The Next Frontier – Exploring Insurance for NFTs

By | Blog

A Non-Fungible Token (NFT) is a digital asset that signifies ownership or proof of the validity of a special item, work of art, photograph, or digital collectable. Unlike fungible (interchangeable) digital assets, such as Bitcoin and Ethereum, NFTs are unique. That means they cannot be traded one for the other, as each NFT has its own unique independent value.

The Rise of AI: Risks, Rewards, and the Need for AI Insurance

As large language models like ChatGPT and LLaMa democratise AI usage, the risks associated with increasingly potent AI models should not be ignored. Imagine businesses relying on biased AI or unstable models – the potential financial and reputational damage could be significant.

AI Guarantee Insurance

Enter AI Guarantee Insurance, a product designed for the age of artificial intelligence. In a world powered by easily trainable models like LoRa, where an AI ‘arms race’ looms and sophisticated phishing attacks threaten, this innovative insurance will offer protection against a range of AI-related risks. From performance failures and unfair outputs to legal disputes and even cyberattacks, AI Guarantee Insurance provides comprehensive coverage to mitigate the risks from AI.

Here are some examples:

      • Performance Guarantee Insurance: Safeguards against losses from underperforming AI systems, protecting businesses from inaccurate insurance quotes or failed marketing campaigns, ensuring financial security for those relying on AI-driven processes.
      • Business Interruption Insurance: Covers financial losses in the event of AI-induced disruptions to business operations. As AI becomes more prevalent across all industries and sectors, it is crucial to provide protection against such interruptions.
      • Fairness and Non-Discrimination Insurance: Offers financial security against lawsuits arising from biased AI outputs. With the increasing focus on ethical AI practices, businesses must protect themselves from legal action related to discrimination or unfair practices resulting from AI decision-making.
      • Intellectual Property Insurance: Provides defence against intellectual property infringement claims specifically related to AI models. As AI technology evolves, intellectual property disputes and consequent legal actions are likely to increase.

Who needs AI insurance?

Those requiring AI insurance span a diverse range of industries and needs. For example:

      • Insurtech Pioneers: Start-ups using AI algorithms for personalised insurance and dynamic risk assessments need protection against performance failures, biased outputs, and potential legal challenges arising from unfair pricing or coverage decisions.
      • AI-Powered Customer Service: Insurance agencies and brokers using AI-powered chatbots and virtual assistants face risks such as data breaches, misinformation, and discrimination. AI insurance mitigates these threats, ensuring customer trust and regulatory compliance.
      • Frontline Healthcare: Healthcare organisations deploying AI for diagnosis, treatment plans, and drug discovery require protection against inaccurate diagnoses, biased algorithms, and potential privacy violations. AI insurance offers peace of mind for organisations and patients.
      • Autonomous Vehicles: Developers and manufacturers of autonomous vehicles face immense liability concerns. AI insurance covers accidents, malfunctions, and even hacking attempts, safeguarding companies from financial ruin and protecting passengers.
      • AI-enabled Supply Chains: Companies using AI for demand forecasting and logistics optimisation need insurance against inaccurate predictions, leading to production bottlenecks or inventory losses. AI insurance ensures business continuity and minimises financial setbacks.
      • Developers Shaping the Future: Technology companies creating AI systems also require protection against data breaches, cyberattacks, and intellectual property theft. AI insurance provides vital defence against these threats, securing the developers’ valuable IP and fostering innovation with confidence.
      • Manufacturing in the AI Age: Manufacturing companies relying on AI-controlled production face risks like equipment malfunction, production errors, and even biased AI decisions impacting output. AI insurance safeguards against these potential disruptions, ensuring smooth operations and product quality.
      • Regtech Innovators: Firms employing AI algorithms for regulatory compliance and risk management require safeguards against operational deficiencies, biased outputs, and potential legal repercussions stemming from regulatory violations or compliance failures.

Parametric Insurance

Imagine an insurance policy triggered by a tremor, not a claim, where instant payouts hinge on pre-defined parameters like earthquake intensity or rainfall levels. That’s the magic of parametric insurance, powered by AI crunching real-time data from satellites, weather gauges, and even blockchain-powered sensors that pinpoint parametric triggers with laser accuracy.

For instance, Swiss Re’s parametric Flight Delay Compensation uses an AI model that predicts flight delays, enabling instant payouts to customers without the need for complex claims processes. Another example is the World Food Programme (WFP), which partners with Munich Re to provide parametric insurance for farmers in Africa. Based on rainfall data, payouts are triggered during droughts, protecting farmers’ livelihoods and preventing food insecurity. Hiveminds’ parametric solution, on the other hand, provides insurance for energy production from solar panels. Payouts are based on actual energy output, providing financial security for solar energy investors in case of underperformance.

Harnessing AI within Insurance

The insurance industry is also using AI, deploying it internally in the following areas:

      • Claims Processing: AI automates payments for straightforward claims, categorises and prioritises requests, differentiates plausible claims from potentially fraudulent ones, and interprets and assesses damages more efficiently.
      • Pricing and Underwriting: AI enhances decision-making through automated data gathering, enrichment, and storage. This includes personalised pricing models (parametric and otherwise) and improved competitor analysis, using sensitive factors for more predictive pricing.
      • Document Interrogation: AI-powered natural language processing facilitates document interrogation, allowing comparison of claims documents with policy wording to determine coverage, supporting compliance checks and streamlining document-related tasks like cover verification.
      • Marketing and Customer Communications: AI personalises customer interactions, automates reports and communications, enables chatbots, content creation, customer sentiment analysis, and generation of marketing materials.
      • Parametric AI Risk Cover: This innovative approach relies on pre-defined parameters (e.g., earthquake intensity) to trigger instant payouts in case of specific events, simplifying the claims process.

Progress and protection

Innovators like Lemonade and FloodFlash reflect the evolution of AI in insurance, and many other companies are now pushing the boundaries for insurtech. Lemonade uses AI to streamline claims through automation and machine learning, while FloodFlash provides instant, parametric payouts for specific events like floods based on parameters such as a water level surpassing an agreed threshold.

It is only by continuous testing and refining that we will maximise the benefits of AI while minimising the risks. Structuring insurance for AI risks is particularly challenging. As Michael Berger, head of Insure AI at Munich Re, says: ‘In principle, every AI system, including every generative AI system, is a probabilistic system. It is technically unavoidable that even if you build the most perfect AI or generative AI model, there will always be a certain probability that the AI will make mistakes.’

There are already many well-documented cases of AI going wrong. For example, Google’s Gemini chatbot generated racially inaccurate historical images, including people of colour depicted as Nazi soldiers, while an Amazon AI-enabled recruitment tool only recommended male candidates, forcing Amazon to scrap the ‘sexist AI’ tool. Additionally, Amazon’s facial recognition software mistakenly identified 28 members of Congress as criminals, highlighting inherent biases within the system.

The need for protection will grow as new use cases are developed and AI increasingly impacts our everyday lives. AI Guarantee Insurance and parametric AI risk cover will help to ensure we balance progress with protection.

For more information and advice on risk management, contact the Elmore team.

Network downtime insurance: A parametric solution

Network downtime insurance provides coverage for financial losses and other negative impacts following an unexpected interruption to a third-party supplier’s network services. Downtime may be caused by power outages, natural disasters, equipment failure, or any other event that prevents a service from running normally.

Digital transformation means there is now a high dependence on suppliers’ technology infrastructures, such as cloud services, to support business activities. While technology is a boon for business efficiency, a network failure is a serious operational risk – especially for businesses that rely on continuous availability, such as retail, healthcare, professional & financial services, and manufacturing.

Even a single hour of downtime can have a huge financial impact. According to recent research from the Uptime Institute, the number of outages costing over US$100,000 has soared in recent years, and over 60% of failures result in at least US$100,000 in total losses. Moreover, a 2022 report from Information Technology Intelligence Consulting (ITIC) puts the hourly cost of downtime at more than US$300,000 for 91% of SMEs and large enterprises.

Network downtime insurance

The cloud is now the backbone of many businesses and is certain to become even more important with the relentless growth of digital services via the internet. Network downtime insurance is a parametric solution to protect businesses from losses arising from network service providers, such as Amazon, Google and Microsoft.

Large businesses usually depend on more than one cloud platform, which means they are less vulnerable than businesses that run on a single vendor’s platform and have highly competitive, time-sensitive models. For these businesses, network downtime insurance can be invaluable, particularly given the growing complexity of networks.

Service interruptions at cloud providers such as Amazon Web Services, Google Cloud, and Microsoft Azure can be hugely damaging. For example, the major outage at AWS in 2021 affected millions of users and disrupted everything from Netflix to fast-food delivery. Given the potential financial impact of an outage, insurers are challenged to quantify the business risks. A client’s loss is an opportunity cost, so how do you calculate a precise figure? Because traditional measures don’t apply, normal loss-based indemnity won’t work, so for a policy to cover network downtime, insurers must use alternative risk parameters.

With parametric insurance, the cover is triggered when the insured’s cloud is down for a period specified in the policy, subject to a time-based deductible and possibly an indemnity per hour, which can simplify the claims process. This approach could be used to monitor cloud downtime, which can shut down e-commerce worldwide.

A network downtime monitoring agent – rather than the insured – would inform the insured and the relevant risk carriers when the policy was triggered, resulting in a swifter claims service. Policyholders would need only confirm that they have suffered a business loss.

Cyber insurance versus network downtime insurance

Although standard cyber insurance covers cloud downtime due to security failure, operational failure, or system failure of the insured’s own operations, it typically does not cover downtime due to non-malicious cyber events at a third-party network service provider.

Most of the carriers that Elmore works with offer business interruption payments actioned by a cyber security incident; however, the business has to be affected for a period (depending on the policy) ranging from 8 to 24 hours or more.

In contrast, parametric solutions are designed to pay after just one hour and so are a useful supplement to cyber insurance policies, where business disruption provisions are triggered only after a longer period.

Like other parametric insurance products, network downtime insurance is based on pre-defined parameters – hence the name ‘parametric’ – and there is no need to negotiate losses or file claims for damages.

Bridging the protection gap

Parametric downtime cover is a valuable way to bridge the protection gap, as cyber insurance is not a blanket solution and a business can be left exposed when normal operations are interrupted by third-party non-malicious cyber incidents. In addition, with the growing reliance on cloud technology, there is even more need to seek adequate cover, particularly for businesses that depend on continuous service.

To understand your downtime risks, speak to an Elmore Cyber Client Executive. We provide insurance reviews to assess your current coverage, whether for cyberattacks or downtime threats from non-malicious third-party events, and will advise on the best insurance for your needs. Contact us today.

Active cyber insurance for autonomous risk

As the use of artificial intelligence (AI) increases, cyber insurers must adopt new technologies to counter the threat of ever more active malicious software (malware) that exploits weaknesses in a business’s network. Malware is continually evolving, and the emergence of malicious AI models such as ChaosGPT underlines the threat of autonomous bad actors and, potentially, the need for autonomous information security.

Because cyber insurers have seen a significant rise in claims in recent years, they are now requiring their policyholders to employ continuous risk monitoring.

The emergence of active cyber insurance

Although improved controls have helped to protect businesses from hackers, cyber resilience has been largely in the hands of the policyholder during the policy period. Insurers have often had no insight into the risk profile of their policyholders until the policy renewed or a claim was made. 

This is where the concept of the ‘active’ cyber insurer comes in – to raise awareness of cyber risks and instil best practice – with insurers using autonomous and active cyber defence mechanisms to counter fast-changing risk environments. 

With its Cybermatics solution, AIG was one of the first firms to adopt real-time cyber security insights and tailored analytics. A similar approach was adopted by Coalition Risk Solutions Ltd, which provides policyholders with personalised profiles of a firm’s ongoing digital risk.

Such organisations are essentially insurtechs with different active insurance propositions. For example, CFC Underwriting, a long-term player in the cyber insurance market, calls itself a ‘proactive insurer’, while a recent entrant to the UK market, Cowbell, offers an ‘adaptive’ approach. The primary aim of these insurers is to help improve the security maturity levels of a business through a technology-based underwriting approach. At the time of writing, other entrants are coming to market with new active cyber insurance solutions.

More than just a policy 

The days are fast disappearing where an insurance policy is the sole offering of a cyber insurer, as this does not recognise the complexities of cyber risk and the need for risks to be actively managed.

Active insurance has three main components: 

  • Active/proactive protection – the provision of monitoring during the lifetime of the policy and alerting policyholders of critical vulnerabilities before they can impact the business.
  • Active risk assessment – a cyber risk survey is an integral part of the underwriting assessment, and a typical report will highlight critical issues and ones that are not so important but, if addressed, would improve the cyber hygiene of the business. Some insurers offer a ‘dashboard’ where policyholders can access the insurer’s technology to address vulnerabilities and other areas that require improvement.
  • Incident response service – Insurers provide a 24/7 incident response service to help policyholders manage a cyberattack. This consists of a panel of experts offering specialist assistance including legal services, forensics, and public relations consultancy. A cyber incident can develop very quickly, and it is essential that help is immediately available.

Additional benefits now generally include training programmes such as simulated phishing attacks and arrangements with partners who can provide cyber security solutions at discounted rates.

SME vulnerabilities 

This business sector is particularly vulnerable to cyberattacks, as SMEs may have limited financial and technical resources to build meaningful cyber resilience. An insurer that can help to build resilience is therefore invaluable as the digital economy and related threats grow. 

Raising awareness with Elmore 

Data has shown that active insurance can mitigate and prevent cyberattacks, reducing loss ratios more effectively than conventional cyber insurance. This allows insurers to offer premiums commensurate with improved risk profiles and continue to provide broad policy coverage.

As cyber risks increase, the role of the active insurer is vital. With the rapid development of AI and new varieties of ransomware, active management of cyber risk will be essential for all businesses.  

At Elmore we are committed to raising awareness of cyber risks and encouraging good practice. To find out more about our risk management services and active approach, contact us now.

How solar flare events impact cyber insurance

The European Space Agency defines a solar flare as ‘a tremendous explosion on the Sun that happens when energy stored in twisted magnetic fields (usually above sunspots) is suddenly released.’ On Earth, a solar flare could have a devastating impact on power grids and cause widespread damage as a result of interconnected risks.

Although there has been little modelling of the risks and minimal loss experience, scientific research is now creating a better understanding of the phenomenon, underlining the severity of the threat and the need to be prepared for solar flare events. For example, the Helios Solar Storm Scenario, a report published by The Cambridge Centre for Risk Studies, provides a catastrophe scenario for a US-wide power system collapse after a solar flare. Furthermore, the Carrington Event, a solar storm in 1859, provided a real-life demonstration of the threat to critical infrastructure – and that in an age without the technology and power systems that would be at risk today.

Counting the cost

The Helios Solar Storm Scenario report highlights the risk exposure across various systemic shocks and serves as a stress test for managers and policymakers. Three different scenarios explored damage distributions and restoration periods, with US insurance industry losses estimated to be between US$55 billion and US$333.7 billion. This range, at the low end, is approximately double the insurance payouts for major natural disasters like Hurricane Katrina and Superstorm Sandy.

The Helios Solar Storm Scenario imagines direct and indirect damage resulting in power blackouts, insurance claims, and economic losses. Global supply chain disruptions are estimated to be between US$0.5 and US$2.7 trillion while the global GDP impact is put at between US$140 billion and US$613 billion. The report proposes three scenario variants (S1, S2, and X1) to capture different levels of damage and restoration times, emphasising the uncertainty surrounding extreme space weather impacts.

The limits of cyber insurance

Typically, cyber insurance policies will not specifically exclude space weather events (yet); however, there is a more general and far-reaching exclusion for infrastructure failure. Namely:

“Electrical failure, including any electrical power interruption, surge, brownout or blackout.”

A cyber insurance policy might also exclude space weather events more directly, as follows:

“Electromagnetic fields, radiation, earthquake, windstorm or other natural peril or any pollution or alleged or threatened discharge, dispersal, seepage, release or escape of pollutants or contamination of any kind.”

Note that cyber insurance policies will usually only cover non-physical damage from a cyber event. Therefore, interruption to revenues, loss of profits, and the increased costs of working as a result of a major space weather event are likely to be excluded. However, it might be possible to claim some cover if the infrastructure which is impacted by the organisation is owned and operated by the policyholder and not a third party.

Given that the probability of a severe space weather event is similar to that of a global pandemic, it is a risk that should not be ignored. It is vital to understand the potential impact of an extreme event such as a solar flare and the strategies which can be deployed to minimise the impact to network operations as well as insurance policy coverage.

For more information and to understand how your insurance portfolio may be impacted by a space weather event, please contact ElmoreCyberTeam@elmorebrokers.com.

Aligning technology terms of service with professional indemnity insurance provisions

SaaS and technology professional services providers face risks in undertaking and implementing their supply of services, including security risks, compliance risks, supplier risk and most importantly execution risk. One way a firm can manage the fallout if these risks materialise is to have a clear terms of service/master service agreement with their customer.

The first line of defence

Technology firms are typically entrusted with managing, accessing, and safeguarding sensitive data and digital assets. As such, they can face challenges as digitalisation increases and bad actors become more adept at exploiting vulnerabilities. Having watertight terms of service is the first line of defence: not only do they establish the rules of engagement, but they also serve as a legal framework to mitigate a variety of risks.

Professional indemnity insurance (PII) is an added safety net that provides financial protection when the terms of service are frustrated as a result of errors, omissions, or negligence in the provision of technology products and professional services. The interplay between standard terms of service and changing insurance policy terms and conditions is key to managing evolving risks and having the requisite policy coverage in place.

The devil is in the detail

Many technology PII policy wordings include clauses that can be broadly interpreted as excluding coverage for certain types of liabilities. For such policies, there are some key terms that should be considered in relation to a firm’s service agreement with its clients:

1. Conditions precedent to liability – if there are any conditions in the policy of this nature, they can require the policyholder to meet certain onerous obligations to be eligible for cover. Accepting liability provisions that align with the services rendered is crucial to ensure that the coverage provided by PII is not inadvertently rendered ineffective.

2. Exclusions for some types of liability – there may be gaps between the liability being accepted in the services agreement and the types of liability being indemnified in the PII policy wording. It is important to run through the PII exclusions to ensure that they do not contradict your terms of service.

3. Notification restrictions in contract – in cases where the PII insurance or accompanying cyber insurance has strict notification requirements, they can conflict with the terms of service. This may prevent notification in line with the policy requirements.

4. Force majeure – acts of God are usually quite broad in contracts; however, a narrower set of scenarios may be present in the PII policy, possibly allowing a wider scope in contract.

5. Disputes – these will typically trigger a notification to PII insurers if they remain unresolved, and there will usually be a mechanism in a PII policy to handle disputes. It is important to ensure alignment with the mechanisms offered in the terms of service.

Expert insights

The relationship between a technology firm’s terms of service and PII liability provisions should never be underestimated or overlooked. It demands a proactive and collaborative approach, where legal experts craft terms of reference that not only reflect the nature of the services but also align seamlessly with the protection offered by PII.

As the technology landscape continues to evolve, firms must pay close attention to potential alignment issues and ensure that they don’t fall short when matching terms of service with PII provisions.

For further information and advice on managing infosec risks, contact the Elmore team.

The New Media Bill – Keeping Pace with Technology

At the end of March this year, the UK Government Department for Culture, Media & Sport published its Draft Media Bill, which updates the legal framework for the media industry. Reform has been discussed for some time, and it is a significant achievement to reach this stage. Part of the Media Bill was heard in the UK Parliament for the first time in July, with the remainder due later this year.

Digital transformation is seen as the principal driver for the Bill, as technology is moving at a fast pace and legislation must catch up with innovation. Media access and demand are greater than ever, and because the on-demand economy requires media content anywhere, anytime, we need both the right permissions and the right technology.

The Draft Media Bill is a lengthy document and the main areas are summarised below:

  • Public Service Television

Introduce a new ‘public service’ remit for the UK’s public service broadcasters: the BBC, ITV, STV, Channel 4, S4C, and Channel 5. Traditional broadcasters such as these are struggling to maintain audience levels and it is hoped that a new remit will help them preserve viewing figures and, in some instances, increase them.

  • Prominence on Television Selection Services

Reform the ‘prominence’ rules so that viewers can more easily locate public service channels on online TV platforms. Current prominence rules state that the public service broadcaster must be listed in the first five slots in electronic programme guides on TV sets. However, these rules do not extend to TV and other user interfaces within online TV platforms.

  • Content

This focuses on Channel 4 and is intended to remove the restrictions that prevent the channel from producing content. Channel 4 will remain in public ownership with the aim of increasing its commercial flexibility and building a presence outside of London.

  • On-Demand Programme Services

Ofcom currently has no power over video on-demand (VOD), so a code will be introduced to protect audiences from any harmful material and to introduce greater accountability. In addition, the aim is to help improve public accessibility to video on-demand (VOD) services.

  • Regulation of Radio and Radio Selection Services

Encourage engagement with the radio industry to obtain a better understanding of the policies and practices of smart speaker platforms such as those offered by Amazon. Also, help maintain the number of listeners on radio stations, with access to be provided to all UK-licensed UK radio stations irrespective of size and to be free of charge.

Elmore Comment

The Media Bill is a significant reform that will shake up the UK media industry and modernise it to protect some of the long-established core media services. It will also encourage the development and growth of new and existing media under a more flexible regulatory regime.

Media liability insurance is a specialist form of insurance providing coverage for areas such as defamation, privacy and breach of infringement. This is generally on a broad civil liability basis in the UK, and we would therefore expect policy coverage to respond to new media risks that may arise following the implementation of this Bill when it eventually becomes law. Having said that, insurers will no doubt maintain a watching brief to manage any new and emerging risks, factoring the risks into their rating assessment of the premium and terms and conditions under which policy coverage is granted.

Don’t Mention Cyber War…

Nation State Attacks

The cyber insurance market is increasingly concerned about the impact of nation state cyberattacks. Cyber activity during the war in Ukraine has highlighted this risk and what might happen if a cyberattack escalated. The NotPetya zero-day attack in 2017 was another warning. Although intended for infrastructure targets in Ukraine, businesses were impacted throughout the world.

As cyberattacks evolve and spread, insurers are well aware of the need to manage this type of risk and ensure the long-term sustainability of the cyber insurance market.

Action by Lloyd’s

Lloyd’s of London has been proactive in addressing this exposure and the Lloyd’s Market Association (LMA) cyber war working party has issued updated cyber war clauses, which came into effect on 31 March 2023. They are to be implemented on standalone cyber insurance policies underwritten by Lloyd’s Managing Agents.

New Cyber War Model Clauses

While the principal aim is to provide clarity for both insurers and insureds, there are two versions. Understandably, this has drawn criticism.

Version A is where attribution of the cyberattack is clearly stated: “in determining attribution of a cyber operation to a state, the insured and insurer will consider such objectively reasonable evidence that is available to them.”

Version B is where there is no agreement on how a cyber operation is attributed to a nation state to determine whether the exclusions operate. For this, Lloyd’s will require evidence of a mechanism that has been agreed with policyholders on a case-by-case basis.

The ‘A’ clauses can be summarised as follows:

1. LMA5564A: This is a blanket exclusion for any losses occurring or in consequence of war or a cyber operation.

2. LMA5565A: Places specific sub-limits on claims payments in the event of cyber operations. This, however, also excludes absolutely those operations launched in war, in retaliation by specified states, or which cause major detrimental impacts to the functioning of a state.

3. LMA5566A: As per LMA5565A (2 above), but there are no specified sub-limits on claims payment.

4. LMA5567A: As per LMA5566A (3 above) but allows coverage in respect of “bystanding assets” (i.e., those that may be impacted by a cyber operation, but not those targeted) resulting from cyber operations causing major detrimental impacts to the functioning of a state.

Snapshot of the ‘A’ Cyber War Clauses

Takeaways

• Lloyd’s Insurers may use wording variations of the NMA clauses, and it is therefore important that these clauses are reviewed during placement of a cyber insurance policy.
• To avoid disputes during claims settlements, new definitions such as “Cyber Operations”, “Major Detrimental Impact” and “Essential Services” should be clear.
• Focus should be given to how attribution is arrived at and that policyholders understand this process.

Outside of the Lloyd’s cyber insurance market we are seeing other leading cyber insurers adopt their own clauses using different terminology which has been driven by their reinsurers. We are also seeing insurers who have not yet imposed new cyber war clauses. The market has therefore not reached consensus on this important issue.