2023 and beyond: Emerging risks and legislation

Parent companies are in the firing line for harms caused by foreign subsidiaries

Growing awareness of ESG issues and rights to access justice is fuelling an increase in group actions against UK and EU-domiciled parent companies for alleged human rights abuse and environmental damage caused by their overseas subsidiaries and affiliates. With the English Supreme Court’s confirmation that parent companies can be liable for such harm, and the EU’s proposal to legislate for mandatory due diligence on human rights, the environment and good governance throughout supply chains, it is inevitable that this trend will continue. Now is an opportune time for parent companies to review their policies, procedures and corporate governance arrangements and get a real handle on risk management and governance of subsidiaries. Ignorance will not assist those at the top of the corporate chain.

Greenwashing and climate change litigation

Climate activists will continue to challenge the actions of private companies and governmental agencies and bodies. As promoting green credentials becomes ever more important in marketing, consideration must be given to the potential risks arising from those efforts. Producers and manufacturers who want to persuade consumers to purchase their products (rather than those of a competitor) by stating they have been responsibly sourced, manufactured and packaged, risk liabilities relating to unfair trade practices or breaches of competition law and consumer protection laws.

Regulators are responding with more rules to eliminate misleading and unsubstantiated claims, and with greater enforcement activity.

Across the globe, a wide variety of climate litigation is underway, from greenwashing challenges to applications to the European Court of Human Rights regarding factory farming. The high-profile action by ClientEarth against the board of Shell emphasises the prospect of individual directors being the subject of climate-related litigation; the outcome will create an important precedent.

Directors will continue to be under the microscope during challenging economic conditions

While the country struggles to recover from the economic damage of Covid-19, continuing financial uncertainty means companies are now facing a further slew of financial issues beyond their control. An increase in insolvencies will see more claims by creditors against the directors of insolvent companies to recover their losses. The Supreme Court has recently considered the duties owed by directors to creditors in circumstances where a company faces financial uncertainty, holding that a ‘real risk’ of insolvency is not sufficient for the creditor duty to arise. Rather, the duty to creditors is only engaged when the directors know, or ought to know, the company is insolvent or bordering on insolvency, such that it is ‘probable’.

Expect more regulation on protecting the workforce and accountability over supply chains

A new Modern Slavery Bill, announced in the Queen’s Speech on 10 May 2022, awaits further Parliamentary debate. Its purpose is to update the existing Modern Slavery Act 2015 and to ‘strengthen the protection and support for victims of human trafficking and modern slavery and increase the accountability of companies and other organisations to drive out modern slavery from their supply chains.’ The Bill will introduce criminal offences and financial penalties for non-compliance. Globally, legislators have taken significant steps in recent years to introduce responsibilities on companies to prevent harm arising from their operations; this is part of a broader trend of formal legal obligations beginning to align with voluntary business human rights standards, in particular the UN Guiding Principles on Business and Human Rights.

Liability for failure to ensure cyber security for connected devices

Stringent requirements at both UK and EU level will increase governance on cyber security for connected devices. The UK Government has recently passed the Product Security and Telecommunications Infrastructure Act, which aims to protect consumer connectable devices from cyberattacks. ‘Smart consumer’ products will need to be designed more securely against cyberattacks at the manufacturing stage. Any non-compliance risks fines of £10m or 4% of global revenues (similar to the GDPR). Similarly, the European Commission has proposed the introduction of the Cyber Resilience Act for products with ‘digital elements’. Any non-compliance risks an administrative fine of up to €15m or up to 2.5% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Companies will face increasing scrutiny over the coming years. Now is an opportune moment for companies in this sector to review their cyber security obligations for existing and future products to ensure compliance.

Ransomware attacks will continue to dominate the cyber-security landscape

Ransomware attacks are becoming increasingly sophisticated as cyber-criminals evolve their methods by using expansive infrastructure and multiple malware tools to exploit vulnerabilities. Stolen credentials obtained by phishing scams remain one of the most common ways to launch ransomware attacks on businesses and government organisations. The shift to a hybrid working environment and virtual conferencing, alongside the development of ‘deep fake’ technology, has been a crucial factor. The ever more complex threat landscape requires a multi-layered solution that combines anti-malware, data loss prevention, email security, endpoint detection and response, vulnerability assessment, patch management, remote monitoring and backup capabilities. Staff training and public education also have key roles to play.

New enforcement powers for breach of sanctions

New powers to impose civil penalties for breach of financial sanctions may signal more enforcement activity in 2023. The Economic Crime (Transparency and Enforcement) Act 2022 imposes strict liability, rendering due diligence or the need to show any knowledge or suspicion of acting in breach of financial sanctions irrelevant. The Office for Financial Sanctions Implementation can impose fines of up to £1m or 50% of the value of the breach (whichever is higher). It also has the power to name and shame companies, even where a monetary penalty has not been imposed.
