London Market Brief July 2019: cyber insights
A roundup of recent cyber-related developments, including the black box effect in ship risk profiling, GDPR fines from the ICO, silent cyber risks, cyber threats to the life sciences sector, insuring the emerging offshore digital assets industry and claims transformation in Latin America.
Black box effect in ship risk profiling
While the benefits of the data science techniques are wide ranging, there have been questions raised about some potential implications, such as the ‘black box’ effect, when human intervention is removed entirely.
In the maritime sector, inaccurate automated predictions may lead to denial of services/goods or unjustified discrimination: underrated vessels may sustain damages and/or losses arising out of incorrect automated assessing of insurance, safety or environmental risks, together with inaccurate setting of insurance premiums; overrated vessels may be posing increased risks to the shipping industry.
The maritime industry should be aware of the importance of having effective safeguards against the ‘black box’ effect in ship risk profiling.
Related item: Black box effect in ship risk profiling
Why is the Information Commissioner’s Office like the England Cricket team?
In addition to issuing Notices of Intention to fine to both BA and Marriott, the ICO has recently published its annual report which includes confirmation that Cathay Pacific will be subject to investigation as a result of unauthorised access to the personal data of 9.4 million customers in 2018.
The level at which these fines have been issued will likely reverberate across Europe, but whether we will achieve cross-jurisdictional consistency of future fines remains to be seen, especially given two of the major organisations mentioned in the ICO’s annual report are based outside of the EU.
- Why is the Information Commissioner’s Office like the England Cricket team?
- The ICO’s first public demonstration of power and its reverberations through the business community
'Silent cyber' – have you heard it?
The term 'silent cyber' has developed to describe losses that are seemingly remote but can be covered by traditional insurance policies not written with cyber exposures in mind and that, as a result, do not expressly include or exclude cyber risk.
The most commonly used cyber exclusion in marine - the Institute Cyber Attack Exclusion Clause (CL380) - fails to account for non-malicious risks. Dating back to 2003, CL380 could not have foreseen the threats that cyber risks present today and, as such, is currently under review. Used in isolation, it does not exclude silent non-malicious cyber risk.
The rapid increase of cyber perils creeping into conventional lines of business has resulted in the Prudential Regulation Authority and Lloyd’s calling on insurers to address this issue as a matter of urgency.
Contacts: Michael Biltoo and Ingrid Hu
Related item: 'Silent cyber' - have you heard it?
Charles River attack places spotlight on the cyber threat to the life sciences sector
The pharmaceutical industry is one of the most targeted industries for cyber attacks, suffering from a 150% increase in the past year alone.
Life science companies may hold both acutely commercially sensitive information (e.g. R&D related and intellectual property) and also hold special category personal data such as medical records from clinical trials.
Life science companies must continue to educate staff in cyber security and make sure they understand from board room to shop floor the threats faced. Concepts like data separation and two-factor authentication should be familiar to everyone. The cyber threat environment is constantly and rapidly evolving and seems unlikely to become more benign any time soon.
Taming the Wild West: insuring the emerging offshore digital assets industry
The recent announcements that Google and Facebook will be entering the cryptocurrency space, and that a number of major US retailers will be accepting payment in cryptocurrencies, adds much needed credibility and confidence to the digital assets industry.
This means that it is unlikely to be long before digital assets go mainstream and impact our everyday lives. Insurers will therefore increasingly have to confront the risks presented by digital assets and to develop appropriate expertise. In doing so they might follow the progress in offshore financial centres as they lead the charge in seeking to regulate this challenging but rapidly emerging sector.
Contact: Mark Chudleigh
- Taming the Wild West: insuring the emerging offshore digital assets industry
- Bitcoin is not considered as legal tender
Technology is transforming claims in Latin America
Over the past five years Latin America has seen a rise in the prevalence of cyber risk. Financial institutions have been the main target, particularly via social engineering; the manipulation of employees into breaking security procedures to gain access to systems or networks. A 2018 report found that 92% of banks in the region had reported some kind of digital security event, with the average cost of an attack placed at US$1.9 million.
As a result, the region has seen a demand-driven expansion in the underwriting of standalone cyber risks. Regional insurers’ greater adoption of technology could provide more efficient/streamlined means of dealing with a potential rise in the notification of direct standalone cyber claims.
Related item: Technology is transforming claims in Latin America