Global regulations & considerations in cybersecurity

While the nature of cyberattacks and liabilities knows few geographic boundaries, different regions can take distinct approaches toward regulation and how insurance should respond to cyber events. Some of these differences are shaped by varying attitudes and laws that govern litigation, the degree to which critical infrastructure is exposed, and other local pressures. Corporate leaders and risk management professionals of multinational companies must navigate a maze of evolving and inconsistent standards across multiple jurisdictions.

United States

The U.S. is the world’s most litigious environment, which increases the liability exposure that follows a cyber incident for any company operating within its borders.

Class-action litigation may represent a bigger headache for companies than regulatory enforcement. Plaintiffs filed 1,488 data breach class-action lawsuits in 2024, a 1,265% increase since 2018, according to the Duane Morris law firm. The FTC can pursue companies for failing to reasonably safeguard consumer data, treating that failure as an unfair or deceptive practice under Section 5 of the FTC Act. The FTC brought its first data security case under the FTC Act in 2003 and has brought 90 more cases since then.

A relatively recent federal law may lead to sweeping changes to cybersecurity reporting requirements. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed in 2022. CIRCIA directed CISA to adopt rules governing when critical infrastructure organizations must report cyberattacks and ransomware payments.

When the rules take effect, they are expected to require covered entities in critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours. CISA was scheduled to finalize the rule in May, but a partial government shutdown has delayed implementation.

Other sector-specific federal laws — the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for consumer financial companies — govern data privacy and breach notifications.

FTC rules imposed under the Children’s Online Privacy Protection Act (COPPA) require businesses, and particularly their websites and online applications, to receive parental consent before collecting personal data on children under 13. The FTC updated COPPA-related rules in 2025 to expand the definition of personal information to include biometric data and to require parental consent for targeted advertising.

Beyond the federal government, states have enacted their own privacy and data protection laws. Many of these laws bear similarities, but some go further than others. California, for example, requires companies to notify affected individuals within 30 days of discovering a data breach under the California Consumer Privacy Act (CCPA).

Starting in 2026, CCPA also requires cybersecurity audits by independent auditors of businesses that collect consumer data to the point that its disclosure could pose a significant risk. Businesses that generate more than $100 million in revenue must submit their first audit in 2028, while companies that generate less than $100 million in revenue report their audits in subsequent years.

AI regulation in the U.S. remains limited. The White House wants the U.S. to lead in AI development and issued an executive order in December 2025 to limit states’ ability to regulate the technology.

Australia

Australia is arguably the world’s second most litigious country after the U.S. But it may lead the way in terms of regulatory aggressiveness.

In the last two years, the Australian Securities and Investments Commission (ASIC) has publicly sought to make an example of a company that fails to protect its cybersecurity systems: a test case in which the regulator can link the failure to a breach of directors’ duties.

Other sector-specific regulators, like the Australian Prudential Regulation Authority (APRA), have adopted a similar posture. The APRA successfully pursued two companies that hold financial services licenses for their failures in maintaining cyber resiliency in the last 18 months.

Another Australian company was fined $3 million for violating the Australian Privacy Act. While the fine was modest, the findings of the Office of the Australian Information Commissioner’s investigation were scathing, faulting the company for relying on subpar vendors when remediating the violation.

Asia-Pacific

Certain Asian countries have adopted more prescriptive cybersecurity measures in recent years and are rapidly maturing from a general-guideline stance to a stringent, enforceable regulatory regime. While major players like China and Singapore have established frameworks, other countries are in the process of implementing significant updates to align with global standards like GDPR.

China

China’s Personal Information Protection Law (PIPL) has been in force since November 2021. Separate cybersecurity incident reporting measures that came into effect in November 2025 require incidents involving critical information infrastructure to be reported within one hour and those involving other network operators within four hours.

Hong Kong

Following China closely, Hong Kong brought new rules into force in 2026 for critical infrastructure operators, covering public infrastructure and key private industries such as banking and healthcare. Critical infrastructure organizations operating in Hong Kong must conduct regular risk assessments and security audits of their computer and network systems and maintain emergency response plans.

Japan

Japan has shifted from a passive stance to a more proactive Active Cyber Defence Law (enacted in May 2025, operational by 2027) as well as the Act on the Protection and Use of Critical Economic Security Information (effective May 2025).

Indonesia

The Personal Data Protection (PDP) Law became fully enforceable in October 2024, imposing fines of up to 2% of annual revenue for noncompliance.

Singapore

With ambitions of becoming a regional cyber innovation center, Singapore has long maintained a sophisticated set of cybersecurity laws, including the Computer Misuse Act 1993, Spam Control Act 2007, Personal Data Protection Act 2012, and Cybersecurity Act 2018. That foundation has allowed Singapore to move on to funding grants for AI-driven threat detection and quantum-safe encryption.

South Korea

The Personal Information Protection Act was updated to levy fines of up to 3% of a company’s total revenue, add rules governing decisions made by AI, and require mandatory breach notifications within 72 hours.

Thailand

Guidelines were updated for Data Subject Access Requests, as well as transparency for digital platform fees to protect consumer data.

Vietnam

Vietnam extended its frameworks beyond cybersecurity to include a legal framework for blockchain, coupled with strict data localization requirements.

Europe/United Kingdom

The litigation environments in Europe and the United Kingdom are more restrained than the U.S. and Australia. Class-action lawsuits, or collective actions, are rare.

Regulations often take the lead in policing cybersecurity matters in these jurisdictions.

The European Union’s General Data Protection Regulation (GDPR) continues to govern how organizations maintain and handle personal data. Fines for violating GDPR can reach 20 million euros or 4% of an offending enterprise’s global annual revenue, whichever is higher. A similar regime, the UK GDPR, applies in the U.K.

The EU also passed the AI Act, a comprehensive law that governs AI. The AI Act requires AI systems deemed “high risk” to be resilient against intrusions and system exploitations. The law came into force in August 2024, with specific provisions set to become effective through August 2027.

Risk-specific considerations in different countries

Ransomware trends around the world

Even as ransomware is universally recognized as a critical cyber risk, its significance and nature vary by geography, as do attitudes toward ransom payments.

In the highly litigious U.S., concerns about lawsuits are paramount, providing one explanation why ransom payments have not increased substantially even as demands continue to rise.

Newer threat actors have also proved unreliable: they inconsistently honor their promises and are, in fact, more likely to double-cross victims even after payment. The increasing prevalence of data exfiltration means companies may still face significant litigation and regulatory risks after paying, giving ransomware targets a valid reason not to pay.

In the U.K. and Europe, ransomware is viewed primarily as a business interruption and governance issue. Senior corporate leaders are focused on regulatory expectations and resilience rather than negotiation outcomes.

In Australia, ransomware targets tend to take a pragmatic approach: Ransom payments are increasingly avoided, but regulators — including ASIC and APRA — heavily influence response strategy and costs.

In Asia, ransomware is a persistent threat but does not typically spark litigation. The consequences of attacks are primarily operational, not legal. Decisions about paying ransoms are thus driven by downtime tolerance and recovery speed, as regulatory enforcement and class‑action exposure remain relatively limited.

In Latin America, ransomware remains one of the most prevalent cyber threats, particularly among small and medium enterprises with weaker cybersecurity controls. Companies tend to be more tolerant of downtime, and regulatory or litigation consequences are limited. Ransom payments are considered more often, but targets are growing more skeptical of payments due to unreliable threat actors and persistent business interruption losses.

In the Middle East and North Africa, ransomware is seen as a strategic operational and regulatory risk. Ransomware incidents often affect critical infrastructure, healthcare, energy, banking, and government‑linked entities, for which continuity and public trust are paramount. Data localization laws and sector regulators strongly shape response decisions, with implicit or explicit expectations not to pay ransoms, particularly in regulated sectors. As a result, organizations frequently prioritize containment, restoration, and regulatory engagement over negotiation, even when outages are prolonged.

The global perspective on pixel tracking

While U.S.-based companies have been the most frequent targets of pixel litigation, companies based elsewhere — notably, in the U.K. and Australia — have also been targeted in suits filed in the U.S.

Beyond litigation, pixels and other tracking technologies are governed under the EU’s GDPR, its equivalent law in the U.K., and other laws in Latin America and the Middle East. These laws require that companies obtain consent from website visitors before using such technologies. Compliance is enforced through regulatory action rather than private litigation, though enforcement activity worldwide is uneven, and many regulators do not prioritize pixel tracking.

The insurance industry, however, is watching for potential developments in Australia, another litigious country that often follows the U.S. lead on legal and regulatory matters. Although pixel tracking is not currently a primary focus of Australian regulators and there currently is no mechanism for private litigation in Australian courts alleging improper use of tracking technologies, that could change in the future.

© 2026 Lockton Companies. All rights reserved.