Technology

Airtags in bags? Dangerous goods regulations could revisit their use

Following a flurry of press coverage about lost baggage in late 2022, the prevailing view is that tracking devices such as the Apple Airtag or Samsung Galaxy Smart Tag are permissible in checked luggage, and do not constitute a breach of aviation dangerous goods regulations issued by the International Civil Aviation Organisation (ICAO). The US Federal Aviation Administration has stated “luggage tracking devices powered by lithium metal cells that have 0.3g or less of lithium can be used on checked baggage”. The European Aviation Safety Agency by contrast notes Regulation (EU) 965/2012 on air operations places responsibility on airlines, saying the devices are allowed as long as they have no impact on the safe operation of the aircraft. Typically these tags operate with a CR2032 battery containing around 0.1g of lithium. The reality is that these devices are basic and exist to track location, operating as little more than a GPS-style beacon. However, technology has perhaps moved more quickly than the regulators, and we foresee ICAO issuing more specific guidance to provide further clarity.

UK space operations will be Cosmic

For 2023, the British Space Age will be well and truly established as rocket launches to place satellites in orbit are expected from Cornwall and elsewhere. In October 2022, the modified Boeing 747, Cosmic Girl, arrived at Newquay Airport in anticipation of regular satellite launch operations from Spaceport Cornwall (the UK’s first horizontal launch spaceport). This B747 aircraft has been converted to carry and release a rocket which will then propel attached satellites into orbit. Further, we expect that the growing development of UK space facilities, from Cornwall to the Shetland Islands, where capabilities permit, will begin to host private, human spaceflights and sub-orbital hypersonic flight, at first for those willing and able to pay the substantial costs of recreational travel to the edge of space, but subsequently developing into potential scheduled passenger worldwide point-to-point transportation and cargo operations. In terms of insurance, evolving space operations have the potential to see the further development of policies that insure bodily injury for space passengers, spaceflight delay and cancellation, and D&O liability as regards the management of space operating companies.

Technology holds the solution to post pandemic labour shortages

2023 is likely to see further disruption to scheduled passenger flights across UK airports as labour shortages within the industry look set to remain an issue. These staff shortages (both in terms of recruitment and retention) impact across the board: from airport staff to third-party providers, ramp agents and UK Border staff. UK airports and airlines are finding it particularly challenging to hire workers from the European Union in the light of restrictions imposed following the UK’s departure. In addition, many job cuts in the industry left the existing workforce sceptical about returning to the airline business. Jobs need to be redesigned and new business models and decision-making processes need to emerge to help with the labour shortage. Technology has a key role to play and this must be introduced in partnership with employees. The buzzwords will be automation, electrification, digitalisation and data sharing. It is no longer a question of re-using old strategies but defining new norms for a sustainable future workplace.

Digitisation of claims to spread further into casualty claims

The relative complexity of employers, public liability and occupational disease claims compared to low value motor claims has meant that digital processes have not been as heavily embedded into the conduct of those claims to date. Digitisation of injury claims and litigation has primarily focused on low value motor claims, with simplification directed at systems such as the Official Injury Claims Portal. However, the recent mandatory expansion of the Damages Claims Portal (DCP) represents a significant extension of digitisation to casualty claims and subsequent litigation processes as a whole. We expect the capabilities of the DCP will be increased in the coming months to include further elements of the litigation process. Recent proposals to extend compulsory mediation for lower value actions also highlight the expected direction for the handling of casualty claims in the future.

Connected products legislation to add regulatory burden

Usage of internet connected products will continue to increase, yet these products are an often overlooked element of cyber security and risk. Although it is expected that connected products have some basic element of inbuilt cyber security, it is a legitimate concern that many do not. In an effort to rectify this, legislation is required. The UK Product Security and Telecommunications Infrastructure Act recently received Royal Assent. This Act, alongside the European Commission proposals for a Cyber Resilience Act, places additional regulatory burdens on both software and hardware manufacturers to strengthen the cyber security of digital products. The UK Act, via regulations yet to be laid, will place duties relating to security requirements and compliance on manufacturers and importers of connectable products to be used in the UK. The EU model would introduce common rules for manufacturers, developers and distributors to ensure the security of connected products. For insurers and businesses, the possible monetary sanctions under both pieces of legislation are significant. The legislation, and subsequent regulations in the UK, need to be closely scrutinised to ensure a progressive plan for compliance is in place.

Ransomware attacks will continue to dominate cyber-security landscape

Ransomware attacks are becoming increasingly sophisticated as cyber-criminals evolve their methods by using expansive infrastructure and multiple malware tools to exploit vulnerabilities. Stolen credentials obtained by phishing scams remains one of the most common ways to launch ransomware attacks on businesses and government organisations. The shift to a hybrid working environment and virtual conferencing alongside the development of ‘deep fake’ technology has been a crucial factor. The ever complex threat landscape requires a multi-layered solution that combines anti-malware, data loss prevention, email security, endpoint detection response, vulnerability assessment, patch management, remote monitoring and backup capabilities. Staff training and public education also have key roles to play.

Beware director liability for failure to ensure cyber security for connected devices

Stringent requirements at both UK and EU level will increase governance on cyber security for connected devices. Directors should pay careful attention now because prevention is always better than cure. The UK government has recently passed the Product Security and Telecommunications Infrastructure Act, which aims to protect consumer connectable devices from cyberattacks. ‘Smart consumer’ products will need to be designed more securely against cyberattacks at the manufacturing stage. Any non-compliance risks fines of £10mn or 4% of global revenues (similar to the GDPR). Similarly, the European Commission has proposed the introduction of the Cyber Resilience Act for products with ‘digital elements’. Any non-compliance risks an administrative fine of up to €15mn or up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Boards will face increasing scrutiny over the coming years. Now is an opportune moment for directors of companies in this sector to review their cyber security obligations for existing and future products to ensure compliance.

Cyber war endorsements will invite innovation

Cyber war endorsements are like buses: after a prolonged absence of new clauses, there are now several different options available to cyber underwriters. These include the LMA market clauses (LMA5563- 5567), the Marsh/Munich Re clause introduced in Spring 2022, plus a range of bespoke responses from leading insurers in this space. The LMA group has reconvened to review this further. This has been brought into focus by the conflict between Russia and Ukraine, and associated events such as the Viasat satellite attack and damage to the Nord Stream pipeline. Finding solutions that limit exposure to systemic risks but do not impede commercially attractive solutions for the market is challenging. While we appreciate the need for consistency across towers, and back-to-back provisions with reinsurers, further innovation is welcome in identifying acceptable solutions.

On board charging of electric vehicles will significantly increase fire risks

With the increased prevalence of electric vehicles (EVs), ensuring the sufficient supply of electric charging infrastructure is an imperative, as was recognised as far back as 2018 and incorporated into Part 2 of the Automated and Electric Vehicles Act 2018. The issue of safety is paramount, owing to the fire risks associated with the size of high-voltage Lithium-ion batteries required to power an EV, and their propensity to burn at high temperature without the need for oxygen. This risk is most pronounced where large numbers of vehicles (including EVs) are contained in confined spaces, such as underground car parks, and especially roll on – roll off (ro-ro) ferries, where there is also a risk to life for passengers. In July 2022, the UK’s Maritime and Coastguard Agency issued safety guidance for EV charging on ro-ro ferries, which recommends charging infrastructure should, where possible, be positioned on the weather deck which is more easily accessible in the event of an electrical fire. Marine insurers will face increased exposure to loss events caused by on board EV charging on ro-ro ferries, and should undertake a comprehensive risk assessment when underwriting such business.

Telemedicine technology is here to stay but may increase risks

COVID-19 significantly reduced the frequency of face-to-face consultations and caused a seismic shift to telemedicine, particularly the use of video consultations, which is here to stay. Telemedicine technology reduces the spread of infectious diseases in clinics and enables swift access to healthcare at a distance with associated cost and time-saving efficiencies. However, the virtual doctor-patient relationship poses risks. Doctors will need to exercise caution to avoid misdiagnosis and to ensure that older or less tech-savvy patients remain able to access medical services. Doctors should have a low threshold for calling their patients in for face-to-face consultations, physical examination and assessment. If not, it is inevitable that serious conditions will go undiagnosed, increasing claims brought by patients.

Healthcare AI litigation will raise liability apportionment issues and litigation costs

The benefits of healthcare artificial intelligence (AI) are already being seen in radiological analysis. However, as more AI devices come to market, there will also be increased risks. For example, as the devices self-learn, the thought processes by which they make decisions may not be transparent (known as the ‘black box problem’). The present law of medical negligence is ill-equipped to deal with AI, causing uncertainty over how claimants will litigate AI claims. Will they pursue AI claims through Bolam negligence, on the basis that the AI product should be judged according to the same principles as a human clinician? Will they pursue these claims as product liability claims? Or even a mixture of both? In addition, there will be the question of how blame should be apportioned between clinicians and AI producers. These factors will increase litigation complexity and costs.

Genomic technology will provoke new questions

The UK is at the forefront of the use of genomics (the body’s genes) in healthcare. This allows a more targeted, effective and tailor-made approach to patient care based on an individual’s needs. It can lead to early diagnosis or even the prevention of medical conditions. But genomics may raise patient expectations and when expectations are not met, litigation often ensues. As genomics play a larger role in healthcare, questions relevant to medical negligence liability will start to shift from “why didn’t you diagnose my condition?” to “why didn’t you prevent my condition from developing in the first place?” Genomics, like AI, is a new frontier which introduces new legal issues. Not only will there be different questions asked around liability, but they will be asked of different people. Genomics will see a new hybrid professional, the bioinformatician, whose role will straddle medicine and large data and who will sit at the heart of the provision of genomic-based healthcare. What’s more, questions will be asked by different people: not only will injured parties bring claims but we can expect to see representative actions pursued by sectors of the population who perceive unfair discrimination in the creation and availability of such personalised healthcare.

Data integrity risks will remain a significant challenge

The healthcare industry is rapidly onboarding technologies to improve operational efficiencies and deliver better patient-centric care. Both artificial intelligence (AI) and genomics rely on the generation of big data for algorithms and prediction models, but this comes with data integrity risks. Cyber security, data misuse (such as discrimination between population subsets) and data privacy claims are on the rise and remain a challenge for the industry. The availability of clinician performance data, while promoting transparency and the evaluation of healthcare quality, also creates litigation risk and the need for bespoke insurance covers supported by individualised ratings.

Usage and behaviour based pricing will make further inroads

As consumers look to generate savings on their outgoings during the cost of living crisis, behaviour based insurance products, such as motor, are likely to generate increased business. While publicity around policies involving telematics data has often focused on younger and ‘unsafe’ drivers, more people may now be prepared to re-evaluate these policies given the prospect of reduced premiums and additional discounts. Beyond ‘pay how you drive’ policies, other types of coverage, such as ‘pay-per-mile’, may find a new audience. The mass adoption of remote working caused by the pandemic has been maintained to a significant extent, and usage based coverage may prove to be attractive to drivers who no longer contend with the daily commute five days a week.

Transport infrastructure and legislation will remain obstacles

Vehicles equipped with automated lane keeping systems (ALKS) are expected to become available in the UK market by 2024, and the government has repeatedly indicated that it plans on classifying ALKS as automated driving for the purposes of the Automated and Electric Vehicles Act 2018. Without adequate updating of the road network infrastructure, including clear lane and intersection demarcation, ALKS will have difficulty functioning properly and safely on all motorways and dual carriageways. Additionally, the government has stated that further primary and secondary legislation is needed to ensure the safe introduction of automated vehicles. The government has already scrapped the Transport Bill mentioned in the last Queen’s Speech and has indicated that a more focused future transport bill will be put before parliament. Realistically, however, there will not be time for a new bill before late 2023.

Will AI uptake save the NHS?

NHS waiting lists have passed seven million and the Care Quality Commission’s annual report has warned that the health and care system is gridlocked and unable to operate, with staff struggling to provide good, safe care as a result. Recruiting more staff alone won’t be enough to solve the crisis. Hopes are pinned on the MedTech sector to provide solutions to improve patient outcomes and facilitate the transformation to more sustainable models of health and care. Software as a medical device (known as SaMD) and AI have grown in market share and complexity, with products that could not have been imagined when existing regulations around medical devices were developed. The Medicines and Health products Regulatory Agency has published a roadmap setting out how it will create a regulatory regime that protects patients while at the same time providing certainty to industry.

Onshoring efforts will bring about new insurance exposures

The UK will need to develop a strategy for development of its domestic semiconductor and other technological industries. Insurers will be mindful that any such moves, encouraging resilience in a time of geopolitical uncertainty, will generate the writing of new business. This in turn will lead to possible liability and recall exposures in the future. Reliance on countries like Taiwan for supplies of crucial components such as batteries and semiconductors is no longer in the wider strategic interest. The EU, via the proposed European Chips Act package, has made moves to strengthen Europe’s semiconductor industry and technological capabilities. The UK, like the EU, has huge commitment to economic growth through electric vehicle production but the manufacturing infrastructure for their components will need to be supported domestically. For insurers, the spectrum of insurance required to support this infrastructure represents opportunity but generates consequent risk.

Education: Cyberattacks on educational institutions will increase

Educational institutions continue to be an attractive target for cyber criminals due to the high number of potential access points and the sensitive information and data held. Attacks have increased markedly over the last two years, partly due to the shift to online learning following the pandemic which has given hackers more opportunity to exploit vulnerabilities. The government’s Cyber Security Breaches Survey 2022 provides a clear illustration of the extent of the problem, with 62% of higher education institutions reporting experience of breaches or attacks at least weekly. That same report reveals that awareness of government guidance and initiatives needs to improve dramatically, particularly in primary schools. Insurance can help to deal with the aftermath of an attack but, with the education sector increasingly targeted, it will become more difficult to obtain and more stringent requirements will be imposed. Schools and colleges must make cyber-security a priority and should, as a minimum, ensure that they comply with the cyber-security standards issued by the Department for Education.

Technology Professionals: Challenging economic circumstances may lead to more tech E&O claims

Rising inflation and the increased cost of energy, resources and wages is likely to lead to an intensified search for technological/IT solutions to optimise production and to enable companies to stay competitive. As with any new and potentially untested technology, there will be risks. Expectations may be high but with constrained budgets the opportunities for testing and development may be limited. There is also a real risk that these technological solutions are oversold or fail to meet expectations during development or deployment, leading to claims against technology advisers or providers. Claims can also be expected in respect of projects which, with the passage of time, have become obsolete or economically unviable due to the changing economic environment.

Australia: Reforms to the Australian Privacy Act will be implemented

Following the spate of high-profile breaches affecting large organisations in Australia, changes and reforms to the Australian Privacy Act are due to be urgently implemented in 2023. These changes have been flagged since 2019, but have inexplicably remained on the backburner until now. While there is much fanfare about the scope of these reforms, particularly around increased penalties, we are likely to see the Privacy Act being more closely aligned with global privacy laws. In addition to greater penalties being levied for privacy breaches, we will also see previously exempt small businesses being subject to the Act, individuals having greater rights (including a right of direct action for privacy interference) and regulators having greater enforcement powers. We will also see heightened scrutiny of organisations and the way personal information is being collected, held and disclosed. These changes will consequently result in higher risks for insurers, particularly for third party liability claims, class action lawsuits and directors’ and officers’ liability. As the third-party liability landscape continues to evolve, some specific risks under cyber policies may need to be carved out into stand-alone policies to cater for specific phases of a cyberattack. This may include separate policies for first party costs and third party cyber liability policies, or specific policies/endorsements for ransomware cover.

Australia: The cyber blame game will continue and recoveries will increase

We will continue to see an increase in claims against IT professionals following cyber events, as well as a rise in software provider cyberattacks that result in more significant aggregation risk for insurers. Although these claims arise in several ways, we are likely to see more claims against managed services providers (MSPs) and cloud services providers (CSPs) that are responsible for hosting the data of their clients, and are themselves a victim of a cyberattack. In this way, the cyberattacks gain a greater impact surface to leverage against the victims. These claims are usually founded in an allegation that the MSP or CSP did not have adequate cyber-security measures in place to prevent attacks. It is often also alleged that the MSP and CSP did not comply with its contractual obligations regarding backups. The affected clients typically seek compensation for the costs of responding to the incident, reconstituting/recovering their data and business interruption. We are also seeing an increased appetite among cyber insurers for subrogated recoveries against IT professionals, as cyber insurers look to mitigate their costs of assisting insureds in response to cyber incidents.

Australia: Green hydrogen will fuel a new energy insurance market

Analysts have estimated the green hydrogen market could be worth US$10trillion by 2050. Given the market potential and the many green hydrogen projects already planned, including the US$32bn Asian Renewable Energy Hub in Australia’s Pilbara region, energy insurers should expect to see a significant increase in global demand associated with constructing and operating green hydrogen plants and pipelines. Green hydrogen developments are a positive news story for the world. However, the new technology comes with risks that underwriters will need to consider carefully. For example, green hydrogen is highly flammable and is difficult to store and transport. While these issues are being addressed through extensive global research and development, insurers will need to stay on top of these developments. This includes monitoring how the marine industry embraces ammonia, a fuel derived from green hydrogen, as a potential transportation solution.

Australia: There will be positives and negatives to battery technology

Efficient power storage is a key element of a low-carbon economy. Lithium-ion batteries are proving a popular solution as they are rechargeable, have a high energy density, no memory effect and low levels of self-discharge. However, they are also risky as they contain flammable electrolytes. Manufacturing defects, physical damage/abuse and incorrect charging have been linked to uncontrolled thermal venting/ runaway of cells. Lithium-ion batteries have been linked to many fires, including a significant fire incident involving a Tesla battery project in Australia. These fires are intense and difficult to bring under control, so determining causation can also be complex. Lithium-ion battery storage and transportation, including issues associated with dangerous goods classifications for sea carriage, and disposal are other issues that are causing concern for insurers. While the search continues for ways to make battery technology more stable, risks are being managed with quality products, active maintenance and fire prevention strategies.

Australia: Cyber piracy will be a key concern for shipping companies

Cyber risk is now front and centre for the shipping industry following numerous high profile incidents, such as the Petya cyberattack, the 2020 cyberattack on CMA CGM’s systems, the ransomware attack against the Colonial oil pipeline in the US in May 2021 and, in March 2022, the cyberattack on global logistics company, Expeditors. The issue is also a key focus of regulatory guidance from the International Maritime Organisation. With the increased interconnectivity between vessels and shore based systems, use of automated systems and the development of unmanned or autonomous vessels, the spectre of a significant physical damage loss at sea looms larger. To date, most cyberattacks in the shipping industry have focused on onshore operations, but it is conceivable that cyber criminals could take control of vessels at sea. A common vulnerability is the industry’s generally low level of preparedness for cyber incidents, including low levels of risk awareness, ineffective procedures and high levels of human error in offshore security breaches.

Australia: Regulators and financial lines insurers alike will turn their gaze on crypto-assets

2022 was characterised by insurers beginning to offer products for the unique specialist risks represented by the crypto-asset ecosystem (including coin issuers and digital currency exchanges) after many years of underinsurance. The kinds of insurance that have become available include many of the traditional policies a corporate entity would be expected to purchase, but with a purpose built focus, such as crime, professional indemnity and D&O insurance. Traditionally, insurers have been sceptical of these risks, particularly due to regulatory uncertainty about whether crypto-assets will be treated as regulated ‘financial assets’ or not. With international regulators casting a closer eye over crypto-asset offerings as time goes on and, in many jurisdictions, working towards enacting specific legislative amendments, 2023 may represent the perfect storm for the captive market of crypto-asset providers to be seized on by financial lines insurers. The risks associated with these assets vary in maturity across jurisdictions, however increased regulatory certainty will steadily temper this and give insurers more confidence to enter the market.

Germany: The No.1 cyber threat will remain ransomware

Press releases, statistics from authorities and day to day claims practice show the foremost cyber threat is still ransomware. Even though many companies are now in a much better position than they were a few years ago, it is difficult, especially for small and medium-sized enterprises, to maintain the corresponding organisational and human resources. For the insurance industry the situation will remain challenging. Most of these cases result in high costs. At the same time, a binding and uniform IT security standard is lacking in most countries. However, a lot has happened in Germany recently. It will be interesting to see whether these standards also become established in insurance contracts, as has long been the case with comparable technical requirements in property and product liability insurance.

Germany: ECJ decision on damages under the GDPR will be critical

One of the most important provisions of the General Data Protection Regulation (GDPR) is Art. 82 on damages for infringement. In the form of non-material damage, the GDPR has introduced a new concept for many EU states. However, many important questions remain unresolved. A recent Opinion of the EU Advocate General provides hope that some of these questions will soon be answered by the ECJ. The decision will be very important for cyber insurers. Data risk and data breach cover in cyber insurance is a sleeping giant. It is not uncommon for claimants to use a claim under Art. 82 as a threat. Against this background, the Advocate General rejected the use of Art. 82 GDPR as a claim for punitive damages. Furthermore, he was of the opinion that Art. 82 does not contain a presumption of damage in favour of the claimant. However, he did not find a de minimis limit. It will be interesting to see if the ECJ will share this view, because it can be a major challenge when companies and their insurers are faced with cases involving a large number of very small claims. The ECJ’s decision on such a central issue will be critical and should be closely monitored.

Latin America: Cyber products and regulation will accelerate

In recent years we have seen how cyberattacks have become more sophisticated and the businesses affected have extended from financial institutions to governments, digital platforms, large retailers and energy companies. As a result, we are seeing an increase in the purchase of specific cyber-related insurance products. Latin American countries are starting to react to this trend with new laws to increase safety standards for public entities and critical infrastructure; protocols being established in large companies; and new criminal sanctions. Latin American countries will now start facing issues such as silent cyber, prohibitions on ransoms and the need for further regulation, all of which will require local markets to collaborate with the international insurance sector.

Latin America: InsurTech will develop in response to inflationary pressures

The winds of an imminent global recession are already affecting the way in which the different markets and sectors are defining their strategies for the future. Although each industry will react differently to their unique challenges, what is common to all areas is that it will be necessary to redefine the traditional ways of doing business and to adapt to a global market with high rates of inflation and devalued currencies. An additional effect of high inflation in LatAm is to reduce the appetite of consumers to buy new insurance. Although we have previously expected high growth margins in various countries in the region due to the low penetration rate, inflation and premium increases are creating additional obstacles. However, technology offers real opportunities in the search for efficiency. We therefore expect these pressures to lead to an increase in the development of the Insurtech industry in LatAm.