cooperation between financial providers and investigative authorities. The third relates to ethical decision making in assessing technologies for law enforcement.
Increased law enforcement crackdowns and better collaboration also contributed to a 35 per cent drop in ransomware payments last year. Chainalysis’ figures showed more victims are refusing to pay compared to the previous year. It’s probably worth saying that 2023 was a record year, with ransom payments reaching $1.25 billion. But still, progress is progress.
Cyber insurance industry faces a pivotal year
The cyber insurance industry faces a “pivotal year”, influenced by evolving ransomware threats, regulatory changes, and the integration of artificial intelligence (AI). RPC’s Annual Insurance Review 2025 highlights these trends, noting a surge in ransomware incidents in the UK despite improved organisational security measures. The report noted a shift in the ransomware landscape towards a self-service model, where groups like Ransomhub and FOG enable less-skilled actors to execute attacks. This increases the volume of incidents, often leading to ‘amateurish’ or unsophisticated efforts like faulty ransomware deployment or data deletion. This can mean decryption keys are ineffective even after a victim has paid the ransom. AI plays a dual role: it enhances threat actors’ capabilities, leading to more efficient and widespread attacks, but it also offers defensive potential through AI-supported threat detection.
Insurance Business magazine’s report about the same document focused on how regulatory developments are reshaping the industry. The EU Digital Operational Resilience Act (DORA) and the anticipated UK Cyber Security and Resilience Bill aim to enforce stricter cybersecurity standards across various sectors. These regulations increase businesses’ exposure to scrutiny, compelling insurers to reassess underwriting practices, coverage levels, and policy exclusions. A reminder here that the UK Government is considering a ban on ransomware payments. Separately, a survey of 500 businesses commissioned by Chubb found that 89 per cent are planning to expand their cyber insurance coverage.
Data protection and privacy roundup: more moves towards trustworthy AI
Data protection authorities have issued a joint statement stressing the importance of privacy-focused AI development. Regulators from Ireland, the UK, France, South Korea, and Australia highlighted their role in shaping trustworthy data governance frameworks. In other legislative news, the European Commission has withdrawn proposals for the ePrivacy Regulation and AI Liability Directive due to a lack of consensus. The current ePrivacy Directive and related national laws remain in force. TechCrunch reported: “The dominance of behavioural advertising business models that rely on tracking and profiling web users to monetise their attention has raised the commercial stakes for any reform of EU ePrivacy rules.”
Staying with AI, the European Data Protection Board (EDPB) has adopted a statement on age assurance for minors’ online safety and expanded the ChatGPT taskforce to cover broader AI enforcement. Meanwhile, OpenAI has introduced a feature allowing EU users to process API requests within the region with zero data retention. This supports GDPR compliance, but it only applies to newly created projects, not existing ones.
GDPR complaints are winging their way to six well-known Chinese apps, TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. The privacy advocacy group NOYB filed them, claiming the apps are unlawfully transferring EU citizens’ data to China. Separately, NOYB also filed a complaint against the weather app WetterOnline for sharing users’ personal data, including precise location information, with third-party advertisers. In response, the app claimed GDPR compliance was “disproportionate effort”.