UK Biobank breach puts cyber cover in question

Data incident exposes gap between policy triggers and real-world risk


By Bryony Garlick

The reported listing of UK Biobank data online is being treated as a cyber breach. From an insurance perspective, it may not meet the threshold required to trigger cover.

The incident, which involves data accessed legitimately by approved researchers before being exposed externally, exposes a disconnect between how cyber policies are designed and how data risk now materialises.

For Ed Ventham, head of broking at Assured Cyber, the issue is not whether this constitutes a breach, but whether it activates cover.

“There’s not been any unauthorised access. That is the trigger. It’s the unauthorised access piece. It wasn’t there.”

Without that threshold being met, the exposure shifts, often beyond the point where insurers have clear visibility. Early indications suggest the dataset was shared through legitimate research channels before being mishandled or redistributed, a sharing model that is central to how UK Biobank is intended to function.

“This type of data sharing is the fundamental purpose of UK Biobank, in order to further research into the prevention and treatment of disease,” said Arran Roberts, partner at Kennedys.

That framework is underpinned by contractual agreements, including data security provisions, which may now define where liability sits, depending on how the exposure occurred.

“This could lead to potential liability for breach of contract for whichever institution this data originated from, if it is possible to trace,” Roberts said. “At this stage, we don’t know the full circumstances under which the data came to be listed for sale.”

What emerges is not a single point of failure, but a chain of exposure, where risk is defined not by how data is accessed, but by what happens after it is shared.

“Liability is distributed across the ecosystem, though it often concentrates with the entity that last controlled the data before it left a secure environment,” said William Altman, director for threat intelligence services at CyberCube.

That shift places governance, rather than perimeter security, at the centre of the risk, while also highlighting how quickly control falls away once data is shared beyond the organisation. The result is an increasing concentration of exposure in third-party relationships, which Ventham identifies as the most significant area of risk for insurers.

“The risk now is the third parties that you rely upon. It is the biggest exposure for insurers right now. It’s massive, that supply chain risk.”

Underwriting, however, remains focused on internal controls, with far less scrutiny applied once data moves beyond the organisation.

“A lot of underwriting questions around data go onto the controls around data that you process and that you hold, that you control,” Ventham said. “When it’s then been passed to a third party, the due diligence that needs to be done is asking, what are they doing with that data or how are they securing it. That isn’t being asked enough.”

The result is a structural blind spot: exposure expands as data is shared, while oversight does not. That gap is compounded by uncertainty over how the data itself is defined, with UK Biobank describing the dataset as “de-identified”, a term likely to attract regulatory scrutiny.

“The term is not one the ICO encourages the use of,” said John Pain, partner at Kennedys. “Whether, and if so, to what extent, the data in scope can be used to identify a given data subject, is likely to be something the regulators scrutinise.”

Even if anonymisation is deemed effective, the exposure does not fall away.

“Large health and genomic datasets carry a non-trivial risk of re-identification when combined with other data,” said Altman.

For insurers, the immediate question is whether policies respond at all, and that will depend heavily on how cover is structured.

“Whether any policy could be triggered in these circumstances would depend on the precise wording applied,” said Roberts.

The case is already prompting a rethink, particularly around how policies respond where no traditional breach has occurred.

“I’m now on the hunt for a policy that allows the privacy liability to be triggered when not from an unauthorised access,” Ventham said. “If you can have an insurer that says, I’m just going to cover you if you have a privacy event, the data is linked to your business, that is broad, that’s really good, and you want that.”

How insurers respond remains uncertain, though Ventham said the market typically reacts to emerging risks in one of two ways: tightening cover or expanding it.

Cyber underwriting has long focused on keeping attackers out; the harder question now may be what happens once access is granted.
