The Global Insurance Market and Change: Emerging Technologies, Risks and Legal Challenges (Lloyd’s Insurance Law Library), edited by Anthony A. Tarr et al.


THE GLOBAL INSURANCE MARKET AND CHANGE

LLOYD’S INSURANCE LAW LIBRARY


Series Editors: Robert Merkin and Malcolm A. Clarke
Directors’ and Officers’ Liability Insurance
Adolfo Paolini and Deepak Nambisan

Insurance Law and the Financial Services Ombudsman Service
Judith P. Summer

Reinsuring Clauses
Ozlem Gurses

Insurance Disputes
Third Edition
The Right Honourable Lord Mance, Iain Goldrein QC and Robert Merkin

The Law of Liability Insurance
Malcolm A. Clarke

Lloyd’s
Law and Practice
Julian Burling

Systemic Risk and the Future of Insurance Regulation
Edited by Andromachi Georgosouli and Miriam Goldby

Chinese Insurance Contracts
Law and Practice
Zhen Jing

The Law of Liability Insurance
Second Edition
Malcolm A. Clarke

Good Faith and Insurance Contracts
Fourth Edition
Peter MacDonald Eggers QC, Simon Picken and Patrick Foss

The Law of Compulsory Motor Vehicle Insurance
Özlem Gürses

Directors’ and Officers’ Liability Insurance
Adolfo Paolini and Deepak Nambisan

The Global Insurance Market and Change
Emerging Technologies, Risks and Legal Challenges
Edited by Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson

For more information about this series, please visit: www.routledge.com/Lloyds-Insurance-Law-Library/book-series/LILL

THE GLOBAL INSURANCE MARKET AND CHANGE

EMERGING TECHNOLOGIES, RISKS AND LEGAL CHALLENGES

EDITED BY ANTHONY A TARR, JULIE-ANNE TARR, MAURICE THOMPSON AND DINO WILKINSON

First published 2024
by Informa Law from Routledge
4 Park Square, Milton Park, Abingdon, Oxon OX14 4RN

and by Informa Law from Routledge
605 Third Avenue, New York, NY 10158

Informa Law from Routledge is an imprint of the Taylor & Francis Group, an informa business

© 2024 selection and editorial matter, Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino
Wilkinson; individual chapters, the contributors

The right of Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson to be identified as
the authors of the editorial material, and of the authors for their individual chapters, has been asserted in
accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by
any electronic, mechanical, or other means, now known or hereafter invented, including photocopying
and recording, or in any information storage or retrieval system, without permission in writing from the
publishers.

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-1-032-29813-9 (hbk)
ISBN: 978-1-032-33309-0 (pbk)
ISBN: 978-1-003-31905-4 (ebk)

DOI: 10.4324/9781003319054

Typeset in Times New Roman
by Deanta Global Publishing Services, Chennai, India

Lloyd’s is the registered trade mark of the Society incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.
CONTENTS

List of Editors
List of Contributors

CHAPTER 1 INTRODUCTION
Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson

CHAPTER 2 BIG DATA, ARTIFICIAL INTELLIGENCE AND INSURANCE
Dino Wilkinson, Alec Christie, Anthony A Tarr and Julie-Anne Tarr

CHAPTER 3 ON-DEMAND INSURANCE
Anthony A Tarr, Julie-Anne Tarr and Antton Peña

CHAPTER 4 EMBEDDED INSURANCE
Angus McDonald, Kirsty Paynter and Ernie Van der Vyver

CHAPTER 5 DISTRIBUTED LEDGER TECHNOLOGY AND BLOCKCHAIN: INSURANCE
Lee Bacon and Julie-Anne Tarr

CHAPTER 6 PARAMETRIC INSURANCE
Wynne Lawrence, Julie-Anne Tarr, Nigel Brook, Meg Chaperon and Arnaud Sorel

CHAPTER 7 AUTONOMOUS VEHICLES: LIABILITY AND INSURANCE
Julie-Anne Tarr and Anthony A Tarr

CHAPTER 8 AUTONOMOUS SHIPS: LIABILITY AND INSURANCE
Maurice Thompson and Martin Davies

CHAPTER 9 UNMANNED AERIAL VEHICLES: LIABILITY AND INSURANCE
Maurice Thompson, Anthony A Tarr, Julie-Anne Tarr and Simon Ritterband

CHAPTER 10 THE RISE OF FINTECH: LIABILITY AND INSURANCE
Karen Boto, Georgia Amos, John Moran, Jennifer Robbins and Jordan Welden-Iley

CHAPTER 11 CYBER RISK AND INSURANCE
Reece Corbett-Wilkins, Chris McLaughlin, Adam Taylor, Stuart Lloyd, Caitlyn Bellis, Ruth Yeend, and Kirsty Paynter

CHAPTER 12 PROFESSIONAL INDEMNITY INSURANCE
Darryl Smith, Kirsty Paynter and Steven Donley

CHAPTER 13 PANDEMICS AND INSURANCE
Gary Meggitt

CHAPTER 14 CLIMATE CHANGE AND INSURANCE
Nigel Brook, Wynne Lawrence and Zaneta Sedilekova

CHAPTER 15 CLIMATE CHANGE: LIABILITY RISK
Nigel Brook, Wynne Lawrence and Lucia Williams

CHAPTER 16 CONCLUSION: NEW AND EVOLVING CHALLENGES AND OPPORTUNITIES
Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson

Index

EDITORS

Dr Anthony A Tarr
BA, LLB (Natal), LLM (Cambridge), PhD (Canterbury), PhD (Cambridge).
Senior Consultant, Clyde & Co, Brisbane
Director, Robyn Ashton Consulting Pty Ltd, formerly Vice Chancellor, University of
the South Pacific; Dean and Professor of Law, Indiana University – Indianapolis School
of Law; Dean and Sir Gerard Brennan Professor of Law, T C Beirne School of Law, The
University of Queensland, and Dean and Foundation Professor of Law, School of Law,
Bond University; author of ten books/treatises including Insurance Law in New Zealand
and Australian Insurance Law and, most recently, as a general editor/author of Drone Law
and Policy: Global Development, Risks, Regulation and Insurance.
Chairman, managing director or non-executive director of various commercial and
resource sector companies, formerly chief executive officer of the Queensland Law
Society, director of the Indiana Bar Foundation and Chairman of the Fiji Law Reform
Commission.

Professor Julie-Anne Tarr


BA (Wisconsin), JD (Cornell), LLM (Monash), PhD (Queensland).
Professor of Commercial Law, Faculty of Business and Law, Queensland University
of Technology and an experienced Board Director and Chair. She specialises in insurance
and risk management, regulation of emerging technologies, commercialisation
(IP) and complex contracting. Author of more than 100 articles, law reform reports, and
seven books/treatises in the insurance law area, including Disclosure and Concealment
in Consumer Insurance Contracts, Laws of Australia: Insurance and, most recently, as a
general editor/author of Drone Law and Policy: Global Development, Risks, Regulation
and Insurance.
A well-known industry speaker, she has held professorial and senior executive roles
in the United States, South Pacific and Australia including at Queensland University of
Technology, Indiana University, University of the South Pacific, the QIMR Berghofer
Medical Research Institute and Queensland’s Litigation Reform Commission.

Maurice Thompson
LLB (Bond), LLM (Shipping)(Hons)(Cape Town), LLM (Admiralty)(Distinction)(Tulane).
Partner, Clyde & Co, Melbourne and Perth.
Maurice qualified in 1992 and has 31 years’ experience advising clients in the insurance,
shipping, energy, offshore oil & gas, resources & mining, commodity trading, aviation,
drones and ports sectors, both domestically and internationally.
Notwithstanding that his expertise is originally in marine and he leads Clyde & Co’s
“Energy, Marine, Natural Resources” group in Asia Pacific, Maurice is a lawyer with a
proven growth mindset, evidenced by (i) founding Clyde & Co’s market leading insurance
subrogation practice in Dubai in 2016, utilising a captive corporate vehicle to drive
contingency returns; (ii) founding Clyde & Co’s first to market cross-sector Global Drones
Group in 2019, introducing and developing opportunities for insurance underwriters, corporates
and regulators across a myriad of sectors. As part of this initiative, he co-authored
and was a General Editor of the ground breaking text book Drone Law and Policy: Global
Development, Risks, Regulation and Insurance published by Informa UK Limited; and
(iii) developing a leading global reputation with litigation funders, private equity and
corporates for successfully pitching complex cases to achieve disputes financing, with
a remarkable record to date of 10/10 across a wide range of ‘bet the company’ and news
headlining cases, for 8 different litigation funders globally.

Dino Wilkinson
Partner, Clyde & Co, Abu Dhabi.
Dino is recognised as one of the leading technology lawyers in the Middle East and was
named in The Legal 500’s Hall of Fame for his work in technology, media and telecommunications
law. Dino has advised clients throughout the region on technology transactions,
data protection and cybersecurity for more than 15 years. He has also worked with
governments and regulatory authorities in the region on a number of significant legislative
developments in this area, including the drafting of electronic commerce laws, data-sharing
regulations and privacy legislation. Dino’s expertise spans all types of technology-related
transactional and advisory work, including support for technology startups and
advice for established clients on digital transformation projects. He has worked on matters
of regional and international significance, including mobile app and internet product
launches, national digital wallet schemes and a national health insurance information
exchange platform. Dino’s clients include government departments and ministries, state-owned
entities and private sector organisations in the Middle East, including insurers,
brokers and corporates. He also helps international clients to navigate legal and regulatory
challenges in the region.

CONTRIBUTORS

Georgia Amos Associate, Clyde & Co, London.


Georgia has a dual role as an Associate in the London Cyber Risk team and as Global
Cyber Practice Product Manager, having joined the cyber practice following her time in the
Clyde & Co Data Lab. Georgia has experience routinely advising clients in their response
strategy to cyber security incidents, including negotiating with threat actors, co-ordinating
forensic cyber investigations, undertaking data mining reviews, guiding PCI-DSS investigations
and responding to formal data subject claims. Georgia has also advised on the
legality of ransomware payments and the recovery and tracing of crypto-assets following
acquisition by a third party. Prior to joining the Cyber Risk team, Georgia spent time
providing legal and regulatory advice on fintech, data, technology, and IP matters across
sub-Saharan Africa whilst on secondment in Dar es Salaam, Tanzania. Georgia now utilises
her experience as an Associate to develop client-facing legal product offerings and internal
tech-led solutions for Clyde lawyers, in order to achieve operational excellence and
increased efficiencies within the cyber risk continuum, to assist businesses with preparing
for, responding to and recovering from a cyber incident.

Lee Bacon Partner, Clyde & Co, London.


Lee is a London-based arbitration and dispute resolution partner with a particular focus
on the energy and natural resources sectors and also with significant insurance and reinsurance
experience. He has been involved in considering the impact of smart contracts,
blockchain and related technologies since 2015 and has written a series of papers that
cover the extensive possibilities of these technologies within the existing legal and regulatory
framework. Lee is currently instructed by clients seeking to utilise these emerging
technologies on a number of projects to include payment-rail systems, parametric insurance
and digital marketing initiatives, as well as helping to steer the use of such technology
alongside the Legal Delivery and Innovation team at Clyde & Co.

Caitlyn Bellis Associate, Clyde & Co, Sydney.


Beginning her career in cyber law at Clyde & Co in 2020, Caitlyn is an Associate in the
Technology & Media team and is admitted as a lawyer in Australia. Caitlyn has an avid interest
in the world of cyber incident response and takes pride in assisting clients end-to-end.
This includes cyber incident response, crisis communications, stakeholder management,
insurance reporting, privacy and sanctions advisory and regulatory investigations defence.
Caitlyn has a keen interest in technology and the law, particularly technology-facilitated
crime and the legislative and regulatory response to this rapidly changing space.
Graduating with a Bachelor of International Studies and Laws, majoring in Social Policy,
Caitlyn is passionate about the human impact that technological advances and increased
cyber risk have on society.


Karen Boto Partner, Clyde & Co, London.


Karen advises on coverage and disputes across all types of D&O and financial lines liability
insurance. Her experience also includes advising on insurance and reinsurance policy
wordings, as well as complex international programme arrangements. Her work often
involves an international element, including all methods of alternative dispute resolution
in different jurisdictions. She frequently acts as monitoring Counsel for overseas lawyers.
Karen also has extensive experience in handling complex claims against professionals in
the financial sector. Her practice focuses on defending high-value and multi-party claims
against wealth asset managers, financial advisors, insolvency practitioners and Lloyd’s
brokers and their insurers. Karen is a regular contributor and speaker on issues relating to
the FI and D&O industry. She also advises on the emerging risks in the fintech and crypto
insurance space and has written a series of articles on these subject matters.

Nigel Brook Partner, Clyde & Co, London.


Nigel Brook heads the firm’s reinsurance team in London. He is founder and co-lead
of the firm’s global Resilience and Climate Risk practice, and advises and presents on
climate change issues including duties of care, liability and governance. He has also co-authored
several papers on the use of parametric insurance to address the protection gap.

Meg Chaperon Head of Marketing & Communications, Descartes Underwriting.


Meg Chaperon leads Descartes Underwriting’s global marketing and communication
initiatives. Descartes offers a new generation of data-driven insurance that builds corporate
and public sector resilience against climate and emerging risks. Before joining
Descartes, Meg worked as a product manager in Silicon Valley, where she led go-to-market
strategy and international expansion efforts in APAC and EMEA markets. Prior to
that, she worked at the forefront of climate science and international climate negotiations
as a consultant in Washington DC, Africa and the Pacific. Meg holds a master’s degree
from Columbia University and a B.Sc. from the University of California, Berkeley.

Alec Christie Partner, Clyde & Co, Sydney.


Alec has significant experience in delivering practical compliant solutions for all participants
in the digital economy across both the private and public/government sectors
(including in financial services, education, health/life sciences, e-commerce, online media
and entertainment), especially in the areas of data privacy and cyber security, information
law, IoT, e-commerce including electronic contracting, digital and business transformations,
big data analytics, digital innovation and IP strategies, cloud, blockchain, cryptocurrencies
and NFTs, tech procurement/sourcing and multi-jurisdiction transactions in all
of these areas in the Asia Pacific region.

Reece Corbett-Wilkins Partner, Clyde & Co, Sydney.


Reece is well regarded for his ability to advise boards and other senior members in the
executive, legal, IT, risk management and public relations functions to navigate Australia’s
complex cyber landscape. Reece and the wider team have helped thousands of entities
respond to incidents including some of Australia’s most prominent and industry-wide cyber
events in recent times, and several supply-chain attacks and multi-party-data-breaches.


Reece is often sought after for his privacy and technology subject matter expertise,
crisis management experience and strong relationships with non-legal incident response
vendors, law enforcement bodies, government agencies and other industry stakeholders
to achieve favourable outcomes. In addition to providing incident response services, he
routinely advises on incident preparedness and resilience strategies to address cyber risk
head-on, prior to an incident occurring. Following cyber incidents, Reece acts in third-
party IT liability claims, consumer claims, regulatory investigations and recovery actions.
It is this end-to-end experience which informs Reece’s approach to managing a cyber
crisis.
As a frequent speaker on various podcast programmes, webinar series and industry
events, Reece contributes regularly to thought leadership in the industry. Additionally,
Reece regularly contributes to law reform initiatives and was previously invited to a roundtable
discussion with the Australian Government in advance of the release of Australia’s
2020 Cyber Security Strategy (the only lawyer to be invited).

Martin Davies Professor, Senior Consultant, Clyde & Co, New Orleans.
Admiralty Law Institute Professor of Maritime Law, Tulane University Law School, and
Director of the Tulane Maritime Law Center, New Orleans, United States. Martin holds
a DCL degree from Oxford University and an LLM from Harvard Law School. Before
joining Tulane, he was Harrison Moore Professor of Law at The University of Melbourne
in Australia, and before that, he taught at Monash University, The University of Western
Australia and Nottingham University. He has also been a visiting professor at universities
in China, Italy, Azerbaijan and Singapore. In 2019, he was elected to be Titulary Member
of the Comité Maritime International (CMI). He has authored (or co-authored) books on
maritime law, international trade law, conflict of laws and the law of torts. He has also
published many journal articles on these topics. He has extensive practical experience as
a consultant for over 30 years on maritime matters and general international litigation and
arbitration, in Australia, Hong Kong, Singapore and the United States.

Steven Donley Special Counsel, Clyde & Co, Melbourne.


Steven has practised as a contentious defence and insurance coverage lawyer for over
15 years. He specialises in professional indemnity, financial lines and directors’ and officers’
insurance. A key focus of his practice is construction and infrastructure disputes. He
acts in contract works and construction-related third-party liability claims. Steven has a
proven track record of effectively resolving complex, cross-border and multi-party disputes
for insurers and their insureds in litigation and arbitration. He is also an innovation
enthusiast. Steven is qualified and has practised in Australia, Canada and Ireland.

Wynne Lawrence Legal Director, Clyde & Co, London.


Wynne specialises in insurance and reinsurance disputes and insurance regulatory
matters. She is a founding member of the firm’s cross-disciplinary Climate Change and
Resilience practice group, drawing together expertise and insights from diverse practice
areas and jurisdictions in Clyde & Co’s international network to deliver strategic advice
to clients on climate risk and the legal implications of climate change and the transition to
a low-carbon economy.


Wynne works on a wide range of insurance coverage disputes before the English High
Court and Arbitration tribunals, with a focus on high-value and complex reinsurance
matters involving multiple jurisdictions and parties. She also has extensive experience
in speciality lines, bloodstock, contingency, personal accident and health, and construction
insurance. She regularly advises on UK insurance regulatory matters (FCA and
Lloyd’s).
Wynne was lead author of the Insurance Development Forum’s report on “Technology
and the protection gap” as well as Clyde & Co’s series of reports on Climate Change Liability
Risk. She was co-author of the Geneva Association report on Climate Litigation Risk.
Wynne advises insurers and other firm clients on climate risk and disclosures, delivering
seminars and workshops on climate-related liability risks to businesses, directors and
officers. She is regularly invited to speak on the topic of climate change litigation and has
authored a number of articles in leading industry publications on parametric insurance,
insurtech, the protection gap, and climate liability risk.

Stuart Lloyd Senior Associate, Clyde & Co, Sydney.


Stuart advises insurers about the meaning and effect of policy terms and conditions,
monitors the live handling of cyber incidents by corporate insured and acts to protect
insurers’ positions in coverage disputes including through litigation and arbitration as
required.
Stuart is qualified as a solicitor in England and Wales and spent five years working in
the London market. He has completed secondments with a leading company insurer and
the in-house counsel department of Lloyd’s managing agent.
Stuart’s experience includes advising insurers in a GBP 20,000,000 claim for indemnity
under a cyber insurance policy arising out of a high-profile ransomware incident
which affected the insured entity around the globe. He has also advised insurers about a
GBP 2,000,000 claim for indemnity under a cyber insurance policy for restoration and
incident response costs by a well-known roadside assistance company following a “near-miss”
cyber incident.
He has represented insurers through to mediation in a disputed claim under a cyber
policy arising out of a non-malicious system failure and advised insurers in a claim under
a cyber policy by a professional services company following a hybrid extortion event
involving the theft of 160 GB of highly sensitive client and non-client data.

Angus McDonald Co-Founder and CEO of Cover Genius.


Angus McDonald is the co-founder and CEO of Cover Genius, the insurtech for embedded
protection that protects the global customers of the world’s largest digital companies
including Booking Holdings, Intuit, Hopper and several others. Its award-winning
global distribution platform XCover is also available on Amazon, eBay and Shopee. With
more than a decade of experience in executive roles at high-growth technology companies,
Angus oversees the expansion and development of strategic partnerships for Cover
Genius across a variety of industries.
Before Cover Genius, Angus was the VP of International Business Development at
iClick Interactive and the Head of Publisher Partnerships at Yahoo!
Angus has a Bachelor of Science in Mathematics and Computer Science from the
University of Technology, Sydney, and is a passionate contributor to rural and youth
well-being programmes through personal efforts and those of CG Gives, the philanthropic
arm of Cover Genius.

Chris McLaughlin Principal, Clyde & Co, Sydney.


Chris is a highly experienced Cyber Risk Leader, based in Sydney. With over 25 years
of global experience in information security and risk management, he is a respected leader
in the cybersecurity industry. He has provided strategic counsel to some of the world’s
largest companies, helping them to enhance their cyber readiness, response and recovery.
Chris’s focus is on delivering information and operational technology risk assessments,
breach compromise and threat assessment, cyber strategy development and related advisory
services to clients. He has a deep understanding of the cyber security landscape,
having held various leadership positions in organisations such as PwC, Gartner, EY, and
IBM.
Chris holds a BSc(Hons) in Communications Systems Engineering, an MSc in
Information Security, is a Chartered IT Professional, a Fellow of the British Computer
Society and holds several other professional certifications, including CISSP. His diverse
experience includes serving as Head of Cyber Solutions for an international brokerage
firm, leading cyber security consulting engagements as a director in a global professional
services firm and acting as a trusted advisor in risk management as a partner in a global
information technology and research firm.

Gary Meggitt Associate Professor, Faculty of Law, The University of Hong Kong.
Gary holds a MA from Oxford University and a MPhil from the University of Hong
Kong (HKU). He was admitted as a solicitor in England and Wales and spent 12 years
in practice with several leading UK law firms. He was also called to the bar in England
and Wales. After leaving private practice, Gary taught at BPP Law School in London
and was the Course Director of its Full-Time Bar Vocational Course (BVC). He joined
the Law Faculty at HKU in 2007 and teaches civil litigation, commercial dispute resolution,
professional conduct and insurance law. Gary has written extensively on civil
litigation, ADR, lawyers’ professional conduct and insurance-related subjects. He is
the author of Wilkinson’s Professional Conduct of Lawyers in Hong Kong (Sixth Desk
Edition, LexisNexis, 2022) and Mediation and ADR Confidentiality in Hong Kong
(Wildy, Simmonds & Hill Publishing, 2019). Gary is a member of the Hong Kong
Law Society’s Insurance Law Committee and also serves as Convener for Head IV
(Accounts & Professional Conduct) of Hong Kong’s Overseas Lawyers Qualification
Examination.

John Moran Partner, Clyde & Co, Sydney.


John specialises in D&O, professional indemnity and financial lines and has developed
a market-leading cyber incident response practice, one of the firm’s largest and most innovative
projects around the globe. He also co-leads the firm’s global cyber practice. John is
a recognised expert in the local Australian and London insurance markets and is currently
acting in defence, advisory and monitoring counsel roles in some of Australia’s most
prominent securities and D&O class action litigation. Over the past 12 months, John has
been acting in some of the market’s biggest financial lines and D&O matters, and for insurers
in a number of class actions resulting from the Financial Services Royal Commission.


Having built a reputation as the “go-to” for corporates who face cyber crises, John routinely
assists organisations with cyber incident readiness and resilience exercises including
incident response planning and tabletop training, as well as in relation to regulatory
investigations, class actions, third-party claims and recovery proceedings following incidents.
John and his team have advised on more than 4,000 cyber incidents across all sectors
globally, including some of the most high-profile and complex investigations, many
of which have attracted considerable media attention.

Kirsty Paynter Assistant Editor, The Global Insurance Market and Change: Emerging
Technologies, Risks and Legal Challenges.
Kirsty has completed various legal qualifications including a Bachelor of Laws (Hons),
a Postgraduate Diploma in Commercial Law, a Postgraduate Diploma in Legal Practice
and a Graduate Certificate in Future Law Technologies. In 2021, she co-authored and was
the assistant editor of Drone Law and Policy: Global Development, Risks, Regulation and
Insurance published by Informa UK Limited.
Kirsty has extensive experience in governance, strategic planning and regulatory compliance
review. She is a sessional lecturer and teaches corporate governance including data
protection and D&O duties in the Faculty of Business and Law at Queensland University
of Technology. She is currently enrolled in an insurance-related PhD topic.

Antton Peña Founder and Chief Strategy Officer, Flock, London, United Kingdom.
Antton is the Founder of Flock, a London-based insurtech on a mission to make the world
quantifiably safer.
Antton’s background is in engineering, design and product development, with extensive
experience in the mobility and transportation industry. After working for Audi and Seat,
he moved into academia to research how emerging technology could be safely integrated
into society, and it was there that Flock and its mission were born.
Antton graduated from Imperial College and the Royal College of Art (MSc and MA
in Masters in Global Innovation Design). Prior to founding Flock, Antton was the co-founder
of Farewill, the world’s first digital will-writing platform.

Simon Ritterband Managing Director, Moonrock Drone Insurance, London, United Kingdom.
Simon currently sits on a number of key government advisory panels in the United
Kingdom along with the Department for Transport (UK), the Civil Aviation Authority
(UK) and other key stakeholders within the industry. He also sits on the British Standards
Institute Committee (BSI).
He regularly consults with national authorities on the drone industry, and Moonrock
is firmly established as a leading drone insurance provider in the market. With policies
developed in partnership with leading A-rated insurers, Moonrock drone insurance policies
cover areas previously unavailable such as invasion of privacy, cyber-attack, hull,
noise and public liability insurance.

Jennifer Robbins Senior Associate, Clyde & Co, Brisbane.


Jennifer specialises in complex insurance coverage issues, particularly in relation to financial
institutions, corporate misconduct and shareholder disputes. Jennifer has advised
insurers in relation to numerous class actions, regulatory proceedings and large-scale
customer remediation programmes in the financial services sector. Her experience also
extends to advising on privacy liability, cyber incident response and emerging risks in the
tech and fintech spaces.
Jennifer is also an experienced commercial litigator and has successfully defended a
wide range of companies and professionals in litigated claims (including accountants,
financial planners, building certifiers, engineers and solicitors). In particular, she has
extensive experience in handling claims against professionals in the financial services
sector.

Zaneta Sedilekova Associate, Clyde & Co, London.


Zaneta advises insurers and other firm clients on climate risk and disclosures, emerging
biodiversity and supply-chain risks, and their wider implications for businesses and wider
sectors. She also acts as a Biodiversity Risk Advisor to global think tank, Commonwealth
Climate and Law Initiative, where she studies the implications of biodiversity risk on
directors’ duties.
Zaneta combines her legal expertise with technical knowledge of artificial intelligence
and machine learning, which she developed during her time in Clyde & Co’s innovation
hub Data Lab, to deliver forward-looking advice to the firm’s clients in the area of
wider digital transformation. Before joining Clyde & Co, Zaneta completed her LLB at the
University of Glasgow and LLM in International Law with a focus on climate change and
environmental law at the University of Cambridge, Downing College.

Darryl Smith Partner, Clyde & Co, Melbourne.


Darryl is a Partner of Clyde & Co, where he runs an insurance practice from the Melbourne
office, and a Senior Fellow (Melbourne Law Masters) at the University of Melbourne,
where he teaches Liability Insurance Law.
The majority of Darryl’s practice involves conducting the defence of professional
indemnity and D&O (in particular, regulatory inquiries) insurance claims. Darryl’s in-depth
knowledge of the insurance and reinsurance industry enables him to provide pragmatic
and commercial solutions to his clients.
In addition to contentious work, Darryl provides coverage advice and assists his clients
with compliance and regulatory issues unique to the insurance industry.

Arnaud Sorel General Counsel, Descartes Underwriting.


Arnaud Sorel serves as General Counsel of Descartes Underwriting, a Managing
General Agent specialising in corporate insurance against climate and emerging risks.
Prior to Descartes, Arnaud held the role of General Counsel at Axa Corporate Solutions
after serving in additional positions within the Axa Group and as a lawyer at Clifford
Chance earlier in his career. With more than 15 years of legal experience in the insurance
industry, including in the field of large risks, Arnaud has worked in Paris, Hong
Kong, Singapore and London. He holds separate advanced degrees from Université
Paris 1 Panthéon-Sorbonne, Sciences Po, and ESCP Europe, and has a keen interest in
energy and challenges linked to climate change. Most recently he completed an additional
advanced degree in Energy Law and served as a juriste in support of the French Ministry
of Ecological Transition.


Dr Anthony A Tarr Senior Consultant, Clyde & Co, Brisbane.


BA, LLB (Natal), LLM (Cambridge), PhD (Canterbury), PhD (Cambridge).
Director, Robyn Ashton Consulting Pty Ltd, formerly Vice Chancellor, University of
the South Pacific; Dean and Professor of Law, Indiana University – Indianapolis School
of Law; Dean and Sir Gerard Brennan Professor of Law, T C Beirne School of Law, The
University of Queensland, and Dean and Foundation Professor of Law, School of Law,
Bond University; author of ten books/treatises including Insurance Law in New Zealand
and Australian Insurance Law and, most recently, as a general editor/author of Drone Law
and Policy: Global Development, Risks, Regulation and Insurance. Chairman, managing
director or non-executive director of various commercial and resource sector companies,
formerly chief executive officer of the Queensland Law Society, director of the Indiana
Bar Foundation and Chairman of the Fiji Law Reform Commission.

Professor Julie-Anne Tarr BA (Wisconsin), JD (Cornell), LLM (Monash), PhD (Queensland).


Professor of Commercial Law, Faculty of Business and Law, Queensland University of
Technology and an experienced Board Director and Chair. She specialises in insurance and
risk management, regulation of emerging technologies, commercialisation (IP) and complex
contracting. Author of more than 100 articles, law reform reports, and seven books/treatises
in the insurance law area, including Disclosure and Concealment in Consumer Insurance
Contracts, Laws of Australia: Insurance and, most recently, as a general editor/author of
Drone Law and Policy: Global Development, Risks, Regulation and Insurance. A well-known
industry speaker, she has held professorial and senior executive roles in the United
States, South Pacific and Australia including at Queensland University of Technology, Indiana
University, University of the South Pacific, the QIMR Berghofer Medical Research Institute
and Queensland’s Litigation Reform Commission.

Adam Taylor. Manager – Cyber Operations and Digital Governance Manager – University
of Newcastle.
Adam started his cyber security career in federal government supporting defence and
the Department of Home Affairs in IT security. Adam then worked in IT risk and governance
for banking and consulting firms. He is also a lawyer admitted in Australia and has
a passion for when legislation and regulation intersect with cyber security.

Maurice Thompson Partner, Clyde & Co, Melbourne and Perth.


LLB (Bond), LLM (Shipping)(Hons)(Cape Town), LLM (Admiralty)(Distinction)(Tulane).
Maurice qualified in 1992 and has 31 years’ experience advising clients in the insurance,
shipping, energy, offshore oil & gas, resources & mining, commodity trading, aviation,
drones and ports sectors, both domestically and internationally.
Notwithstanding that his expertise is originally in marine and he leads Clyde & Co’s
“Energy, Marine, Natural Resources” group in Asia Pacific, Maurice is a lawyer with a
proven growth mindset, evidenced by (i) founding Clyde & Co’s market leading insurance
subrogation practice in Dubai in 2016, utilising a captive corporate vehicle to drive
contingency returns; (ii) founding Clyde & Co’s first to market cross-sector Global Drones
Group in 2019, introducing and developing opportunities for insurance underwriters, corporates
and regulators across a myriad of sectors. As part of this initiative, he co-authored
and was a General Editor of the groundbreaking textbook Drone Law and Policy: Global
Development, Risks, Regulation and Insurance published by Informa UK Limited; and
(iii) developing a leading global reputation with litigation funders, private equity and
corporates for successfully pitching complex cases to achieve disputes financing, with
a remarkable record to date of 10/10 across a wide range of ‘bet the company’ and news
headlining cases, for 8 different litigation funders globally.

Ernie Van Der Vyver Partner, Clyde & Co, Johannesburg.


Ernie’s practice covers a broad range of corporate and regulatory matters with a focus
on the financial services industry.
Ernie regularly assists clients in structuring, negotiating and documenting complex
corporate and commercial transactions, including mergers and acquisitions, joint ventures,
strategic alliance structures, complex insurance and reinsurance contracts, profit
share arrangements, transactions involving insurtech and parametric/indexed products,
new insurance and reinsurance products and portfolio transfers.
In addition, he advises clients on all aspects of financial service regulation in South
Africa, including licensing of insurers, reinsurers, branches of foreign reinsurers, cell
captive insurers and microinsurers, intermediary licensing and regulation and compliance
with data protection laws.
Ernie has been named a leading Insurance & Re-Insurance Lawyer by The International
Who’s Who and Expert Guides and has been named a ranked lawyer for insurance by
Chambers Global 2020 and 2021. Ernie is also recognised as a recommended lawyer for
Dispute Resolution by the Legal 500, 2021.

Dino Wilkinson Partner, Clyde & Co, Abu Dhabi.


Dino is recognised as one of the leading technology lawyers in the Middle East and was
named in The Legal 500’s Hall of Fame for his work in technology, media and telecommunications
law. Dino has advised clients throughout the region on technology transactions,
data protection and cybersecurity for more than 15 years. He has also worked with
governments and regulatory authorities in the region on a number of significant legislative
developments in this area, including the drafting of electronic commerce laws, data-sharing
regulations and privacy legislation. Dino’s expertise spans all types of technology-related
transactional and advisory work, including support for technology startups and
advice for established clients on digital transformation projects. He has worked on matters
of regional and international significance, including mobile app and internet product
launches, national digital wallet schemes and a national health insurance information
exchange platform. Dino’s clients include government departments and ministries, state-owned
entities and private sector organisations in the Middle East, including insurers,
brokers and corporates. He also helps international clients to navigate legal and regulatory
challenges in the region.

Lucia Williams Associate, Clyde & Co, London.


Lucia specialises in international arbitration of complex, high-value disputes arising
from catastrophic environmental incidents, extensive property damage and mass tort lawsuits,
particularly under excess insurance contracts. Lucia is part of Clyde & Co’s global
Resilience and Climate Risk practice and has drafted a number of thought leadership
reports and presented on climate change litigation and liability risks.

Ruth Yeend Associate, Clyde & Co, Sydney.


Ruth Yeend is an Associate in the Technology & Media team at Clyde & Co where she
has worked since 2019. She graduated with a Bachelor of Security Studies with the degree
of Bachelor of Laws (Honours) in 2021 and was admitted as a lawyer in Australia in 2022.
Ruth has experience in assisting clients with navigating the full lifecycle of cyber incidents,
responding to data breaches and complying with notification obligations. Ruth is
particularly interested in supporting clients impacted by multi-party data breaches and
regulatory investigations.

Chapter 1

Introduction
Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson

CONTENTS
Overview
Big data and artificial intelligence
On-demand insurance
Embedded insurance
Distributed ledger technology and blockchain insurance
Parametric insurance
Autonomous transportation: Liability and insurance
The rise of fintech: Liability and insurance
Cyber risk and insurance
Professional indemnity insurance
Natural disasters, climate change, pandemics and insurance
Natural disasters
Pandemics
Climate change
Concluding comments

DOI: 10.4324/9781003319054-1

Overview
The global landscape in which insurance is transacted is, on an almost annual basis, experiencing
the type of transformational change that historically would have been measured
in decades. Rapidly evolving technologies—advanced analytics, applied and generative
artificial intelligence (AI),1 trust architectures and digital identity,2 industrialised machine
learning, cloud and edge computing, quantum technologies and immersive reality technologies3—are
enabling data collection and leveraging for predictive and analytic purposes
at what, in the not-too-distant past, would have been taken as science fiction.
Moreover, over the next decade in this new and evolving technology-led metaverse,4
innovative and diverse ways for people and organisations to interact will influence every
facet of insurance, from industry services to actuarial forecasting, underwriting and reinsurance.5
Social platforms, e-commerce and digital marketplaces have changed, and will
continue to change, consumer interaction processes and patterns; telematics, IoT (Internet
of Things), blockchain, digital platforms and AI amongst other technologies will reshape
how the industry measures, controls and prices risk. Collectively, these breakthrough
developments will reduce cost, improve efficiency, expand insurability and create new
products and business models.6
For contemporary insurers, availability and access to large-scale datasets combined
with corresponding scientific and technological advances in this digital age generate
recourse to information and resources infinitely superior to their historical counterparts.
Lord Mansfield, in his seminal observation in Carter v Boehm7 more than
250 years ago, stated:
Insurance is a contract based upon speculation. The special facts, upon which the contingent
chance is to be computed, lie most commonly in the knowledge of the insured only; the underwriter
trusts to his representation and proceeds upon the confidence that he does not keep
back any circumstance in his knowledge.

1 See extensive discussion in Chapter 2 Big Data, Artificial Intelligence and Insurance.
2 See “McKinsey Technology Trends Outlook 2022: Trust architectures and digital identity,” McKinsey &
Company, August 2022. McKinsey comment (p 2) that “Digital-trust technologies empower organizations to
gain a competitive advantage by building, scaling, and maintaining the trust of stakeholders (eg, customers,
regulators) in the use of their data and digital-enabled products and services,”
www.mckinsey.com/~/media/mckinsey/business%20functions/mckinsey%20digital/our%20insights/the%20top%20trends%20in%20tech%202022/McKinsey-Tech-Trends-Outlook-2022-Trust-Arch-DigID.pdf.
3 See “An Introduction to Immersive Technologies,” Vista describe immersive technologies as creating
“distinct experiences by merging the physical world with a digital or simulated reality,”
www.vistaequitypartners.com/insights/an-introduction-to-immersive-technologies/.
4 Numerous definitional variations exist, but in essence the metaverse may be described as a virtual-reality
space in which users can interact with a computer-generated environment and other users; see
https://languages.oup.com/google-dictionary-en/.
5 “Meet me in the Metaverse,” Accenture, Technology Trends, 2022,
www.accenture.com/content/dam/accenture/final/industry/insurance/document/Accenture-Insurance-Technology-Vision-2022.pdf#zoom=40,
Accenture states: “Over the next five years, the rise of the metaverse will begin to influence every facet of
insurance—from operations and the workforce to distribution and revenue pools.”
6 See, for example, Shanique Hall, “How Artificial Intelligence Is Changing the Insurance Industry,”
NAIC, CIPR Newsletter, August 2017, www.naic.org/cipr_newsletter_archive/vol22_ai.pdf.
7 (1766) 3 Burr 1905.


While this observation has not been supplanted, little doubt exists that in this evolving
data-driven global insurance market, an insurer’s asymmetry of information relative to
any particular transaction being negotiated may be negated or become less significant.
Furthermore, the role of information asymmetry per se will be significantly reduced as
new models of risk forecasting become more prevalent that replace or minimise traditional
indemnification frameworks of the last centuries.8
Dynamic challenges and opportunities lie ahead for the industry. Areas such as on-demand
insurance, the growth of embedded insurance, parametric insurance and the
rise of financial technology—“fintech” for short—will introduce levels of complexity
well beyond traditional paradigms, priming change and disruption. In parallel,
developments and initiatives driven by distributed ledger technology or blockchain
solutions within the insurance industry are designed to improve efficiency, lower the
costs of transaction processing and improve data quality and transparency. Fraud
detection, risk prevention and “smart contracts” are at the forefront of several collaborative
efforts undertaken within the industry or in conjunction with major external
technology entities. Key challenges and risks to be considered in the context of
existing legal frameworks relate to security and privacy, governance, scalability and
standardisation.
Globally, insurtech9 start-ups have taken the lead in relation to new products, distribution
models and platforms within the insurance sector.10 However, large institutional
insurers are responding to this trend by leveraging emerging technologies (and their existing
datasets), investing in complementary partnerships and exploring transformational
options to replace traditional services.11
The development and expansion of artificial intelligence in relation to driverless
cars, robots, the use of autonomous machines to execute complex tasks or transactions,
and other innovations, give rise to diverse legal issues that stretch, if not fray,
the edges of existing doctrines and precedent. Issues ranging from the concept of
“AI personhood”12 through to where liability and fault are best placed for effective
recovery, loss mitigation and transaction cost reductions will challenge regulators, the
courts, industry and society over the coming decades. Already, questions about the allocation
of liability for accidents caused by automated vehicles have emerged, as have liability
exposures and risks for physicians as against errors in intelligent scanning machine
diagnostics systems and, in the financial services sector, accountability for decision-making
outcomes where AI algorithms reference impermissible factors, such as
race and gender, in decision-making contexts.13

8 See, for example, discussion in Chapter 5 Parametric Insurance.


9 “Insurtechs” are technology-led companies that enter the insurance sector, taking advantage of new
technologies to provide coverage to a more digitally savvy customer base; see Tanguy Catlin, “Insurtech—
the threat that inspires,” McKinsey & Company, 2017,
www.mckinsey.com/industries/financial-services/our-insights/insurtech-the-threat-that-inspires.
10 Financial technology companies (“fintechs”) operate within the banking sector. Ibid.
11 See, for example, Padraig Floyd, “On-demand insurance: Challenges and opportunities for large insurance
carriers,” www.the-digital-insurer.com/on-demand-insurance-challenges-and-opportunities-for-large-insurance-carriers/.
12 See, for example, Matthew U Scherer, “Of Wild Beasts and Digital Analogues: The Legal Status of
Autonomous Systems” (2019) 19 Nevada Law Journal 259.
13 John Villasenor, “Products Liability Law as a Way to Address AI Harms,” Brookings, 31 October 2019,
www.brookings.edu/research/products-liability-law-as-a-way-to-address-ai-harms/.


The shift towards autonomous vehicles presents broad ranging challenges to insurers
at more routine commercial levels as to how best to revise their policies and premiums to
reflect the changing landscape and to compete for business. In relation to fully autonomous
vehicles, it may be inevitable that the focus will shift from a driver liability centric
model to that of a framework of manufacturer or design defect allocation tied directly to
the vehicle. This will potentially implicate other policy types, including product liability
insurance for manufacturers of autonomous vehicles and their components. Moreover, it
will necessitate generation of new insurance products to address liability apportionment
for product liability issues, as well as around new and emerging risks such as cyber security
and data protection.14
Concurrently, global risks such as climate change, natural disasters, geopolitical
turmoil and health crises are having, and will continue to have, a major impact on
the global insurance market. Pressure is being exerted upon traditional insurers of
energy, coal, oil, gas and natural resources companies by international organisations,
climate campaigners and shareholders.15 Already numerous insurance companies
have withdrawn, or like Lloyd’s, signalled their intention to withdraw from providing
certain insurance cover to companies in these sectors. Although such contractions
will reduce competition and have flow on consequences for pricing of available insurance
cover, they may also open doors for innovative thinking - such as consideration
of resource insurance mutuals, comprised of like-minded “members”/insureds across
the international resources landscape sharing and pooling certain identified risks.
The losses associated with wildfires, hurricanes, floods or earthquakes and other natural
catastrophes create huge challenges for the global insurance industry. AGCS16 observe
that:
Losses continue to rise with climate change and changes to exposures (for example, increasing
economic activity in natural catastrophe zones). Wildfires in the US and Australia, flooding
in Europe and Asia and tornado and convective storm activity in the US are just some of
the many recent loss activities to have made headlines around the world. At the same time,
two Atlantic hurricane seasons out of the previous five (2017 and 2021) rank among the top
three most active and costliest on record.

14 Max W Gershweir, “The future of liability insurance in the age of the driverless car: The US perspective,”
Kennedys Law, 1 April 2019,
www.kennedyslaw.com/thought-leadership/article/the-future-of-liability-insurance-in-the-age-of-the-driverless-car-the-us-perspective;
Paul Tullis, “Self-Driving Cars Might Kill Auto Insurance as We Know It,” Bloomberg, 19 February 2019,
www.bloomberg.com/news/articles/2019-02-19/autonomous-vehicles-may-one-day-kill-car-insurance-as-we-know-it.
See also European Commission,
“Communication from the Commission to the European Parliament, the Council, The European Economic
and Social Committee and the Committee of the Regions, Sustainable and Smart Mobility Strategy—Putting
European transport on track for the future” (Brussels 9 December 2020, COM 789 Final) (hereafter COM 789).
15 See for example, “Insuring the Climate Transition: Enhancing the insurance industry’s assessment of
climate change futures,” UN environment program finance initiative, UNEPFI’s Principles for Sustainable
Insurance Initiative, January 2021, www.unepfi.org/industries/insurance/insuring-the-climate-transition/.
16 “Global Claims Review 2022—Trends and developments in corporate insurance losses,” Allianz Global
Corporate & Specialty, July 2022, www.agcs.allianz.com/news-and-insights/reports/claims-in-focus.html#download
(hereafter Allianz 2022).

Globally, in light of climate change, there is overwhelming evidence of an existing and
growing insurance protection gap in relation to the affordability and insurability of natural
catastrophes (Nat Cat) insurance coverage. For example, the European Insurance and
Occupational Pensions Authority (EIOPA)17 reports that currently in Europe only a quarter
of total losses caused by extreme weather and climate-related events across Europe are
insured. EIOPA comments further that:
Climate change will continue for many decades to come. Improved climate projections provide
further evidence that future climate change will increase climate-related extremes (for example,
heat waves, heavy precipitation, droughts, flood, top wind speeds and storm surges…). In
order to address the protection gap, increasing the insurance penetration is not sufficient as
due to the increasing frequency/intensity of some events, some risks might become uninsurable.
Proactive measures on buildings’ vulnerability, localisation of exposure and optimised
insurance coverages will be important elements of a resilient society.

The COVID-19 pandemic similarly has exposed a coverage gap where, in the absence of
a specialist pandemic risk product, business interruption insurance (BII) policies have
borne the brunt of COVID-19 pandemic-related claims. Lockdowns and other restrictions
associated with COVID-19 have triggered a spate of potential BII claims, with many
insurers exposed through policy wordings that had not kept up to date with changing
legislation. Legal uncertainty, and significant financial exposure for insurers, have raised
concerns about the strength of insurers’ risk management frameworks. Moreover, despite
the inevitability of future pandemics, the severity of the ongoing COVID-19 pandemic
and the initial bout of activity from the insurance industry, financial regulators and other
public bodies in respect of “filling” the perceived “coverage gap” which it exposed, no
medium or long-term insurance-based solution has yet been implemented.
Nevertheless, external challenges such as climate change and pandemics present not
only risks but also opportunities for innovation in risk analysis, risk reduction or insurance
product development within a changing risk landscape.18 For example, in relation to
climate change, the industry can, and does, help foster an understanding of the existing
and new risks to society brought about by climate change.19 At the international level, it is
understood that the insurance industry is a key partner in efforts to adapt to a changing climate,
particularly in disaster risk financing, modelling and capacity building.20 Moreover,
industry innovations—such as the development and growth of parametric insurance21
where payouts are based on a triggering event rather than a specific loss—open the doors
to the possibility of alternative forms of risk transfer. In doing so, developments such as
parametric insurance can support both international institutions and governments’ disaster
protection risk planning portfolios as well as private enterprises. Similarly, resilience
bonds are being developed, where investors loan money for major infrastructure projects
designed to improve resilience against climate risks (such as new sea wall defences), while
insurers provide interim cover to those who face the risks pending completion.
Technology and insurance in the digital age as well as some of the key external dynamics
impacting the global insurance market are considered in this book, and the balance of
this chapter paints a slightly fuller picture of the chapters that follow.

17 “Dashboard on insurance protection gap for natural catastrophes,” December 2022,
www.eiopa.europa.eu/tools-and-data/dashboard-insurance-protection-gap-natural-catastrophes_en.
18 See detailed discussion in Chapter 14 “Climate Change” and Chapter 15 “Climate Change: Liability Risk.”
19 “Insuring the Climate Transition: Enhancing the insurance industry’s assessment of climate change
futures,” UN environment program finance initiative, UNEPFI’s Principles for Sustainable Insurance
Initiative, January 2021, www.unepfi.org/industries/insurance/insuring-the-climate-transition/.
20 See discussion in Chapter 14 “Climate Change” and Chapter 15 “Climate Change: Liability Risk.”
21 See discussion in Chapter 5 “Parametric Insurance.”


Big data and artificial intelligence


Central to the enormous changes, challenges and opportunities that the insurance industry
is experiencing and will be navigating over the next decade is so-called “big data,”
which refers to the enormous datasets that insurers are now able to compile, store, analyse
and parse for information relevant to individual risks. Access to big data and predictive
analytics has the potential to transform insurance practice with a consequential impact on
existing principles of insurance law.
Artificial intelligence (AI) or machine learning is an indispensable fellow traveller with
big data, as AI-based systems have the power to rapidly and efficiently analyse enormous
amounts of data, identifying and making good use of correlations that would elude even
the most expert human analyst. AI is rapidly evolving and is transforming the insurance
industry in areas such as underwriting, customer service, claims, marketing and fraud
detection.
The availability of big data in conjunction with technological advances in AI, predic-
tive analytics and blockchain opens doors to new and exciting opportunities within the
insurance industry.
However, this changing or changed insurance landscape is exacerbating several risks
and creating new challenges. For example, questions arise as to the appropriateness of the
data being utilised and analysed, and the predictive models being deployed in delineating
the scope of cover provided, or in determining whether cover is provided at all. Moreover,
significant privacy concerns arise in relation to big data pertaining to matters such as fairness
and discrimination, intrusiveness and contextual integrity of personal data.
These and other concerns have generated, and will continue to demand, major regulatory
responses such as the European Union’s General Data Protection Regulation 2016/679
(GDPR) and recommended global strategies to address data protection and privacy—
such as that advocated by the Organisation for Economic Cooperation and Development
(OECD) in 2020. There will be changes to disclosure obligations—by the prospective
insured and insurer. In this evolving data-driven global insurance market, an insurer’s
asymmetry of information relative to any particular transaction being negotiated may be
negated or become less significant.
It is clear that rapid advances in AI and big data analytics have had, and will continue
to have, a profound impact on the insurance industry and that on-demand or usage-based
insurance products are key beneficiaries of these changes. This “seismic, tech driven
shift”22 has the potential to streamline processes and lower costs, and to exceed customer
expectations for individualisation and dynamic adaptation. These are all areas that will
be “front of mind” for insurers during the next decade and are considered in more detail
in Chapter 2.

22 See, for example, Ramnath Balasubramanian, Ari Libarikian and Doug McElhaney, “Insurance 2030—
The impact of AI on the future of insurance,” McKinsey & Company, 12 March 2021,
www.mckinsey.com/industries/financial-services/our-insights/insurance-2030-the-impact-of-ai-on-the-future-of-insurance.


On-demand insurance
As noted above, the availability of big data in conjunction with technological advances
in AI, predictive analytics and blockchain opens doors to new and exciting opportunities
within the insurance industry.
These technological advances create the foundation, or launching pad, for new “on-demand”
insurance products23 that are emerging and will undoubtedly play a fundamental
role in the future of the insurance industry generally. Research published by
the International Underwriting Association (IUA) observes that pay-as-you-go models
of cover will allow customers to automatically activate policies when and where they
need them.24 As Tom Chamberlain, then Chair of the IUA’s Developing Technologies
Monitoring Group, explained:
In the future insurance will be based around whatever you are doing. You will be in your
house and your insurance will be active and when you leave your front door your premium
will step up as it is now unoccupied. You will then get into a shared economy car and your
phone will interact and automatically trigger your insurance for that journey. Your insurance
will follow you as you go and as your activity changes. It will no longer be a manual process
and could realistically work for everything you do requiring insurance.25

On-demand insurance is growing rapidly with predictions that, by 2030, the global insurance
market will evolve to contain highly dynamic, usage-based products that are tailored
to individual customer behaviours and will transition from an annual renewal model to
a continuous cycle, with products that constantly adapt to individual behavioural patterns—driven
by the application of data and individualised risk models.26
Examples include on-demand insurance being available for valuable personal possessions,
drones, motor vehicles, homeowners and home-sharing hosts, travel and event
insurance, small business insurance, insurance offerings for workers in the gig economy,27
and cover for digital businesses against loss due to employer’s liability, public liability,
professional indemnity, cyber liability and directors’ and officers’ (D&O) liability.28
The availability and rapid expansion of new technologies create new and exciting
opportunities within the insurance industry. There are also complex challenges including

23 The term “on-demand” is open to various interpretations. For Scott Walchek, founding chairman and
CEO of pioneering on-demand insurance platform Trōv, it’s about “giving people agency over the items they
own and enabling them to turn on insurance cover whenever they want for whatever they want—often for just
a single item.” See Graham Buck, “Kiss Your Annual Renewal Goodbye; On-Demand Insurance Challenges
the Traditional Policy” 14 September 2018 (hereafter Buck 2018),
https://riskandinsurance.com/on-demand-insurance-challenges-traditional-policy-constraints/.
24 Interview with Tom Chamberlain Allianz Global Corporate and Specialty IUA Developing Technology
Monitoring Group, “On-Demand and Conquer: Is the future of insurance a pay-as-you-go one?
IUA Publishes on demand insurance report,” IUA, 16 October 2019,
www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_on-demand_insurance_report.aspx?WebsiteKey=84dca912-b4fb-4a0f-a6e5-47ad899350aa.
25 Idem.
26 Tanguy Caitlin et al, “Insurtech—the Threat That Inspires,” McKinsey & Company, 2017,
www.mckinsey.com/industries/financial-services/our-insights/insurtech-the-threat-that-inspires
27 Jeff Goldberg, “The 3 Pillars of On-Demand Insurance” 19 June 2018 “Gig economy insurance is most
familiar to those outside the insurance space: as more and more freelance and ‘gig’ opportunities such as Uber
and Postmates emerge, carriers are developing products to keep these independent contractors covered in a
part-personal, part-commercial hybrid coverage,”
www.insurancethoughtleadership.com/the-3-pillars-of-on-demand-insurance/.
28 Buck 2018 (n 23).

determination of liability for harm or damage, privacy considerations, cyber security risks
and insurer solvency.
Chapter 3 considers on-demand insurance and associated technological developments
supporting its global growth and development. Attention is then given to actual and pro-
spective impacts on insurance law and practice, highlighting opportunities and risks in
navigating the changing or changed landscape.29

Embedded insurance
Emerging technologies are facilitating partnerships between insurers and non-insurance
brands to create value and opportunity. Embedded insurance, where insurance is offered
within or in conjunction with the purchase of a non-insurance product or service from a
third party, displaces the current paradigm where insurance is taken as a “second step,”
after the underlying asset or event is confirmed.
The traditional mode of insurance places the burden on the consumer—for example,
when making a purchase, renting a property or booking an airline flight—to take on the
additional step of calling an insurance agent or seeking another means of adding insur-
ance protection to their transaction. Embedded insurance removes this extra step and
integrates protection in the initial transaction process. When done right, the result is a
seamless customer experience that allows the customer to easily see the benefit of adding
protection to their transaction and to be able to do so without much additional effort on
their end. For businesses to successfully leverage embedded insurance, they must work
with a partner that has the technology and experience to provide their customers with
relevant, tailored protection in real time.
The chapter also addresses the multitude of regulatory and other risks which need to
be successfully navigated. Applicable consumer and insurance laws, licences and regis-
tration requirements vary in each country, and in some countries, requirements vary in
each jurisdiction or state such as in the United States and Australia. Embedding insur-
ance cover across industries such as airlines and travel can require complex licensing and
authorisations across multiple jurisdictions to achieve truly global solutions.
Chapter 4 discusses the enormous changes, growth and opportunities that the embedded
insurance model is presenting. Two insightful case studies from Cover Genius, a global
provider of embedded protection, provide a further perspective into the end-to-end jour-
ney of embedded insurance from policy creation to claims management in an online world.

Distributed ledger technology and blockchain insurance


Chapter 5 reviews the developments and initiatives driven by distributed ledger technol-
ogy or blockchain technology within the insurance industry,30 which has huge potential to
support innovation across all areas of financial services. For the insurance industry to cap-
italise on the very real benefits, however, progress towards standardisation (of practices,
systems and databases) is required along with a willingness for intra-market cooperation

29 Generally, see Julie-Anne Tarr and Anthony Tarr, “On-demand insurance and the evolving technologi-
cal and legal environment,” (2021) Journal of Business Law 535.
30 Generally, see Professor Julie-Anne Tarr “Distributed ledger technology, blockchain and insurance:
Opportunities, risks and challenges” (2018) 29 Insurance Law Journal 254–268.

to foster ecosystems. If achieved, the prospects for the insurance industry in utilising this
technology to help embed itself as part of the wider digital economy will be bright.
Broadly, the activities undertaken by insurers and reinsurers in utilising this technology
to date fall into three camps. First are those more prosaic initiatives designed to
improve efficiency, lower the costs of transaction processing and improve data quality and
transparency. Second, fraud detection, risk prevention and “smart” contracting are at the
forefront of several collaborative efforts undertaken within the industry or in conjunction
with major external technology entities. Third, and most interesting, is the development
of new markets and tools for risk management and sharing. While the first two limbs, effi-
ciency and fraud prevention, are important, it is the third which holds particular promise
and which is structurally important.
These opportunities are not without their corresponding challenges and risks, tech-
nological, legal and otherwise. Key challenges and risks to be considered in the context
of existing legal frameworks relate to security and privacy, governance, scalability and
standardisation. While this new technology may enhance data security, it is not free of
risk and may commonly give rise to three major types of potential liability risk: Ledger
transparency risks, cyber risks and operational risks.
One of the strengths of distributed ledgers is the enhanced level of transparency,
whereby every node operator has access to the data stored on the ledger. That same
transparency also facilitates the re-personalisation of data stored on the ledger, or
enables node operators to make an informed guess as to the identities of the parties
entering into certain transactions. This in turn leads to two main legal risks: Data
privacy, and insider trading and market abuse.
Regulators globally have to date largely taken a “light touch” approach to the question
as to whether existing legal frameworks are sufficient to meet the technological challenges
posed by distributed ledger technology or blockchain technology. This chapter considers
industry initiatives within the existing legal framework and reviews some of the chal-
lenges in extending and applying private law and regulation to blockchain applications.

Parametric insurance
In recent years, product innovation and data analytics have expanded the scope of com-
mercial insurance solutions to offer coverage for a wider range of threats, exposures and
perils.31 With their transparent and fast claims payment and ability to offer a payout without
actual physical damage to an asset, parametric or index-based solutions are often brought
to the table of discussion when covering hard-to-insure risks.32
Traditional commercial property insurance typically involves payment of a premium in
return for a promise to cover the actual loss suffered in the event of an insured fortuity or
named peril. Payment is made only after an actual loss assessment and investigation, with
the goal of putting the insured back in the position they were in prior to the event.
Conversely, parametric (or index-based) solutions, described and discussed in detail in
Chapter 6, are a type of insurance that covers the probability of a predefined event happen-
ing instead of indemnifying actual loss incurred. A parametric contract is an agreement to

31 “What is parametric insurance?” Swiss Re, 1 August 2018,
https://corporatesolutions.swissre.com/insights/knowledge/what_is_parametric_insurance.html.
32 Ibid.

make a payment upon the occurrence of a triggering event and as such is detached from
loss or damage to an underlying physical asset or piece of infrastructure.
A parametric solution always consists of (1) a triggering event, being an event whereby
the insurance cover is triggered if predefined event parameters are met or exceeded, meas-
ured by an objective parameter or index that is related to an insured’s particular exposure,
for example, an earthquake, tropical cyclone or flood where the parameter or index is the
magnitude, wind speed or precipitation respectively; and (2) a pre-agreed payout if the
parameter or index threshold is reached or exceeded, regardless of actual physical loss
sustained. The threshold is usually set in such a way that aligns with a client’s own vulner-
abilities, business continuity plans and risk tolerance.33
There are a number of advantages to deploying a parametric model, but the underly-
ing complexities both in terms of consumer expectations and regulatory oversight pose a
range of challenges. This chapter explores some of those benefits and issues.

Autonomous transportation: Liability and insurance


Chapters 7, 8 and 9 deal with the autonomous transportation revolution—on the land, on
and below the surface of the sea and in the air—and the associated insurance opportuni-
ties and challenges.
The widespread adoption of autonomous vehicles, vessels and aircraft will necessarily
bring with it major impacts to the insurance industry.34 For example, in the motor vehicle
industry, these impacts include decreased private ownership of vehicles, reduction in the
number and severity of accidents and insurance claims, potential liability allocation shifts
from the driver to the manufacturer of the vehicle and associated technology providers,
third-party liability risks, cyber liability, infrastructure insurance and assessment of risks
and premiums.
Many of the same issues will arise as a result of the use of autonomous and remotely
controlled ships (maritime autonomous surface ships or MASS), and the use and deploy-
ment of unmanned aerial vehicles (UAVs or drones).
Regulators and policymakers are still grappling with what the regulatory environment
and framework for autonomous road vehicles and MASS should encompass. Although
there is broad acceptance that regulatory intervention needs to tread a path that does
not stifle innovation and is not so “heavy-handed” as to stifle growth,35 how that will
play out remains subject to various interpretations. Sensitivity to this measured approach
is strongly evidenced in the December 2020 European Commission’s Communication
to the European Parliament,36 wherein the necessity to put European road transport on
track for the future was emphasised. Further, the importance of a coordinated European
approach to connectivity and transport activity to overcome crises such as the COVID-19

33 Jonathan Charak, Sebabrata Sarkar, “Parametric Insurance Proposition,” Zurich and Swiss Re, CAS
Spring 2020.
34 See, for example, Julie-Anne Tarr, Anthony Tarr and Amanda George, “Autonomous Vehicles:
Regulatory, Insurance and Liability Issues” (2021) 49 Australian Business Law Review 171.
35 See, for example, Kyle Bowyer, “The Robotics Age: Regulatory and Compliance Implications for
Businesses and Financial Institutions” The European Financial Review (21 April 2018)
www.europeanfinancialreview.com/the-robotics-age-regulatory-and-compliance-implications-for-businesses-and-financial-institutions/.
36 See, for example, COM 789 (n 14).

pandemic and to strengthen the European Union’s strategic autonomy and resilience was
underscored.
In assessing the timing and nature of regulatory intervention, the various stages of
automation are critical. International standard J3016 for autonomous vehicles defined in
2014 by the Society for Automotive Engineers International (SAE) categorises six levels
of driving automation, from SAE Level Zero (no automation) to SAE Level 5 (full vehicle
autonomy).37 Similarly, the International Maritime Organization (IMO) has been conduct-
ing a scoping exercise that uses four provisional degrees of autonomy: (1) Ships with
automated processes and decision support; (2) remotely controlled ships with seafarers
on board; (3) remotely controlled ships without seafarers on board; (4) fully autonomous
ships that are able to make decisions and determine actions by themselves.
Accenture and Stevens Institute of Technology38 predict that there will be 23 million
fully autonomous vehicles travelling United States’ highways by 2035, but at present even
the most advanced vehicles in their migration to full autonomy may be categorised as SAE
Level 2 or 3. At present, the only ships operating at IMO Level 4 are short-haul ferries, and
some harbour tugs are operating at SAE Levels 2 and 3. However, Advanced Autonomous
Waterborne Applications (AAWA), a joint industry-based project based in Finland, has
plans for a SAE Level 3 or Level 4 ship that will operate in coastal waters by the end of the
2020s, and the European Union’s Maritime Unmanned Navigation through Intelligence in
Networks (MUNIN) project is assessing the feasibility of using a merchant ship at SAE
Level 4 throughout an open sea voyage within ten years.
These developments in turn generate debate as to whether the regulatory focus should
be on fully automated vehicles and ships to avoid the fragmented liability issues that come
with partial or conditional autonomy, and consideration as to what changes are required
now and what can be deferred. For example, the UK Department for Transport and the
Centre for Connected and Autonomous Vehicles recognised arguments for changes to
product liability law to facilitate damages being directly recoverable from manufacturers
but concluded that it was not a proportionate response when there were a small number of
autonomous vehicles in proportion to the whole vehicle fleet.39 Similar issues of regulation
and product liability arise in relation to partially or totally autonomous ships, but they are
complicated by the possibility that such ships will soon be able to undertake international
voyages, passing from one national legal system to another.
Regulatory questions are not the only items on the disruption menu. Insurers face
major challenges deriving from significant change that is foreshadowed in relation to the
ownership and operation of autonomous vehicles. It is anticipated that a large percent-
age of fully autonomous vehicles will be owned by motor vehicle manufacturers “such
as General Motors, by technology companies such as Google and Apple, and by other

37 Jennifer Shuttleworth, “SAE Standards News: J3016 automated-driving graphic update,” 7 January
2019, www.sae.org/news/2019/01/sae-updates-j3016-automated-driving-graphic.
38 Lawrence Karp et al., “Insuring Autonomous Vehicles: Opportunity between now and 2025,” Stevens
Institute of Technology and Accenture (2017) (out of about 250 million total cars and trucks registered in the
US) (hereafter Accenture 2017).
39 Department for Transport, “Pathway to driverless cars: Consultation on proposals to support Advanced
Driver Assistance Systems and Automated Vehicles Government Response,” Centre for Connected and
Automated Vehicles, January 2017,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/581577/pathway-to-driverless-cars-consultation-response.pdf.

service providers such as ride-sharing services.”40 Examples include Uber, which has
agreed to purchase as many as 24,000 self-driving Volvo cars once the technology is
production-ready, putting the vehicles into its extensive ride-hailing network.41 Similarly,
Amazon-owned Zoox has unveiled an electric autonomous vehicle as part of an intended
robotic taxi enterprise.42
With most autonomous vehicles likely to be owned by original equipment manufac-
turers and other service providers such as ride-sharing companies, Accenture and the
Stevens Institute of Technology43 predict the number of individual policies will decline,
along with revenues from premiums generated by these policies. Moreover, they add that
“since autonomous vehicles will be considerably safer than vehicles driven by humans,
there will be fewer road accidents, leading to reduced pricing for insurance policies.” A
reduction in the number of policies coupled with potentially lower premiums poses major
challenges to the traditional motor vehicle insurance market.
In contrast, it is expected that autonomous and remotely controlled ships will be owned
by private parties, as their existing crewed counterparts are, but they will alter the existing
dynamics of the most commonplace liability insurance relative to ships, which is done on
a mutual basis by Protection and Indemnity Associations (P&I Clubs). Mutuality is the
central tenet of P&I insurance, namely that every shipowner that enters a ship in a Club
is both insurer and insured. The dynamics of mutuality will operate very differently if
some ships are crewed and others are not—indeed, if liability is to rest with the software
designers or ship designers, it will not be an operational cost to be shared among the Club
members mutually.
Accordingly, regulators and insurers face significant challenges in addressing and
responding to the diverse and complex issues that arise in this emerging era of the driv-
erless car and crewless ship. Addressing these issues and choosing between competing
solutions is no easy task and has profound implications for insurance law and practice in
all jurisdictions.
With increased autonomy, it is inevitable that the focus will shift from human liability
to possible manufacturer or design defects in the vehicle or ship. With regards to ships,
this may challenge the bedrock of limitation of shipowners’ liability, with the rise in
importance to the shipping sector of manufacturers and designers of autonomous systems,
and classification societies. This will potentially implicate other policy types, including
product liability insurance for manufacturers of autonomous vehicles and ships and their
components, and necessitate apportionment of liability with new insurance products
which address product liability issues, as well as dealing with new and emerging risks
such as cyber security and data protection. Cyber security and data protection are already
acutely important for ships, which transmit and receive considerable quantities of infor-
mation from remote locations at sea to land-based servers, using increasing quantities of

40 John Cusano and Michael Costonis, “Driverless Cars Will Change Auto Insurance. Here’s How Insurers
Can Adapt,” Harvard Business Review, 5 December 2017,
https://hbr.org/2017/12/driverless-cars-will-change-auto-insurance-heres-how-insurers-can-adapt.
41 Mike Isaac, “Uber Strikes Deal with Volvo to Bring Self-Driving Cars to Its Network,” New York Times,
20 November 2017, www.nytimes.com/2017/11/20/technology/uber-deal-volvo-self-driving-cars-.html.
42 Kara Swisher, “Autonomous Vehicles Take Another Big Leap,” New York Times, 14 December 2020,
www.nytimes.com/2020/12/14/opinion/Zoox-Amazon-self-driving.html?.
43 See Accenture 2017 (n 38).

bandwidth. Transmission of data to and from ships will necessarily increase when they
become remotely controlled or fully autonomous.
Notwithstanding the new horizons in efficiency ushered in through drone usage, there
are growing risks associated with the rapid growth in the use and deployment of drones,
and these risks are not at the stage yet where they are stabilising. Instead:
given technological advances, the veritable explosion in their usage, their capacity to carry
payloads and their ability to travel vast distances, the potential for injury or damage resulting
from drone operations is ever increasing. Their increased deployment through transport and
delivery services in high density population areas will further enhance personal injury and
property damage risks.44
Moreover, a primary and growing concern of aviation authorities and experts is the num-
ber of incidents where drones have come into contact with or caused hazards to aircraft.
Other risks, both from an operational and insurance perspective, include nuisance, pri-
vacy issues and concerns around data collection, through the use of drones to collect
information through aerial surveillance, which could result in the drone collecting unin-
tended data.45 This is particularly pertinent to government agencies and law enforcement,46
whose increasing use of drones gives rise to serious privacy issues and concerns around
data collection and use. However, these concerns are equally applicable to non-govern-
mental agencies who, for example, may use drones to collect unauthorised data through
aerial surveillance of a mining company’s resources, a farmer’s or commodity trading
company’s crops, or land developers’ properties.47
As with any rapidly evolving technology, drone use is revealing new vulnerabilities and
cybersecurity threats. No organisation is immune from the risks and associated costs of
tackling cyber threats. Loss of reputation, monitoring and notification costs, and network
interruptions associated with breaches all need to be considered. Real concerns include
attacks that exploit vulnerabilities in a drone’s software or firmware to take over the
drone and gain access to an organisation’s other networks and systems, and malware
embedded in drone software that could compromise the device where it is located and
allow data sent to and from the drone to be exfiltrated and reviewed. These risks need to be mitigated
with improvements in technology, regulation and appropriate insurance.
Chapter 9 outlines some of the challenges that insurers face and sets out some of the
approaches that insurers have taken to underwrite risks relating to drone operations.

The rise of fintech: Liability and insurance


Over the past few years, the rise of financial technology—fintech for short—has had a
profound impact across the globe. Indeed, there has been more progress in the fintech
sector in the last ten years than in the past century. While this journey largely began

44 Julie-Anne Tarr, Maurice Thompson and Anthony Tarr, “Regulation, risk and insurance of Drones: An
urgent global accountability imperative” (2019) 8 Journal of Business Law, p 559, 562.
45 Ibid., 561.
46 Matthew R Koerner, “Drones and the Fourth Amendment: Redefining expectations of privacy,” 2015
64(6) Duke Law Journal 1129, 1131; Laura La Bella, “Drones and Law Enforcement: Inside the World of
Drones,” (Rosen Publishing, 2017) 10.
47 See, for example, Maurice Thompson, Clyde & Co, who observes that “companies are at great risk of
industrial espionage from drones,” quoted in Ben Norris, “The Search for Risk-Based Rules,” 21 May 2019,
Commercial Risk Europe 14.

with fintechs disrupting the traditional banking sector by creating innovative finan-
cial products and delivering them digitally, almost instantaneously and for a fraction
of the cost, as will be apparent from the earlier chapters, a similar pattern is develop-
ing in the insurance space.
In this regard, one of the main reasons the fintech sector has grown so quickly is
its diversity. Fintechs are providing novel ways of doing business in every branch of
finance imaginable. While the propositions naturally differ from one fintech to the next,
they are typically leveraging breakthrough technologies such as big data, AI, distributed
ledger technology and blockchain (the foundation of cryptocurrencies), IoT/telematics,
robotics, biometrics and many more. These offerings are typically made available via
digital platforms and mobile apps.
This proliferation of new technologies has reshaped existing marketplaces, offering
consumers and businesses new ways of doing things they have already been doing, and
has even created new marketplaces in certain instances. It has allowed a host of exciting
new companies to enter the scene who are all looking to revolutionise the financial world. Some
are acting as “enablers” to incumbents, who (while they have been a little slow getting
there—often due to them being impacted by their legacy systems) now recognise that they
need to incorporate new innovative technologies so that they are not left behind. Others
are acting as “disruptors,” by seeking to change the entire business models of the incum-
bents. We have also seen the tech giants (i.e. Google, Amazon, Facebook and Apple)
becoming much more active in this space.
Chapter 10 explores the different types of emerging technology in the financial services
sector and the range of product offerings. Fintechs clearly offer many benefits including
employment and investment opportunities, faster and more efficient processing, personal-
ised services and financial inclusion. However, transforming traditional financial services
is no easy feat, and these potential benefits are, of course, matched with new and often
complex business risks.
The risks that fintechs and the industry face are canvassed in some detail. In broad
terms, one of the biggest hurdles that fintechs face is trying to adapt their products and
services to work within the relevant “regulatory perimeters” where they apply, which tend
to differ greatly from one jurisdiction to the next. This is also against a backdrop where
regulators across the globe are themselves seeking to understand emerging technologies
and are grappling with how to strike the right balance between not stifling innovation
while protecting consumers. In some jurisdictions, regulators intentionally adopt a pas-
sive stance and watch from the sidelines as the industry develops its own norms. The
absence of regulatory guidance can both encourage and deter innovation.
This chapter considers, at a high level, the types of government policy and regulation
implemented in different jurisdictions and how this is being used to encourage innova-
tion and support the use of new technology. For example, the UK Government’s policy
has focused on stimulating the fintech sector via the creation of an innovation hub and a
regulatory sandbox, the introduction of open banking and the establishment of various
taskforces.
While the rise in the use of fintech clearly brings with it unique risks, which should not
be underestimated, it also presents new opportunities for insurers willing to enter into
this emerging fintech insurance space. The chapter therefore also explores how the insur-
ance market is beginning to embrace this opportunity, while highlighting the obvious

challenges it presents. Fintech insurance policies require careful tailoring for the specific
insured, because no two fintechs are the same, and the product, and price, will also need
to match the business and the stage the company is at.
Whatever the stage on this journey, underwriters should approach these risks with a
healthy degree of caution—the risks are, after all, often experimental companies employ-
ing experimental technology.
Underwriters will also need to consider the impact of wider industry issues and the
evolving regulatory landscape, and have a clear understanding of the underlying technolo-
gies being used and the products/services on offer, to really define and address the specific
risks to the fintech in question. A “one size fits all” approach is unlikely to work here.

Cyber risk and insurance


Several of the chapters in the book naturally touch upon information security and cyber
risk to some degree given the digitisation of many industries and products. However,
Chapter 11 focuses on the very important and growing area of cyber risk insurance in
more specific detail.48 AGCS49 observe that:
Cyber insurance claims have increased significantly in recent years, driven by the rise of
threats such as ransomware attacks, but also due to the growth of cyber insurance. AGCS has
been involved in more than 1,000 cyber claims a year for the past two years, compared with
fewer than 100 in 2016. Claims frequency has begun to stabilize however, albeit at elevated
levels.
Ransomware remains a major concern—year-on-year attacks are reported to have
increased by 13%, a jump greater than the past five years combined. Double extortion, where
the ransomware attack is actually subterfuge for stealing data as well, is a trend that goes
under the radar. In short, companies can get hit twice from the same incident.

Cyber insurance is an insurance product which is intended to cover the costs, losses and
liability exposure of named policyholders arising out of a range of “cyber incident” types
(which will typically be defined) and applies to actual or suspected incidents, thereby
allowing suspected activity to be investigated even if the findings are ultimately that a
breach did not occur.
The major factors fuelling the cyber insurance market include data breaches that cost
millions of dollars to businesses, the surge in mandatory cybersecurity regulations and
legislation, prospects of recovery of financial losses, and the increased frequency and
sophistication of cyber threats.50
This chapter covers several elements of cyber risk management, incident response
preparedness and cyber insurance. It emphasises that, although the cyber risk and insurance
landscape is constantly evolving, several fundamental principles remain constant despite
all the moving parts.

48 For example, the global cyber insurance market size in the post-COVID-19 scenario is projected to grow
from US$7.8 billion in 2020 to US$20.4 billion by 2025, at a CAGR of 21.2% during the forecast period. See for
example, www.marketsandmarkets.com/Market-Reports/cyber-insurance-market-47709373.html?gclid=EAIaIQobChMIo5a88PmK9wIVzTUrCh1x-gU0EAAYAiAAEgJN7PD_BwE (hereafter Markets and Markets).
49 Allianz 2022 (n 16).
50 Markets and Markets (n 48).

It emphasises the need for directors and officers, core members of response teams,
insurance purchasers, risk managers, IT/information security and legal functions to
approach the management of cyber risk as a team effort and an issue that needs to be
tackled in a multi-functional way. The chapter also discusses the various standards and
frameworks against which organisations may benchmark themselves to reach a certain
level of maturity or competency, achieving optimum levels of resilience and good
“cyber-hygiene” practices.
The chapter outlines the key steps that organisations can take to set themselves up for
success if they experience a cyber incident. The aim of this section is to provide busi-
nesses with tools that they can add to their toolkit, to anticipate incidents and develop
resilience so that they can maintain trust with their stakeholders while managing a crisis
and avoiding common pitfalls.
The benefits of cyber insurance for organisations are described, as well as some of the
recent challenges that the industry faces when discussing cyber insurance with clients in the
current environment. The views of various speciality cyber brokers are canvassed to provide
some perspective on the challenges and opportunities with the insurance market, the uptake of
insurance and how the industry can encourage more entities to take out insurance.

Professional indemnity insurance


Chapter 12 examines the fallout from the pandemic and the key challenges and
opportunities that are likely to be at the forefront of the minds of professional indemnity insurance
market participants in the future, from both the carrier and insurance buyer perspective.
Pandemic-related claims have yet to materialise on the scale that may have been
expected, and given the time lag associated with losses resulting from economic or
supervisory issues for example, it may be some time before they do. However, the insurance
industry anticipates that there are key areas where COVID-19 might change buyers’ risk
profiles, with the increased threat associated with weakened supervision being the most
critical. Increased privacy, and cyber and ransomware exposures in the remote and hybrid
working environment are major concerns, together with the financing and insolvency
consequences of the economic impact of the recession. Insurance buyers are also keenly aware
of the impact of COVID-19 on their risk exposure, in particular, with regard to the shift
to remote or hybrid working. Staff oversight challenges, raised threats of data breaches,
cyber and ransomware attacks, and increased attention from regulators and professional
bodies regarding the maintenance of standards are at the forefront of their concerns.
AGCS51 anticipates that another growth area for claims will derive from complex
construction projects. They state:
More innovative designs, new materials and methods of construction are creating fertile
ground for large liability claims against architects, engineers, developers and construction
companies. Large complex construction projects increasingly rely on input from external
professionals that are highly specialized in providing technical expertise in their fields, such as
water resources and environmental engineers, geologists, metallurgists or design architects.
However, errors in data, statistical process control, detailed design and performance
assessment or simply poor advice are leading to problems that are difficult and expensive to rectify.

51 Allianz 2022 (n 16).


In addition to construction, risk trends emerging within other specific industries,
including healthcare and financial services, are examined, as well as how professionals within
those industries (and by extension, insurance carriers) are likely to be affected.
Other new challenges have emerged, including increased regulatory oversight,
recessionary pressures and economic headwinds (caused in part by geopolitical turmoil around
the world). These factors have led, and will continue to lead, to insolvencies. For carriers, the
severity of claims has also increased, with inflation being particularly prevalent in claims
brought against construction professionals.
In relation to D&O cover, climate change and factors affecting the environment are now
a very significant priority for directors to provide the appropriate guidance to investors
and shareholders.52 Other social issues for directors to consider now are the ethical and
cultural risks from the increasing use of social media, and derivative class actions
regarding inappropriate workplace relationships.53
Some of the impacts anticipated will result in the use of more alternative risk transfer
models, and more captive insurers, mutuals and government-backed programmes. These types of
structures are described, and an assessment is made as to how they will continue to emerge as
certain risks become more difficult to place or become commercially uninsurable.
The chapter considers also developments in how professional indemnity insurance is
transacted and how claims are processed, and how emerging technologies including big
data and automation will continue to develop and will enable market participants to do
business more efficiently and with greater accuracy. For the reasons set out in this chapter,
it is expected that in the years to come, technology will have a significant impact on the
traditional role of established professions, on emerging professions and on the broader
professional indemnity insurance market.
Against this backdrop of what can best be described as challenging times,
Chapter 12 considers these issues in a global insurance market context.

Natural disasters, climate change, pandemics and insurance


Chapters 13, 14 and 15 focus on major external dynamics and circumstances that have,
and will continue to have, very significant and global impacts on the insurance industry.
The insurance industry is just one of many parts of the world economy that will bear the
costs of climate change. Leading global insurers have for many years sounded the alarm
regarding the potential loss of value that climate change will bring about through, for
example, increased incidence of wildfires or lengthening of the wildfire season, or higher
sea levels and larger storms giving rise to storm surge and heavy flooding in coastal cities.
Similarly, pandemics such as COVID-19 bring insurance into very sharp focus.

52 See, for example, “5 ESG concerns for corporate boards with a social conscience,” World Economic
Forum, 30 March 2021, www.weforum.org/agenda/2021/03/5-esg-concerns-for-corporate-boards-with-social-conscience-jobs/.
53 Catrin Povey and Charlotte Hanson, “A hardening market for Directors & Officers insurance,” Capital
Law, 28 July 2022, www.capitallaw.co.uk/news/2022/08/12/a-hardening-market-for-directors-officers-insurance/;
see, for example, Scott Carlton, “The #MeToo Movement and the Shareholder Derivative Action,”
24 April 2019, American Bar Association, www.americanbar.org/groups/litigation/committees/class-actions/practice/2019/me-too-movement-lawsuits-shareholder-derivative-action/.


Natural disasters
The losses associated with wildfires, hurricanes, floods, earthquakes and other natural
catastrophes create huge challenges for the global insurance industry. For example, Hurricane
Ian in the United States and other extreme weather events such as the winter storms in
Europe, flooding in Australia and South Africa as well as hailstorms in France and in the
US resulted in an estimated US$115 billion of natural catastrophe insured losses in the first
11 months of 2022, according to Swiss Re Institute.54 Such risks result in multiple losses in
the same geographic area at approximately the same time. This makes estimating potential
payments to policyholders and, in turn, setting appropriate premiums exceptionally
difficult. Pandemic risk cover is even more problematical than other forms of natural
catastrophe (Nat Cat) cover because the—usually far greater—multiple losses are not restricted to
a particular geographical area and may continue for months or years afterwards.
As the Natural Disaster Insurance Review explains,55 the role of insurance in
community recovery from natural disasters can be seen in three dimensions. First, insurance can
encourage mitigation to reduce losses from future weather events. The price, or premium,
for insurance provides signals about the level of risk from a range of hazards and has some
encouragement for risk mitigation and reduced vulnerability to loss. Second, insurance can
provide financial protection to property owners in the event of loss through a process of
aggregating premiums and spreading risk. Third, and more widely, insurance allows the economy
to manage risk more effectively, reducing financial uncertainty in the event of a disaster and
allowing for a more efficient use of capital by individuals, businesses and governments.

Pandemics
In light of the appalling toll on lives and livelihoods wrought by the COVID-19 pandemic,
Chapter 13 considers the challenges faced by the insurance industry, and especially by
those who provide BII cover, to future “inevitable” pandemics.56 It looks, first, at the
nature of BII cover across several markets. It then examines the most significant
judgments from the UK and other common law jurisdictions on the response of BII cover
to pandemic-related claims. These judgments reveal a confused and confusing
jurisprudence on the subject, with courts struggling—and often failing—to balance the needs of
policyholders with the ability and willingness of insurers to meet those needs.
Despite the existence of some specialist pandemic insurance policies,57
overwhelmingly, BII policies have borne the brunt of COVID-19 pandemic-related claims, including

54 “Hurricane Ian drives natural catastrophe year-to-date insured losses to USD 115 billion, Swiss Re
Institute estimates,” Swiss Re, 1 December 2022, www.swissre.com/press-release/Hurricane-Ian-drives-natural-catastrophe-year-to-date-insured-losses-to-USD-115-billion-Swiss-Re-Institute-estimates/2ab3a681-6817-4862-8411-94f4b8385cee.
55 “Inquiry into flood insurance and related matters,” September 2011, The Australian Government the
Treasury.
56 There is a general expectation of such future pandemics by those in the scientific community. See K E
Jones et al., “Global trends in emerging infectious diseases” (2008) Nature, 451(7181), 990–993; K F
Smith et al., “Global rise in human infectious disease outbreaks” (2014) Journal of the Royal Society Interface,
11(101), 20140950; and J Hilsenrath, “Global Viral Outbreaks Like Coronavirus, Once Rare, Will Become
More Common,” Wall Street Journal, 6 March 2020.
57 For example, a parametric pandemic risk insurance product, PathogenRX, was developed by Marsh,
Munich Re and Metabiota and introduced to the market in May 2018. R Banham, “This Insurance Would Have
Helped in Coronavirus Crisis but Nobody Bought It,” Insurance Journal, 3 April 2020, www.insurancejournal


in terms of media controversy and litigation. Insurers’ arguments that BII policies were
not designed to meet such claims have, often, succeeded in the courts but have not
satisfied policyholders, regulators or political leaders’ demands for amelioration of the dire
financial consequences for businesses brought about by the COVID-19 pandemic.
The role of BII cover in meeting the coverage gap is considered, as are actual and/or
potential approaches by governments to facilitate and support the sharing of pandemic
risk in light of the almost insurmountable challenges the private insurance market faces
without external support. The failure of any of a number of public/private pandemic
insurance programmes to progress beyond the design stage into actual implementation over the
last three years is noted.
It concludes with an assessment of the likelihood of the pandemic coverage gap being
closed before the next outbreak. That assessment is not an optimistic one.

Climate change
The scientific consensus on climate change is clear: Humankind is facing an impending
crisis. In 2021, the Intergovernmental Panel on Climate Change stated that “it is unequivocal
that human influence has warmed the atmosphere, ocean and land.”58 In 2022, it warned that
“reaching 1.5°C [of global warming] in the near-term, would cause unavoidable increases in
multiple climate hazards and present multiple risks to ecosystems and humans.”59
Climate change poses a tremendous risk to the global financial system. Climate
change-related risks in financial markets are categorised as (1) physical; (2) transition; or (3)
liability risks. Physical risks encompass physical impacts of climate change, such as increased
flooding, extreme heatwaves, melting of ice caps, unprecedented wildfires and other
natural hazards, which cause loss of lives and livelihoods, and damage to landscapes,
buildings, property and infrastructure.
Transition risks are risks associated with the transition from a fossil fuel-based to a
net-zero economy. Examples include the risk of loss of investment in carbon-intensive assets
and infrastructure (so-called “stranded assets”), such as oil rigs, which will have to be
abandoned before the end of their economic life.
Liability risks often arise from mismanagement of physical and transition climate risks,
or alleged contribution to climate change, and may materialise in regulatory fines, legal
actions and reputational damage, all of which involve considerable costs to businesses.
Financial institutions and, in particular, the insurance industry will play a crucial role in
the global effort to mitigate these risks.

.com/news/national/2020/04/03/563224.htm. It has also been reported that only one policy was sold prior to the
onset of the pandemic, see E Ratliff, “We Can Protect the Economy from Pandemics. Why Didn’t We?” Wired,
16 June 2020, www.wired.com/story/nathan-wolfe-global-economic-fallout-pandemic-insurance/.
58 A Reisinger, M Howden, C Vera et al. “The concept of risk in the IPCC Sixth Assessment Report:
a summary of cross-Working Group discussions,” Intergovernmental Panel on Climate Change, Geneva,
Switzerland, 4 September 2020.
59 IPCC, 2022, “Climate Change 2022: Impacts, Adaptation, and Vulnerability.” Contribution of Working
Group II to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change [H.-O. Pörtner,
D.C. Roberts, M. Tignor, E.S. Poloczanska, K. Mintenbeck, A. Alegría, M. Craig, S. Langsdorf, S. Löschke, V.
Möller, A. Okem, B. Rama (eds.)]. Cambridge University Press, Cambridge, UK
and New York, NY, USA, 3056, doi:10.1017/9781009325844, 13.


Although physical risks are already creating loss, it appears that it will be the transition
to a net-zero economy that will have the largest impact over the next decade. To reach
the climate change goals set out in the Paris Agreement60 and pivot away from fossil fuel
dependence, policy advisors are outlining the need for dramatic business model
transformations in different economic sectors as well as profound changes in everyday life that
impact core and essential sectors of the world economy. There are increasing signs that
we have entered a period of transition towards a net-zero economy, with actions gaining
momentum within both the public and private sectors. The availability of new
technologies (for example, green, clean and carbon capture and storage (CCS)) is being coupled
with increasing government willingness to support the shift to a net-zero economy, with
some governments making “green” investment part of their post-pandemic recovery plans.
Insurers, investors and corporations are engaging in various platforms to set targets
and facilitate the transition to net-zero business models.61 Conversations are also taking
place through platforms such as the World Economic Forum on “Mission Possible,”62 the
“great reset”63 and “building back better.”64 Other important developments are happening
in the financial sector. These include growing adoption of the Financial Stability Board’s
(FSB) Task Force on Climate-Related Financial Disclosures (TCFD) recommendations
for assessing and disclosing climate risk and supporting informed decision-making for
investing, sustainable finance initiatives to mobilise mainstream finance to invest in the
transition, and climate risk consideration by financial and insurance regulators and
international rating agencies.65
In energy transition terms, as oil majors increasingly invest in renewable technologies,
insurers too have been moving into the renewables market, by acquiring specialist
practices or upskilling underwriters. Lloyd’s has indicated that the market will phase out the
renewal of existing insurance policies for thermal coal, oil sands and new Arctic energy
exploration over the next decade.66 The pressure on insurers as institutional investors to
shift away from investing in fossil fuels is also growing stronger. In 2021, a group of eight
leading insurers joined together in the Net-Zero Insurance Alliance, pledging to transition
their underwriting portfolios to net-zero greenhouse gas (GHG) emissions by 2050.
There has already been significant shareholder pressure to defund coal, and
hydrocarbons—especially oil—look to be the next target. With everything moving in that
direction, insurers are quickly looking to diversify by adding renewables risks to their
portfolios. As different types of renewable energy gain momentum across the globe,
marrying sector-specific underwriting expertise with jurisdictional knowledge is becoming
a priority. Offshore wind is a prime example. The technology was developed and first
deployed in Europe, and most of the technical underwriting experience resides in London.

60 “Paris Agreement to the United Nations Framework Convention on Climate Change,” 12 December
2015, T.I.A.S. No. 16-1104.
61 Net Zero Asset Owner Alliance, Net Zero Asset Manager Alliance, Climate Action 100+, etc.
62 www.weforum.org/projects/mission-possible-platform.
63 www.weforum.org/great-reset/.
64 www.wemeanbusinesscoalition.org/build-back-better/.
65 Maryam Golnaraghi, Joana Setzer, Nigel Brooke, Wynne Lawrence and Lucia Williams, “Climate
Change Litigation—Insights into the evolving global landscape,” The Geneva Association, April 2021.
66 See, “Lloyd’s takes action to accelerate transition to sustainable economy,” Lloyd’s, 16 December 2020,
www.lloyds.com/about-lloyds/media-centre/press-releases/lloyds-takes-action-to-accelerate-transition-to-sustainable-economy.


However, now that offshore wind power generation is taking off in Asia, an on-the-ground
understanding of the commercial and regulatory landscape in countries such as China,
South Korea, Vietnam and Japan is vital. Going forward, the same will apply in the US,
as the technology starts to gain traction there.
Chapter 14 discusses how the global financial community, and particularly the
insurance sector, has worked to address the problem of climate change, focusing on physical
and transition risks.
Chapter 15 analyses the liability risks posed by climate change and discusses how
climate liability risk is a consequence of increased physical and transition risks.
Along with these risks, several other factors are driving the growth of climate
litigation. The chapter reviews the history of climate litigation. Various types of such litigation
have developed over the past few decades—ranging from government “framework” cases
aimed at increasing ambition to mitigate climate change at the national level to
greenwashing cases and securities/shareholder actions against directors.
The chapter concludes by analysing what the growth of climate litigation and the
accompanying legislative scrutiny of the issue means for insurers, noting the growing
expectations that financial actors have and the practical steps being taken in facilitating
the transition to net zero.

Concluding comments
The final chapter reflects upon some of the critical and most significant transformations,
challenges and opportunities outlined and addressed in this book and forecasts some key
steps or issues going forward.
The rapid shift in the perception, scope and scale of the digital space since the turn of
the century has had—and will continue to have—a radical effect on many industries. For
insurers, the impact is particularly transformative, not just in how they might transact
business but also in how they understand, assess and price risk.
The exponential increase in the capacity of organisations to collect, store and use data
also poses huge challenges for regulators, and there is no room for complacency. As
discussed above, the global landscape in which insurance is transacted continues to change
at a rapid rate, particularly in relation to the availability of data, burgeoning access to
information and scientific/technological advances. Asymmetry of information, access to
and integrity of data, determination of liability in novel technological contexts and
insurance discrimination issues will continue to challenge regulators, insurers and the wider
community on a global basis.
Technological and scientific advances have the potential to impact insurance laws and
practices that have a long pedigree. For example, in this evolving data-driven global
insurance market, an insurer’s asymmetry of information relative to any particular transaction
being negotiated may be negated or become less significant. This may in turn demand
further reform to rebalance pre-contract information disclosure requirements in the global
insurance market.
Our concluding chapter reflects upon some of the key internal and external dynamics
impacting the global insurance market and takes a “look to the future” approach in
considering such matters as technology and digital assets, asymmetry of information, genetic
testing, genetic information and epigenetics, space, climate change and future cyber risks.

Chapter 2

Big Data, Artificial Intelligence and Insurance


Dino Wilkinson, Alec Christie, Anthony A Tarr and Julie-Anne Tarr

CONTENTS
Introduction
Artificial intelligence
Big data
How can big data and AI be used by insurers?
Impact on the insured’s duty of disclosure
Recent reform of the duty of disclosure
The future impact of AI-driven big data analytics on the duty of disclosure
What big data and AI analytics can deliver for insurers
Targeted/personalised marketing
Automated decision-making
Fraud detection
Consumer insurance “disclosure” questions
Balancing advantages and addressing risks
Big data, AI analytics and data protection/privacy
What are the perceived data protection/privacy and cyber security issues?
Origins of current data protection/privacy regimes
What data protection/privacy principles generally apply to big data and AI-powered analytics?
The future of data protection/privacy regulation and AI-powered analytics of big data
Conclusions

DOI: 10.4324/9781003319054-2

Introduction
The global landscape in which insurance is transacted continues to change at a rapid rate,
particularly in relation to the availability of, and lower-cost access to, data and the amount and
range of data available (for example, big data). This greater access to data combined with
corresponding scientific and technological advances (in particular, artificial intelligence
(AI)) results in contemporary insurers having recourse to information and resources
infinitely superior to those of their historical counterparts. However, the global nature of both big
data and today’s insurers also raises certain regulatory concerns relating to the different
jurisdictions from which the data originates:
For multinational companies, data analytics and data privacy are going to be significant risk
factors. It’s a compliance challenge that will be interesting for legal advisors and risk
managers to navigate. The next three to five years will be very busy in those areas. How do you
harmonise your data obtained from different jurisdictions?1

Big data2 refers to the enormous datasets which insurers have either collected themselves
or are able to access (and usually combine), which they can now interrogate, analyse and
“slice and dice” for information relevant to individual risks and for the risks related to
insuring an individual, group or types of insureds like never before. This provides new
insights into group, category, type and individual risks and predictive analytics that can
assist insurers to accurately predict (and thus better address) the needs of individuals,
types and groups of insureds and to better price the risk for each. Actuarial analysis has
refined the process of estimating risk/loss and setting premiums with appropriate regard
to a range of variables: Prudential margins are incorporated into loss forecasts to cater
for unforeseen contingencies, and the tyranny of distance is no longer a problem with
modern communications and technological advances. As the Centre for Insurance Policy
and Research3 explains:
There are a number of new and emerging technologies set to revolutionize the financial
services and insurance industry, including telematics, IoT, blockchain, digital platforms and AI.
These breakthrough technologies are reshaping the insurance industry by providing
innovative ways to measure, control and price risk; engage with customers; reduce cost; improve
efficiency; expand insurability; and create new products and business models.

In 2017, The Economist4 expressed its opinion that data had overtaken oil as the world’s
most valuable resource. However, unlike oil, data is showing no signs of being exhausted
any time soon. In fact, data is being generated at an exponentially increasing rate, with
Forbes5 reporting that, in 2018, some 2.5 billion gigabytes of data were being created per

1 General Counsel of a logistics company, Hong Kong, Clyde & Co. 2021. “Looking Glass Part 2: Deep
Dive into the New Risk Landscape,” 2022, www.clydeco.com/en/reports/2022/03/looking-glass-part-2-new-risk-landscape.
2 Brendan McGurk, 2019, Data Profiling and Insurance Law. Bloomsbury Publishing (hereafter Data
Profiling).
3 National Association of Insurance Commissioners & The Centre for Insurance, Policy and Research,
“How Artificial Intelligence is Changing the Insurance Industry,” CIPR Newsletter August 2017, Shanique
Hall (CIPR Newsletter) www.content.naic.org>inline-files>vol22_ai (hereafter CIPR Newsletter).
4 The Economist, “The world’s most valuable resource is no longer oil, but data,” The Economist (The
Economist, 6 May 2017), www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.
5 Bernard Marr, “How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should
Read,” Forbes, 2018, www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day


day. The ability to combine and analyse that data or determine how best to exploit that
“new oil” will lead to significant commercial advantages for all businesses, including
insurers:
Companies that can successfully adopt the benefits of data analytics, artificial intelligence and
other advanced tools will undoubtedly gain a competitive edge, but they must move quickly
to plug any knowledge gaps to ensure they are appropriately mitigating the associated risks.6
Data analytics are a key component of competitive advantage. As data becomes more
plentiful, exploiting its value whilst managing the associated risks is a priority for leaders across
all senior roles.7

Artificial intelligence
AI (including machine learning)8 is an indispensable fellow traveller with, and the tool to
unlock the “secrets” of, big data. AI analytics delivers the power to rapidly and efficiently
analyse enormous amounts of data, identifying and making good use of correlations that
would elude most current non-AI techniques—even the most expert human analysts—
and to learn and improve in the process.9
As Kevin Casey10 explains, in describing the reciprocal relationship that exists between
big data and AI analytics:
One of the fundamental business problems of big data could sometimes be summarized with
a simple question: Now what? As in: We’ve got all this stuff (that’s the technical term for it)
and plenty more of it coming—so what do we do with it? In the answers, it wasn’t always easy
to hear the answers to that question.
Moreover, answering that question—or deriving insights from your data—usually
required a lot of manual effort. AI is creating new methods for doing so. In a sense, AI and
Machine Learning (ML) are the new methods, broadly speaking.

As the engine to unlock the secrets of big data, AI enables machines to perform more
complex tasks (for example, analytics) that extend well beyond machines’ repetitive
mechanical activity and serves also to accelerate the implementation of deep data
application services. McKinsey & Company, in considering the impact of AI on insurance, paint

-the-mind-blowing-stats-everyone-should-read/?sh=3a387d1860ba. To put this in context, Forbes reports that
90% of the world’s data was produced in the last two years alone.
6 Dino Wilkinson, Partner, Clyde & Co, Abu Dhabi, “Looking Glass Part 2: Deep Dive into the New Risk
Landscape,” 2022, www.clydeco.com/en/reports/2022/03/looking-glass-part-2-new-risk-landscape.
7 Chief Ethics and Compliance Officer, FMCG, USA, “Looking Glass Part 2: Deep Dive into the New
Risk Landscape,” 2022, www.clydeco.com/en/reports/2022/03/looking-glass-part-2-new-risk-landscape
(hereafter Chief Ethics, Clyde & Co).
8 CIPR Newsletter n3 p2, defines “AI” as follows:
“At its essence, AI can be defined as the science of making computers do things requiring intelligence
when done by humans, including learning, planning, reasoning, problem solving and decision-making. Various
AI-related technologies, such as natural language processing (NLP), computer vision, robotics, machine
learning and speech recognition, have substantially progressed over the years to coalesce into systems that do, think,
learn and continuously adapt.”
9 See, for example, John Villasenor, “Products liability law as a way to address AI harms,” Brookings,
31 October 2019, www.brookings.edu/research/products-liability-law-as-a-way-to-address-ai-harms/#:~:text=Under%20strict%20liability%2C%20manufacturers%E2%80%94including.
10 Kevin Casey, “How big data and AI work together,” Enterprisersproject.com, 14 October 2019,
https://enterprisersproject.com/article/2019/10/how-big-data-and-ai-work-together.


an interesting and compelling futuristic picture of the insurance ecosystem in 2030. Some
key points taken from their 2030 insurance predictions that resonate are as follows:
The experience of purchasing insurance is faster, with less active involvement on the part of
the insurer and the customer. Enough information is known about individual behaviour, with
AI algorithms creating risk profiles, so that cycle times for completing the purchase of an auto,
commercial, or life policy will be reduced to minutes or even seconds. Auto and home carriers
have enabled instant quotes for some time but will continue to refine their ability to issue
policies immediately to a wider range of customers as telematics and in-home Internet of Things
(IoT) devices proliferate and pricing algorithms mature. Many life carriers are experimenting
with simplified issue products, but most are restricted to only the healthiest applicants and are
priced higher than a comparable fully underwritten product. As AI permeates life
underwriting and carriers are able to identify risk in a much more granular and sophisticated way, we
will see a new wave of mass-market instant issue products.11

AI itself is rapidly evolving and, when in place, quickly learns and improves in situ. AI
analytics (and AI generally) learns from each analysis of the data it is asked to undertake
and uses those “learnings” for future insights and ever more accurate predictions. That is,
the analysis and predictions get better and better with use. It is transforming the insurance
industry in areas including underwriting, customer service, claims, targeted/personalised
marketing and fraud detection.
There is no doubt as to the rapidly growing importance of AI analytics in unlocking the
secrets of big data and, ultimately, in automating certain business decisions based on that
AI analysis of that big data:
All compliance and ethics people talk about is AI. How do we automate and how do we risk
monitor? I don’t think it’s well understood by business people across the spectrum. Although
outside the top three trends, AI is recognised as introducing new and complex implications for
risk management, and potential applications far beyond automating repetitive tasks and into
creative areas such as design.12

Insurers, insurtech, start-ups and incumbents alike are also looking to leverage both their
abundant data and other available datasets to find new areas for growth, with an industry-
wide push to make use of innovations such as AI to improve data analysis, the range and
depth of “questions” that can be asked of the data, the quality of decisions made by the AI
and to boost overall efficiency. Innovation is starting to take centre stage with insurers,
spurred on by the pandemic, during which insurers saw what could be achieved:
In my sector, insurance, the pandemic has increased the urgency behind the adoption of
insurtech. Suddenly there was an accelerated testing of all that had been happening in the last
five to seven years, in turn enabling insurtechs to prove their case beyond what they would
have been able to do under normal circumstances. Insurance, like many other sectors, is start-
ing to scrutinise every aspect of what it does and now it is ready to move forward with eyes
wide open to digitise to an extent not seen before.13

11 Ramnath Balasubramanian, Ari Libarikian, and Doug McElhaney, “Insurance 2030—The impact of
AI on the future of insurance,” McKinsey & Company, 12 March 2021, www.mckinsey.com/industries/financial-services/our-insights/insurance-2030-the-impact-of-ai-on-the-future-of-insurance (hereafter McKinsey
2030).
12 Chief Ethics, Clyde & Co (n 7).
13 Vikram Sidhu, Clyde & Co, New York, “Looking Glass Part 2: Deep Dive into the New Risk Landscape,”
2022, www.clydeco.com/en/reports/2022/03/looking-glass-part-2-new-risk-landscape.

Big Data, Artificial Intelligence and Insurance

The experience of moving to remote working during the pandemic forced insurance businesses
of all sizes to address and overcome the issue of investment in outdated legacy IT systems by
moving to cloud-based solutions, a necessary pre-requisite for big data and AI analytics. This
opens up opportunities for product innovation and greater agility as insurers partner with tech
firms on transforming their platforms.14 However, with regulation in this space still embryonic
and without a harmonised approach to regulating AI across jurisdictions, insurers risk butting
up against different individual national, regional and sometimes provincial/state data protec-
tion/privacy laws and other regulations in their global use of big data and AI.
In addition to insurers’ use of AI analytics and big data for their business purposes, the
development and expansion of AI in relation to driverless cars, robots, the use of autono-
mous machines to execute complex financial transactions, IoT and other innovations also
give rise to diverse legal issues, including complex liability issues—with obvious insur-
ance implications. The availability and rapid expansion of new technologies, in particular
AI, create new and exciting opportunities within the insurance industry. However, these
also raise complex challenges and risks including determining the liability for harm or
damage, privacy considerations, cyber security risks and insurer solvency.
Below we consider how big data and AI analytics can be applied (and will continue to
grow) in the insurance sector in more detail, along with developments that have the poten-
tial to demand adjustment to, if not the evolution of, both certain fundamental principles
of insurance law and of the existing practices of insurers.

Big data
Big data provides significantly larger datasets or sources of information to enable (with
the right tools) insight into, among other things, specific risks and predictive analytics to
enable insurers to more accurately predict and thus price risk. This, as Brendan McGurk15
writes, enables a significantly more granular segmentation of risks, increases the effec-
tiveness of risk identification and also allows for targeted pricing that is more risk-sen-
sitive. This assessment dovetails with McKinsey’s16 predictions that by 2030 the global
insurance market will evolve to contain highly dynamic, usage-based products that are
tailored to individual customer behaviours (i.e. that are personalised) and will transition
from an annual renewal model to a continuous cycle. These products would constantly
adapt to individual behavioural patterns—driven by the application of the analysis of data
related to the individual and individualised risk models.

How can big data and AI be used by insurers?


Big data in conjunction with AI-driven analytics can be used to more precisely delineate
the scope of cover provided.17 For example, big data and AI analytics enable insurers to

14 Clyde & Co, “Insurance Growth Report 2022: Clyde & Co.,” 2022, p 6, www.clydeco.com/en/reports/2022/02/insurance-growth-report-2022.
15 Data Profiling (n 2) p 2.
16 Tanguy Caitlin et al, “Insurtech—the threat that inspires,” McKinsey & Company, 2017, https://mck.co/2h9yGC1.
17 In the US, one data company uses 442 non-medical attributes to predict medical costs and so which clients
are profitable to insure; see “Insurance,” LexisNexis Risk Solutions, https://risk.lexisnexis.com/insurance.


monitor an insured’s activities in real time (such as motor and health risks) with the data
about that insured’s behaviour (such as speeding in an insured motor vehicle). In princi-
ple, this enables an insurer to vary the scope of the cover or premium payable by way of
real-time variations, which could extend to a policy termination or premium increases if
certain behaviours occur.18 Another example may be drawn from the emerging US$100
billion-plus drone market,19 where very innovative products have been developed, includ-
ing the launch in January 2018 of Europe’s first app-based “pay-as-you-fly” drone insur-
ance. Through a mobile application, commercial and recreational drone pilots are able to
purchase on-demand customised drone (that is, equipment and liability) insurance lasting
from one to eight hours. The cost of this cover is “exposure-based,” as the risk is assessed
on a per-flight basis and determined by combining real-time data with algorithmic (or
AI-driven) risk assessments.20
The Geneva Association 21 observes that, in many instances, better data makes it possi-
ble to better align premiums and risks and to reduce the overall cost of insurance. This has
great economic and societal benefits in that it allows premiums to signal risks, reduces the
cost of informational asymmetries in insurance markets and enhances efficiency, thereby
boosting overall insurance protection. However, in its detailed consideration of big data,
the Association acknowledges significant privacy concerns in addition to concerns about
bias, fairness and discrimination, intrusiveness and the contextual integrity of personal
data. Other significant apprehensions arising from AI-driven big data analytics relate to
the affordability of and exclusion from insurance, implications for solidarity and risk pool-
ing, premium volatility and competition issues in relation to potential abuse of market
power and market transparency.22

Impact on the insured’s duty of disclosure


In the eighteenth century—a world without sophisticated communications, computers,
data processing facilities and medical advances such as genetic testing—it is easy to com-
prehend how the insured was perceived to be best placed to provide information pertinent
to an insurance transaction.23 Even up to (and including most of) the twentieth century,
due to limited datasets and analytics capability (and the high cost of analytics before
AI), the view that the insured was best placed to provide this information was eminently
justifiable. In addressing this perceived asymmetry of information between insurer and

18 See for example, “Motorists have agreed for their insurer to watch their driving patterns in return for a
discount,” The Courier Mail, 4 August 2019 www.couriermail.com.au/moneysaverhq/motorists-have-agreed-for-their-insurer-to-watch-their-driving-patterns-in-return-for-a-discount/news-story/915b092eb5a047f7fb772f9115166146.
19 A PwC global report forecasts the drone industry to be worth US $127 billion by 2020. See “Clarity from
above: PwC’s global report on the commercial applications of drone technology,” May 2016 www.pwc.pl/en/publikacje/2016/clarity-from-above.html.
20 Flock, “The future of insurance for connected drone fleets” www.flockcover.com/enterprise.
21 Benno Keller, “Big Data and Insurance: Implications for Innovation, Competition and Privacy,” The
Geneva Association, March 2018, www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public/big_data_and_insurance_-_implications_for_innovation_competition_and_privacy.pdf.
22 Ibid p 16–30.
23 Carter v Boehm (1766) 3 Burr 1905, at 1909 (per Lord Mansfield). See also Joel v Law Union & Crown
Insurance Co [1908] 2 KB 863; Barclay Holdings (Aust) Pty Ltd v British National Insurance Co Ltd (1987) 8
NSWLR 514.


insured as to the risk to be transferred,24 the common law duty of disclosure was devel-
oped, requiring the insured to disclose all material facts. The materiality of information
is a question of fact determined by reference to the judgement of a prudent insurer at the
time when the insured was obliged to disclose.25
Brendan McGurk 26 argues that the burgeoning volume of data (i.e. big data) and AI
analytics impacts traditional arguments around information asymmetry that are at the
heart of the utmost good faith and pre-contract disclosure duties in insurance that evolved
at common law. He observes that, in the current global transacting environment, “insur-
ers are increasingly the originators of risk-related information about the insured” and,
accordingly, with ever-increasing frequency are “stepping into the shoes of the insured in
identifying and modelling risk factors which they consider apply to the insured.”27

Recent reform of the duty of disclosure


Even before the growing impact of big data and AI analytics is fully realised, concerns
in relation to the appropriateness and fitness for purpose of this common law duty of
disclosure28 have already led to significant reform. These reforms endeavour to achieve a
balance between the interests of the insurer and the insured in the process of transacting
an insurance contract and also in the outcomes attendant on the failure or asymmetry
in such disclosures when a claim is made. For example, the English and Scottish Law
Commissions embarked on a joint insurance law reform programme in 2006, and the
product of their work is the passage of two Acts—the Consumer Insurance (Disclosure
and Representations) Act 2012 (UK) and the Insurance Act 2015 (UK).29
The 2012 Act30 provides a good insight into the balancing dynamics deployed in alter-
ing a consumer insured’s duties in relation to non-disclosure and misrepresentation in
consumer insurance contracts. A “consumer insurance contract” is defined to mean a
contract between (a) an individual who enters into the contract wholly or mainly for pur-
poses unrelated to the individual’s trade, business or profession, and (b) a person who
carries on the business of insurance and who becomes a party to that contract by way of
that business.31 The consumer insured is under a duty to take reasonable care not to make

24 Anthony A. Tarr and Julie-Anne Tarr, “The Insured’s Non-Disclosure In The Formation of Insurance
Contracts: A Comparative Perspective,” International and Comparative Law Quarterly 50, no. 3 (July 2001):
577–612, https://doi.org/10.1093/iclq/50.3.577
25 Generally, see Anthony Tarr, Professor Julie-Anne Tarr and Professor Malcolm Clarke, Insurance: The
Laws of Australia (Thomson Reuters, 2009) p 53–99.
26 Data Profiling (n 2).
27 Ibid 163.
28 See, for example, Australian Law Reform Commission, Report on Insurance Contracts (No 20, 1982),
para.180.
29 See for example, Insurance Contract Law: Misrepresentation, Non-disclosure and Breach of Warranty
by the Insured, Law Com. No. 182, Scottish Law Com. No. 134 (June 2007); Law Commission and the Scottish
Law Commission’s Law Com No. 319; Scot Law Com No. 219 joint report “Consumer Insurance Law: Pre-
Contract Disclosure and Misrepresentation” (2009); Insurance Contract Law: The Business Insured’s Duty of
Disclosure and the Law of Warranties, Law Com. No. 294, Scottish Law Com. No.155 (June 2012); Insurance
Contract Law: Business Disclosure; Warranties; Insurers Remedies for Fraudulent Claims; and Late Payment,
Law Com. No. 353, Scottish Law Com. No. 238 (July 2014).
30 This legislation is discussed in detail in Julie-Anne Tarr, “Transforming insurance law: A compara-
tive review of recent insurance law reform in the United Kingdom and Australia” (2016) 28 Insurance
Law Journal 10.
31 Consumer Insurance (Disclosure and Representations) Act 2012, s.1.


a misrepresentation to the insurer.32 Whether the insured has complied with this duty is to
be determined in light of all the relevant circumstances,33 and the Act provides examples
of things which may need to be taken into account in making that determination: Namely
(a) the type of consumer insurance in question and its target market; (b) any relevant explana-
tory material or publicity produced or authorised by the insurer; (c) how clear and how specific
the insurer’s questions were; (d) in the case of a failure to respond to the insurer’s questions
in connection with the renewal or variation of a consumer insurance contract, how clearly
the insurer communicated the importance of answering those questions (or the possible con-
sequences of failing to do so); and (e) whether or not an agent was acting for the consumer.34

Subject to two qualifications, the standard of care required is that of a reasonable consum-
er.35 These qualifications are (a) if the insurer was, or ought to have been, aware of any par-
ticular characteristics or circumstances of the actual consumer those must be taken into
account,36 and (b) a misrepresentation made dishonestly is always to be taken as showing
lack of reasonable care.37 The effect of these provisions is to place the onus squarely on
the insurer to ask all relevant questions in respect of any consumer insurance contract.
Consequently, it is obvious that the clearer and more direct the questions are, the greater
the likelihood that an insurer could demonstrate failure to disclose/misrepresentation by
an insured under these new requirements. Of course, the AI-driven analytics of big data
can assist insurers to get these questions right across all of their consumer products and
types of consumers insured at a granular level: That is, questions personalised to the rel-
evant “type” of product and insured.
These two UK statutes address, among other things, consumer-related issues in insur-
ance transactions and imbalances in the rights and responsibilities between insurers and
insureds. They have also resulted in consequential significant amendments to the Marine
Insurance Act 1906 (UK) with potentially very important flow-down effects in other juris-
dictions which replicated this marine legislation in their domestic legal systems.38
These UK legal reforms attracted favourable comment and attention in Australia with
the Royal Commission into Misconduct in the Banking, Superannuation and Financial
Services Industry39 recommending reform of disclosure requirements in respect of con-
sumer insurance contracts under the Insurance Contracts Act 1984 (Cth). This recom-
mendation has been enacted in the Financial Sector Reform (Hayne Royal Commission)

32 Consumer Insurance (Disclosure and Representations) Act 2012, s.2(2).


33 Consumer Insurance (Disclosure and Representations) Act 2012, s.3(1).
34 Consumer Insurance (Disclosure and Representations) Act 2012, s.3(2).
35 Consumer Insurance (Disclosure and Representations) Act 2012, s.3(3). The Explanatory Notes to the
Consumer Insurance (Disclosure and Representations) Bill (HL), para. [28] elaborate upon this as follows:
“Under subsection (3) the test when looking at whether the consumer has taken reasonable care, is objective;
that of the reasonable consumer. This test does not usually take into account any particular characteristics
of the actual consumer, such as their age or knowledge of English. The notion of ‘reasonableness’ is a com-
monly used concept in English law to provide an objective but flexible standard against which any individual’s
conduct can be measured. The reasonable consumer denotes an average consumer with no special skills or
knowledge taking into account the examples in subsection (2).”
36 Consumer Insurance (Disclosure and Representations) Act 2012, s.3(4).
37 Consumer Insurance (Disclosure and Representations) Act 2012, s.3(5).
38 See, for example, Julie-Anne Tarr, “Marine insurance law reform in Australia—A following sea” (2017)
45 ABLR 117.
39 Final Report; 1 February 2019. Commonly referred to as the “Banking Royal Commission,” or the
“Hayne Royal Commission” (after the Commissioner, the Hon. Kenneth Hayne AC QC).


Act 2020 with the duty of disclosure replaced with a duty to take reasonable care not to40
make a misrepresentation to an insurer.41


These reforms advance the cause of aligning the law and practice of insurance to mod-
ern circumstances and markets. It is beyond the scope of this chapter to examine the
innumerable issues and voluminous case law that the common law duty of disclosure
has engendered and the recent reforms.42 Suffice to say that the most significant problems
addressed in these recent reform initiatives relate to materiality, knowledge, basis of con-
tract clauses and remedies—particularly by opening the door to more graduated remedies
commensurate with and relative to the breach, including damages. These insurance law
reforms have had significant impact on the perceived information asymmetry and the
associated disclosure requirements of the consumer insured.

The future impact of AI-driven big data analytics on the duty of disclosure
It remains an open question as to whether the continuing evolution in the insurance market
hastened by the age of big data and AI analytics demands yet further reform to rebalance
information disclosure requirements (that is, in a world where the insurer actually knows
more detail more precisely than the insured). For example, in this evolving big data and AI
analytics-driven global insurance market, an insurer’s asymmetry of information relative
to any particular transaction being negotiated may be negated or, at least, be less signifi-
cant. This could conceivably lead to further reform to rebalance pre-contract information
disclosure requirements in the global insurance market. There is a question, in the world
of big data and AI analytics, as to whether insurers might be challenged on the basis that
“you can’t have your cake and eat it too.” That is, insurers should arguably not limit their
use of big data and AI analytics to pricing and marketing without passing on the benefits
to the insured by lessening the pre-contractual duty of disclosure (i.e. when the insurer
likely already knows all of the relevant information).
It remains to be seen to what extent the legislatures in countries such as the United
States, the United Kingdom and Australia or their courts will (a) re-focus their attention
on the insurer’s disclosure obligations as this asymmetric balance is substantially recon-
figured, or (b) address the required disclosures and rights of individual insureds as regards
automated decision-making and profiling, as is done in the European Union General Data
Protection Regulation (GDPR) and, post-Brexit, the UK GDPR.

What big data and AI analytics can deliver for insurers


Big data usually encompasses diverse datasets, often combined from different sources.
This could encompass anything from expanded transaction datasets to social media data.
The granularity of this data, when combined and analysed using AI, has the potential to
give insights into a variety of past, current and predicted future behaviours and incidents.

40 Section 20B.
41 These amendments apply to consumer insurance contracts entered into from 5 October 2021.
42 See however, R Merkin and O Gurses, “The Insurance Act 2015: Rebalancing the Interests of Insurer
and Assured” [2015] 78 MLR 1004; Julie-Anne Tarr, Transforming insurance law: A comparative review of
recent insurance law reform in the United Kingdom and Australia (2016) 28 Insurance Law Journal 10.


This combination of big data and the power of AI-driven analytics can deliver significant
value to insurers in key areas such as:

• Targeted/personalised marketing;
• Fuelling more automated decision-making;
• Fraud detection;
• Determining the appropriate questions for consumer insureds (and the conse-
quences of their answers); and
• On-demand insurance and pricing risk.43

Targeted/personalised marketing
By definition, big data includes access to significant datasets in addition to an insurer’s
usual datasets. These additional datasets may include data scraped from the insured’s
social media and their interactions via chatbots or by voice on the enquiry line, used to
determine, with an alarming degree of accuracy, the best of the insurer’s other insurance
(or other) products to cross-sell. In addition, big data analytics using AI will assist with
targeted and personalised use of specific media or activities at specific stages of the
potential insured’s journey with specific insurance products based on the analysis of all
prior customers’ behaviours. For those that take out travel insurance, for example, the
analysis could predict with a high degree of accuracy the point at which they take it out
and where they go to research it. Using this information, an insurer can ensure that
advertising is targeted online to those relevant segments of the population at the relevant
time in the relevant media when they are most likely to be thinking about and purchasing
travel insurance.
The benefits of this (especially for multiple brand/product insurers) should not be
underestimated. Cross-selling an existing customer a product that the AI-driven big data
analytics determines they actually want (or are at that time considering) has significantly
more chance of success/conversion than simply throwing in “do you need travel insurance?”
when they call up about their home and contents insurance, for example.
As discussed below, this profiling of existing insureds and potential customers based on
monitoring their behaviour is already expressly addressed in some privacy laws (e.g. the
EU and UK under the GDPR) and is likely to be adopted in many others. However, in those
privacy laws that do not currently expressly deal with profiling/monitoring online
activities, it is more difficult to determine whether such profiling is permitted and how
(and under what conditions) it may be carried out. For example, without the specific
requirements of the GDPR, in the United States, Australia and many other countries, the
existing data protection/privacy regimes need to be carefully considered in terms of the
crossover provisions regulating direct marketing and secondary use of personal data to
determine whether and how such use of personal information for profiling is permitted.

Automated decision-making
AI-driven analytics of big data can also fuel the automation of certain processes and,
ultimately, insurers’ decision-making—whether or not to issue a policy, what the premium should

43 Discussed in Chapter 3.


be, whether to accept and pay out on a claim and the like. It is only when (a) one can “trust”
the quality of the information and results gained from the analysis of the data (for example,
from AI-driven big data analytics); and (b) the results can be obtained quickly enough that
insurers can effectively use and rely on the outputs of automated processes/decision-making,
assuming the relevant algorithms are satisfactory and any bias has been removed.
Of course, there are ethical and societal issues with respect to automated/non-human
decision-making (as briefly touched on elsewhere in this chapter) such as bias (or rather
the prevention of bias). In addition, and led by the express provisions in the GDPR,
privacy regulators and legislators are paying growing attention to whether and on what
conditions “automated decision-making” is a good or necessary (or ethical) activity and
whether the insured should be able to opt out of it (for example, as under GDPR).

Fraud detection
One of the areas where AI-driven analytics of big data has garnered the most interest from
and traction with insurers to date is the significant opportunity it provides to detect fraud in
real time with very high cost-effectiveness. In the United States, the FBI has estimated that
fraudulent insurance claims cost US insurers over US $80 billion each year.44 However, for
high-volume low-value claims fraud detection, apart from some high-level “things to watch
out for,” it is often considered too labour-intensive and costly to fully address all (or even
most) potential fraud. With resources stretched thin, the investigations teams at most insurers
usually do not have the capacity to review low-value claims and, instead, focus on high-value
claims. Of course, fraud in these low-value claims adds up due to their high volume.
In both high-volume low-value and high-value low-volume claims, AI-driven analytics
of big data can be used extremely cost-effectively to thoroughly examine all claims, detect
fraud and, in combination with automated decision-making, deny initial claims and flag
fraud concerns. AI analytics can easily detect patterns in the millions of insurance claims
that insurers receive each year, allowing insurers to see outliers and questionable claims
in real time. The main (often overlapping) ways that AI-driven analytics of big data is
currently being used by insurers to detect and prevent fraud are as follows:
(1) Anomaly detection—Once thresholds or baselines for relevant incidents and/or
claims are set (often based on AI analysis of historical claims data), then when the
relevant threshold is exceeded, the event is reported with outliers or anomalies
used to identify existing or new (that is, previously unknown) fraud patterns;
(2) Network analysis—AI-driven analytics of big data can link multiple claims and
entries showing similar patterns or attributes which tend to suggest “organised
fraud.” This task is supported by the sophisticated AI analysis of social networks
to identify connections and patterns suggesting potential fraud;
(3) Predictive analytics—A significant future defence against claims fraud lies in
predictive analytics for early detection of fraud patterns. Predictive analytics (i.e.
AI-driven analytics of big data) can assess the fraud risk of particular types of
policyholders and provide early (or real-time) detection of potentially fraudulent

44 Coalition Against Insurance Fraud, “The Impact of Insurance Fraud on the U.S Economy 2022,”
https://insurancefraud.org/research/.


activity based on their profiles and prior behavioural patterns to determine if the
claim is suspicious and requires further investigation;
(4) Using NLP to analyse historical data—A significant benefit of integrating
AI-driven analytics of big data into the claims filing process is “natural language
processing” (NLP). In addition to the processing of very large amounts of information
around the clock, NLP can analyse historical data of fraudulent claims and the
individual policyholder’s past claims and behaviours by accessing recorded conversations
and other textual data types (such as emails and chatbot communications)
to discern patterns, behaviours and key “fraud markers.” Without using AI-driven
analytics, this would be almost impossible to do both in terms of resources to aggregate
all of the relevant information and to determine the relevant patterns emerging
from such. However, AI-driven analytics of historical data (including voice and
chat) will discover trends in a person’s claim history that the AI learns and can apply
to each individual insured, and if a particular request seems out of the ordinary, different
or suspicious for that individual, it will flag it for further consideration;
(5) Advanced text analytics and data mining—This is where the AI-driven analytics
of big data, despite the common misconception that such is limited to quantitative,
structured and numerical data, can give clear insights from textual and
unstructured information such as claims applications, assessor notes, social media
searches and the like; and
(6) Real-time notifications—Given the speed and power of AI-driven analytics of
big data and its ability to ingest new data as it arises in “real time” and with the
AI analytics running around the clock, insurers can constantly monitor the habits
and behaviours of claims and policyholders. The AI will flag potentially fraudulent
activity as it is happening, in real time, to allow the insurer to quickly address any
fraud. Obviously, the earlier insurers are alerted to potentially fraudulent activity
the faster they can implement measures to address the fraud.
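
The first two techniques in the list above, threshold-based anomaly detection and network analysis, can be illustrated with a short Python sketch. This is an added example, not code from the book or from any insurer: the claim records, the field names (`phone_no`, `bank`, `repairer`) and the 3.5 cut-off on the modified z-score are constructed assumptions.

```python
"""Added example: baseline anomaly scoring plus shared-attribute linking over
a handful of constructed insurance claims. All field names are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed historical paid amounts per claim type (used to set the baseline).
HISTORY = {
    "windscreen": [310, 295, 330, 305, 320, 300, 315, 290, 325, 310],
    "phone": [640, 700, 655, 690, 670, 660, 710, 680, 650, 675],
}

# Constructed incoming claims. "phone_no" and "bank" should be unique to one
# policyholder; "repairer" is legitimately shared by many honest claimants.
CLAIMS = [
    {"id": "C1", "type": "windscreen", "amount": 318, "phone_no": "555-0101", "bank": "ACC-1", "repairer": "R-10"},
    {"id": "C2", "type": "windscreen", "amount": 940, "phone_no": "555-0102", "bank": "ACC-2", "repairer": "R-11"},
    {"id": "C3", "type": "phone", "amount": 665, "phone_no": "555-0103", "bank": "ACC-3", "repairer": "R-12"},
    {"id": "C4", "type": "phone", "amount": 672, "phone_no": "555-0104", "bank": "ACC-3", "repairer": "R-13"},
    {"id": "C5", "type": "phone", "amount": 668, "phone_no": "555-0104", "bank": "ACC-5", "repairer": "R-14"},
    {"id": "C6", "type": "windscreen", "amount": 301, "phone_no": "555-0106", "bank": "ACC-6", "repairer": "R-10"},
]


def build_baselines(history):
    """Per claim type, return (median, median absolute deviation) of past amounts."""
    baselines = {}
    for claim_type, amounts in history.items():
        med = median(amounts)
        mad = median([abs(a - med) for a in amounts])
        baselines[claim_type] = (med, mad)
    return baselines


def anomaly_score(claim, baselines):
    """Modified z-score of the claim amount; None when the type has no baseline."""
    if claim["type"] not in baselines:
        return None
    med, mad = baselines[claim["type"]]
    if mad == 0:  # history had no spread: any deviation at all is an outlier
        return 0.0 if claim["amount"] == med else float("inf")
    return 0.6745 * (claim["amount"] - med) / mad


def linked_clusters(claims, link_keys=("phone_no", "bank")):
    """Group claims that share any link_keys value (union-find over claim ids)."""
    parent = {c["id"]: c["id"] for c in claims}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (key, value) -> id of the first claim that used it
    for claim in claims:
        for key in link_keys:
            value = claim.get(key)
            if not value:
                continue
            owner = first_seen.setdefault((key, value), claim["id"])
            parent[find(claim["id"])] = find(owner)
    groups = defaultdict(set)
    for cid in parent:
        groups[find(cid)].add(cid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def triage(claims, history, threshold=3.5):
    """Map claim id -> list of reasons the claim should go to a human reviewer."""
    baselines = build_baselines(history)
    reasons = defaultdict(list)
    for claim in claims:
        score = anomaly_score(claim, baselines)
        if score is None:
            reasons[claim["id"]].append("no baseline for claim type")
        elif abs(score) > threshold:
            reasons[claim["id"]].append(f"amount anomaly (score {score:.1f})")
    for cluster in linked_clusters(claims):
        for cid in cluster:
            others = [c for c in cluster if c != cid]
            reasons[cid].append("shares identifiers with " + ", ".join(others))
    return dict(reasons)


if __name__ == "__main__":
    for claim_id, why in sorted(triage(CLAIMS, HISTORY).items()):
        print(claim_id, "->", "; ".join(why))
```

The three phone claims look normal on amount alone and surface only through the shared bank account and phone number. Passing `repairer` as a link key would also group C1 and C6, which is why link keys are limited here to attributes expected to be unique to one policyholder.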

Consumer insurance “disclosure” questions


While the increasing use of big data and AI-powered analytics may further erode the
insured’s duty of disclosure in relation to consumer insurance, it will also assist insurers to
determine both what questions to ask consumers in place of their duty of disclosure and the
consequences of their answers. In circumstances where the obligation is imposed on insurers
to ask for the relevant information they require from consumer insureds, AI analytics of big
data will, based on historical and ongoing data held/obtained by insurers, help to determine
what information is required to assess and price risk in consumer insurance. Big data and AI
analytics can also predict the likely consequences of the relevant answers/disclosures made
by consumer insureds by finding patterns from past (and ongoing) data collected by insur-
ers in relation to consumer insurances. This would be further facilitated if the anonymised
datasets of multiple consumer products insurers were to be pooled and the resultant analyti-
cal insights made generally available to insurers (for example, via an industry association).

Balancing advantages and addressing risks


It is clear that recent (and likely ongoing) rapid advances in AI and the insights gained from
AI-driven analytics of big data have had, and will continue to have, a profound impact


on the insurance industry. On-demand or usage-based insurance products, marketing and
fraud detection appear to be the key beneficiaries of these changes. The capabilities of
AI-driven analytics across big data will not only streamline the overall insurance claims
process but will also help insurers to access smarter and faster fraud detection without
added labour or costs. With AI-driven big data analytics, insurers can also quickly analyse
both structured and unstructured data from both internal and external sources providing
better insights into (and thus protections against) fraud for the insurer. AI-driven analytics
of big data can provide significant cost-effective benefits to insurers with regard to
detection of fraud risk, NLP to analyse historical claims data, advanced data mining and
real-time alerts to allow insurers to better (and more quickly) identify and address fraud.
This “seismic tech driven shift”45 has the potential to streamline processes, lower costs
and exceed customer expectations for individualisation and dynamic adaptation. In pursuit
of these outcomes, however, it must be recognised that there are also certain risks and
challenges that must be addressed, with data protection/privacy and cybersecurity risks
and concerns being some of the most significant.

Big data, AI analytics and data protection/privacy


The Geneva Association46 in its detailed consideration of big data acknowledges the significant
privacy concerns, including concerns about fairness and discrimination, intrusiveness and
contextual integrity of the personal data arising from the AI-driven analytics of big data. Also,
the Association notes other significant concerns relating to affordability of and exclusion from
insurance, implications for solidarity and risk pooling, and premium volatility and competition
issues in relation to potential abuses of market power and market transparency.47
However, before considering the potential reform initiatives and legislative responses to
these concerns, it is necessary to give further context to both the current data protection/
privacy regulatory background and the perceived problems.

What are the perceived data protection/privacy and cyber security issues?
There is a range of data protection/privacy and cyber security concerns and issues that
arise (and are likely to arise in the future) with AI-powered big data analytics (and with AI
generally). In respect of one of these “problems,” cybersecurity risks (and, in particular,
relating to the stores of big data which are often seen as “honey pots” for threat actors), the
concern is best summed up as follows:
Ransomware and cyber attacks are happening every single day. The increasing use of technology,
coupled with the radical shift in working patterns with hybrid models, means that the risk
around cyber incidents and information security are just incredible.
The day to day reality of cyber attacks is very apparent from our discussions. Incidents
involving Denial-of-Service (DoS) attacks, ransomware or trojan viruses are commonplace.
Instigating common policies and procedures across multiple countries and departments is a
difficult task, exacerbated by the growing volume of digital data and complexity of the
infrastructure within most organisations.48

45 McKinsey 2030 (n 11).
46 Benno Keller, “Big Data and Insurance: Implications for Innovation, Competition and Privacy,” The
Geneva Association, March 2018, www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public/big_data_and_insurance_-_implications_for_innovation_competition_and_privacy.pdf.
47 Ibid, 16–30.

However, it is not just increased cybersecurity risks associated with ever-increasing and
comprehensive centralised datasets (i.e. big data) that are of concern. Questions arise as
to the appropriateness of the data being utilised and analysed and the assumptions of the
predictive models (i.e. the AI) being deployed in delineating the scope of cover provided
or in determining whether cover is provided at all to certain individuals, groups or types
of individuals. For example, LexisNexis uses 442 non-medical personal attributes to predict
a person’s medical costs. It is reported that:
(i)ts cache includes more than 78 billion records from more than 10,000 public and proprietary
sources, including people’s cellphone numbers, criminal records, bankruptcies, property
records, neighbourhood safety and more. The information is used to predict patients’ health
risks and costs in eight areas, including how often they are likely to visit emergency rooms,
their total costs, their pharmacy costs, their motivation to stay healthy and their stress levels.49

It is not contentious to generally use, for business purposes, AI-powered big data analytics
on electronic medical records where such access has been approved and is consistent
with data protection/privacy law. However, using historical insurance claims and
patient-reported outcomes in determining access to health insurance and predictions as to health
costs where such decisions are based on “data about things like one’s race, marital status,
how much TV insureds watch and whether they pay their bills on time or even buy
plus-size clothing”50 raises real questions as to the fairness, bias and/or discrimination
that is built into the inputs utilised in predictive models.51 Also, in many countries, such
discriminatory behaviour (even if digital) is generally prohibited, if not in data protection/
privacy law then by anti-discrimination/human rights legislation.
Eric Siegel52 explores social and ethical concerns around blatantly discriminatory or biased
predictive models that base decisions partly or entirely on a protected class of data—including
race, religion, national origin, gender, gender identity, sexual orientation, pregnancy and
disability status.53 He states that, while direct model input bias is rare, inequitable model
predictions may be produced where other variables serve as proxies to protected classes. Other
concerns he identifies include machine learning predictive models that infer sensitive attributes
such as sexual orientation and apply predatory micro-targeting to exploit vulnerable insureds
or potential insureds. An overarching problem is that of transparency, which is a core principle
of most data protection laws: with the basis and workings of the predictive models (i.e. the AI)
not being accessible to the public, there is potential for denial of due process and
accountability—such as the right to an explanation of the basis of the decision.54

48 Chief Ethics, Clyde & Co (n 7).
49 Marshall Allen, “Health insurers are vacuuming up consumer data that could be used to raise rates,”
Kaiser Health News, 17 July 2018, www.healthleadersmedia.com/finance/health-insurers-are-vacuuming-consumer-data-could-be-used-raise-rates.
50 Ibid.
51 David W. Bates et al., “Big Data in Health Care: Using Analytics to Identify and Manage High-Risk and
High-Cost Patients,” Health Affairs 33, no. 7 (July 2014), 1123–1131, comment:
“Ideally, predictive analytics will involve linking data from multiple sources, including clinical, genetic and
genomic, outcomes, claims, and social data. Many new sources of data are becoming available, such as data
from cell phones and social media applications. Aggregating these data for the purpose of achieving clinical
predictive analytics will require the adoption of standards, raise privacy and ethical concerns, and require new
ways to preserve privacy.”
52 Eric Siegel, “Six ways machine learning threatens social justice,” Big Think, 15 October 2020,
https://bigthink.com/technology-innovation/machine-learning-ethics?rebelltitem=1#rebelltitem1 (hereafter Siegel).
53 See also, Steve Lohr, “How Do You Govern Machines That Can Learn? Policymakers Are Trying to
Figure That Out,” The New York Times, 20 January 2019, sec. Technology,
www.nytimes.com/2019/01/20/technology/artificial-intelligence-policy-world.html; Charlie Warzel, “All This Dystopia, and for What?” The
New York Times, 18 February 2020, sec Opinion,
www.nytimes.com/2020/02/18/opinion/facial-recognition-surveillance-privacy.html.

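
The proxy effect described above can be measured during a model audit. The following is an added example, not code from the book or from Siegel: it checks how strongly each model input is associated with a protected attribute and compares approval rates between groups. The applicant data is constructed, and the field names, the decision rule, the 0.3 association threshold and the 0.8 ratio floor are all assumptions chosen for illustration.

```python
"""Audit a decision rule for proxy discrimination (constructed data only)."""
from collections import Counter
from math import sqrt


def build_sample():
    """Constructed applicants. 'group' stands in for a protected class and is
    held for audit only; the decision rule below never reads it."""
    applicants = []
    for group, in_band_a, in_band_b in (("X", 80, 20), ("Y", 20, 80)):
        for band, count in (("A", in_band_a), ("B", in_band_b)):
            for i in range(count):
                applicants.append({
                    "group": group,
                    "postcode_band": band,     # skewed by group: a proxy
                    "late_payer": i % 4 == 0,  # 25% in every cell: no skew
                })
    return applicants


def hypothetical_model(applicant):
    """Hypothetical underwriting rule with no protected attribute as input."""
    return applicant["postcode_band"] == "A" and not applicant["late_payer"]


def cramers_v(pairs):
    """Cramér's V between two categorical variables (0 = independent)."""
    pairs = list(pairs)
    n = len(pairs)
    joint = Counter(pairs)
    left = Counter(a for a, _ in pairs)
    right = Counter(b for _, b in pairs)
    chi2 = 0.0
    for a, left_total in left.items():
        for b, right_total in right.items():
            expected = left_total * right_total / n
            chi2 += (joint[(a, b)] - expected) ** 2 / expected
    k = min(len(left), len(right)) - 1
    return sqrt(chi2 / (n * k)) if k > 0 else 0.0


def approval_rates(applicants, decide):
    """Share of applicants approved by `decide`, per protected group."""
    totals, approved = Counter(), Counter()
    for applicant in applicants:
        totals[applicant["group"]] += 1
        approved[applicant["group"]] += bool(decide(applicant))
    return {group: approved[group] / totals[group] for group in totals}


def audit(applicants, decide, features, v_threshold=0.3, ratio_floor=0.8):
    """Flag inputs that track the protected attribute and unequal outcomes.

    v_threshold and ratio_floor are assumed review thresholds, not legal tests.
    """
    association = {
        f: cramers_v((a[f], a["group"]) for a in applicants) for f in features
    }
    rates = approval_rates(applicants, decide)
    highest = max(rates.values())
    ratio = min(rates.values()) / highest if highest else 1.0
    return {
        "association": association,
        "proxies": sorted(f for f, v in association.items() if v >= v_threshold),
        "rates": rates,
        "impact_ratio": ratio,
        "flag": ratio < ratio_floor,
    }


if __name__ == "__main__":
    report = audit(build_sample(), hypothetical_model,
                   ["postcode_band", "late_payer"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this constructed data the rule never reads the protected attribute, yet the audit reports `postcode_band` as a proxy and a large gap in approval rates between the two groups.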
More often than not, the consumer/insured is unaware that their data is being collected
and aggregated, particularly through apps, and what it will be used for. In this regard, it
is interesting to note that Apple introduced a requirement in 2020 for all app developers
that publish their apps through its App Store to include so-called privacy labels which list
the types of data being collected in an easily understandable format. Brian X Chen55 aptly
describes these labels as resembling “a nutrition marker on food packaging,” and they are
an attempt by certain technology providers (Apple in this case) to make data security and
privacy more understandable and transparent to those that use their products. However,
like the nutrition labels, they are not without their problems or critics.
The OECD56 acknowledges the benefits afforded by big data and AI-powered analytics
in providing and analysing new sources of information for understanding prospective
insureds and fine-tuning risk classifications. However, the OECD also points to drawbacks
associated with greater risk classification in that the exclusion of (or difficulty in obtaining
a quote for) a high-risk insured could result in sub-optimal outcomes and undermine
the function of insurance in spreading risk across a population.57 This concern is further
exacerbated where the risk classification is based on biased, discriminatory or irrelevant
data and/or categorisations. Accordingly, the OECD considers that:
Understanding and drawing lines on what types of big data can be used will become an important
part of how insurance regulation ensures reasonable and appropriate use of big data.58

As both digital technologies and the digital economy develop the possibilities for big data
collection, the combination of datasets and the use of AI data analytics are almost limitless.
However, the legal and moral obligations (in particular as regards data protection/
privacy) stemming from these developments are starkly highlighted in regulatory guidance
issued by the Information & Privacy Commissioner for Ontario, Canada:

These developments oblige us to revisit fundamental issues regarding our expectations of
privacy. We are called upon to once again fortify our defence of privacy, including respect
for activities that occur in public spaces, in order to ensure that this central tenet of freedom
remains protected in a manner that is consistent with our shared values.59

54 Siegel (n 51).
55 Brian X Chen, “What We Learned from Apple’s New Privacy Labels,” The New York Times, 27 January
2021, sec. Technology, www.nytimes.com/2021/01/27/technology/personaltech/apple-privacy-labels.html?searchResultPosition=14.
56 “The Impact of Big Data and Artificial Intelligence (AI) in the Insurance Sector,” OECD, 2020,
www.oecd.org/finance/Impact-Big-Data-AI-in-the-Insurance-Sector.htm (hereafter OECD 2020).
57 Public policy considerations limit access to certain sensitive and predictive data (such as health and
genetic information) that would decrease underwriting and pricing flexibility and increase antiselection risk in
some segments, see McKinsey 2030 (n 11).
58 McKinsey 2030 (n 11).
59 Ann Cavoukian, “Privacy and Drones: Unmanned Aerial Vehicles.” Ontario: Information and Privacy
Commissioner of Ontario, Canada, 2012.

Origins of current data protection/privacy regimes


Most of today’s country-based data protection and privacy laws are the implementation
of (or are heavily influenced or inspired by) the OECD’s 1980 “Guidelines Governing the
Protection of Privacy & Transborder Flows of Personal Data” (OECD Privacy Guidelines).
Since their launch in 1980, the OECD Privacy Guidelines have been recognised as the
global “minimum standard” for data protection/privacy and, as noted, their influence
can be seen in the vast majority of country data protection/privacy laws today. In the
Explanatory Memorandum to the 1980 OECD Privacy Guidelines, the OECD noted the
“problems” that required the OECD to issue the Privacy Guidelines. These “problems”
included the following, which remain relevant (subject perhaps to a slight change of
terminology) today and, possibly, more relevant than they were in 1980:60
As far as the legal problems of automatic data processing (ADP) are concerned, the protection
of privacy and individual liberties constitutes perhaps the most widely debated aspect.
Among the reasons for such widespread concern are the ubiquitous use of computers for
the processing of personal data, vastly expanded possibilities of storing, comparing, linking,
selecting and accessing personal data, and the combination of computers and telecommunications
technology which may place personal data simultaneously at the disposal of thousands
of users at geographically dispersed locations and enables the pooling of data and the creation
of complex national and international data networks. Certain problems require particular
urgent attention, e.g. those relating to emerging international data networks, and to the need
of balancing competing interests of privacy on the one hand and freedom of information on
the other, in order to allow a full exploitation of the potentialities of modern data processing
technologies insofar as this is desirable.

In 2013, the OECD launched a revised version of the OECD Privacy Guidelines, updated
to meet the significant changes in technology and the globalisation of information transfers
in the digital economy. In particular, among other changes noted, the changes driving
the need for revised OECD Privacy Guidelines were noted as:

• The range of analytics involving personal data, providing insights into individual
and group trends, movements, interests, and activities;
• The value of the societal and economic benefits enabled by new technologies and
responsible uses of personal data;
• The frequency and complexity of interactions involving personal data that individuals
are expected to understand and negotiate;
• The global availability of personal data, supported by communications networks
and platforms that permit continuous, multipoint dataflows.61

Almost a decade later, the “significant changes” noted above requiring the revision and
update of the OECD Privacy Guidelines could be cited today in relation to the increasing
use of big data and AI-powered analytics to justify, in the same terms, a further uplift of
the OECD Privacy Guidelines.

60 OECD (Organisation for Economic Co-operation and Development). “The OECD Privacy Framework.”
(2013), 40–41.
61 OECD (Organisation for Economic Co-operation and Development). “The OECD Privacy Framework.”
(2013), 3–4.

The “basic principles” of the OECD Privacy Guidelines (as revised in 2013) which are
the minimum privacy principles for adoption and implementation by OECD countries into
their national laws cover the following areas:

• Collection;
• Data quality;
• Purpose specification;
• Use limitation;
• Security safeguards;
• Openness;
• Individual participation; and
• Accountability.

In the pursuit of technology neutrality (to accommodate future innovations in technology),
these core “basic principles” are drafted such that they can be applied to the then-current
1980s, subsequent 2013, today’s and future innovations, developments and changed uses
impacting personal data. These principles and the guidance on their meaning and implementation
in the OECD Privacy Guidelines will be familiar to all in most countries that
have data protection/privacy laws and, in general, at a high level reflect the key areas
of data protection globally. Below, some specific jurisdictions and their approach are
explored, in particular the role of the GDPR in introducing and consolidating the OECD’s
“basic principles” which will likely shape future global privacy reforms in respect of big
data, AI analytics and the use of AI generally.

What data protection/privacy principles generally apply to big data and AI-powered analytics?
The legal concept of privacy centres on the right for an individual’s private life to remain
private if they wish it to be. Data protection (which is often also referred to as data privacy)
is, based on the OECD Privacy Guidelines, the separate—but related—concept of
securing one’s personal information collected, used and disclosed by governments and the
private sector against the unauthorised collection, access and use, misuse, unauthorised
alteration and/or loss.62
While neither of these concepts is expressly referenced in the US Constitution, the
Fourth Amendment63 enshrines a right for people to be secure from unreasonable searches
and seizures of property by the government.

62 See, for example, Juliane Kokott and Christoph Sobotta, “The distinction between privacy and data
protection in the jurisprudence of the CJEU and the ECtHR.” International Data Privacy Law 3, no. 4 (2013),
222–228.
63 US Constitution Amend. IV.
64 Charter of Fundamental Rights of the European Union [2012] OJ C326/3.
65 Ibid, Article 7.
66 Ibid, Article 8(1).

In Europe, the Charter of Fundamental Rights64 (Charter) provides that everyone has
(a) the right to respect for his or her private and family life, home and communications,65
and (b) the right to the protection of personal data concerning him or her.66 The Charter
further elaborates on the context of data protection by including in its text additional principles
based on the OECD Privacy Guidelines. These principles require that personal data
be processed “fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law.”67 Individuals also have rights
to access their personal data and to have errors in such data rectified, and for compliance
with such rules to be subject to oversight by an independent authority.68 These principles
are recognised and enshrined in EU law by the GDPR, which marked a fundamental shift
in the European (and global) approach to data protection regulation when it replaced the
Data Protection Directive69 in 2018 by confirming and expanding on the Charter’s core
data protection principles relating to the processing and protection of personal data. The
six core principles of the GDPR (GDPR principles) building and expanding on the OECD
Privacy Guidelines are as follows:
Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in
a manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered to be incompatible
with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which
they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the purposes for which
they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the personal data are processed; personal data may be
stored for longer periods insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation in order to safeguard
the rights and freedoms of the data subject (“storage limitation”); and
(f) processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures
(“integrity and confidentiality”).70

In addition, under the GDPR the “controller” of personal data (that is, the person or body
which, alone or jointly with others, determines the purposes and means of the processing
of personal data) is required to be able to demonstrate compliance with the above principles
(“accountability”) when and as requested by the regulator.

67 Ibid, Article 8(2).
68 Ibid, Article 8(3).
69 Council Directive (EC) 95/46 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data [1995] OJ L281/31.
70 GDPR, Article 5(1).

The GDPR principles implementing the OECD Privacy Guidelines form the basis (and
are often looked to as the goal) of data protection/privacy legislation in many countries
outside Europe. The Australian Privacy Principles (or APPs) are referred to by the national
privacy (i.e. data protection) regulator as “the cornerstone of the privacy protection framework”
in the Australian Privacy Act.71 They set out key pillars of openness and transparency,
accuracy and security that align strongly with both the GDPR principles and
the OECD Privacy Guidelines. Similarly, in Singapore, the Personal Data Protection Act
(PDPA) establishes requirements for lawful data processing and principles of transparency,
purpose limitation and storage limitation both reflecting the GDPR principles and
the OECD Privacy Guidelines.72 State and national data protection/privacy laws in countries
such as Canada, South Africa, Bahrain, Qatar and the United Arab Emirates, as well
as the Model Code for the Protection of Personal Information published in 1996 by the
Canadian Standards Authority,73 are all similarly both principles-based and incorporate
limiting repetition reflecting the GDPR principles and the OECD Privacy Guidelines.
In a broader commercial framework, enhanced disclosure obligations on entities such
as insurers in relation to big data and AI analytics, profiling and automated decision-making
are already grounded in express legislative interventions such as the GDPR. It is
expected this model will be the basis of changes to most countries’ data protection/privacy
laws to deal with these matters over the next decade. For example, where automated
processing or decision-making occurs, the “data subject” (i.e. individual) has a right to be
informed of this even though, as Michèle Finck74 observes, the exact content of such disclosure
is uncertain as several Articles of the GDPR impinge on what exactly such notice
should encompass. In any event, data subjects must be provided with concise, transparent,
intelligible and easily accessible information about the processing of their personal data.75
The data subject is also entitled to be informed about the existence of automated decision-making
(including profiling) and, at least in those cases, be given meaningful information
about the logic involved, the significance and the envisaged consequences of such processing
for them as the data subject.76 The same requirement also applies in circumstances
where their personal data was not obtained directly from them.77
In all OECD countries and other countries that implement the OECD Privacy Guidelines
as the basis for their national data protection/privacy laws, until express provisions are
enacted, the following key privacy principles should guide all insurers using (or wishing
to use) big data, AI-powered analytics and the insights that arise from such:

• unless an appropriate exception in the relevant data protection/privacy law is
applicable, only collect personal data directly from the individuals whose personal
data it is;
• only collect and use personal data that is objectively reasonably necessary for the
performance of your usual business activities/functions and for which purposes
you have notified the individual (and, in some jurisdictions, where you have
obtained consent to or have a legitimate basis for such processing);
• obtain consent for the processing of all sensitive data;
• de-identify or destroy all personal data once you have used it for the notified
purpose(s) of its collection once any legally required hold period has expired;
• be transparent about any analytics of personal data, profiling and automated
decision-making and the purpose(s) for which such is used and provide the right
(and mechanism) for individuals to “opt-out” of these;
• ensure there is no bias in the data, AI or predictive models used or resulting
decisions made and include some human review in all automated decisions;
and
• ensure appropriate information security measures (likely more than
business-as-usual) are in place for all big data stores and processes (i.e. encrypt at rest and in
transit and restrict access as a minimum).

71 Privacy Act 1988 (Cth) Sch 1 (“Australian Privacy Principles”).
72 Personal Data Protection Act 2012 (No. 26 of 2012, Sing).
73 Canadian Standards Association, National Standard of Canada: Model Code for the Protection of
Personal Information (Canada: Canadian Standards Association, 1996).
74 Michèle Finck, “Smart contracts as a form of solely automated processing under the GDPR,” International
Data Privacy Law, vol 9, issue 2, May 2019, 78–94, https://doi.org/10.1093/idpl/ipz004.
75 GDPR Article 12(1).
76 GDPR Article 13 (2) (f), 14, 15.
77 GDPR Article 14 (2) (g).

The future of data protection/privacy regulation and AI-powered analytics of big data
Regulatory issues arising specifically from big data and AI (including AI-powered
analytics), as well as wider considerations such as data/privacy protection, are undergoing
intense scrutiny from regulators and legislators. For example, the National
Association of Insurance Commissioners (NAIC) in the United States has established
a working group on big data to look at the overall impact of insurers’ use of big data,
including how collected data is safeguarded and how consumer privacy is maintained.78
Similarly, the European Insurance and Occupational Pensions Authority (EIOPA), the
European Union financial regulatory institution, in recognising the potential social
and ethical questions arising from using big data, established a Consultative Expert
Group on Digital Ethics in Insurance in late 2019.79 These two bodies, NAIC and
EIOPA, have been discussing issues of big data80 and published a joint paper on the
European insurance market.
Going forward, the OECD81 has suggested a number of policy areas for policymakers to
consider in the insurance sector in relation to big data and AI:

• The insurance sector should be encouraged to engage actively with big data and
AI, and regulatory sandboxes or innovation hubs could be one way to support
this. In addition, addressing the skill shortage will be important for both the
regulator and the insurance industry as it becomes an increasingly mainstream
process;
• Insurance regulators and supervisors should strive to keep abreast of developments
in big data and AI—including general regulation in these areas as well as
cooperate with the relevant competent authorities for privacy and data protection,
where needed, and explainable AI—to ensure that the appropriate action
can be taken when necessary, in a timely manner;
• Technology can accelerate externalities and lead to oligopolistic market structures.
Competition in the market should be monitored closely, depending on the
authorities’ mandates and in cooperation with the respective relevant competent
authorities, so that big data and AI do not only benefit certain market segments;
• Big Data could theoretically lead to risk classification that excludes certain
groups. While such a risk-adequate calculation is beneficial from an insurer’s
risk management perspective, insurance regulators could decide, based on
societal/political considerations, to monitor policy offering to ensure that the vulnerable
population is not excluded from affordable insurance;
• The insurance sector could learn from the international guidelines on AI, and
regulators and supervisors may wish to consider the benefits of having a governance
requirement related to AI; and
• International cooperation among insurance supervisory bodies and regulators in
the area of big data and AI would support the sharing of experiences, as well as
lead to the facilitation of their cross-border activities.

78 https://content.naic.org/cipr_topics/topic_big_data.htm.
79 “EIOPA Establishes Consultative Expert Group on Digital Ethics in Insurance,” EIOPA—European
Commission, 17 September 2019.
80 EIOPA and NAIC (2018), EU-U.S. Insurance Dialogue Project Big Data Issue Paper.
81 OECD (Organisation for Economic Co-operation and Development). “The OECD Privacy Framework.”
(2013), 6–7.

Most recently, EIOPA82 carried out a public consultation on “open insurance” for the EU
focussing on regulated forced access to and sharing of insurance-related personal data and
other data via Application Program Interfaces (APIs).83 The concept of “open insurance”
is that insureds can require access to and sharing of certain of their insurance-related data
(including personal data) between insurers, brokers and other intermediaries and third
parties in relation to a breadth and range of data, including their insurance policies, claims
history and relevant Internet of Things (IoT) data (e.g. health or driver data from an IoT
connected device) in a regulated secure environment. This broader access to
insurance-related data (in the hands and under the control of consumer insureds) is aimed at facilitating
the development of innovation and tools such as insurance management dashboards.
As Claire Harrop, Eva Roney and Eugene McQuaid84 explain:
This [open insurance] would empower consumers to actively manage their policies and risks,
allowing for seamless switches between insurance providers if prices are better elsewhere.
Consumers could also start seeing bespoke policy recommendations based on specified life
events, such as having a baby or reaching a certain age.

They add that:

For businesses, open insurance offers increased efficiency, whilst fostering the adoption of
a consumer-centric innovation mindset. Businesses could benefit from reduced administrative
costs, as well as increased flexibility and speed in digital insurance sales. The detailed
tracking of evolving consumer needs may drive insurance market players to develop innovative
products and services to meet those demands.85

82 https://www.eiopa.europa.eu/consultations/open-insurance-accessing-and-sharing-insurance-related-data_en.
83 Defined as a “software intermediary that allows two applications to talk to each other.”
84 Claire Harrop, Eva Roney and Eugene McQuaid, “Open Insurance: what is it and why is it so exciting?,”
Freshfields, Bruckhaus Deringer, 23 March 2021,
https://technologyquotient.freshfields.com/post/102gtvf/open-insurance-what-is-it-and-why-is-it-so-exciting.

Of course, the privacy concerns highlighted earlier in this chapter are potentially even
more acute in the context of an open insurance environment and EIOPA expressly rec-
ognises that the wider sharing of data with more parties raises the risks of a data breach,
misuse and fraud, including obtaining unauthorised knowledge about facets of consumer
insureds’ lives, including sensitive data concerning the customer insureds’ health, loca-
tion or financial status.86 Accordingly, regulators will have to carefully consider issues
pertaining to the use of and access to sensitive insurance-related information.
While one of the later adopters of “open banking,” Australia is set to be one of the first
(together with Brazil) to introduce “open insurance” (or the Consumer Data Right (CDR)
as it is known in Australia) which is expected to go live in 2025. Following the approach
taken in Australia’s open banking and other sectors of the economy currently adopting
the CDR regime, the open insurance (or CDR for insurance) ecosystem will be subject
to a more stringent set of privacy requirements known as the “Privacy Safeguards.”
Also, those wishing to receive the relevant consumer data must meet and be certified to
high standards of cyber security and compliance with Privacy Safeguards before being
able to engage in the CDR ecosystem. They also remain subject to ongoing assessment,
review and periodic re-certification. Of particular note as regards data protection/privacy
imposed in Australia’s open insurance, the Privacy Safeguards require clear, transparent
and express consent to be obtained for specific and clearly enunciated uses, which uses
must also be within the boundaries of the CDR regime. Strict timelines are also imposed
on how long the consumer data can be held by data recipients and even stricter prohibi-
tions are imposed on any “secondary uses” of the consumer data for purposes (a) outside
of the limited CDR authorised uses and (b) the specific uses for which consent has been
obtained from the consumer.
While the scope of the CDR data that will be subject to the CDR regime for open insurance
is yet to be finalised, the expectation is that, based on the open banking experience, it
will be significantly more than insurers expect. Subject to an organisation’s ability to meet
and be certified to the onerous cyber security and Privacy Safeguard obligations, CDR
for insurance is expected to open up the insurance and insurance-related value-added
products market in Australia. In addition to encouraging insurtech, foreign insurers not
yet in the Australian market and intermediaries with value-added products, many existing
insurers in the Australian market will also likely be active participants (as data receivers)
to seek to entice insureds from their competitors.
The transportability of insurance-related consumer data about individual insureds via
APIs under the CDR regime/open insurance will also likely have a significant impact on
the duty of disclosure, especially given that the new insurer will be able to access (with
the consent of the insured) significant amounts of quality data collected by their previous
insurer, including claims history, premium payments, products obtained, risk assessments
and the like. Therefore, while likely to enhance competition, open insurance is also likely
to, at least for consumer insurances, put another nail in the coffin of the insured’s duty of
disclosure.

85 Ibid.
86 Open Insurance (n 81) 22.


Conclusions
The rapid advances in AI analytics and the growth of big data (and the “step change” in
the insights, predictions and the granularity of them obtained from their combination)
have had, and will continue to have, a profound impact on the insurance industry and
the way that insurance business is done. This seismic, tech-driven shift has the poten-
tial to substantially streamline processes, lower costs, exceed customer expectations,
and deliver individualisation and dynamic adaptation, not to mention the additional ben-
efits of enhanced cost-effective fraud detection, targeted marketing and the personalised
upselling opportunities that it can create.
Accordingly, it is both hard to imagine and to overestimate the potential opportunities
that big data and AI-powered analytics can deliver to insurers across all aspects of the
insurance business and processes in the next decade. Big data and AI analytics can deliver
significant uplift from determining what questions to ask consumer insureds; the likely
consequences of their answers; real-time, agile and cost-effective fraud detection and pre-
vention (even for low-cost high-volume claims); and through to on-demand insurance risk
assessment and pricing and automated decision-making (and much in between).
However, the explosion in the availability, collection, combination and use of big data
with AI-driven analytics for insights, predictions, decision-making, due diligence on con-
sumer insureds (in the absence of a duty of disclosure) and fraud detection also poses a
huge challenge for regulators. For example, non-governmental agencies may use drones
to collect data by aerial surveillance of a mining company’s resources or of a land devel-
oper’s properties. To counter these malpractices, Samantha Dorsey87 discusses the neces-
sity, in the context of the United States, of a nationally unified regulatory framework that
will designate and place restrictions on data collection, limit how that data may be used
and establish an accountability log that will provide individuals with the opportunity to
access their data that is being collected by a commercial drone entity. While the same
concerns and need for a regulatory response arise in other jurisdictions (and in relation
to other sources of data), outside the United States the existing data protection/privacy
regimes in many other countries are already substantially unified on a national or, in the
case of the EU, regional basis and provide a solid foundation from which to address the
increased risks of big data, AI analytics and AI in general.
There are also serious public policy considerations associated with big data and AI. From
an insurer’s perspective, for example, the use of increasingly accurate genetic data (if avail-
able to insurers) will inevitably create the ability for insurance underwriters to, in combina-
tion with other data, predict with far greater accuracy each individual’s expected healthcare
costs and the stage at which a life or disability policy may have to be paid. This, in turn,
creates an ability for insurers to reject candidates who are likely to prove too cost-ineffective
or to charge significantly higher premiums to those who the insurer’s AI-powered analysis
indicates have a pre-disposition towards a likely higher cost. As the Guardian astutely argued
in an editorial, “[i]nsurance depends on the pooling of risk but big data may drain that pool.”88

87 Samantha Dorsey, “They are Watching You: Drones, Data and the Unregulated Commercial Market”
(2018) Federal Communications Law Journal 70, 351.
88 “The Guardian view on big data and insurance: knowing too much,” Editorial, The Guardian, 27
September 2018, www.theguardian.com/commentisfree/2018/sep/27/the-guardian-view-on-big-data-and-insurance-knowing-too-much.


However, if insurers are not able to use genetic and other information in this way, for
example, or have only limited access to it, consumers who are aware of their heightened
need for medical services will, subject to their diminishing duty of disclosure, potentially
be able to access these insurance products at a substantially lower rate than would other-
wise be the case (that is, if the insurers had this information). Although attractive from the
individual insured’s perspective, the economic result in a commercial setting may be that
the majority of insureds are forced to pay significantly higher premiums than would oth-
erwise be assessed to cover those who will ultimately cost significantly more (that is, more
than the average without them). Accordingly, the interface between big data, AI-powered
analytics, the predictive nature of genetic testing and, possibly, insurance discrimination
touches on the fundamental nature of the insurance business as a commercial enterprise.
This will continue to be a recurrent theme when considering the impact of big data, AI
and predictive analytics.
It remains to be seen to what extent the legislatures in countries such as the United
States, the United Kingdom and Australia (or their courts) will re-focus their attention
on both the insurer’s and insured’s disclosure obligations as the asymmetric information
or knowledge balance is reconfigured by developments in the AI-driven analytics of big
data. However, enhanced disclosure obligations on entities such as insurers are already
grounded in express legislative interventions such as the GDPR where, for example, if
automated processing occurs the data subject has a right under the GDPR to be informed
about this fact. As Michèle Finck89 observes, while the exact content of such
disclosure may be uncertain, data subjects must nonetheless be provided with concise,
transparent, intelligible and easily understandable information about the processing of
their personal data.90 The data subject is also expressly entitled under the GDPR to be pro-
vided with meaningful information about the logic involved in, and the significance and
the envisaged consequences of such processing.91 This requirement applies whether or not
the personal data was obtained directly from the data subject or from a third party.92 We
expect that this is likely to be the model adopted, at least as a starting point, in the data
protection/privacy regimes of most countries.
In an increasingly globalised and interconnected commercial world (and insurance
markets), many of the challenges and opportunities presented by big data, AI (including
AI-powered analytics and profiling), autonomous vehicles and drones, the IoT, distributed
ledger technology, genetic testing and epigenetics, to name a few (not to mention any new
innovations to come), have to be addressed simultaneously on a global basis and in a data
protection/privacy enhancing manner. This includes insurers always asking that “extra
question” when it comes to big data, AI-driven analytics and the use of the results of such
(e.g. the predictive insights)—“Should we?” That is, even if the law (as it then stands) does
not prohibit what the insurer is proposing, insurers must consider the ethical and other
concerns and ask “Should we use that data?” In other words, “with great amounts of data
and analytics capability comes even greater responsibility.”

89 Michèle Finck, “Smart contracts as a form of solely automated processing under the GDPR,” International
Data Privacy Law, vol 9, issue 2, May 2019, 78–94, https://doi.org/10.1093/idpl/ipz004.
90 Article 12(1) GDPR.
91 Article 13(2)(f) GDPR.
92 Article 14(2)(g).


There is no room for complacency. The global landscape in which insurance is trans-
acted continues to change at a rapid rate, particularly in relation to the availability, types
and amount of data (including personal and sensitive information) and the scientific/tech-
nological advances (such as AI and the digital economy) in its collection, analysis and
use. Asymmetry of information, access to and integrity of data (including personal and
sensitive information) and its provenance, determination of liability in novel technologi-
cal contexts, resulting insurance “discrimination” and data protection/privacy issues will
continue to challenge regulators, insurers and the wider community on a global basis.

Chapter 3

On-Demand Insurance
Anthony A Tarr, Julie-Anne Tarr and Antton Peña

CONTENTS
Introduction
On-demand insurance
The transactional process
Information disclosure and insurance fraud
Conclusions

DOI: 10.4324/9781003319054-3

Introduction
As discussed in the preceding chapter, the availability of “big data” in conjunction with
technological advances in artificial intelligence (AI), predictive analytics and blockchain
opens doors to new and exciting opportunities within the insurance industry.
These technological advances can create the foundation, or launching pad, for new “on-
demand” insurance products that are emerging and will undoubtedly play a fundamental
role in the future of the insurance industry generally.
The National Association of Insurance Commissioners1 defines on-demand insurance
products as including:
(P)roducts with continuous underwriting, microinsurance products, and products for the gig
(or sharing) economy workers.
Microinsurance refers to coverage of smaller risks via rapid underwriting including on-
demand products like travel or event insurance, renters’ insurance broken out for specific
high-value household items or pay-per-mile auto coverage.
Continuous underwriting is the use of constantly updated policyholder data to quickly
determine consumer risk and alter prices and policy terms accordingly.
Gig (or sharing economy) insurance refers to the rise of freelance or “gig” opportunities
such as Uber and AirBnB. Insurers are creating products to allow these independent contrac-
tors to be covered by swiping right when they need to be covered.

The demand and drivers for such instant and dynamic insurance cover are consistent with
the equivalent rising interest in “on-demand” services in other sectors: Video on demand
(VOD) has supplanted linear television as the primary media distribution system in many
market segments; on-demand software (also known as software as a service) is increas-
ingly the delivery model of choice for personal and enterprise software applications; and
build on demand (or manufacturing on demand) refers to the production of goods only as
and when they are required.
The on-demand hypergrowth is upon us. In the next 5 to 20 years most of the people will be
able to get anything within a 5-to-60-minute window.2

Alongside this desire for services as and when needed, the gig economy is one of the
fastest-growing sectors in many international markets,3 and there is a corresponding con-
sumer shift towards an “asset-light” existence. Businesses and individuals are owning
fewer capital assets and turning instead to shared ownership and renting. On-demand
insurance is a natural consequence of this changing economy as consumers require more
limited and personalised cover.
On-demand insurance is often used interchangeably with usage-based insurance,4 and,
in this chapter, usage-based insurance is treated as a type of on-demand insurance. There
are differences between the various types of on-demand insurance. In its “purest” sense,
on-demand insurance describes a situation where an insured activates their coverage by
way of a smart device or application, or the cover is automatically based on criteria such as
location, activity or context; the cover, similarly, is terminated manually or automatically,
and the customer can choose to turn on insurance from different providers at different
moments.5 In usage-based insurance, the connectivity between the customer or insured
and the insurer is more substantial; namely, the contractual relationship between the
insured and insurance company persists continuously (that is, also in times when the item
is not “in use”) because the usage-based component is often part of traditional insurance
coverage. A prominent example is usage-based insurance for cars, where basic liability
and theft insurance may be always in force, and additional premiums for liability and
collision cover are calculated upon usage (for example, based on distance travelled, countries
visited or driving habits).6

1 Center for Insurance Policy and Research, “On-Demand Insurance,” content.naic.org, 5 November 2022,
https://content.naic.org/cipr-topics/demand-insurance (hereafter CIPR On-Demand).
2 Gary Vaynerchuk, “Understand the On-Demand Economy and Is It Really Rising?,” Medium, 22
September 2017, https://medium.com/@flexspace/understand-the-on-demand-economy-and-is-it-really-rising-f22cb6562a18.
3 Marcin Zgola, “Will the gig economy become the new working-class norm?” Forbes, 12 August 2021,
www.forbes.com/sites/forbesbusinesscouncil/2021/08/12/will-the-gig-economy-become-the-new-working-class-norm/?sh=42e404baaee6.
4 “Will on-demand insurance become mainstream?” KPMG, 2017,
https://assets.kpmg/content/dam/kpmg/uk/pdf/2017/09/will-on-demand-insurance-become-mainstream.pdf (hereafter KPMG 2017).

Research published by the International Underwriting Association (IUA) observes that
these so-called “pay-as-you-go” models of cover will allow customers to automatically
activate policies when and where they need them.7 As Tom Chamberlain, then Chair of the
IUA’s Developing Technologies Monitoring Group, explained:
In the future insurance will be based around whatever you are doing. You will be in your
house and your insurance will be active and when you leave your front door your premium
will step up as it is now unoccupied. You will then get into a shared economy car and your
phone will interact and automatically trigger your insurance for that journey. Your insurance
will follow you as you go and as your activity changes. It will no longer be a manual process
and could realistically work for everything you do requiring insurance.8

Chamberlain envisions a model of “always-on” insurance—or, at least, a highly connected
and integrated insurance ecosystem. In this context, access to big data and AI-driven
analytics will be critical to transforming the insurance production process. As Jeff Goldberg
explains:
On-demand insurance requires data, if not in real time, then something close to it. If insur-
ers are only getting updates as to policyholder risks and scheduled items after an end-of-
term audit, then only a traditional approach will work. But as connected technologies and
the Internet of Things have created a continuing pipeline of data, a new approach emerges.
Insurers now have the ability to tap into discrete data points about coverages times and risks in
an automated fashion, including: When is someone driving their car for Uber vs. for personal
use? When is a business stocking high amounts of valuable goods? What is monthly payroll
for workers’ comp?9

5 The term “on-demand” is open to various interpretations. For Scott Walchek, founding chairman and
CEO of pioneering on-demand insurance platform Trōv, it’s about “giving people agency over the items they
own and enabling them to turn on insurance cover whenever they want for whatever they want—often for just
a single item.” See Graham Buck, “Kiss Your Annual Renewal Goodbye; On-Demand Insurance Challenges
the Traditional Policy” 14 September 2018 (hereafter Buck 2018),
https://riskandinsurance.com/on-demand-insurance-challenges-traditional-policy-constraints/.
6 Angela Zeier Röschmann, Matthias Erny and Joël Wagner, “The Geneva Papers on Risk and Insurance—
Issues and Practice,” 2022, 47, 603–642 (hereafter Geneva Papers). See also Chapter 7 Autonomous Vehicles,
Liability and Insurance below.
7 Interview with Tom Chamberlain Allianz Global Corporate and Specialty IUA Developing Technology
Monitoring Group, “On-demand and Conquer: Is the future of insurance a pay as you go one?
IUA Publishes on demand insurance report,” IUA, 16 October 2019,
www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_on-demand_insurance_report.aspx?WebsiteKey=84dca912-b4fb-4a0f-a6e5-47ad899350aa
(hereafter IUA Chamberlain 2019).
8 Ibid.

Big data and AI-driven analytics of it provide new sources of information and insight
into specific risks and the risks of individuals, groups and types of insureds, together with
predictive analytics at an individual insured level, enabling insurers to predict and price
risk more accurately (and quickly). This enables more granular segmentation of
risks, increases the effectiveness of risk identification and also allows for pricing that
is both quicker and more risk-sensitive. For example, in relation to pay-as-you-fly
insurance for drones, an insurer could combine real-time data with algorithmic/
AI risk assessments to predict the likelihood (“probability”) of any particular drone
flight resulting in a crash, as well as the associated cost (“severity”) of that crash.
Multiplying the probability of a crash by its associated severity gives the “technical
insurance price” (or expected loss) of that drone flight, so that the insurer is able to
provide an accurate premium quote upon request. The use of technology to facilitate
these calculations is the key enabler that allows the insurer to service these enquiries
efficiently and offer a sufficiently attractive premium for even a short flight. Similar
economies of scale are allowing companies to offer car insurance by the hour and
other highly tailored products.
On-demand insurance is growing rapidly with predictions that, by 2030, the global
insurance market will evolve to contain highly dynamic, usage-based products that
are tailored to individual customer behaviours. Alongside this product evolution, it
is expected that many consumers will transition away from the traditional annual
renewal model to a continuous cycle of insurance products that are tailored and con-
stantly adapt to individual behavioural patterns—driven by the application of data
and individualised risk models.10
The landscape of current market offers reveals that typical target customers of
on-demand insurance are occasional travellers and recreationists, low-frequency car
drivers, sharing economy participants and gig economy or self-employed workers.11
Examples include on-demand insurance being available for valuable personal pos-
sessions, drones, motor vehicles, homeowners and home-sharing hosts, travel and event
insurance, small business insurance, insurance offerings for workers in the gig economy12
and cover for digital businesses against loss due to employer’s liability, public liability,
professional indemnity, cyber liability and directors’ and officers’ liability.13
This convergence of new technologies and consumer demands is creating new and exciting
opportunities within the insurance industry, but also complex challenges including
determination of liability for harm or damage, privacy considerations, cyber security risks
and insurer solvency.

9 Jeff Goldberg, “The 3 Pillars of On-Demand Insurance,” Insurance Thought Leadership, 19 June 2018,
www.insurancethoughtleadership.com/the-3-pillars-of-on-demand-insurance/.
10 Tanguy Catlin, “Insurtech-the Threat That Inspires,” McKinsey & Company, 2017,
www.mckinsey.com/industries/financial-services/our-insights/insurtech-the-threat-that-inspires (hereafter McKinsey 2017).
11 Geneva Papers (n 6).
12 Jeff Goldberg, “The 3 Pillars of On-Demand Insurance,” 19 June 2018: “Gig economy insurance is most
familiar to those outside the insurance space: as more and more freelance and ‘gig’ opportunities like Uber
and Postmates emerge, carriers are developing products to keep these independent contractors covered in a
part-personal, part-commercial hybrid coverage.”
www.insurancethoughtleadership.com/the-3-pillars-of-on-demand-insurance/
13 Buck 2018 (n 5).

This chapter considers on-demand insurance and associated technological develop-
ments supporting its global growth and development.14 Attention is then given to actual
and prospective impacts on insurance law and practice, highlighting opportunities and
risks in navigating the changing or changed landscape.15

On-demand insurance
While on-demand insurance still only represents a small percentage of the global insur-
ance market,16 there has been a rapid rise in on-demand insurance products as economies
are shaped by digitisation and consumers demand more individualised services.
Globally, insurtech start-ups have taken the lead in addressing the demand for cus-
tomisable on-demand insurance.17 This is not surprising—start-ups are often focused on
market disruption and developing one killer application to take on a major opportunity.
However, large institutional insurers are responding to this trend “by leveraging emerging
technologies, investing in complementary partnerships, and exploring transformational
options to replace traditional services.”18
For example, consider Flock Cover, an app-based “pay-as-you-fly” drone insurance
product developed by Flock in conjunction with Allianz.19 This product launched in
Europe in January 2018 and allowed drone users to purchase insurance products through
a mobile app. The cost of “pay-as-you-fly” cover was based on levels of exposure, which
was assessed on a per-flight basis.20 The app worked as follows:
Users entered their flight details and received a quote that changed depending on a number
of factors, including the time of day, location and flight conditions, in real-time. It could be
utilised by both commercial and recreational drone operators.21

Through the mobile app, commercial and recreational pilots were able to purchase cus-
tomised equipment and liability insurance on demand (lasting from one to eight hours).
This pay-as-you-fly product marked a dramatic departure from traditional insurance,
using advanced data-driven analytics to quantify, mitigate and insure drone flight risk in
real time. In contrast to traditional insurance pricing, “exposure-based” pricing considers
risk on a per-event (or in this case, on a per-flight) basis.

14 Generally, see Julie-Anne Tarr and Anthony Tarr, “On-Demand Insurance and the evolving technological
and legal environment”, (2021) Journal of Business Law 535.
15 Ibid.
16 KPMG 2017 (n 4).
17 For example, Trōv, Verify Insurance Services, By Miles, Metromile, Cuvva, Flock, Slice Labs, Sure
Inc, Digital Risks.
18 See Padraig Floyd, “On-demand insurance: Challenges and opportunities for large insurance carriers,”
www.the-digital-insurer.com/on-demand-insurance-challenges-and-opportunities-for-large-insurance-carriers/
19 For another example, see AXA’s partnership with Insurtech start-up By Miles, launching a pay-as-you-go
car insurance policy in the UK. The product is promoted as low-cost car insurance for drivers who travel no
more than 140 miles per week, or 7,000 miles annually, described in “AXA Partners with Pay-By-Mile Insurtech
Start-up by Miles,” youTalk-insurance.com, 12 April 2018,
https://youtalk-insurance.com/news/axa-commercial-lines-personal-intermediary/axa-partners-with-pay-by-mile-insurtech-start-up-by.
20 Flock, “The Future of Insurance for Connected Drone Fleets” (Flock White Paper, 2019)
https://landing.flockcover.com/enterprise-whitepaper.
21 IUA Chamberlain 2019 (n 7).


Advocates of exposure-based on-demand insurance also point to predictive risk-mitigation
advantages. As model sophistication evolves with the realisation of big data, insurers will
have the ability to provide transparent steps to mitigating risk and avoiding claim events.22 For
example, in the drone context, this is accomplished by accessing large amounts of informa-
tion and data from different sources, including weather data, building density and population
density, in a way which allows insurers to assess the risk posed by a certain drone in the
sky.23 As well as more accurate pricing, an insurer with visibility into a drone pilot’s real-time
exposure is able to provide actionable insights at the precise moment they are required, for
example by encouraging them not to fly in the wind or rain. Insurers are then able to offer
more comprehensive “risk management” solutions, rather than just insurance policies.24
Similarly, in the context of pay-as-you-drive motor vehicle insurance on-demand prod-
ucts, big data may permit insurers to monitor an insured’s activities in real time with the
data about the insured’s behaviours (such as speeding in an insured motor vehicle). In
principle, this would allow the insurer to vary the scope of the cover or premium payable
by way of real-time variations (such as policy terminating or premium increasing if cer-
tain driving behaviours occur).25
In the life insurance context, it is asserted26 that the evolution toward continuous
underwriting, made possible by increased data and device connectivity, will present further
opportunities for personalisation through behavioural and wellness recommendations:
Currently, mortality underwriting suffers from two primary data gaps. First, it is constrained
to a single moment in time—the initial sale. The only data available at that point are past
morbidity and behavioral data on the customer. Second, it fails to account for a customer’s
lifestyle changes, which are significantly more controllable.
We envision underwriting evolving in four phases that will increase personalization and
customer engagement. Currently, insurers focus on automating the underwriting process to
improve efficiency gains and reduce inconsistencies (phase 1). Some insurers have advanced
to accelerated underwriting, for which applications are submitted digitally (phase 2). Doing
so dramatically reduces the need for invasive fluid and paramedical exams and results in near
auto-issuance for the majority of policies. Insurers will then graduate to microsegmentation and
personalization, for which individualized offers are generated using comprehensive internal and
external data sets with enhanced accuracy (phase 3). Finally, winning companies will provide
continuous “one-touch” underwriting, with dynamic adjustment based on customer behavior
and suggested personalized actions to significantly drive healthier behavior (phase 4). Together,
this four-phase evolution flips the underwriting approach on its head, with environment, health,
and lifestyle becoming primary inputs and medical data providing only one part of the picture.

Scott Walchek, then founding chairman and CEO of Trōv, explained that these on-demand
products “have a particular appeal to millennials who love the idea of having control via
their smart devices and have embraced the concept of an unbundling of experiences.”27
Paradoxically though, while these products’ initial appeal is to younger age groups, for
some on-demand products such as mileage-based insurance, it is actually older
generations who are most likely to save money, as the use of their vehicles tends to decline.28

22 IUA Chamberlain 2019 (n 7).
23 IUA Chamberlain 2019 (n 7) 5.
24 See also Finbarr Toesland, “Insurance moves from Reactive to Predictive,” Raconteur, 26 April 2018,
www.raconteur.net/finance/insurance/insurance-moves-reactive-predictive/.
25 See for example, “Motorists have agreed for their insurer to watch their driving patterns in return for a
discount,” The Courier Mail, 4 August 2019,
www.couriermail.com.au/moneysaverhq/motorists-have-agreed-for-their-insurer-to-watch-their-driving-patterns-in-return-for-a-discount/news-story/915b092eb5a047f7fb772f9115166146.
26 Pierre-Ignace Bernard et al. “The future of life insurance: Reimagining the industry for the decade
ahead,” McKinsey, September 2020,
www.mckinsey.com/industries/financial-services/our-insights/the-future-of-life-insurance-reimagining-the-industry-for-the-decade-ahead

For enterprises and individuals seeking more tailored insurance solutions based on their
unique risk profile, future predictions are encouraging. As noted above, McKinsey29 predicts
that by 2030 the global insurance market will evolve to contain highly dynamic, usage-based
products that are tailored to individual customer behaviours and will transition from an annual
renewal model to a continuous cycle, with products that constantly adapt to individual behav-
ioural patterns—driven by the application of data and individualised risk models.
This transition is being supported by new insurance software platforms such as
Insurwave.30 As the world’s first blockchain-enabled platform, Insurwave facilitates or
enables connectivity between insurance buyers, brokers, insurers and reinsurers in rela-
tion to the placement, administration and servicing of speciality insurance contracts. For
example, in the marine insurance context, it integrates and secures the streams of dispa-
rate data sources involved in insuring shipments around the world where all parties in the
insurance value chain have the same risk data at the same time. Ernst & Young explain the
mechanics and benefits of such platforms as follows:31

The data is linked automatically to digital contracts which can trigger automated processes.
Everyone trusts the accuracy of the data and can share it easily. World-class encryption pro-
vides the necessary security, and there’s a clear, immutable audit trail to underpin end-to-end
underwriting and claims governance. In such a world, there would be a platform to enable
more collaboration and greater transparency. With many activities automated and some elimi-
nated entirely, administrative costs would fall. All players in the value chain could focus on
higher-value activities and delivering better client service. Insurers could better allocate their
costs to reinvest in underwriting new product lines. They would also benefit from greater vis-
ibility on the deployment of capital. The industry would become more efficient. Innovation
and profitable growth could flourish, despite difficult commercial circumstances.32

27 Buck 2018 (n 5).
28 Buck 2018 (n 5) quoting AXA UK’s head of telematics, Katy Simpson.
29 McKinsey 2017 (n 10).
30 “Insurwave: View Your Assets, Understand Your Risks, Protect Your Business,” Insurwave,
https://insurwave.com/
31 “Insurwave: blockchain-enabled marine insurance,” Ernst & Young, EY,
www.ey.com/en_au/insurance/blockchain-marine-insurance
32 “Better-working insurance: moving blockchain from concept to reality,” Guardtime and Ernst & Young,
2017, https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/insurance/insurance-pdfs/ey-marine-blockchain-pov.pdf

FLOCK’S CONNECTED MOTOR FLEET INSURANCE: CASE STUDY

Background on Flock
Flock, as a United Kingdom-based insurtech managing general agent (MGA), traces its foundations
to 2016 when Ed Leon Klinger (M.Eng graduate from Oxford), the now chief executive
officer, was studying for an M.Phil in Technology Policy at Cambridge, focusing on drones,
driverless cars and AI. Klinger identified that a common factor limiting the growth of these industries
was risk; if real-time data could help to assess risk more accurately, these industries could grow
faster and more sustainably. Antton Peña, now Flock’s chief strategy officer, had already built
(whilst at Imperial College London) a real-time risk assessment platform for drones. They joined
forces to start Flock, which began as a risk quantification start-up for drone pilots.
In 2018, Flock launched the world’s first “pay-as-you-fly” drone insurance product, provid-
ing hyper-personalised pricing for commercial drone operators. It became the largest drone MGA
in Europe, servicing over 3,500 customers.
In 2019, Flock decided to launch into a much larger market than drones and resolved upon
insurance for commercial motor fleets to both capitalise on a larger economic opportunity and
to fully realise their vision of making the world quantifiably safer. In reaching this decision they
ran a comprehensive and highly analytical consultancy process to choose this next market. The
markets considered were scooters/e-mobility, commercial fleets (small, medium, large), coaches/
buses, aviation and cargo shipping. These markets were assessed against the following criteria:

• Top-down criteria (market size, compound annual growth rate (CAGR), vehicle telemat-
ics penetration, telematics penetration CAGR); and
• Bottom-up criteria (customer need for a flexible insurance product, which was informed
by hundreds of customer calls).

It was clear from the results of their deep dive that commercial motor insurance ticked every box: It
is a large industry, growing rapidly (6.6% CAGR) and heavily connected (33% telematics penetra-
tion), and this connectivity rate is growing too (17% CAGR). Customer calls demonstrated what
can be described as a “desperate product market fit” with customers confirming on the call that they
would be willing to purchase a policy that enables and rewards safer driving. As such they decided
to launch into the commercial motor industry with the support of their board and investors.
It quickly became clear that commercial motor insurance was the “winning horse” for Flock,
with the result that in late 2021, Flock placed their drone business into a runoff to focus 100% of
their efforts on the motor industry. Over 500 companies now use Flock’s connected fleet policies
to protect thousands of drivers and vehicles.

Commercial motor fleet insurance


Flock’s digital insurance platform is powered by their proprietary risk intelligence engine which
combines telematics and environment data to quantify risk on a per-second and per-metre basis.
This data-driven approach to underwriting takes into account driver behaviour, location and dec-
ades of crime and accident data. It allows Flock to provide prices that truly reflect risk on a per-
fleet basis plus insights to help fleets reduce risk over time by identifying high-risk drivers and
journeys.
Flock’s capacity partner is Aioi Nissay Dowa Insurance (ANDI),33 which is part of the
MS&AD group, one of Asia’s largest insurers. Commenting on their partnership with Flock,
ANDI UK chief executive officer Warren Hetz, observed as follows:

33 www.aioinissaydowa.eu/en/home.cfm.


The motor insurance industry is at a crossroads as insurance, technology and mobility converge,
and this is creating a world of opportunities to improve road safety as well as deliver more tailored
customer experiences. Our partnership with Flock heralds a new era in commercial insurance.
By combining Flock’s cutting-edge technology with our significant underwriting exper-
tise in connected vehicle technologies and insurance, along with our global distribution net-
works, we will be able to deliver an exceptional experience for fleets and their drivers.

The commercial motor industry is at a major inflexion point. Vehicles are increasingly connected,
and a range of new business models are on the rise such as next-day delivery services, short-term
rentals and electric vehicle subscription services. These new use cases and dramatic shifts in
vehicle usage are not factored into traditional underwriting models which can lead to pricing that
doesn’t truly reflect the risk of each individual fleet.
Flock’s connected approach to insurance allows fleets to be underwritten based on actual expo-
sure to risk rather than just historical data. Flock’s underwriting model continuously learns as more
data is ingested allowing it to continue improving as the world becomes increasingly connected and
autonomous. Aside from offering best-in-class transparency, price and ease, Flock’s intention is to
put customers’ needs first and embody this every day. Accordingly, their product team spends hours
each week with brokers and customers, conducting feature testing to ensure each new tool adds value.
Flock now protects tens of thousands of commercial vehicles across the UK and has seen
gross written premiums grow 30 times in the last 12 months while their net loss ratio remains
below 55%. They attribute this very good loss ratio to Flock’s ability to accurately price risks and
incentivise safer driving for their clients. Flock has now analysed over 60 million miles to insure
over 2 million individual journeys for a range of commercial fleets in the UK, and as they capture
more data, their underwriting model continues to evolve.

Safety and efficiency


Flock is on a mission to make the world quantifiably safer, by using real-time data to provide con-
nected vehicle fleets with insurance that proactively enables and incentivises safer driving. With
an ambition to become the world’s largest insurer for commercial fleets, Flock believes that the
most effective way to achieve this is by helping commercial motor fleets identify, understand,
quantify and mitigate risks, incentivising them to do so with lower insurance premiums. Further,
the best claims experience is no claim at all; the insurer of the future will exist not only to pay
claims but to proactively help customers mitigate risks and avoid claims entirely.
Flock recognises that vehicles are becoming increasingly connected as is the environment
around them. Accordingly, more data can be collected to accurately quantify, price and facilitate
the selection of good risks. Moreover, fleets prioritise safety (of vehicles and drivers) and care
deeply about price; accordingly, an insurance proposition that enables and rewards safer driving
will align itself well with market aspirations.
For example, Robert Heath Heating,34 an award-winning energy services company in the
UK, worked with Flock to harness Flock’s data-driven approach to risk insights and fleet per-
formance. The parties began running sessions together to review the telematics data that Flock
was collecting from the fleet. Flock turned this data into actionable insights, and over the course
of several months, Flock and Robert Heath held several “risk insights” sessions to review the
behaviour of specific drivers or vehicles, as well as of the fleet as a whole.

34 https://robertheath.co.uk/.

Flock worked with the fleet managers of Robert Heath to turn data from their fleet of vehicles
into actionable insights designed to improve safety and review the contributing factors to risk—
driving at night, the choice of route driven and speeding. Based on telematics data, individual vehi-
cles that displayed these risky behaviours could be identified and linked back to the drivers. Robert
Heath could then deliver an intervention and make the driver aware that their behaviour was unsafe.
Beyond specific interventions, Robert Heath sends out emails to all of their drivers to make
them aware of risky driving behaviours. Over the course of the policy period, the metrics around
Robert Heath’s fleet safety have shown a strong improvement. For instance, looking at the pro-
portion of driving significantly over the speed limit (greater than 10% above the local speed
limit), there is a downward trend each month from July 2021 to July 2022. The proportion moved
from 6.8% to 4.3% over the period, a 36% decrease.
Macroeconomic and behaviour shifts (migration into cities, car usership over car ownership)
are making fleets increasingly relevant, and as a result, the commercial motor fleet industry will
continue to evolve and grow at pace.
New business models (self-drive hire, next-day delivery, on-demand couriers, ride-sharing,
autonomy) are on the rise; they require innovative and flexible financial services, including new
insurance products and the need for a more flexible and digital approach to fleet insurance.
For example, THE OUT is a premium car rental service that lets customers hire vehicles and
get them delivered to their homes or offices in a couple of clicks. It was launched by Jaguar Land
Rover’s mobility venture capital arm, InMotion, in 2019. The usage-based fleet policy provided
by Flock means THE OUT will only pay for insurance when vehicles are on hire. This has
allowed THE OUT to embed insurance in its offering, meaning all vehicles arrive with customers
fully insured and ready to drive. Alongside a fully comprehensive insurance policy, THE OUT
also takes advantage of Flock’s risk mitigation technology engineered to reduce road accidents.
This technology produces insights that help Flock customers improve safety. Flock generates
these insights by combining data from vehicle telematics with a range of other datasets, including
decades of accident data, crime reports and real-time traffic flows.35
SME customers and brokers increasingly demand both speed and digitisation from their ven-
dors, which dictates that fleet insurance providers need to embrace technological solutions.
Businesses such as Amazon/DPD and Geotab are establishing increasingly trusting relation-
ships with fleets, and as a result, there is a big opportunity for a tech-savvy fleet insurer to distrib-
ute insurance via alternative means to brokers.36

Concluding Flock case study comments


Flock is reinventing insurance for commercial motor fleets and is now one of the fastest-growing
insurtechs in Europe.37

35 www.theout.com/
36 DPD collections with Amazon, www.amazon.co.uk/gp/help/customer/display.html?nodeId=GJGHJJUBRQPAYUQG;
Geotab is the world’s largest connected fleet-tracking network, see www.geotab.com/
37 https://flockcover.com/ Since raising their $17M Series A led by Chamath Palihapitiya (Social Capital)
in 2021, Flock has grown premiums by over 11x in under 12 months. It now has 500+ commercial customers
such as Jaguar, Land Rover, Virtuo, and dozens of Amazon fleets.


Mobility is changing fast: New vehicles are connected to the internet, and new business
models (next-day courier, flexible leasing) are on the rise. The $200 billion commercial motor
insurance market, however, hasn’t changed in decades; insurers still use limited data and legacy
technologies. The result—in Flock’s opinion—is an overpriced, administratively heavy experi-
ence for customers and brokers.
Flock is a fully digital MGA that is reinventing fleet insurance by leveraging connected vehi-
cle data and geospatial data to accurately quantify driving risk. The intention is to enable its fleet
customers to drive safer with safety insights and incentivise safer driving with lower premiums—
with Flock, safer fleets pay less. Their dashboards dramatically simplify distribution for fleets
and brokers—quotes and policy changes take hours, not weeks.
Finally, Flock’s rapid growth is fuelled by distribution partnerships with over 100 leading
brokers, such as Marsh, Willis Towers Watson and Aon.

The transactional process


The US National Association of Insurance Commissioners (NAIC)38 reports that sim-
ple on-demand insurance transactions with no paperwork completed via smartphone are
increasingly commonplace:
On-demand insurance allows policies to be purchased online without directly interacting with
a broker or a company representative. Customers can buy insurance using their smartphones.
There are generally no long-term contracts, no lengthy forms and no need to speak to a rep-
resentative over the phone, making insurance coverage literally a simple swipe on a smart-
phone. Premiums for these micro-duration policies are paid in-app and claims are typically
filed using a mobile chat interface.39

Distributed ledger technology (DLT) or blockchain technology is of particular importance
in this context.40 While often used interchangeably, DLT is broader in scope. DLT
is a digital record (or ledger) of information and/or transactions, shared instantaneously
across a peer-to-peer network of participants. Blockchain is a technical part of the digital
ledger and refers to the chain of transactions and to how data is stored on the ledger.41
This technology underpins a “smart contract” as a contract between two or more parties
that can be programmed electronically and is executed automatically via its underlying
blockchain in response to certain events encoded within the contract. The data needed to
execute the contract may be located outside the blockchain, and in this case, a new type
of trusted party known as an “oracle” pushes this information onto a certain position in
the blockchain at a given time. The smart contract reads the data and acts accordingly.42

38 CIPR On-Demand (n 1)
39 CIPR On-Demand (n 1)
40 Generally, see Julie-Anne Tarr, “Distributed Ledger Technology, Blockchain and Insurance: opportunities,
risks and challenges” (2018) 29 Insurance Law Journal 254; see also Chapter 5.
41 See Allens Linklaters, “Blockchain Reaction- Nine Months On”, Report April 2017, www.allens.com.au;
McKinsey and Company, “Blockchain in Insurance—Opportunity or Threat?” July 2016 www.mckinsey.com
(hereafter McKinsey 2016); Australian Securities and Investments Commission, Evaluating Distributed
Ledger Technology Information Sheet 219, March 2017, www.asic.gov.au.
42 PwC, “Blockchain: A catalyst for new approaches in insurance,” 2017,
www.pwc.com.au/publications/pwc-blockchain.pdf


As IBM explains:43

By replacing human interventions which are currently embedded throughout the entire
risk transfer process, frictional delays and risks of human error are completely removed…
Blockchain, enables a single version of the truth (a ledger, copies of which are held by par-
ticipants in a network) that has the potential to make multiple types of financial transactions
more efficient and lower costs.

Various start-ups44 have successfully launched P2P flight insurance policies built on
blockchain with smart contracts. These smart contracts initiate payouts for insured flight
tickets when cancellations or delays are reported from verified flight data sources (via so-
called “oracles” for making external sources usable for smart contracts in the blockchain).
This automated payout process addresses the problem whereby passengers holding
travel or flight insurance policies did not claim on their cover, as the claims process requir-
ing the filing of all the information and evidence was cumbersome and time-consuming.
These flight insurance smart contracts endeavour to cut away the claim notification step by
the insured and process the claim automatically by verifying facts from external parties.45
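
The oracle-fed payout described above, sketched as an added example that is not code from the book or from any of the start-ups it names. The class and field names, the 120-minute trigger and the use of an HMAC in place of the oracle's digital signature are assumptions made for illustration; the flight identifier and timestamps are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

ORACLE_KEY = b"constructed-demo-key"  # constructed; a real oracle would sign with a private key
DELAY_THRESHOLD_MIN = 120             # assumed trigger: a delay of two hours or more


def oracle_sign(report: dict, key: bytes = ORACLE_KEY) -> str:
    """Oracle side: authenticate a flight-status report (HMAC stands in for a signature)."""
    payload = json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class Policy:
    holder: str
    flight: str       # flight number and date, e.g. "XX123/2024-05-01"
    payout: int
    settled: bool = False


class FlightDelayContract:
    """Toy model of a parametric flight-delay contract with no claim notification step."""

    def __init__(self, oracle_key: bytes = ORACLE_KEY):
        self._key = oracle_key
        self.policies = []
        self.payments = []   # log of (holder, amount) payouts

    def buy(self, holder, flight, payout, bought_at, departs_at):
        # Cover cannot be switched on once the insured event may already be known.
        if bought_at >= departs_at:
            raise ValueError("cover must be purchased before scheduled departure")
        policy = Policy(holder, flight, payout)
        self.policies.append(policy)
        return policy

    def on_oracle_report(self, report: dict, tag: str):
        """Pay every open policy on the reported flight if the trigger is met."""
        # Only data authenticated by the trusted oracle may move money.
        if not hmac.compare_digest(oracle_sign(report, self._key), tag):
            raise PermissionError("report not authenticated by the trusted oracle")
        triggered = report["cancelled"] or report["delay_min"] >= DELAY_THRESHOLD_MIN
        paid = []
        for policy in self.policies:
            if triggered and policy.flight == report["flight"] and not policy.settled:
                policy.settled = True   # a replayed report cannot pay twice
                self.payments.append((policy.holder, policy.payout))
                paid.append(policy.holder)
        return paid


def demo():
    """Constructed scenario: one insured passenger, one delayed flight."""
    contract = FlightDelayContract()
    contract.buy("alice", "XX123/2024-05-01", 200, bought_at=1_000, departs_at=5_000)
    late = {"flight": "XX123/2024-05-01", "delay_min": 150, "cancelled": False}
    first = contract.on_oracle_report(late, oracle_sign(late))
    replay = contract.on_oracle_report(late, oracle_sign(late))
    return first, replay, contract.payments


if __name__ == "__main__":
    print(demo())
```

The contract is only as trustworthy as the oracle: anyone holding the oracle's key can trigger payouts, so that key and the flight-data feed behind it are the parts to protect and monitor.
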
Blockchain, therefore, may have a significant impact on the efficiency and processes of
data collection and sharing, and on the way certain insurance contracts are transacted and
how claims in relation to those contracts are managed. In the on-demand insurance con-
text, the standardisation of policy language, customs and practices facilitates automation
in the purchasing process with items such as cars, electronic devices or home appliances
having their own insurance policies registered and administered by smart contracts in a
blockchain network.46
Considering car insurance, Lamberti et al. outline on-demand car insurance as a com-
bination of “block-chain technology and sensors installed on a vehicle to (1) semi-auto-
matically modify car insurance coverage, (2) certify a coverage’s activation/deactivation,
and (3) attest to a vehicle’s status at a given time.”47 They argue that blockchain and smart
contracting would also enable the provision of on-demand insurance for smart homes.
These processes, and the data upon which they rely, are far removed from traditional
insurance contracting. As discussed in Chapter 2, this burgeoning volume of data and
information impacts traditional arguments around information asymmetry and advances
the cause of aligning the law and practice of insurance to modern circumstances and
markets by rebalancing pre-contract information disclosure requirements in the global
insurance market.48

43 IBM Global Business Services “Blockchain: Emerging Use Cases for Insurance,” May 2017.
44 Etherisc (winner of the “Blockchain” Oscar for most innovative Blockchain Start-up as part of
Blockshow Europe 2017) described by the Burnie Group, “3 Blockchain-based use cases changing the future
of insurance” www.burniegroup.com/3-blockchain-cases-changing-the-future-of-insurance/ and InsureETH
referenced by McKinsey 2016 (n 41) 4.
45 See Chapter 5.
46 Ibid. See also Suzanne Barlyn, “AIG teams with IBM to use blockchain for ‘smart’ insurance policy”
Reuters, 15 June 2017, www.reuters.com.article/us-aig-blockchain-insurance/.
47 Valentina Gatteschi et al, “Blockchain and Smart Contracts for Insurance: Is the Technology Mature
Enough?” Future Internet 2018, 10, no. 2 (2018): 20, www.mdpi.com/journal/futureinternet, cited in Geneva
Papers (n 6).
48 Brendan McGurk, Data Profiling and Insurance Law (Bloomsbury Publishing, 2019) 163.


Danny Baxter49 observes that underwriting standards and knock-out questions are
very important for on-demand products. Less control over the underwriting process, with
minimal ability to audit and review the applicant, can lead to riskier insureds being able
to obtain on-demand coverage when they haven’t been able to obtain coverage in the
standard market. Moreover, since the application process is typically through a mobile or
web application, it is difficult to audit the applicant’s responses for accuracy. Applicants
can answer questions dishonestly in order to pay a cheaper premium. Insurers need to cre-
ate better verification and auditing systems in order to ensure that risks are being priced
appropriately.50

Information disclosure and insurance fraud


On-demand insurance poses new challenges for insurers as the window for detecting and
stopping fraudsters is truncated. This is not particularly a problem with an on-demand
usage-based insurance model where a contractual relationship between insured and insurance
company persists continuously (i.e. also in times when the item is not “in use”). An
example is a fleet motor vehicle policy where basic liability and theft insurance may be
always in force and additional premiums for liability and collision cover are calculated
upon usage dictated by factors such as the number of kilometres and driving habits.51
Conversely, with short-term, ad hoc insurance coverage, Angela Zeier Röschmann,
Matthias Erny and Joël Wagner52 observe that:
Given the contiguity between the activation of cover and the coverage period, adverse behav-
iour may gain in importance. In addition, on-demand insurance may increase the risk of
fraud, especially if insureds can turn on their insurance after a loss event. Empirical evidence
supports the supposition that online-based insurance products and processes are more likely
to attract fraudsters and increase moral hazard. For example, … cheating can be more tempt-
ing when filing an anonymous damage report on an online platform compared to face-to-face
contact with an insurance agent.53

As the National Association of Insurance Commissioners54 comment, “since coverage
can be turned on and off easily with a swipe on a smartphone, the possibility of fraud
risks increases with consumers who only turn on their insurance when wanting to make
a claim.”55
Survey results procured by Angela Zeier Röschmann et al.56 support the proposition that
those intending to use on-demand insurance are also more likely to take financial risks—
accordingly, the results provide some evidence of the existence of adverse selection.
However, against the background that the delivery of on-demand insurance is typically
data-driven and some products are even sensor-based, information asymmetry can be
argued to decrease as the use of technology powering on-demand offers matures. This
would allow insurers to charge higher premiums to individuals who present higher risks.
Such differentiation would, in theory, drive out high-risk individuals as premiums for
them would skyrocket.57

49 Danny Baxter, “On-Demand Insurance: Insurance for the Sharing and Gig Economies,” Perr&Knight,
28 January 2022, www.perrknight.com/2022/01/28/on-demand-insurance-gig-economies/
50 Ibid.
51 CIPR On-Demand (n 1)
52 Geneva Papers (n 6)
53 See also V Köneke, H Müller-Peters, D Fetchenhauer, “Understanding the Climate for Managing
Consumer Insurance Fraud and Abuses,” (2015) Journal of Insurance Issues 34(2), 82–120.
54 CIPR On-Demand (n 1)
55 See also, KPMG 2017 (n 4)
56 Amy Zeier Röschmann, Matthias Erny and Joël Wagner, “On the (future) role of on-demand insurance:
market landscape, business model and customer perception.” Geneva Pap Risk Insur Issues Pract 47, 603–642
(2022). https://doi.org/10.1057/s41288-022-00265-7

Also, it should be stressed that, practically, there are countervailing technological con-
straints on fraudulent behaviour. For example, in relation to pay-as-you-go motor vehicle
insurance, the fraudulent insured has little or no time to think up embellished answers
when the data the insurer needs comes from the telematics and sensor data in the car and
the insured’s mobile phone. Assuming complete cooperation in relation to data sharing
between insurers and motor manufacturers, insurers are able to determine a better picture
of what happened without the customer’s input. Similarly, with pay-as-you-fly insurance,
Flock used data directly from flight logs (drones) and telematics providers (motor) to vali-
date claims. It is very difficult for these records to be manipulated, especially as the data
is received in real time as an incident occurs.
Moreover, Ernst & Young58 are confident that DLT or blockchain can have a major
impact on fraud detection and risk prevention. They argue:
Thanks to its ability to provide a public ledger across multiple untrusted parties, blockchain
has the potential to eliminate errors and detect fraudulent activity. A decentralized digital
repository can independently verify the authenticity of customers, policies and transactions
(such as claims) by providing a complete historical record. As such insurers would be able to
identify duplicate transactions and those involving suspicious parties.

Examples of start-up initiatives directed at combatting fraud utilising DLT or blockchain
technology are Everledger and Blockverify. The former uses a blockchain to create a
global registry of precious stones recording 40 characteristics of every stone recorded
(cut, colour, clarity, etc.) that represent 40 metadata components which are then used to
create a unique serial number. This number is then laser engraved on the stone and added
to the relevant blockchain, making it difficult for sellers to dispose of stones if they can-
not provide encrypted proof of ownership.59 Similarly, Blockverify labels goods such as
electronics, pharmaceuticals and luxury items, storing the history and supply chain in the
blockchain; users are allowed to check for counterfeit products, diverted or stolen goods
and fraudulent transactions.60 These initiatives, by creating global, tamper-proof registries,
are directed at authenticity, ownership and provenance of goods.

57 Ibid.
58 “Blockchain in Insurance: applications and pursuing a path to adoption,”
www.ey.com/Publication/vwLUAssets/EY-blockhain-in-insurance/$FILE/EY-blockhain-in-insurance.pdf
59 The Burnie Group, “3 Blockchain-based use cases changing the future of insurance,”
www.burniegroup.com/3-blockchain-cases-changing-the-future-of-insurance/.
60 McKinsey 2016 (n 41) 6.

Of more general utility would be a distributed ledger for a network of insurers holding a
combination of external and customer data. This would allow insurers to more effectively
detect common fraud such as falsified injury or damage reports, and DLT in this context would
enable insurers to validate the authenticity of policy records; check the time and date of the
policy purchase or issuance; cross-reference customer records with past policy claims, police
reports and known identities to help detect potential patterns of fraudulent activity; confirm
the transfer of policy ownership or track other changes; and identify duplicate or multiple
claims, as any claim raised would be shared in the network and verified by the participating
insurers.61 One obvious example where such a ledger would counter fraud would be in relation
to “crash for cash” frauds, where drivers deliberately stage or cause a motor vehicle accident,
and claims are then made by the various participants in this fraudulent activity. Where these
claims are made against multiple policies held by different insurers, it is obviously much more
difficult to detect fraud unless cross-industry data is shared, and this data is also augmented by
other sources—such as law enforcement and traffic records.62
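
Three of the checks listed above (authenticity of the shared records, time of policy issuance against time of loss, and the same incident claimed with more than one insurer), sketched as an added example that is not taken from the book or from any insurer's system. A single hash-chained log stands in for the distributed ledger; the class, field and flag names, the consortium key and all sample values are assumptions or constructed data.

```python
import hashlib
import hmac
import json
from datetime import datetime

GENESIS = "0" * 64
CONSORTIUM_KEY = b"constructed-shared-key"  # constructed; held by the participating insurers


def incident_key(vehicle_reg: str, incident_date: str) -> str:
    """Keyed fingerprint so insurers can match an incident without publishing the
    registration itself. This is pseudonymisation only: any key holder can recompute it."""
    msg = f"{vehicle_reg.replace(' ', '').upper()}|{incident_date}".encode()
    return hmac.new(CONSORTIUM_KEY, msg, hashlib.sha256).hexdigest()[:16]


def _entry_hash(prev_hash: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class SharedClaimsLedger:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def _append(self, record: dict):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _entry_hash(prev, record)})

    def _records(self, kind: str):
        return [e["record"] for e in self.entries if e["record"]["type"] == kind]

    def verify_chain(self):
        """Return the index of the first altered entry, or None if the log is intact."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
                return index
            prev = entry["hash"]
        return None

    def issue_policy(self, insurer: str, policy_id: str, active_from: str):
        self._append({"type": "policy", "insurer": insurer,
                      "policy_id": policy_id, "active_from": active_from})

    def file_claim(self, insurer: str, policy_id: str, incident: str, loss_time: str):
        """Record a claim and return review flags (signals for an investigator, not proof)."""
        flags = []
        policy = next((p for p in self._records("policy")
                       if p["insurer"] == insurer and p["policy_id"] == policy_id), None)
        if policy is None:
            flags.append("unknown-policy")
        elif datetime.fromisoformat(loss_time) < datetime.fromisoformat(policy["active_from"]):
            flags.append("loss-before-cover")   # cover switched on after the loss event
        seen = sorted({c["insurer"] for c in self._records("claim")
                       if c["incident"] == incident})
        if seen:
            flags.append("same-incident:" + ",".join(seen))
        self._append({"type": "claim", "insurer": insurer, "policy_id": policy_id,
                      "incident": incident, "loss_time": loss_time, "flags": flags})
        return list(flags)


def demo():
    """Constructed scenario: one incident claimed against two insurers."""
    ledger = SharedClaimsLedger()
    incident = incident_key("AB12 CDE", "2024-03-01")   # constructed registration
    ledger.issue_policy("insurer-a", "P1", "2024-03-01T10:05:00+00:00")
    ledger.issue_policy("insurer-b", "P2", "2024-01-01T00:00:00+00:00")
    first = ledger.file_claim("insurer-a", "P1", incident, "2024-03-01T09:40:00+00:00")
    second = ledger.file_claim("insurer-b", "P2", incident, "2024-03-01T09:40:00+00:00")
    return first, second, ledger.verify_chain()


if __name__ == "__main__":
    print(demo())
```

A genuine accident also produces several claims on one incident, so the same-incident flag only routes a claim for review; the loss-before-cover check depends on a loss time that comes from telematics or a third party rather than from the claimant.
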
The development of such a distributed ledger would, of course, require extensive coop-
eration between insurers and would have to navigate privacy and other data regulatory
constraints. However, regulators are keenly aware of the dual imperatives to improve
the data available in fraud databases and to extend data sharing between the insurance
sector and regulatory bodies as practical measures to combat fraud.63 Further, the insur-
ance industry through ventures such as the Blockchain Insurance Industry Initiative B3i,
launched in October 2016 by five of Europe’s biggest insurers,64 is collaborating in an
endeavour to get a better insight into the applicability of blockchain technology in the
global insurance and reinsurance market.
Finally, “open insurance” initiatives65 have the potential to assist insurers to detect
insurance fraud in the on-demand insurance environment and more broadly. Recently the
European Insurance and Occupational Pensions Authority (EIOPA)66 commenced a public
consultation on “open insurance,” focussing on access to and sharing of insurance-related
personal and non-personal data usually by Application Program Interfaces (APIs).67 The
concept of “open insurance” is that insureds can allow access and sharing of data between
insurers, brokers and other intermediaries or third parties in relation to a breadth and
range of data, including their insurance policies, claims history and Internet of Things
data. Broader access to insurance-related data could facilitate the development of tools
such as insurance management dashboards. As Claire Harrop, Eva Roney and Eugene
McQuaid68 explain:
This would empower consumers to actively manage their policies and risks, allowing for
seamless switches between insurance providers if prices are better elsewhere. Consumers
could also start seeing bespoke policy recommendations based on specified life events, such
as having a baby or reaching a certain age.

61 See Cubeform, “Blockchain insurance use case: lower costs, better transparency and security,”
https://cubeform.io/blockchain-insurance-use-case/.
62 See Deloitte, “Blockchain applications in insurance,”
www2.deloitte.com/ca/en/pages/financial-services/articles/blockchain-in-insurance.html.
63 See, for example, Insurance Fraud Taskforce: Final Report, January 2016; Foreword by Harriett Baldwin
MP, Economic Secretary to the Treasury and Lord Faulks QC, Minister of State for Civil Justice.
64 This initiative was initially launched by Swiss Re, Aegon, Allianz, Munich Re and Zurich, but since
launch date in October 2016 has been joined by many other insurance and reinsurance companies. B3i Services
AG was incorporated in 2018 and is 100% owned by 21 insurance market participants around the world,
https://b3i.tech/who-we-are.html.
65 See, for example, Ramona Delcea, “Open Insurance: Accessing and Sharing Insurance-Related Data,”
Eiopa—European Commission, 28 January 2021,
www.eiopa.europa.eu/content/open-insurance-accessing-and-sharing-insurance-related-data_en. (hereafter, Delcea, Open Insurance)
66 Delcea Open Insurance (n 65)
67 Defined as a “software intermediary that allows two applications to talk to each other,”
www.mulesoft.com>resources.
68 Claire Harrop, Eva Roney, and Eugene McQuaid, “Open Insurance: What Is It and Why Is It so
Exciting?,” Freshfields, Bruckhaus Deringer, 23 March 2021,
https://technologyquotient.freshfields.com/post/102gtvf/open-insurance-what-is-it-and-why-is-it-so-exciting.

They add that:


For businesses, open insurance offers increased efficiency, whilst fostering the adoption of a
consumer-centric innovation mindset. Businesses could benefit from reduced administrative
costs, as well as increased flexibility and speed in digital insurance sales. The detailed track-
ing of evolving consumer needs may drive insurance market players to develop innovative
products and services to meet those demands.69

Real-time data sharing/access to data will enable a more efficient flow and exchange of
information between insurers and their distribution network. Insurers will also have bet-
ter real-time oversight of distribution networks and the distribution of their products,
particularly in cross-border operations, enabling more robust handling of conduct risks,
including monitoring whether products are sold within the target market.70
Of course, the privacy concerns highlighted in Chapter 2 are potentially even more
acute in the context of an open insurance environment, and EIOPA expressly recognises
that the wider sharing of data with more parties raises the risks of a data breach, misuse
and fraud, such as obtaining unauthorised knowledge about facets of consumers’ lives,
including sensitive data concerning the customer’s health, location or financial status.71
Accordingly, regulators will have to carefully consider issues pertaining to the use, access
and sharing of such sensitive insurance-related information.

Conclusions
There is no doubt that the new on-demand insurance products that are emerging will play
a fundamental role in the future of the insurance industry generally.
It should not be thought, though, that “one size fits all.” As KPMG72 observes, the per-
item or per-use rates of on-demand insurance may be significantly higher than an annual
policy for those with wider needs, or for those whose usage behaviours indicate higher
risk profiles. They state that:
regular travelers, high-mileage drivers, and others could end up not only paying more but
needing to deal with the burden of “insurance management”. On demand insurance will
definitely offer better value for many customers but will also mean higher costs for others.
Although it would arguably lead to fairer risk distribution, it could also lead to some existing
customers avoiding the switch to “on-demand” or “usage-” through a fear of revealing their
poor risk profiles and becoming “uninsurable”.

Angela Zeier Röschmann et al.73 make the following cogent observations:


Driven by the value proposition but also dependent on digital capabilities, the usage degree of
Internet of Things technology and automation varies among on-demand insurers with regard
to coverage activation, loss detection and loss payment.

69 Ibid.
70 Ibid.
71 Delcea Open Insurance (n 65) 22.
72 KPMG 2017 (n 4).
73 Geneva Papers (n 6)


The potential for automation further depends on the access to risk-relevant data, the fre-
quency of data exchange and the willingness of customers to collect and share data about a
person’s or object’s location, activity and usage or context and environment. Smartphones,
wearables and installed devices are among the most frequently used mobile technologies to
collect data for insurance. Furthermore, data collected from social media could enable digital
transformation. For example, posts on social media platforms about the latest adventure trip
could flow into the risk scores of customers and lead to differentiated instant pricing.
Undoubtedly, (embedded mobile) technology is a key enabler of on-demand insurance.
While coverage activation and loss notification can also be initiated manually by customers
(for example, on-off button, uploading pictures) or semi-automatically based on a push notifi-
cation by a smartphone, embedded technology has the benefit of disburdening customers from
thinking about insurance coverage or having to file for a loss, to reduce the risk of fraud and
save operational expenses.
On-demand and usage-based products not only change the way insurance is established
and delivered, but their technological foundations and connectivity create significant ave-
nues and opportunities for risk mitigation and management. For example, as discussed
in the Flock case study above, the use of real-time data provides connected vehicle fleets
with insurance that proactively enables and incentivises safer driving. This is achieved by
helping commercial motor fleets identify, understand, quantify and mitigate risks, incen-
tivising them to do so with lower insurance premiums. As vehicles and the environment
around them become increasingly connected, more data can be collected to accurately
assess and manage risks.
Insurers offering on-demand insurance face particular challenges in relation to scale
and capital reserves. The flexible duration of on-demand insurance leads to shorter con-
tract periods compared to the traditional annual insurance period. Further, it is difficult
for the insurance company to foresee the contract duration. In the extreme, the possibil-
ity of swiping insurance on and off even allows for hourly insurance, hence leading to
micro-durations and small premium amounts.74 The Insurance Marketer observes75 that
insurers in the on-demand environment need a large client base to stay profitable because
while the on-demand offering has a higher per-use rate than a traditional annual policy,
giving the insurer a higher profit margin, the premium size is also lower, so if the volume
is not large enough, the insurers might end up losing revenue. Accordingly, they state that
on-demand insurance will only work if more people start buying these products and it
becomes a question of scale: “how many insurers can design and run a full insurance busi-
ness based on a model with lower premium size, higher risks and lower overall profit?”76
Moreover, they point out that a higher capital reserve is required where risk assessment
is more granular and pricing is more personalised and dynamic. Moreover, in relation to
traditional insurance pricing schemes, uncertainty regarding pricing and reserving fac-
tors is typically met by adding loadings to the premium or by reducing the risk with
deductibles, coverage limits and exclusions in the contract wording. However, the scope
for such actions is limited in the case of on-demand insurance given its small premium
instalments, reflecting micro-coverage and micro-duration, and a value proposition of
simple and convenient processes.77

74 Geneva Papers (n 6).
75 “What Is On-Demand Insurance?” The Insurance Marketer, 2 March 2021, www.theinsurancem.com/what-is-on-demand-insurance/
76 Ibid.

Angela Zeier Röschmann et al.78 in their very detailed market study focusing on
customers in Switzerland, posed the question as to whether on-demand insurance creates
enough value for both customers and providers to develop from a niche phenomenon to a
new way of covering risks. Their findings indicated that:
On-demand insurance offerings address certain customer needs better than traditional insur-
ance offerings. In particular, on-demand insurance picks up the trend of instantly respond-
ing to a specific need and using digital technology to do so. In this way, buying insurance
feels more modern and gives customers more control over selected personal insurance needs.
However, our customer survey also suggests that individuals do not view on-demand insur-
ance as particularly more transparent or cheaper when compared to standard insurance poli-
cies on a yearly contract basis. From the perspective of insurance economics, we find that
underwriting profit is limited. Still, we observe that incumbents cooperate with on-demand
technology providers and on-demand insurers. We therefore assume that incumbents see
potential in the on-demand insurance business model beyond niche segments.

In 2017 KPMG79 posed the question “Will on-demand insurance become mainstream?”
Their response at that time was:
For many customers, on-demand insurance is an appealing proposition, providing conveni-
ence through an attractive customer interface, and offering flexibility of cover. Customers can
feel confident that they have the protection they need, while only paying when that coverage
is actually required. Sensors and other telematics devices, combined with powerful machine
learning algorithms, are already making the process more compelling than ever before. What
needs to be understood, however, is the number of customers likely to gravitate to this model
and whether they could form the majority. While “as-needed” coverage is convenient and
available at a better price, the per-item or per-use rates would be significantly higher than an
annual policy for those with wider needs, or for those whose usage behaviours indicate higher
risk profiles.

This response, in our opinion, remains an accurate summation of the situation today.
There are multiple economic and societal drivers towards on-demand products, including
insurance. There is already a range of successful products on the market, and the technol-
ogy is both increasingly powerful and accessible. The modern, tech-savvy consumer is
more likely to value the flexibility and cost-effectiveness of short-term insurance products
for specific needs over the greater certainty of broader and more comprehensive “tradi-
tional” cover.
However, as McKinsey caution:
Companies that fail to adapt will weaken under the pressure exerted by those that use digital
technology to slash costs and get better returns on their investments. And they will be left
floundering once digital’s relentless force ultimately breaches both the industry’s business
model and boundaries.
Auto manufacturers are arguably close to changing the game for insurers. The fitting
of connected devices as standard in cars is not far off, potentially giving manufacturers
unique access to data that could accurately ascertain the risk of their customers, as well as
ready-made access to drivers in need of an insurance product. How would incumbents fare in
such an evolving ecosystem?80

77 Geneva Papers (n 6).
78 Geneva Papers (n 6).
79 KPMG 2017 (n 4)

Finally, in an increasingly globalised and interconnected commercial world, many of the
challenges and opportunities presented by on-demand insurance are within a broader
framework than a state-based insurance regulatory structure. Emerging issues related
to insurers or licensees leveraging new technologies to develop products for on-demand
insurance purposes can have global implications and impacts—including, but not limited
to, reviewing new products, cancellations, non-renewals, coverage issues, notice provi-
sions and policy delivery requirements.81

80 “Digital Disruption in insurance: Cutting through the noise,” McKinsey, 2017, 11, www.mckinsey.com/industries/financial-services/our-insights/digital-insurance
81 CIPR On-Demand (n 1)

Chapter 4

Embedded Insurance
Angus McDonald, Kirsty Paynter and Ernie Van der Vyver1

CONTENTS
Introduction 67
What is embedded insurance? 67
Growth of embedded insurance 68
Reasons for growth 69
The technology behind the product 78
What are the key challenges, barriers and risks with embedded insurance? 80
Appropriate licensing 80
Regulation of compensation for services 81
Ensuring informed decision-making and policy awareness 82
Free choice versus embedded nature of the cover and anti-trust considerations 85
Averting bias when deploying artificial intelligence 86
Data protection and cyber risks 87
Ownership in and regulation of intellectual property 88
Tax considerations 88
Prohibitions on rebating or inducements 89
Advertising 89
Enforcement actions are extensive 90
Risk of over-regulation and stifling innovation 90
Conclusions 94

1 The authors acknowledge and express their appreciation for the contributions to this chapter by Amelia
Costa and Nicole Britton.

DOI: 10.4324/9781003319054-4

Introduction
There can be little doubt that the future is digital: Personal, social and business interac-
tions are increasingly conducted online, whether via the internet or in the metaverse. This
rapid shift in the perception, scope and scale of the digital space over the last 20 years
has had—and will continue to have—a radical effect on many industries. For insurers,
the impact is particularly transformative, not just in how they might transact business but
also in how they understand, assess and price risk. Digital technology has the potential
to generate substantial economic and societal benefits but can also give rise to challenges
and potential costs to customers.2
Insurance has been relatively slow to feel the full digital effect owing to regulation,
large in-force books and the fact that newcomers seldom have the capital needed to take
insurance risk onto their balance sheets.3 But, as McKinsey suggests, the industry is not
impregnable, and both incumbents and newcomers are looking to digital technology to
find a place in the industry, slash costs, get a better return on investments and provide
more choice and convenience to consumers.4
One of the new breeds of technologically-enabled offerings—embedded insurance—
while not a new concept, is undergoing major changes and has the potential to transform
the industry significantly in the next decade and help reduce the US $1.4 trillion global
protection gap.5

What is embedded insurance?


Embedded insurance is directly associated with non-financial products or services that
can be combined with relevant risk mitigation and insurance offers. More generally,
embedded insurance may be defined as:
Any insurance that can be purchased within the commercial transaction of another product
or service.6 The insurance is sold as an attachment or “addendum” to a primary product or
service.7

2 Christian Schmidt, “Insurance in the Digital Age,” 6 September 2018, The Geneva Association, www.genevaassociation.org/publication/new-technologies-and-data/insurance-digital-age.
3 “Digital disruption in insurance: Cutting through the noise,” Preface, McKinsey Digital, www.mckinsey.com/~/media/mckinsey/industries/financial%20services/our%20insights/time%20for%20insurance%20companies%20to%20face%20digital%20reality/digital-disruption-in-insurance.ashx (hereafter McKinsey Digital Disruption).
4 Ibid.
5 “PwC Insurance 2025 and Beyond,” PwC, 2022, www.pwc.com/insurance2025, 4, the global protection gap is the difference between actual and insured losses.
6 Scott Stice and Bob Bessio, “Embedded insurance, a brief overview,” Accenture, 19 August 2022, https://insuranceblog.accenture.com/embedded-insurance-brief-overview. Embedded finance typically includes payments, card payments, lending, investments, insurance and banking although some references to embedded finance do not include insurance.
7 “Reforms to the sale of add-on insurance products,” Proposal Paper, The Australian Government the Treasury, 9 September 2019, 5, https://treasury.gov.au/consultation/c2019-t408984.

It is the technological integration that differentiates this digital development from its
analogue history.
The first attempt to reach customers through a non-traditional channel can be dated
back to the nineteenth century. The American insurer Hartford (established in 1810), in
an attempt to expand into new areas, announced that people who lived in areas where the
company had no agent might apply through the Post Office directly to the Secretary of the
company. Its efforts were unsuccessful. Apparently, people were not ready to buy this new
product (insurance) through the mail.8
The “first generation” of embedded insurance is well known to most and took the form
of an analogue style add-on insurance, for example, purchasing life insurance at the airport
before a flight.9 The models turned into incredibly profitable businesses. This developed
into options such as purchasing mobile phones with the right after-sales protection and
car dealerships with finance providers on-site and licensed to sell insurance. Customers
then began to seek the protection of extended warranties for increasingly expensive items
at the time of purchase.
With the evolution of technology and online commerce, web-enabled embedded insur-
ance developed to allow customers to purchase insurance online from non-insurance car
dealers and e-commerce retailers.
The final “style” of embedded insurance is insurance embedded into a purchase where
the customer does not have the opportunity to choose their carrier, the level of protection
or cost, such as insurance automatically included in the purchase of a ski pass.10
For a long time, the traditional mode of insurance put the burden of the work on the
consumer: when making a purchase, renting a property, booking a trip, etc., the consumer
would have to take on the additional step of calling an insurance agent, arranging
insurance via a website or seeking another means of adding protection to their transaction.
Embedded insurance removes this extra step and integrates protection in the initial trans-
action process. When done right, the result is a seamless customer experience that allows
the customer to easily see the benefit of adding protection to their transaction and to be able
to do so without much additional effort on their end. For businesses to successfully lever-
age embedded insurance, they must work with a partner that has the technology and expe-
rience to provide their customers with relevant, tailored protection in real time. As a result,
there is a multitude of regulatory and other risks which need to be successfully identified
and navigated to make sure the embedded process is a success for all parties involved.

Growth of embedded insurance


The predicted growth of the embedded insurance market is astonishing—it is anticipated
to be worth US $3 trillion by 2030.11 In the United States alone, the market value of
embedded insurance is estimated to reach US $70.7 billion by 2025.12 Further estimates
predict that embedded insurance has the potential to increase the size of the overall
insurance market (as a percentage of global GDP), potentially adding an extra US $1 trillion
of net new GWP to the industry by the end of the decade, mostly by leveraging the reach
of digital platforms in emerging markets.13 Gross premiums are forecast to grow by as
much as six times to US $722 billion by 2030, with China and North America expected
to account for more than two-thirds of the global market.14 Customers are seeking more
security when purchasing high-value goods in crisis times, hence the demand for
insurance products is expected to increase.

8 See, “Background on: Buying Insurance,” Insurance Information Institute, 21 December 2021, www.iii.org/article/background-on-buying-insurance.
9 It was not uncommon for North Americans to encounter vending machines that would sell life insurance policies for US $2.50, paid in quarters, before embarking on a flight. See, for example, Jill Gregorie “A look back: Whatever happened to airport insurance vending machines?” Insurance Business Magazine, 27 May 2015, www.insurancebusinessmag.com/us/news/breaking-news/a-look-back-whatever-happened-to-airport-insurance-vending-machines-22593.aspx.
10 See, for example, “Epic Pass,” www.epicpass.com/info/epic-coverage.aspx, described as “coverage included at no charge for all pass holders,” providing a broad range of coverage from liability to visa rejections, jury duty and mandatory stay at home orders.
11 See, Simon Torrence, “What is Embedded Finance and why does it create a new $7 trillion market opportunity?”, 25 August 2021, www.simon-torrance.com/blog/What_is_Embedded_Finance (Simon is a member of the World Economic Forum’s “Digital Platforms & Ecosystems” executive working group).

Deloitte’s 2022 insurance survey found that many buyers are seeking new types of
policies, greater protection, greater flexibility in terms, pricing and payment options, as well
as more holistic loss control services.15 Deloitte’s 2023 insurance outlook paper goes on
to suggest:
More carriers should also be exploring potential partnerships to capitalize on the growing
embedded insurance market—with coverage purchased at the point of sale of some other
product or service.16

Often the business unit is a digital platform with a white-label (non-branded) insurance
provider designed to enable non-insurance companies to embed offers of property/casualty
insurance to their customers, increasing the distribution channels for selling insurance.
Insurers fall into the background and sacrifice their customer relationship to the chosen
distributor in order to access the customers of the non-insurance company. As embedded
insurance becomes mainstream and customers expect insurance-as-a-service,17 failing to
secure partnerships is likely to prove costly.

Reasons for growth


For insurers today, some of the key challenges are adapting to what Gen Z and millennial
consumers expect from insurance policies. Customer expectations are changing, and the
online world endeavours to accommodate more efficient navigation with efficient journeys
made possible by e-commerce, digital banking and food delivery.
Digitally native Gen Z and millennials perceive and interact with insurance very
differently to older generations.18 That said, COVID-19 isolation encouraged older generations
to learn digital skills and, in some cases, embrace digital transactions.19 The e-commerce
industry has continued to grow due to, in part, greater digital literacy and access as well as
a pandemic that forced more online business, work from home and online education, much
of which has continued. Digital natives and technology-backed business models fuelled
demand to embed insurance for an increasing number of use cases. As EY’s 2023 Global
Insurance Outlook explains:
Old-school policies and distribution networks obviously won’t work for digital natives who
always buy direct but don’t own their homes or vehicles. Partnerships with InsurTechs, popu-
lar retailers and large employers to support embedded insurance offerings may prove effective
for connecting with Generation Z and Millennials.20

12 “2022 Global Insurance Outlook, Achieving growth through people, purpose and technology.” EY, 2022, 12, www.ey.com/en_my/alumni/connect-march-2022/2022-global-insurance-outlook-growing-with-people-purpose-and-tech.
13 See, “How and why insurers should increase investment in ‘Embedded Insurance 2.0,’” Embedded Insurance Peer Group Report, June 2022, 7, www.embedded-finance.io/.
14 Robin Merttens, “Insurance: To embed, or not to embed,” InsTech London, June 2021, cited in Karl Hersch, Neal Baumann, Michelle Canaan and Sam Friedman, “2023 insurance outlook, Global industry at a crossroads to shaping long-term success,” Deloitte Insights, 14 September 2022, 7 (Hereafter Deloitte Insights 2023).
15 Deloitte Insights 2023 (n 14), 6.
16 Deloitte Insights 2023 (n 14), 7.
17 “PwC Insurance 2025 and Beyond,” PwC, 2022, www.pwc.com/insurance2025, 2.
18 See for example www.insiderintelligence.com/insights/millennials/; see also Kaylene C. Williams and Robert A. Page, “Marketing to the Generations,” Journal of Behavioral Studies in Business (2011), vol 3, 30.

One of the pressing societal needs is for insurers to offer ways to help close the protection
gap, being the gap between the amount of insurance that is economically and socially
beneficial for individuals, households and firms and the amount of cover actually bought.21
This gap is widening, exacerbated by soaring inflation, the frequency, magnitude and
effects of natural disasters, and post-COVID-19 effects. As outlined in the Cover Genius
case studies,22 insurtechs are able to customise their products and services by utilising
data collected by third-party providers. Customers can purchase insurance at the point of
sale, and insurers are more readily able to accurately reflect the real risk with the insur-
ance offering. Technology and data join together to give partnerships an opportunity to
aim to sell the best insurance product at the right time.
Embedded insurance can help to educate people by raising awareness of additional
coverage options. It can also aid in building inclusive insurance for the vulnerable, under-
banked and financially illiterate. The model of embedded insurance can help to identify
risks involved with a purchase or activity which may not previously have been realised
by the purchaser.23 Much like how fintech companies transformed the way businesses and
people manage their money,24 insurtechs will fundamentally change the way people think
about protection.

19 Peter Rindersud, “Seniors and technology during Covid-19: the latest insights,” Ericsson, 26 January 2021, www.ericsson.com/en/blog/2021/1/seniors-and-technology-during-covid.
20 “2022 Global Insurance Outlook, Achieving growth through people, purpose and technology.” EY, 2022, 26, www.ey.com/en_my/alumni/connect-march-2022/2022-global-insurance-outlook-growing-with-people-purpose-and-tech.
21 See, for example the definition from Simon Torrence, “Embedded Insurance: a $3 Trillion market opportunity that could also help close the protection gap,” 9 December 2020, www.simon-torrance.com/blog/embedded-insurance-a-3-trillion-market-opportunity-that-could-also-help-close-the-protection-gap.
22 See below.
23 Skiing, flying drones or using motorised scooters all expose the user to high levels of third-party liability risk, often without an appreciation of the potential magnitude of the risks.
24 See Chapter 10, “The Rise of Fintech: Liability and Insurance.”
25 See, “Sigma, Resilience Index 2021: a cyclical growth recovery, but less resilient world economy,” Swiss Re Institute, June 2021, www.swissre.com/institute/research/sigma-research/2021-resilience-index.html.

This is especially helpful for penetrating into historically underinsured markets, where
consumers may not find protection to be convenient or even accessible. As noted above,
the global insurance protection gap has hit a new record. The health protection gap, for
example, reached a record high of US $747 billion in 2021, with two-thirds of the gap
coming from emerging markets.25 Closing this gap presents significant growth opportunities.
Embedded life and health insurance is widely considered the most relevant opportunity to
tap into new customer bases and reduce the life and health protection gap. The relatively
low insurance penetration in many emerging markets, such as Africa, coupled with the
ubiquity of mobile phones on the continent, has created one of the fastest-growing distri-
bution channels for embedded insurance that can reach previously underserved sections
of society and bring financial protection to more people. Regions such as Latin America
and Southeast Asia are also experiencing rapid digitisation, which is paving the way for
embedded protection to gain a significant foothold among consumers who are shopping
more and more online.26 Developed nations are also suffering from an insurance gap, and
according to the OECD, New Zealand has the third lowest penetration of insurance among
31 OECD countries.27 Hardening markets, rising inflation and an economic downturn are
likely to increase this gap. Lloyds reports that several countries have slipped into becom-
ing underinsured, including Japan (0.04% of GDP), Russia, the United Arab Emirates and
Sweden (all 0.1% of GDP).28 Research from The Geneva Association revealed major defi-
cits in how people perceive the insurance industry and its products,29 and the complexity
and lack of understanding.30 In turn, demand is likely to shift away from traditional meth-
ods of getting insurance—through agencies and brokers—and more towards embedded
technologies that facilitate a seamless and unified experience. When insurance is offered
as tailored and often for very small transactions, it is correspondingly cheaper than, for
example, a household policy covering all contents and more readily affordable to consum-
ers mitigating real risk. It provides some protection to consumers who may otherwise
have no form of protection at all. In this way, embedded insurance could be helpful in a
programme designed to get customer groups acquainted with insurance and its mechan-
ics, which could enhance access and take-up of insurance. Mobile insurance overcomes
barriers in access to insurance, as payments can be made easily without any need for cash
payments. In certain transactions, insurance payments can be activated by an event (such
as a delay or destruction of an insured phone), without the need for the insured to make a
claim.31 This type of transaction provides the obvious benefits of ease, speed and conveni-
ence but also prevents a missed claim opportunity by the insured.
With the flexibility to fit any marketplace, app or platform, embedded protection has
ample opportunity to grow and adapt to business and consumer needs. Subscription-based
warranties, AI-backed product recommendations, bundled or unbundled offers and claims
payments in any form (including app-specific vouchers) are just a few ways companies
have personalised protection to suit their business, made possible through embedded
insurance. The greater availability of more relevant data is likely to allow for highly accu-
rate pricing of risks down to the individual customer level, which, in turn, could challenge
the fundamental risk-pooling nature of insurance. Insurers may then be able to go beyond
risk transfer to engage further in risk mitigation and prevention.32 Legacy systems and
the lack of the insurers’ digital competence are often cited as a barrier to innovative and
digital insurance solutions, but it is evident that the market and the consumer are ready to
embrace new ways to reduce risk. Insurers have an immediate opportunity to write cover
for new types of risk that are emerging in a digital age33 and demonstrate agility in an area
which has often been described as slow to adapt. As McKinsey explains, “The spoils are
going to the boldest innovators.”34

26 www.globenewswire.com/en/news-release/2022/03/21/2406494/28124/en/Latin-America-Embedded-Insurance-Market-Report-2022-2029-Latin-America-is-Witnessing-an-Evolution-in-Embedded-Health-Life-Insurance-Technology-by-Insurtech-Firms.html; https://asia.insuretechconnect.com/articles/bridging-asias-protection-gap-embedded-insurance.
27 https://stats.oecd.org/Index.aspx?QueryId=25444.
28 “A world at risk: Closing the insurance gap,” Lloyds, 2018, 9, www.lloyds.com/worldatrisk.
29 Kai-Uwe Schanz, “Underinsurance in mature economies. Reasons and remedies,” Geneva Association, 2019, 16.
30 Ibid, 17.
31 For example, see Chapter 5, “Distributed Ledger Technology and Blockchain.”
32 See, for example, Andrew Schwedel, Mark Judah and Camille Goossens, “The Future of Insurance: As Risks Mount, Insurers Aim to Augment Protection with Prevention,” Bain, 8 November 2021, www.bain.com

Customers are presented with insurance coverage during transactions more regularly,
so embedded insurance can also address distribution challenges which pose one of the
biggest challenges and costs in the industry.
As described in the Cover Genius case study,35 certain claims can be paid almost instan-
taneously with the use of live data fed into dynamic and innovative systems.
Embedded insurance also offers the ideal platform for parametric-type insurance
products. Parametric insurance differs from traditional indemnity insurance in that, rather
than compensating the insured for an actual loss they suffer, payment is triggered by
a predefined event happening.36 Generally, the pay-out amount is also agreed in advance.
A major advantage of parametric policies is that they result in much faster claim pay-outs.
Parametric insurance is readily available and can be embedded in purchases where a suitable
predefined trigger is identified, which can be anything from airline delays to earthquakes
detected by government data.
For the insurer, there are a multitude of benefits. Embedded insurance provides the
insurer access to a new potential customer base exactly at a time when insurance as an
add-on is likely to be of great benefit to the customer. Customers purchasing goods or ser-
vices from a non-financial institution primarily do so as a result of established trust placed
in the brand of the service provider. By leveraging the established customer base of the
non-financial institution, the insurer gains access to a new customer base and essentially
gains easier customer acquisition. Equally, access to new customers serves to bridge the
protection gap as the insurer will have access to customers that typically are either not
insured or underinsured, as the case may be.
In addition, a clear advantage for insurers involved in embedded insurance is a reduc-
tion in costs. By using digital distribution and digital onboarding, the insurer saves costs
including marketing and operational costs (e.g. employing staff to deal with new applica-
tions), and this could fundamentally have a cost-saving element for the customer.
Through the use of technologies such as AI and smart data analytics, businesses can
generate deeper customer insights that can be applied to customise offerings, improve
services and improve the customer journey. As Lord Mansfield explained in the case of
Carter v Boehm:
Insurance is a contract upon speculation. The special facts, upon which the contingent chance
is to be computed, lie most commonly in the knowledge of the insured only: the under-writer
trusts to his representation, and proceeds upon confidence that he does not keep back any

/insights/the-future-of-insurance-as-risks-mount-insurers-aim-to-augment-protection-with-prevention/?gclid=EAIaIQobChMIlq_X1fqm9AIVw3wrCh2p7gTaEAAYASAAEgIez_D_BwE.
33 McKinsey Digital Disruption (n 3), 28.
34 Ibid.
35 See below.
36 See Chapter 6 for a detailed description of parametric insurance.


circumstance in his knowledge, to mislead the under-writer into a belief that the circumstance
does not exist, and to induce him to estimate the risque, as if it did not exist.37

If available data is used correctly, insurers and the insured will have the benefit of more
accurate underwriting. For example, electronic tools could be utilised which are capable
of identifying similarities and discrepancies in the manner in which disputes with similar
characteristics have been resolved, and in this way, insurers and embedded insurance
partners (EIPs) can establish a more streamlined treatment of conflicts with similar char-
acteristics, with results which better satisfy the justice requirement.38 Similarly, available
data could assist the insurer in identifying trends in claims and dispute resolution, and
enhancing the insurer’s fair treatment of their customers.
In addition, claims handling is an integral part of the insurance process, and embedded
insurers who use data throughout the insurance process can record accurate data from the
claims process in a format that is searchable and reportable so they can know their claims
handling performance and detect issues or areas for improvement early.39 This early detec-
tion is crucial in such an advanced technological area of insurance.
The benefits of embedded insurance for the non-financial institution include generat-
ing new revenue from a different source. By partnering with an insurer, the non-financial
institution or the technology company (if not one and the same) may, depending on the
arrangement, generate additional revenue streams such as intellectual property fees, roy-
alty fees and/or regulated commissions (if suitably licensed).
Moreover, non-financial institutions provide customers with easy (and seamless) access
to related transactions, specifically insurance, and this value-add may attract loyal customers
of the insurers to the non-financial institutions’ products. Accordingly, the non-financial
institution similarly gains access to a new customer base.
Additionally, due to the extensive regulation of insurance (as explained more fully
below), non-financial institutions bypass barriers to entry by partnering with an established
insurer. The non-financial institution therefore is able to mitigate against the initial market
barriers such as obtaining an insurance licence and maintaining the solvency requirements
imposed on insurers.

COVER GENIUS
Case studies

Background on Cover Genius


The driving vision of Cover Genius, being the insurtech for embedded protection, is to protect the
global customers of the world’s largest digital companies. Its award-winning global distribution

37 Carter v Boehm (1766) 3 Burr 1905; 97 ER 1162, 1164 [1909].


38 For an excellent overview of the advantages of online dispute resolution, see A Christofilou,
“Online Dispute Resolution and Insurance,” in The “Dematerialised” Insurance, P Marano, I Rokas and P
Kochenburger (eds) (Springer 2016), https://doi.org/10.1007/978-3-319-28410-1_12.
39 See generally, Daniel Wood, “Claims handling is a financial service,” Insurance Business Australia, 25
January 2022, www.insurancebusinessmag.com/au/news/breaking-news/claims-handling-is-now-a-financial-service-323037.aspx.


platform XCover can distribute any line of insurance or other types of protection and handle
claims in almost any country, currency or language, all through a single API.
Cover Genius offers embedded protection across all industries including airlines, travel and
rental companies, retail, financial services, real estate, logistics, ticketing, gig economy and bene-
fits companies and more. With licences or authorisations in more than 60 countries and all 50 US
states, Cover Genius works with its partners to co-create truly global solutions that streamline
operations and boost customer satisfaction and revenue.
Cover Genius’ tailored solutions are available to a multitude of businesses, including Booking
Holdings, owner of Priceline and Booking.com, Intuit, Hopper, Ryanair, Turkish Airlines,
Descartes ShipRush, Zip and SeatGeek. Its solutions are also available at Amazon, Flipkart,
eBay, Wayfair and SE Asia’s largest company, Shopee.
The following sections provide two Cover Genius case studies written by Angus McDonald,
CEO and co-founder of Cover Genius, to assist readers in understanding practical applications of
the technology driving embedded protection.

Cover Genius case study I


Luxury Escapes drives 86% year-over-year growth in revenue


In the wake of COVID-19, travel insurance has become a must-have for travellers to respond
to unprecedented risks and uncertainties. A recent Cover Genius case study shows that world-
wide travellers are six times more likely to attach insurance40 than they were at the beginning
of the pandemic, an increase that has been sustained in the “post-pandemic” period. This rapid
change in demand for travel protection has provided Cover Genius’ global travel partners, such
as Booking.com, Hopper, Ryanair, Agoda, Icelandair, Turkish Airlines, TourRadar and more,
with an opportunity to provide tailored products to protect their customers.
Luxury Escapes is a global travel company with a presence in Asia Pacific, Europe and the
United States. They focus on luxury packages ranging from bucket-list destinations to dream
honeymoons, experiences, flights and quick weekend breaks that are popular with small groups,
singles and couples. Against the backdrop of the pandemic, Luxury Escapes was driven to pro-
vide customers with the peace of mind they required as regulations continued to evolve. As a
partner with a global reach, Cover Genius helped Luxury Escapes launch embedded insurance
solutions in their biggest markets, including Australia, New Zealand, India, Singapore, Malaysia
and Thailand.
Before launching with XCover,41 Cover Genius’ platform for global insurance distribution,
Luxury Escapes had a “one-size-fits-all” travel insurance solution provided by a traditional
insurer which failed to meet the needs of a diverse set of itineraries. Attach rates were conse-
quently low.
The seamless integration of XCover has enabled Luxury Escapes to develop customised,
end-to-end insurance solutions that are built into the booking path, demographically suitable for

40 https://covergenius.com/protection-and-the-pandemic-case-study/.
41 https://covergenius.com/xcover/.


older outbound travellers and dynamically bundled to give customers full flexibility. The com-
pany has seen positive results in attach rates, leading to 86% year-over-year growth in revenue
from travel protection and an increase in customer satisfaction and loyalty.

Delivering a seamless experience


To facilitate a simpler and more intuitive purchase experience, Cover Genius worked with
Luxury Escapes to replace jargon and friction with straightforward, easy-to-understand lan-
guage. Travellers are given increased flexibility with new features such as a date picker to add
coverage for non-package dates. As part of a tech-first approach, customers no longer need to
re-enter their travel details to obtain a quote or make a booking, nor to make a claim—the seam-
less integration utilises stored customer data throughout the customer journey. These details are
also used to automatically fill out the necessary fields when customers need to make a claim.
Having a customer-centric and tech-driven approach has helped Luxury Escapes streamline the
booking experience.

A better distribution model


Data from Cover Genius’ Travel Insurance Report42 conducted by Momentive.ai suggests 42% of
customers would prefer to switch from credit cards and direct-to-consumer insurance to embedded
insurance that they can buy from agents, suppliers or airlines. When asked why, survey
respondents worldwide nominated “convenience” as their number one reason.
The report also examined the claim outcomes for customers and once again found that
embedded insurance topped the Net Promoter Score (NPS) charts, with exceedingly low NPS43
scores recorded for those who relied on online insurers and corporate policies (both minus 28)
and those with free policies from credit cards (minus 32).
Through the XCover integration, Luxury Escapes customers now enjoy a faster claims experi-
ence44 with instant pay-outs of approved claims in 90+ currencies, backed by an industry-leading
NPS of +65 (the score includes any type of claim and claim outcome across our partner network
except for those partners with less than 30 claims and those not assessed by Cover Genius).

Navigating COVID-19
When the pandemic struck, Cover Genius collaborated with Luxury Escapes to co-create a solution
for the changing landscape. According to Cover Genius’ Travel Insurance Report,45 20% of
customers who made a claim for pandemic-related reasons were not covered despite purchasing
travel insurance for pandemic coverage. In the United States and Mexico, the figure was 27%,
42 https://covergenius.com/embedded-insurance-travel-global/.
43 Net promoter score, or “NPS,” is a way of measuring customer satisfaction. For an overview of the “gold
standard” of customer experience metrics, see “What is NPS? Your ultimate guide to Net Promoter Score,”
Qualtrics, www.qualtrics.com/au/experience-management/customer/net-promoter-score/.
44 https://covergenius.com/xclaim/.
45 https://covergenius.com/embedded-insurance-travel-global/.


however, discrepancies in wording aren’t a problem unique to markets that require policies to be
filed with regulators—the UK recorded 39%, Spain 67%, Australia 50% and Brazil 27%.
Timed for the return of vacation packaging, Cover Genius tailored the COVID Cover46 solu-
tion that was earlier launched with some of the airline and OTA Cover Genius partners, thereby
keeping travellers protected from unpredictable COVID-19-related risks from anywhere in the
world. Luxury Escapes customers were given the confidence to book travel again as their primary
areas of concern were addressed.

Future growth
Cover Genius is working with Luxury Escapes to continue to innovate and improve the insurance
experience for travellers. The roadmap includes optimising pricing and product recommenda-
tions through XCover’s data analytics and experimentation framework.47 Cover Genius’ focus is
to improve Average Booking Value through dynamic pricing and offering unbundled products.

Cover Genius case study II


AXS case study—growing ticket revenue using dynamic pricing

The way we live and work is changing dramatically. It’s only natural that the way we make deci-
sions is coloured by world events. Consumers are prioritising peace of mind and are naturally
gravitating to brands that can offer a safety net for their lives. This is particularly true when it
comes to large value purchases such as tickets and events, which are often booked far in advance
and carry some risk of interruption, especially if you want to check off seeing your favourite artist
on your bucket list.
It’s no surprise that the protection of assets is more important than ever to today’s risk-
conscious consumer. Studies from industry thought leaders such as McKinsey and Cover Genius’
BrightWrite team48 point to a significant and sustained increase49 in the take-up of insurance and
warranties. These have been driven partly by the pandemic and supply chain uncertainty but also
by the rapid adoption of leading-edge insurance technologies and the deprecation of traditional
insurance integrations and legacy platforms.
Consumers want protection options at the right time and place, namely at the same time
they’re buying. Where locking down Super Bowl tickets might once have seemed like a no-
brainer, our signals overload with what-ifs. Cover Genius’ BrightWrite data analytics team
recently examined data from their partner AXS, an online ticket sales platform, to compare vol-
umes prior to—and post-integration to see what best practice means for live events companies
looking at add-on alternatives.

46 https://covergenius.com/covid-cover/.
47 https://covergenius.com/brightwrite/.
48 https://covergenius.com/brightwrite/.
49 https://covergenius.com/coronavirus-case-study/.


A tech-led approach to insurance


AXS powers the ticket-buying experience for over 350 worldwide partners including teams,
arenas, theatres, clubs and colleges—to maximise the value of all their events and create joy for
fans. In response to the need for a more scientific approach to pricing and the technical capability
to deliver growth (as encouraged by Oliver Wyman50), AXS has integrated the XCover distribu-
tion platform and jettisoned traditional insurers. Legacy systems of those traditional insurers
have led to offline processes that restrict the live event industry with fixed-rate pricing, poorly
performing creative and an inability to bundle their products with what customers actually need
(for instance, travellers to an event might need basic travel medical and cancellation insurance to
cover their whole stay). This leads to slow or no growth.
By integrating XCover, all AXS customers can now buy tickets and book events with con-
fidence knowing that if something forces a change of plan, their bank account won’t suffer the
same blow. By bringing an insurtech approach and tailored insurance offerings, the Cover Genius
XCover platform has delivered average growth in attach rates of 200% within a few short months
of replacing an incumbent insurer.

Tiered pricing extracts more revenue


The team of data scientists at Cover Genius examined AXS’ historical sales data and identified
opportunities to increase yield.51 Cover Genius always starts with certain hypotheses based on
their experience—whether in the same industry or another—and principles of data science.
In the case of AXS, they were previously charging a flat rate on insurance with a fixed pre-
mium to be earned from each sale. The Cover Genius team looked at the different price bands that
existed for historical ticket purchases and created a hypothesis on tiered pricing using cognitive
bias, otherwise known as anchoring.
Working closely with AXS, Cover Genius’ BrightWrite data analytics platform was deployed
to run synthetic tests on anchoring. Customers in almost all industries are very open to paying
an insurance rate that is relative to the price they are paying for the underlying item, this being
especially true when moving up through higher price bands. Customers value increased protec-
tion for greater spending/greater risk.
Utilising the dynamic pricing capabilities of XCover, AXS has extracted a previously
untapped source of additional revenue, with increased margins at the higher price points. On
average, higher rates for higher prices have tripled yield.

Activity-based pricing
As a global insurance company with licences or authorisations in 60+ countries and 50 US states,
Cover Genius is required to understand the regulatory environment against dynamic pricing.
Typically, the first step is to establish floor prices that are adjusted in real time by adding a target
premium to the loss ratio. In markets where pricing discretion is available, the experts at Cover

50 Oliver Wyman—Impact-Driven Strategy Advisors, www.oliverwyman.com.


51 Yield is defined in this context as either insurance yield (average insurance revenue per quote) or, more
typically, total yield (average gross revenue per quote).


Genius then run multiple experiments based on attributes retrieved from partners who integrate
the XCover API.
For retail pricing, Cover Genius does not use demographic data, and instead, the team relies
on behavioural data, especially the decisions made by the same customer (or fingerprint ID if the
user is anonymous) on prior visits. Behavioural data is also pivotal for BrightWrite’s dynamic
product recommendations (for instance, a different product or different coverages is offered at
cheaper rates to users who are historically disinclined to add insurance). Analysis of attributes for
the ticketing industry showed the attribute with the highest correlation to price inelasticity was
TTV (total transaction value, as described in the above section), followed by the event type. For
instance, music concerts have high price elasticity while sports events have low price elasticity
(from an insurer’s perspective, there is often higher risk too given the travel requirements and
longer lead times).
While Cover Genius also applies advanced machine learning tests that never sleep, price test-
ing like this has delivered AXS a 78% increase in yield in 14 weeks.

The technology behind the product


Embedded insurance is enabled by advances in technology: Modular software, artificial
intelligence (AI), big data52 and particularly the use of APIs,53 which have allowed for
the sophisticated embedding of products without the need for expensive tech builds or
disruptions to purchase flows. A major challenge is the ability to move data between
organisations and systems. This is an area where APIs can come into play to improve con-
nectivity. The technology can stay ahead of customer needs via agile models and digital,
cloud-based platforms. Over the next decade, these will automate much of the industry,
reduce costs and diversify the way buyers acquire consumer products.
Embedded protection in the form of tech-driven solutions can also open up new growth
opportunities for businesses. The right partner can utilise customer data effectively to
tailor products to their unique needs, so protection is dynamic rather than one-size-fits-all.
Transaction monitoring allows retailers to offer their customers real-time, relevant pro-
tection at checkout or post-purchase. With emerging technologies such as natural lan-
guage processing (which can process text similar to how humans would),54 these solutions
can accurately read the items in a customer’s cart and return a policy suggestion with pre-
cision and speed. Additionally, fintechs and digital banks are well-positioned to provide

52 Big data refers to the enormous datasets that insurers have been collecting for many years and can now
augment with other datasets and analyse for insights relevant to particular categories of risk, the risk profile of
individual insureds, potential fraud and for targeted personalised marketing. See Chapter 2.
53 API is the acronym for application programming interface. The API enables companies to open up their
applications’ data and functionality to external third-party developers and business partners, or to departments
within their companies. This allows services and products to communicate with each other and leverage each
other’s data and functionality through a documented interface. Programmers don’t need to know how an API
is implemented; they simply use the interface to communicate with other products and services. For more on
the technical aspect see, generally, “IBM Cloud Education,” 19 August 2020, www.ibm.com/cloud/learn/api.
54 See, for example, the description in “Natural Language Processing,” IBM, www.ibm.com/au-en/topics/natural-language-processing.


their customers with protection offers that match their purchases, as they understand their
transaction history and habits.
Companies offer consumers tailor-made insurance coverage at the point of sale with the
potential to provide customers with a simple, personalised purchasing experience as well
as supply insurance underwriters with more data to help predict losses, guide underwrit-
ing decisions and help with better pricing. Distribution partners are seeing increases in
revenue and customer retention, as the offer of insurance products can enable a longer-
term relationship with customers and policyholders. The non-insurance businesses can
participate in the property/casualty industry as EIPs. Very often, the distribution part-
ner embeds a specially designed widget for insurance calculations directly on their own
website. Embedded insurance options now extend to an almost endless list from buying
cover when booking cab rides or train tickets to furniture, home goods, shoes and hiring
clothes. Airline delay cover can utilise real-time flight data to provide consumers with immediate
compensation.55 Workers in the gig economy (who are often the most vulnerable to job
loss or income reduction) can also reach out for coverage such as rental protection. With
the rideshare business Ola, Cover Genius offers a ride protection programme that covers
people against things such as losing a wallet or smartphone or being late to the airport
and missing a flight. Again, it is the rich data sources and technology available to insurers
which allow aggregation to provide instant tailored quotes to this segment of the work-
force. With the help of deep transaction-based data, sellers can deliver “hyper-relevant”
embedded insurance offers.
Perhaps it is inaccurate to view embedded insurance as a type of technological dis-
ruption, as it becomes a way to facilitate technological inclusion where customers and
insurance policies are brought together via platforms customers are already using. In this
context, embedded insurance can be seen as a tool to reduce the insurance gap and pro-
mote a culture of financial protection by insurance.
Embedded insurance makes the insurance purchase frictionless by combining critical targeting,
qualification, risk, matching and conversion thresholds. By using data science to diminish the
traditionally heavy lift of underwriting requirements, embedded insurers and brands take advantage
of the “magic moment” where potential customers can be easily prequalified for an
insurance product and given a convenient opportunity to purchase coverage in real time.
By providing access to the right technology within the point of sale (PoS), it is possible
to ease the pain and expense of customer acquisition and distribution channel expansion
while improving the overall customer experience and mitigating the need for external.
Embedded insurance ideally shares the following characteristics—offers are:

• Digitally enabled and can be accepted or declined within a digital interaction.
The process can occur on a mobile phone, tablet or computer;
• Timely, logical and are made when the prospective consumer is buying or using
the EIP’s product or service;
• Accurate and time-saving, as the offer fills an actual need for protection and utilises
the customer data which is already input; and

55 See Cover Genius case study.


• Clear and easy to understand: where the EIP and insurer work together successfully,
offers are presented in ways that are easy to understand as there is only one
type of tailored insurance offered and the policy is easy to purchase and intuitive.

What are the key challenges, barriers and risks with embedded insurance?
As is clear from the section above, digital embedded insurance has the ability to offer insurance
in innovative new ways and be presented to customers at various points in a purchase
process. However, insurance and other relevant regulatory restrictions are complex, and
this is an evolving landscape, particularly in areas that are experiencing rapid growth due
to advances in technology. Embedded insurance opportunities raise a multitude of legal
and regulatory issues, and the involvement of multiple parties gives rise to several regula-
tory and supervisory considerations.56
Applicable laws, licences and registration requirements vary in each country, and in
some countries, requirements vary in each jurisdiction or state, such as in the United
States and in Australia.57
Policyholder protection and treating customers fairly remains the primary objective of
insurance regulation, and insurers and third-party providers must be able to successfully
navigate complex regulatory environments, codes of practice,58 principles59 and ethical
considerations.60
Some pivotal regulatory risks and challenges that any participant in the value chain of
embedded insurance should consider include the following:

Appropriate licensing
The first question when seeking to embed insurance is to address what insurance-related
licences are necessary. In this context, it is important to distinguish between licences
required by insurers and licences required by intermediaries and brokers.
In the case of insurers, there is a general prohibition in most jurisdictions that no person
may conduct insurance business unless that person is licensed as an insurer. Obtaining
an insurance licence is onerous: Most legislation requires insurers to comply with various
burdensome requirements such as having certain minimum capital and solvency require-
ments, minimum competence and operational abilities to conduct the business. This is one
of the primary reasons that most embedded insurance is offered by an established insurer
that partners with a non-regulated organisation, such as a retailer or technology company.

56 These issues are highlighted with regard to inclusive insurance which has the same relevance to embed-
ded insurance, see, “Issues Paper in conduct of business in inclusive insurance,” International Association of
Insurance Supervisors, November 2015, 30 (hereafter Issues Paper).
57 For example, as noted above, in the United States regulatory oversight and regulatory frameworks being
a composite of federal and state legislation differ in each of the 50 states.
58 See, for example, The General Insurance Code of Practice in Australia (1 January 2021), which sets
industry standards above those mandated by law.
59 See, for example, The International Association of Insurance Supervisors (IAIS), a voluntary mem-
bership organisation of insurance supervisors and regulators from more than 200 jurisdictions in nearly 140
countries.
60 See, for example, Chartered Insurance Institute, Code of Ethics, “a set of principles ensuring we maintain
high standards of integrity, probity and ethical fair dealing.”


For example, in the United States, insurance is regulated by each state and has been
since the McCarran-Ferguson Act in 1945. Any person or entity selling, soliciting or
negotiating insurance must be licensed as an insurance producer. Where activities are
transacted online, this typically means a licence is required in all US jurisdictions. There
are over 50 regulators in the insurance market, which is the biggest market in the world. In
the European Union, similarly to the United States, the conducting of insurance business
is subject to prior authorisation sought from the competent supervisory authority of the
relevant EU member state.61
In general, persons involved in the distribution of insurance policies will require an
appropriate licence. While, in general, the licensing obligations for intermediaries or bro-
kers are not as onerous as those applicable to insurers, certain minimum requirements as
well as obtaining and maintaining the licence will nonetheless be required.
Embedded insurance may be distributed in many different ways: for example online,
either directly from the insurer’s website or through a third party’s website,
via mobile applications, over the phone or even face-to-face.
Depending on the distribution channel used, and the structure of the arrangement, licens-
ing requirements may apply not only to the insurer of the embedded product but also to
the parties responsible for distribution, which may include the retailer of the underlying
product that the insurance is embedded into.

Regulation of compensation for services


The remuneration payable to parties that participate in the distribution process of insur-
ance policies is often regulated, including regulating disclosure of the remuneration pay-
able and in certain cases limiting the nature, amount and/or the timing of the payment
of such remuneration. The primary objective of these restrictions is to avoid a conflict of
interest, namely to avoid any situation in which the provider of a service to customers has
a potential or actual conflict that may, in rendering the service to the customer, influence
the objective performance of its obligations or prevent it from rendering unbiased and
fair services to that customer. Compensation for services that conflict with the customer’s
best interests would typically be prohibited.
As the OECD explains in its 2020 report entitled “Regulatory and Supervisory
Framework for Insurance Intermediation”:62
As with all principal-agent relationships, the needs and goals of intermediaries and policy-
holders are sometimes different and sometimes conflicting.
Transparency and mandatory disclosure is arguably the most common way to protect
insureds by helping overcome information asymmetries.…
Technology-enabled intermediation is transforming the way insurance is distributed, pro-
viding efficiency, convenience and speed, while at the same time giving rise to new sources of
risks for insureds. Specific rules for digital intermediation are imposed in less than a third of
countries responding to the OECD survey.
Consumer protection safeguards may need to be considered by a wider range of countries
when it comes to insurance distribution through emerging digital intermediation channels.63

61 See Directive 2009/138/EC on the taking-up and pursuit of the business of insurance and reinsurance
(Solvency II).
62 www.oecd.org/daf/publicationsdocuments/publications/76/.
63 Ibid., 7.

The regulation of intermediaries’ remuneration arrangements and associated disclosure
requirements varies from one jurisdiction to the next, ranging from limited reporting
around the existence of remuneration agreements to extensive requirements that might
even embrace limits on levels of compensation. For example, in certain countries, such
as South Africa, the remuneration amounts payable to intermediaries of insurance products
are in certain instances subject to specific caps and may only be paid in prescribed
intervals.64
The key role-players in the value chain for embedded insurance should therefore ensure
that any compensation models adopted comply with the applicable laws, having regard to
their licences.

Ensuring informed decision-making and policy awareness


Embedded insurance is sold as an “add-on” to the purchase of a primary underlying product.
The consumer’s focus and awareness are therefore more specifically on the underlying
product and, more often, the sales process. Especially in the digital environment of a
combined sales process, this may result in the consumer having little time for, or informed
thought about, the insurance offering. Consumers are typically somewhat disengaged from
the sale process (i.e. they are not actively seeking the insurance) and have not thought about
their need for the insurance.
This, coupled with the complex nature of some insurance products, may result in the
consumer having little understanding of the insurance, its costs and limitations, and
whether the product is likely to perform as the consumer would expect. Moreover, embed-
ded insurance is more often than not sold without any financial advice, increasing the risk
that a consumer is sold insurance that does not meet their needs.
To address the potential lack of consumer awareness of the embedded insurance and
to increase informed decision-making, some jurisdictions have responded with oner-
ous requirements to protect consumers that, at the same time, potentially place barriers
between the consumer and the offer of timely and tailored risk-spreading solutions.
In Australia, an industry-wide deferred sales model for embedded insurance has
been adopted,65 cited as “once-in-a-generation regulatory reforms to improve consumer
outcomes.”66 The deferred sales model introduced a four-day pause between the sale of a
primary product and the sale of an embedded insurance product. The purported reason for
this requirement is to help individual customers make informed decisions when purchas-
ing insurance.
When developing the deferred sales model, Australian regulators considered feedback
from consumer groups. Consumer groups raised concerns that the regulatory regime
for insurance was not adequate to minimise consumer detriment and some called for
embedded insurance (also referred to as “add-on” insurance)67 to be prohibited or for the
introduction of an opt-in deferred sales model (discussed below) for all sales of add-on
insurance. The impetus behind the complaints from consumer groups and others was the
historic bad reputation caused by the sale of add-on financial products through car-yard
intermediaries, some of whom were less reputable, which was said to have caused widespread
and significant detriment to vulnerable consumers.68

64 See, for example, “Regulatory and Supervisory Framework for Insurance Intermediation,” OECD,
2020, 38–40, www.oecd.org/daf/publicationsdocuments/publications/76/.
65 On 10 December 2020, the Australian Parliament passed the Financial Sector Reform (Hayne Royal
Commission Response) Act 2020 to implement an industry-wide deferred sales model for add-on insurance in
response to Recommendation 4.3 of the Royal Commission into Misconduct in the Banking, Superannuation
and Financial Services Industry (Royal Commission).
66 See comments from Andrew Hall, CEO Insurance Council of Australia, “Insurers ready for regulatory
changes,” Insurance Council Australia, 30 September 2021,
https://insurancecouncil.com.au/resource/insurers-ready-for-regulatory-changes/.

Understandably, insurers and other stakeholders highlighted the risks and increased
vulnerability for the customer if a deferred sales model was adopted when purchasing, for
example, a motor vehicle or property.
The government responded and exempted from the deferred sales model several classes
of insurance products, such as travel insurance, postage and delivery of consumer goods
and motor vehicle insurance.69 Some notable products that have not been included in the
list of exemptions from the four-day pause include extended warranty insurance, insur-
ance for consumer goods such as mobile devices and laptops outside of a home and con-
tents insurance policy, and consumer credit insurance. Apple, for example, approaches
this potential gap in coverage caused by the deferred sales model regulation by providing
seven-day complimentary coverage with a new iPhone. Customers can then choose to
purchase Apple insurance after this coverage has expired.70
However, not all jurisdictions adopt a general industry-wide deferred sales model, as it
has been found that a deferral period that is not long enough creates a “halo effect” of
purchasing (i.e. the effect of the primary product purchase has not worn off, so the consumer
is not able to dispassionately assess their need for insurance),71 while one that is too long
results in consumers disengaging entirely from the decision about whether to buy the insurance.72
In the UK, a prohibition on opt-out selling (negative option selling, that is, the policy
is entered into unless the consumer opts out) and a ban on pre-ticked boxes for the sale of
embedded insurance are more commonly adopted, and, in the case of embedded guaranteed
asset protection (GAP) insurance,73 an opt-in approach together with a deferred sale
process is implemented.

67 See, for example, the 43-page submission from the Consumer Action Law Centre, “Policy questions
arising from Module 6—Insurance,” 25 October 2018,
https://consumeraction.org.au/royal-commission-module6-submission/.
68 Submissions to the CP 339 Implementing the Royal Commission recommendations: The deferred sales
model for add-on insurance, related primarily to the sale of insurance via car dealerships and car yards.
69 Exemptions are identified and described in detail in Regulation 12A–12M of the Australian Securities
and Investments Commission Regulations 2001 and include compulsory third party (CTP) insurance for motor
vehicles, travel, third party property damage, fire and theft insurance for motor vehicles, comprehensive
insurance for boats, motorcycles, motorhomes, caravans, trucks, insurance sold within superannuation (including
group life insurance), postage and delivery of consumer goods insurance, home building insurance, home and
contents insurance, landlord insurance, add-on travel insurance products and business-related add-on
insurance products.
70 www.apple.com/au/support/products/.
71 “Competition in the Financial System,” Productivity Commission, 2018, 429.
72 See comments in “Reforms to the sale of add-on insurance products,” Australian Treasury Proposal
Paper, 9 September 2019, 13.
73 Guaranteed asset protection (GAP) insurance is used to protect the insured party against any shortfall
between the purchase price, or total amount payable under a credit or hire agreement, and the amount an
insurer will pay out, which is usually linked to market value at the time of the loss.

Californian regulators have reacted in a similar way to the UK to GAP insurance sold
in the motor industry and have placed restrictions on GAP insurance sold.74 The new laws,
which ban GAP waiver sales in certain instances, became effective on 1 January 2023. As with
the UK, the restrictions are only placed on GAP insurance. Other add-ons or embedded
products can be sold alongside the primary product, subject to any privacy and other
consumer-related laws.
Additionally, in an attempt to combat the lack of understanding of the insurance and
the no-advice model of sales, in many jurisdictions insurers (and their partners involved
in the distribution of the insurance) and other financial service providers are mandated to
comply with extensive disclosure obligations.75
In South Africa, for example, insurers are not only obligated to make pre-contract
disclosure pursuant to statute76 and long-established common law,77 but they are also subject
to overarching disclosure and market conduct requirements. The Financial Sector Conduct
Authority (FSCA)78 introduced a regulatory framework entitled Treating Customers
Fairly (TCF) to ensure that the fair treatment of customers is embedded within the culture
of regulated financial firms, so that specific, clearly articulated fairness outcomes
for financial services consumers are delivered by financial institutions. These outcomes
must be demonstrably delivered throughout the product life cycle, from product design
and promotion, through advice and servicing, to complaints and claims handling—and
throughout the product value chain.
In the United Kingdom, specifically in the case of GAP, insurers are required to provide
retail and commercial customers with prescribed information to encourage them to shop
around and be more engaged when making decisions about purchasing GAP products.79
Notably, for a disclosure regime to be effective, it should aim for tangible outcomes—
that is, consumers understand financial products and only buy the products that they need
and that are best suited to them.80 Insurers need to provide information that “a person
would reasonably require for the purpose of making a decision, as a retail client, whether
to acquire the financial product.”81 Disclosure should focus on quality rather than quantity,
as there is a risk that if the disclosure becomes too voluminous then the customer may be
less likely to read the material and understand the important messages when customers
are focused on their primary purchase. There is a heightened requirement for disclosure
as the product could be described as being “sold to” customers rather than “bought by”
customers.82

74 Assembly Bill 2311 (“AB 2311”) and Senate Bill 1311 (“SB 1311”) were signed into law by Governor
Gavin Newsom on 13 September and 27 September 2022, respectively.
75 See, for example, Basel Committee on Banking Supervision Joint Forum Point of Sale disclosure in the
insurance, banking and securities sectors—final report April 2014, www.bis.org/publ/joint35.pdf.
76 See Financial Advisory and Intermediary Services Act 37 of 2002; Long-term Insurance Act 52 of 1998;
and Short-term Insurance Act 53 of 1998.
77 See, for example, D Millard and B Kuschke, “Transparency, trust and security: an evaluation of the
insurer’s precontractual duties” Potchefstroom Electronic Law Journal 17 6 2014 2412-2450,
www.scielo.org.za/scielo.php?script=sci_arttext&pid=S1727-37812014000600006; and
Paul Kruger, “Adviser obligations regarding disclosure of material terms and conditions of a policy,”
10 February 2022,
www.moonstone.co.za/adviser-obligations-regarding-disclose-of-material-terms-and-conditions-of-a-policy/.
78 See FSCA, “Treating Customers Fairly,”
www.fsca.co.za/Regulatory%20Frameworks/Pages/Treating-customers-fairly.aspx.
79 Published in PS15/13.
80 See discussion in the Consumer Action Law Centre in “Policy questions arising from Module 6—
Insurance,” 25 October 2018, 8, https://consumeraction.org.au/royal-commission-module6-submission/.
81 One example of a definition of the objective of the disclosure regime is found in the Australian
legislation, Corporations Act 2001 (Cth) s 1013D(1).

In some jurisdictions, regulation of the term of the insurance policy has emerged as a
means of creating policy awareness. Restricting the maximum term length (as is the case of
some microinsurance-specific legislation proposed in India) and the need for frequent
renewal that it entails may also help in creating awareness of the policy.83
In addition, most jurisdictions regulate the insurance terms and conditions in order to
protect the customer. Regulating unfair contract terms is not novel, but there has been an
increase in regulation prohibiting unfair contract terms as can be seen by the Australian
Securities and Investments Commission (ASIC), which in April 2021 announced amend-
ments to the existing framework regulating unfair contract terms, such that terms that, for
example, gave insurers a unilateral discretion to do something are now not permitted. In
most jurisdictions, the regulation of unfair contract terms applies to contracts with natural
persons or small businesses, both constituting a consumer.

Free choice versus embedded nature of the cover and anti-trust considerations
A further consumer protection concern with embedded insurance is the principle that the
customer should have a right to a “free choice,” which denotes that the consumer has the
right to select suppliers.
Essentially, the principle of free choice entails that a supplier may not require, as a
condition of offering to supply or supplying any goods or services, or as a condition of
entering into an agreement or transaction, that the consumer must purchase any other
particular goods or services from that supplier (i.e. insurance), that a consumer must enter
into an additional agreement or transaction with the same supplier or a designated third
party, or that a consumer must agree to purchase any particular goods or services from a
designated third party.
While there may be exceptions to the aforesaid, such as where the supplier can demon-
strate that the bundling of the insurance with the underlying purchase has a convenience
or an economic benefit to the consumer or that the goods or services are offered both
together as a bundle and also individually, it is important that the bundling of the insur-
ance with the underlying purchase does not impugn a consumer’s right to free choice.
Closely linked to free choice is whether the embedded nature of the insurance will create
anti-trust risks. Typically, if it is structured on the basis that it is a prerequisite (i.e. a
condition) for the customer to take out the insurance in order to purchase the underlying
goods or services, this may give rise to anti-trust considerations on the basis that it
constitutes an exclusionary act. The exclusionary act of selling goods or
services on condition that the buyer purchases separate goods or services unrelated to the
object of a contract, or obliging a buyer to accept a condition unrelated to the object of a
contract (that is, the internationally recognised practice of “tying and bundling”), is
frequently prohibited when engaged in by dominant firms in various jurisdictions. Mostly, and
subject to jurisdictional variations, in order for the embedded insurance to avoid falling foul
of common anti-trust provisions, the arrangement between the retailer and the insurer should not
be structured subject to a condition that it is a prerequisite for the customer to take out the
insurance in order to purchase the underlying goods or services.
Similarly, constraints may exist under the umbrella of exclusive dealing rules. For
example, in Australia, exclusive dealing happens when one business trading with another
puts conditions on the other’s freedom to choose what it buys or sells, who it does business
with or where it trades.84 Notably, exclusive dealing is only a breach of the Competition
and Consumer Act 2010 if the restriction has the purpose, effect or likely
effect of substantially lessening competition.85

82 As described by Consumer Action Law Centre in “Policy questions arising from Module 6—Insurance,”
25 October 2018, 8, https://consumeraction.org.au/royal-commission-module6-submission/.
83 Issues Paper (n 56) 24.

Averting bias when deploying artificial intelligence


The benefit of AI is that it leverages substantial amounts of data in order to predict trends.
Developers of AI build or develop algorithms using data; however, the benefit of the
data to predict trends is only as good as the data used to develop the algorithm.
Since the algorithms are developed by humans, and humans manage the categorisation of
data used in AI technology, AI and the trends it derives from data are susceptible to bias.
The bias in the data sets which are used to develop the AI
has the potential to unfairly disadvantage certain groups or to over-focus (or under-focus)
on certain activities to the detriment of others, and analytics derived from the AI can
inherit these biases.
The impact of biased AI can be substantial. Nicol Turner Lee, Paul Resnick and Genie
Barton have stated:
Bias in AI algorithms can emanate from unrepresentative or incomplete training data or the
reliance on flawed information that reflects historical inequalities. If left unchecked, biased
algorithms can lead to decisions which can have a collective, disparate impact on certain
groups of people even without the programmer’s intention to discriminate.86

The risk of unfairness, particularly in a consumer fairness-centric insurance landscape, is
high, and AI bias may result in the enforcement action set out more fully below.
Given the known potential for human biases to affect AI, not only should developers
account for (and insurers consider) common human biases in development of the AI,
but there also needs to be some “appropriate level of human judgment” in the AI process.87
The human element in reviewing and assessing the data as well as the data used in the
development of the AI will assist. However, human judgement that lacks diversity will
not cure the bias. It is therefore incumbent on insurers, when developing the insurance
product, and on the AI designer to ensure that design diversity is applied. The AI used by
the role-players in embedded insurance is only as good as the data used in the algorithms.

84 Exclusive Dealing Notification Guidelines, ACCC, December 2022,
www.accc.gov.au/system/files/Exclusive%20dealing%20guidelines.pdf. The Competition and Consumer Act 2010
(the Act) allows a business to obtain legal protection to engage in exclusive dealing conduct that might
otherwise breach section 47 of the Act.
85 www.accc.gov.au/business/competition/misuse-of-market-power#:~:text=Tying%20and%20bundling&text=For%20example%2C%20a%20printer%20supplier,are%20bought%20as%20a%20package.
86 Nicol Turner Lee, Paul Resnick and Genie Barton. “Algorithmic bias detection and mitigation: Best
practices and policies to reduce consumer harms.” Brookings, 25 October 2019.
87 See generally, Eric Talbot Jensen, “The (Erroneous) Requirement for Human Judgment (and Error) in
the Law of Armed Conflict,” International Law Studies, vol 96, no 1, 2020, 37–42 (summarising the views of
several states on why human control is necessary) cited in Milaninia, N. (2020). “Biases in machine learning
models and big data analytics: The international criminal and humanitarian law implications.” International
Review of the Red Cross, 102(913), 199–234. doi:10.1017/S1816383121000096.

In addition, AI models should be tested to identify any potential bias. For example,
when analysing the personalised insurance quotes offered to customers, testing should
be carried out on both policies issued and quotes that did not result in a policy to reveal the
outcomes of insurers’ marketing algorithms and, consequently, whether those marketing
algorithms produce racially or otherwise biased outcomes.88
Parties in the embedded insurance value chain also subscribe to fair and ethical out-
comes in the use of AI and big data in underwriting and pricing to ensure data is accurate
and models are not biased in any way that may be discriminatory.89

Data protection and cyber risks


In order to embed insurance products into seamless customer journeys, multi-stakeholder
technology platforms need to be able to “talk to each other” and exchange data, which
is commonly done through the integration of multiple APIs. This integration of APIs
and other technologies heightens cyber risks. This, coupled with insurers’ use of
archaic operating systems and software which is no longer supported, escalates the risk of
cyber incidents.
Before utilising APIs, insurers and platform providers should conduct rigorous due diligence
reviews of potential partners, to ensure (amongst other things) compliance with at
least cyber security and cyber resilience best practices and intellectual property rights as
discussed above. Amongst other things, contractually, the parties should impose obligations
on the platform providers to adhere to any regulatory requirements and internal
policies and standards which set a party’s risk tolerances, and should regularly review whether
such policies are being implemented to mitigate against cyber threats. Certain cyber
resilience fundamentals should be considered, notably the adoption of cyber security hygiene
practices, e.g. multi-factor authentication (MFA), malware protection and network perimeter
defence protocols in line with industry standards.90
Failure to understand the potential risks of APIs and guard against cyber incidents
may result in loss of data if the data path is not controlled, and may also result in revenue
losses, negative impacts on business growth and a loss in credibility.
Given the upsurge of threat actors and cyber criminals and the increased scrutiny from
regulators, establishing responsible use of data in the insurance industry, and establishing
and using big data with some sort of “techno-morals” and transparency, is key. In addition,
digital platforms are borderless in their reach, operating beyond the
jurisdictions where they are established, and data therefore regularly flows on a cross-border
basis.

88 See “Joint meeting of the innovation, cybersecurity, and technology committee and the NAIC
consumer liaison committee,” NAIC, 14 October 2022, 44.
89 See, generally, “Fairness criteria,” discussed in Xi Xin and Fei Huang, “Anti-Discrimination Insurance
Pricing: Regulations, Fairness Criteria, and Models,” 10 November 2022, https://ssrn.com/abstract=3850420.
90 See Chapter 11, “Cyber Risk and Insurance” for a detailed description of risks and mitigation strategies.

Ownership in and regulation of intellectual property


For each role player in the value chain of embedded insurance, the protection of each
party’s intellectual property is of paramount importance.
While insurers may develop systems and intellectual property in-house, at the heart of
embedded insurance is collaboration between the insurer, the non-financial institution and
the technology provider. A key risk in collaborating is the risk of losing control over one’s
own intellectual property or “background intellectual property” (intellectual property
that the respective parties own prior to collaborating, or that is developed or conceived
independently of the collaboration) and the rights in respect of any jointly developed intel-
lectual property or “foreground intellectual property.”
Each role player must critically consider and agree on terms that set out the rights of
the parties to own and exploit background and foreground intellectual property, including
(amongst other things) (i) suitable warranties and indemnities regarding ownership (in
particular, that each of the parties is entitled to grant the rights and that the background
intellectual property does not infringe the intellectual property rights of any third parties);
(ii) whether any exclusivity rights and restraints will apply to use of the intellectual prop-
erty; and (iii) if any fees will be payable to use such intellectual property.
In addition, the parties should agree to specific confidentiality provisions to ensure that
neither party discloses the intellectual property of the other party to a third party.
It is common that the role-players are not all situated in the same territory. In some coun-
tries, the cross-border transfer of intellectual property may be subject to certain exchange
control restrictions, such as the transfer of intellectual property from a resident to a non-
resident, and any royalty payments for an inbound licence of intellectual property.
For example, in the European Union, intellectual property has to be registered in terms
of national laws of each country belonging to the EU and the EU regulation of cross-
border transfers and strategies assists European inventors to receive compensation for
their intellectual property rights.91

Tax considerations
In addition, tax is often payable on licence royalties. In a cross-border transaction, a
licensor is usually liable to pay tax to the tax authority in the licensee’s jurisdiction. The
amount of tax depends on the local law in the licensee’s jurisdiction and any double tax
treaties between the relevant countries.92 The licensor can usually obtain a tax credit so
that it is not double-taxed by the tax authority in its own jurisdiction.93 Another important
consideration is that in certain jurisdictions, the provider of the technology may (in addi-
tion to the licences aforesaid) trigger certain tax obligations and registration obligations
to account for tax.94

91 Communication from the commission to the European Parliament, the Council and the European
Economic and Social Committee Trade, growth and intellectual property—Strategy for the protection and
enforcement of intellectual property rights in third countries COM/2014/0389 final,
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52014DC0389.
92 https://ca.practicallaw.thomsonreuters.com/6-519-5891?__lrTS=20180121091505886&contextData=(sc.Default)&transitionType=Default&firstPage=true.
93 Ibid.
94 Ibid.

Prohibitions on rebating or inducements


Many jurisdictions prohibit or restrict forms of rebating where something of value is given
to sell the policy that is not provided for in the policy itself. An example of rebating is
when the prospective insurance buyer receives a refund of all or part of the commission
for the insurance sale.
The primary reason for the prohibition on inducements is to ensure the fair treatment of
consumers, to apply the insurance in a non-discriminatory manner and to avoid the con-
sumer entering into insurance that is not needed or suitable, simply to acquire the benefit
or the inducement. In some jurisdictions, whether an inducement is prohibited or not will
be determined with reference to whether the offer constitutes a valuable consideration or
a consideration above a certain minimum threshold.
This prohibition becomes particularly relevant with embedded insurance and, for
example, tying a discount to the underlying purchase should the consumer purchase the
embedded insurance offered.
For example, in South Africa, there is an express prohibition on inducements that applies
not only to insurers, brokers and intermediaries but to any person who provides, or offers
to provide, any valuable consideration as an inducement to a person to enter into, continue,
vary or cancel a policy. In the United States, specifically in New York, a rebate or unlawful
inducement to the making of insurance is prohibited by N.Y. Ins. Law § 2324(a).95

Advertising
Insurers and third parties need to ensure their promotional material relating to their
embedded products complies with the regulatory requirements pertaining to the advertis-
ing of insurance products. The regulations generally seek to ensure that the identity of the
insurer is clearly disclosed, that any comparative marketing is factual and that marketing
does not mislead customers.
Where an insurance product is white-labelled and sold under co-branding or the insur-
er’s branding identification is removed, the customer is encouraged to view the insurer
and third-party partner as one entity. Customer concerns with the insurance policy may be
incorrectly attributed to the third-party partner and cause reputational damage.
Insurers and EIPs should identify whether information on the website constitutes adver-
tising and, if so, review and agree on the language and terms used and remove anything
which may breach current laws.
Opinions such as quotes should be current and superlatives such as “all,” “best,” “supe-
rior” and “guarantee” should be used cautiously to avoid the potential to mislead consumers.
Liability is likely to stay with the insurer whose products are being promoted, and all parties
must maintain a system of review to reduce legal and regulatory exposure.
Marketing must be cautiously monitored so that it does not become a so-called
“manufactured vulnerability” or manipulative marketing. This type of marketing consists of
website elements that manipulate users into making decisions they aren’t aware of or
didn’t want to make. Dark patterns are built around insights into how we behave and react
in certain situations. They can also be as simple as using very small letters, less visible
colours and placing information within long terms and conditions. If embedded insurance
is to prove itself to be a valuable option to customers it must be sold within an ethical
framework. Insurers have often led the way with customer protection initiatives, and this
focus needs to continue.

95 www.dfs.ny.gov/insurance/ogco2000/rg000211.htm.

The UK has introduced initiatives such as “Smarter Consumer Communications.”96
These create the foundations for how the regulator should use its supervisory technologies
to detect and close down poor practices in high-volume, low-premium lines of business.
In the United States, a privacy bill in California deems any information obtained
through the use of dark patterns to be without consent.97 The Federal Trade Commission
published a report on dark patterns, seeing them as a sophisticated version of unfair or
deceptive trade practices. The Federal Trade Commission has taken enforcement actions
(including imposing fines) on companies for experimenting with deceptive marketing
designs.98
An insurer’s website in some jurisdictions can discuss the terms of the insurance offering;
however, a non-licensee’s website may be subject to certain restrictions. Insurers are
often required to maintain adequate records of their advertising and are advised
to catalogue each piece.

Enforcement actions are extensive


Regulators actively enforce the laws and have the power to impose penalties. Penalties for a regulatory breach may include licence revocation, restrictions or non-renewal; cease and desist orders; civil penalties and full or partial refunds to consumers; corrective advertising and disclosures to correct misinformation in original adverts; and criminal penalties for certain breaches.
Reputational damage to both the insurer and the EIP also has the potential to cause
adverse financial outcomes, loss of consumer trust and brand deterioration.

Risk of over-regulation and stifling innovation


It is clear from the growth and enablement that insurance technology (insurtech), which enables embedded insurance, is transforming the financial services sector. It holds the potential to improve efficiency and reduce operating costs for insurers, allows seamless, real-time customer transactions, and drives hyper-personalisation by improving an understanding of the needs and behaviour of customers. Supporting the development of insurtechs provides accessible and appropriate financial products at scale.
As with all things, while there are benefits, with innovation comes risks, including the
potential impacts from reduced face-to-face contact, insufficient consumer understanding
of the product or service and its provider, risks in the security and potential misuse of
increasing amounts of consumer data and potential exclusion for some consumers.

96 FS16/10: Smarter Consumer Communications, www.fca.org.uk/publications/discussion-papers/smarter-consumer-communications-further-step-journey.
97 See California Privacy Rights Act (CPRA) § 1798.185. The regulation states that the link to the consent page cannot, among other things, “use any dark patterns.”
98 www.ftc.gov/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick-trap-consumers.

While customer protection concerns require a particularly strong emphasis on the conduct of business regulation in embedded insurance, there is a danger of protecting customers out of the market, meaning that the regulatory burden imposed by strict conduct of business requirements “pushes” up distribution costs to such an extent that insurers may not find distribution to the low-income market viable, or may streamline distribution to entail no or limited advice.99 This may defeat the purpose of the conduct of business regulation in terms of customer empowerment, disclosure and prevention of mis-selling outcomes envisaged.100
While it is generally accepted that regulation is necessary to respond to the significant
risk that rapid increases in technology used in financial services create, the regulations
need to be drafted and enforced in a manner that manages these risks in a way which does
not significantly stifle innovation.101
For example, while using data presents potential concerns as noted above, in the future, regulators may choose to make a distinction whether data is used for underwriting purposes or for additional services such as prevention and prediction. This could include setting limits on which data is strictly necessary, depending on the area (health insurance, motor insurance, home insurance, etc). This may justify creating an authority that oversees data purpose limitations and what data is strictly necessary for the provision of various services. It will be useful for regulators to require any insurance product using data sets from third-party sources to disclose both the sources and the exact types of personal data used to determine cover and price.102
Regulation has often reinforced slow and narrow innovation.103 Excessive regulation of risks
identified with innovation and technology will undoubtedly increase barriers to entry.
Proportionality to regulation and flexibility in licences, capital and scope may be a
preferred approach to regulation.
By following a risk-based approach, regulators may seek to differentiate requirements for low-value purchases and need to decide if consumers should be afforded the same levels of protection regardless of the type or size of purchase or activity. For regulators, a key challenge is understanding who is doing what in the chain to understand the reallocation of the rights and responsibilities along the “new” value chain to track the different players within the individual approaches. Regulators may find it useful to introduce or enhance existing minimum requirements on reporting and transparency. Decisions to introduce new regulations must be taken holistically and with due care. Any initiatives and guidance should consider the impact of other regulations such as AI and data privacy requirements to avoid duplication or conflicting requirements.104
As highlighted in the Cover Genius case studies, embedded insurance can offer tailor-made solutions that eliminate the need for customers to take it upon themselves to search for and choose protection offers after their purchases.

99 See generally Issues Paper (n 34), 33.
100 Ibid.
101 See, generally, “Fintech Scoping in South Africa,” Genesis Analytics, October 2019, 25.
102 “(Re)insurance value chain and new business models arising from digitisation: Feedback statement to the discussion paper” Feedback Proposals, EIOPA, EIOPA-BoS-21-219, 9.
103 See, report at n 13 which notes that insurance products have not changed much in decades with other industries exploiting technology and data much better.
104 Responses to the EIOPA survey on insurance value chain and new business models digitalisation also advise on the importance of these requirements, www.eiopa.europa.eu/media/news/eiopa-consults-reinsurance-value-chain-and-new-business-models-arising-digitalisation_en; see generally Chapter 2.

Regulators and stakeholders need to monitor new provisions, new ways of working and
advances in technology regularly to assess whether they are effective and to find ways
to streamline and improve the customer journey. Whether more restrictive measures in
Australia achieve the aim to provide customers with better protection or if the measures
restrict customer choice and heighten the risk of financial hardship for those who need
insurance the most, remains to be seen.
As embedded insurance demonstrates value in bridging the insurance gap and as consumers become more familiar with insurance as a risk management tool, further flexibility and innovative approaches from the partnerships may be encouraged with lower regulatory requirements and sandbox-style experimentation.
Further, regulations that do not cater for the fast changes that a digital environment creates, and that are therefore stagnant and slow to change due to the extent of regulations, may inadvertently increase the protection gap and strain social cohesion.105 Excessive regulation that is used to mitigate against a lack of understanding of technology and its risk equally poses problems. Regulatory arbitrage must also be considered.
Regulators need to review risk through dedicated market surveys and incident reporting and should have ways in which they can link any incidents triggered by the innovative technologies underpinning embedded insurance. The technology and the powerful relationships between parties have the opportunity to scale up at a far faster rate than companies in the past, and regulators need to be able to understand and, where possible, anticipate the ways in which the nature of risks will change.
As the OECD explains:
Regulation directly affects the innovative process, while innovation and technical change
have significant impacts on regulation. To be successful, regulatory reforms must take into
account the linkages between regulation and innovation.106

The International Association of Insurance Supervisors (IAIS) has described this balance as a “moving target in a moving environment.”107 So the critical question is how to improve the positive regulatory effects on innovation without jeopardising the original regulatory objectives.108
There is no single answer to this question. However, the following approaches have proved useful in striking the balance:109
1. Understand and be vigilant to changes in innovation and impacts on regulations. Globally, regulators have adopted regulatory sandboxes110 as an attempt to test and more fully understand the potential risks which emanate from the innovation and attempt to regulate risk more proportionately;
2. Interagency coordination. The insurance regulators should coordinate with authorities and regulators in other spheres where channels not traditionally under the jurisdiction of insurance supervisors are leveraged for insurance distribution purposes;
3. Attempt to streamline regulations in the interest of economic efficiency and innovation and harmonise with international principles. Regulations and regulatory reform should seek to remove duplicative, onerous and inefficient regulations and monitor new developments both within and outside the insurance industry to protect interests;
4. Regulators should become “digital-intelligence-led.” Supervising in a digital world requires different skill sets. Interdisciplinary supervisory teams will be vital in a digitalised world. Regulators should be technologically and numerically literate and understand the risks associated with data. Supervisors will need new skills to identify, monitor and assess new applications of technologies, for understanding market structures and the activities of new participants, and for understanding consumer outcomes. In this respect, supervisory authorities and insurers will need to reconsider what qualifications and skill sets they need to become “fit for the future;”
5. Regulators should consider how to embrace new technologies to help carry out supervision, also referred to as suptech solutions.111 Suptech is the use of technological innovations (or fintech) by supervisory authorities.112 Regtech is the use of technological innovations (or fintech) for compliance purposes and reporting by regulated financial institutions;113
6. Regulators should consider issuing guidelines. To help promote the responsible use of new technologies by insurers and intermediaries and safeguard the fair treatment of customers, regulators should issue guidelines (binding or non-binding) to explain the approach of the regulators to changes in the landscape and how it applies to the different role-players involved in embedded insurance;
7. Regulators will also need to deal with non-insurance entities with different entity structures and approaches. Regulators must furthermore engage with new entrants into insurance and financial services who may not have experience or knowledge of financial services regulation. These new entrants may have different entity structures and approaches to consumer-related risk than incumbents historically monitored by supervisors. Unlike incumbents, the general compliance awareness, risk culture and ability to comply with regulatory requirements may differ significantly for these non-traditional firms.114 This may require a proactive strategy for outreach and engagement with these new entrants to inform and educate them on relevant supervisory matters and the proper compliance attitude;
8. Delegated supervision. The demands placed on supervisory capacity by a multitude of additional distribution outlets means that the potential delegation of the registration and/or supervision of the sales force to insurers becomes a relevant consideration. This could mean that the insurer is held accountable for the actions of all persons selling its insurance policies. Insurers may be asked to keep a register of salespersons and to train and oversee them, so as to ensure appropriate conduct of business;
9. Accountability of entities. How and to what extent can all entities in the value chain be made accountable to the insurance supervisor? This is an important question which needs to be asked by regulators. While the institutional regulation of new entities in the value chain will remain with the respective other authorities, their incorporation under the functional jurisdiction of the insurance supervisor in terms of their role in insurance distribution continues to be an important consideration as highlighted in the IAIS report.115

105 See, generally, Stefanie Zinsmeyer, “Insurtech, rising to the regulatory challenge, a summary of IAIS-A2ii-MIN Consultative Forums 2018 for Asia, Africa and Latin America,” 2018, IAIS, 13.
106 See Foreword, Organisation for Economic Co-operation and Development. Reports (Paris), and Joanna R. Shelton, “The OECD report on regulatory reform. Organisation for Economic Co-operation and Development,” 1998.
107 See, Stefanie Zinsmeyer, “Insurtech, rising to the regulatory challenge, a summary of IAIS-A2ii-MIN Consultative Forums 2018 for Asia, Africa and Latin America,” 2018, IAIS.
108 This is a recurring question in regard to regulatory objectives; see Joanna Shelton, “The OECD report on regulatory reform,” Organisation for Economic Co-operation and Development, 1998, 8.
109 See, Issues Paper (n 56), this section draws on and builds upon suggestions raised in the IAIS issues paper and are equally relevant to the success of embedded insurance, 29–30, pages highlighted where relevant.
110 See, for example, the types of firms in the Regulatory Sandbox in the UK, www.fca.org.uk/firms/innovation/regulatory-sandbox/accepted-firms.
111 Issues Paper (n 56), 25.
112 Issues Paper (n 56), see description in footnote 27 of the IAIS document.
113 Issues Paper (n 56), 25.
114 Issues Paper (n 56), 27.

Conclusions
As demonstrated above, digital growth and innovations can change and potentially improve the customer experience. Equally, such innovation can (amongst others) reduce insurers’ costs and expand client access and help reduce the gap. However, digitalisation may have an impact on consumer protection.
The IAIS has stated that “To adjust to the digital age and foster innovation, supervisors should consider how to ensure that new innovation does not come at the expense of protections for policyholders and the integrity of the insurance sector as a whole.”116
Insurers play a significant role in the digitalisation of economies by helping to cover the new risks of a digital society and lowering the protection gap. We are likely to see requirements for the role-players in the value chain to open their infrastructure—i.e. open insurance (using open source code)—just like we have seen in embedded finance.
The key reason that embedded insurance is making a real difference is that it can reach new areas of the market and provide insurers with access to potential policyholders who may never have taken out a policy of insurance. Embedded insurance raises awareness of risks in a wider marketplace, and the partnerships can help move insurers into preventers rather than payers.
Embedded insurance, if it continues on its current trajectory, can offer relevant, affordable and personalised insurance to people when and where they need it the most.117
The relevant issue is not only how to address and manage the short-term growth to capture opportunities but also how to ensure an appropriate framework that is compatible with the continuous evolution that can be expected in the future. Digital natives and technology-backed business models will fuel demand to embed insurance for an increasing number of use cases, and regulators need to strike the right balance.
What is clear is that if embedded insurers and their partners can continue to offer insurance with a focus on value and transparency and use personalisation to improve the outcomes for the customer, embedded insurance can be an incredible tool.
The future of embedded insurance is boundless. As long as the best interests of the customer remain at the centre of innovation, its long-term success is guaranteed.

115 Issues Paper (n 56), 29.
116 “Issues Paper on Increasing Digitalisation in Insurance and its Potential Impact on Consumer Outcomes,” IAIS, November 2018, 34.
117 www.simon-torrance.com/blog/What_is_Embedded_Finance.

Chapter 5

Distributed Ledger Technology and Blockchain

Insurance

Lee Bacon and Julie-Anne Tarr

CONTENTS
Introduction
What are DLT and blockchain?
What is a smart contract?
Public v private blockchains
Blockchain and insurance—potential uses and advantages
Efficiency
Fraud protection
New markets and tools
Possible future use cases
Concluding comments: Uses and advantages
Challenges in the insurance world
Ledger transparency
Blockchain cyber risks
Legal risks and issues with DLT/blockchain
Legal implications and areas of development
Dispute resolution
Standardisation
Emerging markets
Conclusions

DOI: 10.4324/9781003319054-5
Distributed Ledger Technology and Blockchain

Introduction
This chapter1 reviews the developments and initiatives driven by distributed ledger technology (DLT) or blockchain technology within the insurance industry.2 Since the very first moves in 2017/18, much progress has been made and many mistakes remedied. In order for the insurance industry to capitalise on the very real benefits, however, progress towards standardisation (of practices, systems and databases) is required along with a willingness for intra-market cooperation to foster ecosystems. If achieved, the prospects for the insurance industry in utilising this technology to help embed itself as part of the wider digital economy are bright.
Broadly, the activities undertaken by insurers and reinsurers to date fall into three camps. First are those more prosaic initiatives designed to improve efficiency, lower the costs of transaction processing and improve data quality and transparency. Second, fraud detection, risk prevention and “smart” contracting3 are at the forefront of several collaborative efforts undertaken within the industry or in conjunction with major external technology entities. Third, and most interesting, is the development of new markets and tools for risk management and sharing.
These opportunities are not without their corresponding challenges and risks, technological, legal and otherwise. Key challenges and risks to be considered in the context of existing legal frameworks relate to security and privacy, governance, scalability and standardisation. While this new technology may enhance data security, it is not free of risk and may commonly give rise to three major types of potential liability risk: Ledger transparency risks, cyber risks and operational risks.
One of the strengths of distributed ledgers is the enhanced level of transparency, whereby every node operator has access to data stored on a distributed ledger, which also facilitates re-personalisation of data stored on a distributed ledger or enables nodes to make an informed guess as to identities entering into certain transactions. This in turn leads to two main legal risks: Data privacy, and insider trading and market abuse.

1 Generally, see Professor Julie-Anne Tarr “Distributed Ledger Technology, Blockchain and Insurance: Opportunities, Risks and Challenges” (2018) 29 Insurance Law Journal 254–268.
2 In this fast-moving area of innovative technology, there is little consensus on the precise definitions, even of key terms (such as the term “blockchain” itself). Accordingly, in general terms,
• Bitcoin—a finite digital currency created and held in purely electronic form. As with most modern currencies, it has a fluctuating exchange rate. It is not issued by any bank or sovereign state. Bitcoin first appeared in a paper published online in 2008 by Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic cash system,” 2008, https://bitcoin.org/bitcoin.pdf, cited by Kevin Werbach and Nicolas Cornell, “Contracts Ex Machina” (2017) 67 Duke Law Journal 313, 314.
• Blockchain—in a narrow sense, the database of every bitcoin transaction ever made. More loosely, the term is used to describe the style of database, which sees information stored in a series of “blocks” and “chained” together. Copies of the database, or “ledger” are stored on a number of servers in a decentralised fashion.
• Distributed ledger technology—see “blockchain” above. The broader use of the term blockchain. Blockchain is one example of distributed ledger technology, although the terms are often used interchangeably.
See, for example, IBM, “What is blockchain technology?” www.ibm.com/au-en/topics/what-is-blockchain (hereafter Definitions).
3 Smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met. They typically are used to automate the execution of an agreement so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when conditions are met. See IBM, “Smart contracts defined,” www.ibm.com/au-en/topics/smart-contracts.

Regulators globally have to date largely taken a “light touch” approach to the question as to whether existing legal frameworks are sufficient to meet the technological challenges posed by distributed ledger technology (DLT) or blockchain technology. This chapter considers industry initiatives within the existing legal framework and reviews some of the challenges in extending and applying private law and regulation to blockchain applications. We conclude that while adaptations need to be made, there are no insurmountable hurdles in making such adaptations to ensure that the legal and regulatory framework supports the development of such technology.
At a macro-insurance market level, of more general utility would be a distributed ledger for a network of insurers holding a combination of external and customer data. This would allow insurers to more effectively detect common fraud such as falsified injury or damage reports, and DLT in this context would enable insurers to validate the authenticity of policy records; check the time and date of the policy purchase or issuance; cross-reference customer records with past policy claims, police reports and known identities to help detect potential patterns of fraudulent activity; confirm the transfer of policy ownership or track other changes; and identify duplicate or multiple claims, as any claim raised would be shared in the network and verified by the participating insurers.4 One obvious example where such a ledger would counter fraud would be in relation to “crash for cash” frauds where drivers deliberately stage or cause a motor vehicle accident, and claims are then made by the various participants in this fraudulent activity.
Where these claims are made against multiple policies held by different insurers, it is
obviously much more difficult to detect fraud unless cross-industry data is shared, and this
data is also augmented by other sources—such as law enforcement and traffic records.
The adoption and facilitation of such a tool are far from straightforward but can build
upon existing intra-market cooperation and certainly within jurisdictions.

What are DLT and blockchain?


A blockchain is simply a database or ledger. Given its broad meaning, it can be a database of virtually any recordable information. Simply put, blockchains store data in “blocks” and “chain” them together to form a cohesive, unbroken record of that information. For instance, the first blockchain recorded the creation and transfer of bitcoins.
The joint operation of two features in particular makes blockchain revolutionary.
First, identical copies of the particular blockchain (or ledger) are stored on and accessed
from many (sometimes in the thousands or more) computers around the world. Any
attempted addition or change to the information is authenticated by the entire network
of servers, and any validated change to one ledger automatically updates the others.
This is what makes it a form of DLT. Second, together with this decentralised ledger
system, the cryptographic technology that validates information stored and edited on
the blockchain is said to make information kept on it extremely difficult to attack or
corrupt.

4 See Cubeform, “Blockchain insurance use case: lower costs, better transparency and security,” https://cubeform.io/blockchain-insurance-use-case/ (hereafter Cubeform).

DLT can be designed and configured in a variety of ways, but key characteristics typically include:
(a) A distributed general ledger that allows data to be stored and exchanged on a peer-to-peer (P2P) basis across a decentralised network of computers, without the need for a central registry or clearing house;
(b) A network of participants, also known as “nodes,” connected to the network with levels and types of access to the ledger depending upon the particular configuration and governance arrangements of the DLT ledger;
(c) Decentralised validation whereby consensus is achieved through an algorithm or set of algorithms that nodes execute to verify and agree on records that are posted to the ledger; new data is packed into blocks that can only be added to the blockchain after consensus is reached on the validity of the transaction;
(d) Immutable storage whereby each stored block is linked to its previous block in the chain and registered in the blockchain by date and time; and
(e) Encryption whereby digital signatures based on pairs of cryptographic private and public keys put network participants in a position to authenticate which participants initiated a transaction, registered data in the blockchain, signed a contract and so forth.
This shared method of validating information—known as the consensus mechanism—largely dispenses with the need for a trusted authenticating third party for many types of transactions. Blockchain and associated technologies allow contractual counter-parties—without independent verification—to know that a certain event has happened and automatically trigger the relevant contractual consequences.
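
The block linking in characteristic (d), and the duplicate-claim check described earlier for a ledger shared between insurers, can be illustrated with a short Python sketch. This is an added example, not code from the chapter or from any insurer's system: the class names, the incident fingerprint and the sample claims are constructed assumptions, and consensus (c) and digital signatures (e) are deliberately left out.

```python
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def incident_key(vehicle_reg: str, incident_date: str) -> str:
    """Fingerprint of an insured event (assumed design): insurers can match
    claims on the same incident without posting the raw registration."""
    normalised = vehicle_reg.replace(" ", "").upper()
    return sha256_hex(f"{normalised}|{incident_date}")


@dataclass
class Block:
    index: int
    timestamp: str   # characteristic (d): registered by date and time
    prev_hash: str   # characteristic (d): link to the previous block
    claims: list
    block_hash: str = ""

    def compute_hash(self) -> str:
        body = {"index": self.index, "timestamp": self.timestamp,
                "prev_hash": self.prev_hash, "claims": self.claims}
        return sha256_hex(json.dumps(body, sort_keys=True))


class ClaimsLedger:
    """One node's copy of a shared, append-only claims ledger."""

    def __init__(self):
        genesis = Block(0, "2024-01-01T00:00:00Z", "0" * 64, [])
        genesis.block_hash = genesis.compute_hash()
        self.chain = [genesis]

    def add_block(self, timestamp: str, claims: list) -> Block:
        prev = self.chain[-1]
        block = Block(prev.index + 1, timestamp, prev.block_hash, claims)
        block.block_hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self):
        """Return the index of the first inconsistent block, or None."""
        for i, block in enumerate(self.chain):
            if block.block_hash != block.compute_hash():
                return i  # contents changed after the block was sealed
            if i > 0 and block.prev_hash != self.chain[i - 1].block_hash:
                return i  # link to the predecessor no longer matches
        return None

    def duplicate_claims(self) -> dict:
        """Incidents claimed more than once, keyed by incident fingerprint."""
        by_incident = {}
        for block in self.chain:
            for claim in block.claims:
                by_incident.setdefault(claim["incident"], []).append(claim)
        return {k: v for k, v in by_incident.items() if len(v) > 1}


def build_sample_ledger() -> ClaimsLedger:
    """Constructed sample data: three claims from three fictional insurers."""
    ledger = ClaimsLedger()
    ledger.add_block("2024-03-04T09:00:00Z", [
        {"insurer": "Insurer A", "policy": "A-1001", "amount": 4200,
         "incident": incident_key("AB12 CDE", "2024-03-02")},
        {"insurer": "Insurer C", "policy": "C-7700", "amount": 950,
         "incident": incident_key("XY34 ZZZ", "2024-03-03")},
    ])
    ledger.add_block("2024-03-05T14:30:00Z", [
        {"insurer": "Insurer B", "policy": "B-2002", "amount": 3900,
         "incident": incident_key("ab12cde", "2024-03-02")},
    ])
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify() is None)
    for key, claims in ledger.duplicate_claims().items():
        print("same incident claimed with:", [c["insurer"] for c in claims])
    # Simulate one node altering a sealed claim, then recomputing that
    # block's hash: the next block's stored link still exposes the change.
    ledger.chain[1].claims[0]["amount"] = 1
    print("after edit, first bad block:", ledger.verify())
    ledger.chain[1].block_hash = ledger.chain[1].compute_hash()
    print("after re-hash, first bad block:", ledger.verify())
```

Because every block stores its predecessor's hash, altering a recorded claim means recomputing every later block as well, and in a distributed ledger the other nodes' copies would still disagree with the altered one.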
The detail of the technology behind blockchains is not the subject of this chapter, and
it is sufficient to note that there are a variety of different blockchain technologies—some
providing a publicly available platform, others a bespoke private platform. The levels of
technological sophistication and complexity in large part turn on the intended use. There
are two main types of blockchain systems:

• Public (think of Ethereum5 and Bitcoin);


• Private (or permissioned), in which only certain parties can participate.

The differences are discussed in more detail below. Broadly, within public blockchain,
some run a consensus mechanism of proof of work (the use of complex cryptography to
validate user access by private and public keys) and some on proof of stake (essentially run
on the premise that users of a system are incentivised to act for the greater good and with
penalties in place for bad actors).
By enabling trust between contracting parties, the technology has the disruptive potential to herald a flourishing new pattern of commercial behaviour and relationships. It is this “disintermediation”6 that has some referring to DLT as the most disruptive invention since the internet. Hyperbole or not, the potential of blockchain and the associated platforms may be realised by the internet and in particular the Internet of Things (IoT).7

5 https://ethereum.org/en/.
6 Disintermediation—the process of reducing the use of or need for intermediaries. In this context, it refers to the reduced need for trusted third party intermediaries to validate and facilitate transactions, especially in the finance industry. See, for example, www.investopedia.com/terms/d/disintermediation.asp.

The emergence of the cryptocurrency “Bitcoin”8 and “Blockchain,”9 the key technological innovation that facilitates its usage, has had, and will continue to have, a significant impact on financial and commercial markets worldwide. The focus of much of the literature and reporting is upon Bitcoin and other cryptocurrencies, and this is not surprising given well-publicised examples of extreme price volatility,10 assertions of Ponzi or fraudulent investment schemes11 and multi-million-dollar hacks.12 Furthermore, Trevor Kiviat13 makes the valid observation that the facts, reading as they do like a science fiction novel, encourage sensationalism:
A pseudonymous inventor releases a cryptographic technology that incentivizes armies of
supercomputers to mine digital assets that can be traded for real world goods and services.14

The market turmoil at the end of 2022 has seen a more rigorous and sceptical approach to the cryptocurrency sector, which promises to herald new and more stringent regulation.15 This is likely in the long term to be positive, helping to promote standardisation and transparency into often opaque exchange and platform providers.
This chapter is concerned not with cryptocurrencies per se, but rather with the potential the underlying technology affords for transactional improvements, cost savings and innovation within the insurance industry and within an existing legal framework.
As is explained in a European Banking Institute Working Paper:16
Rather than relying on the hub-and-spokes model of centralised ledgers, in distributed ledgers many data storage points (nodes) are all connected with each other, and store data simultaneously, and together constitute the common ledger. DLT requires consensus of those nodes rather than just the confirmation by one hierarchically structured storage device, as with a centralised ledger…. Blockchain refers to how data are stored on the ledger. Rather than being stored individually, data are stored in a block bundled with other data. The block serves as a container of multiple data points, and all blocks are stored in a specific order (the “chain”).

It is not surprising that “blockchain” or “blockchain technology” are the descriptors most commonly deployed in the literature to describe the more general area of DLT. Indeed, much of the literature in this area focuses on Bitcoin and other cryptocurrencies as opposed to blockchain, which is the Bitcoin platform’s key technological innovation.
DLT, blockchain and blockchain technology are each variously described as more than a “buzzword,”17 “the greatest revolution since the advent of the internet”18 and the “hottest topic in the rapidly changing world of Fintech.”19 This chapter examines from a legal perspective the opportunities and challenges for the insurance industry in embracing, adapting and refining DLT.

7 The term IoT, or Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves; AWS, “What is IoT?” https://aws.amazon.com/what-is/iot/.
8 Definitions (n 2).
9 Definitions (n 2) and discussion below.
10 See for example, “5 things you need to know about bitcoin volatility,” Stake, www.cryptocompare.com/.
11 See, for example, Matt O’Brien, “Bitcoin isn’t the future of money—it’s either a Ponzi scheme or a pyramid scheme,” Washington Post WonkBlog, 8 June 2015, www.washingtonpost.com/blogs/wonkblog/wp/2015/06/08/bitcoin-isnt-the-future-of-money-its-either-a-ponzi-scheme-or-a-pyramid-scheme.
12 See, for example, Amir Mizroch, “Large Bitcoin Exchange Halts Trading After Hack,” Wall Street Journal: Digits Blog, 6 January 2015, http://blogs.wsj.com/digits/2015/01/06/large-bitcoin-exchange-halts-trading-after-hack.
13 Trevor Kiviat, “Beyond Bitcoin: Issues in Regulating Blockchain Transactions,” (2015) 65 Duke Law Journal 569 (hereafter Kiviat).
14 Ibid.
15 Aditya Narain and Marina Moretti, “Regulating Crypto,” International Monetary Fund, www.imf.org/en/Publications/fandd/issues/2022/09/Regulating-crypto-Narain-Moretti.
16 Dirk A. Zetzsche, Ross P. Buckley and Douglas W. Arner, “The Distributed Liability of Distributed Ledgers: Legal Risks of Blockchain,” European Banking Institute Working Paper Series 2017, number 14, 15 August 2017 (hereafter Zetzsche, Buckley and Arner).

What is a smart contract?


A smart contract is a computer program or a transaction protocol that is intended to auto-
matically execute, control or document events and actions according to the terms of a
contract or an agreement.
It is a self-executing contract with the terms of the agreement between buyer and seller
being directly written into lines of code. The code and the agreements contained therein
exist across a distributed, decentralised blockchain network. The code controls the execu-
tion, and transactions are trackable and irreversible.
Smart contracts permit trusted transactions and agreements to be carried out among
disparate, anonymous parties without the need for a central authority, legal system or
external enforcement mechanism.20
There is no consistent or agreed lexicon of terms in this area, which continues to con-
tribute to both uncertainty and a certain mystique.
For example, some market participants draw a distinction between (a) simple “smart
contracts” being the decentralised applications that operate using blockchain, which are
essentially coded instructions within a system and need not have any wider functionality
or status as a contract; and (b) “smart legal contracts” which do not necessarily need to
use blockchain “smart contracts” to automate or otherwise digitise their operations. In
appropriate circumstances, smart legal contracts may be enhanced by using blockchain
technologies. For example, data about the performance and operations of a contract may
be on a shared and tamper-resistant blockchain network. In addition, the computation that
automates compliance with the terms of a contract may be run on a blockchain to enhance
visibility and trust. These varying implementations can be accomplished from a single
template without redrafting, demonstrating the importance of a universal specification.
Given the absence of an agreed or common lexicon, it is difficult to discuss the application
of such terms in a broad sense. For the balance of this chapter, we use the phrase
smart contract to describe the automated mechanism by which a DLT or blockchain system
communicates within itself and to its participant members. Given the scope of this
chapter, it is not helpful or necessary to draw any distinction between categories (if such
exist) of smart contracts, or their legal status.

17 Bernard Marr, “Blockchain implications every insurance company needs to consider now,” Forbes, 31
October 2017, www.forbes.com/sites/bernardmarr/2017/10/31.
18 “Blockchain Technology,” National Association of Insurance Commissioners,
www.naic.org/cipr_topics/topic_blockchain.htm.
19 IBM Global Business Services, Point of View, “Blockchain: Emerging Use Cases for Insurance” May
2017, (hereafter IBM Emerging Use 2017).
20 See, for example, IBM, “Smart contracts defined,” www.ibm.com/au-en/topics/smart-contracts.


Public v private blockchains


There are multiple variations of blockchain, or DLT. These range from the “pure” fully
decentralised Ethereum and Bitcoin-based blockchains to various types of private and
permissioned systems, a distinction which turns on the accessibility of membership and
data, as well as the mechanism used to verify transactions and obtain consensus. At one
end of the spectrum, fully decentralised networks are akin to a public park, which is
publicly accessible; at the other, private networks are akin to a private gated park open
only to residents, where information might not even be shared within the entire park but
only on a need-to-know basis. The applicable use case
will determine which type of network is most appropriate to any particular project.
Information stored on public or permissionless networks is visible to all participants
in an encrypted format, albeit the publicly available information can be limited and sen-
sitive data encrypted (see the discussion below). Such networks rely on participants to
verify transactions and record data on the network, based on a selected consensus proto-
col referred to as “proof of work,” which rewards participators with tokens in exchange
for completing computationally complex tasks through a process known as “mining.”21
Participators in the Bitcoin verification process are referred to as “miners.” Other
consensus-based protocols that are available for both public and private blockchains include
“proof of stake,” which involves “validators” who take a stake in the system and receive
transaction fees in direct proportion to their stake by validating blocks. While “proof of
work” requires high computational power and expends large amounts of energy, “proof
of stake” does not.
By contrast, private or permissioned networks restrict the level of data access and trans-
action rights to participants, which is made possible through the operation of “trusted”
nodes or system administrators that control access and rights onto the network. As with
public blockchains, transactions can be verified using any one of the many consensus
protocols available. Typically, they opt for mechanisms that don’t require incentives for
participants, such as “proof of authority,” which uses identity as the sole verification of the
authority to validate and does not require mining.
A disadvantage of public blockchains is that sensitive data has to be encrypted to ensure
privacy. However, encrypted data cannot readily be used by smart contracts, so flexibility
is limited. Within a private blockchain, this does not present an issue insofar as partici-
pants consent to their data being shared and accessed by other members in the network. In
addition, private blockchains are able to maintain data confidentiality, which also allows
them to comply with regulations, something that is not possible under the conditions of
complete anonymity of open networks.
While it is possible to imagine a public blockchain in the insurance sector, for instance,
to process payments between an insurer and reinsurer, it is likely that this will present
issues related to data confidentiality. For this reason, private blockchains are more suitable
for most commercial sectors including insurance. However, once there is a more
standardised public blockchain infrastructure and regulations are suitably updated, public
blockchains have a number of advantages over private blockchains in this respect: They
are not only considered to be more secure but also encourage greater user participation,
innovation and throughput.

21 “Mining” in public blockchains such as bitcoin is part of the consensus protocol referred to as “Proof
of Work.” Mining is the process by which transactions are added to the large distributed public ledger. It is
itself connected to the incentive given to “miners” in exchange for the energy spent validating transactions and
enhancing stability, security and safety on the network. See Roshan Raj, “What exactly is Blockchain mining?”
https://intellipaat.com/blog/tutorial/blockchain-tutorial/what-is-bitcoin-mining/.

It may well also be the case that as interoperability between systems and networks
improves, this debate between public and private blockchain infrastructure will become
somewhat anachronistic, with (from the user perspective) a smooth transition between
different systems akin to the use of mobile data and telephony.22
In terms of practical implementation, successful blockchain projects are gradual and
start by leveraging process efficiencies in existing business models. Accordingly, it may
be more appropriate to utilise private or semi-private blockchains, which are closer to rela-
tional databases currently in use in large companies, to start pilot testing the application
and viability of specific use cases.

Blockchain and insurance—potential uses and advantages


The phrase “insurance market” is used, cognisant of the inadequacy of such a constrained
description to cover the variety of personal lines and commercial insurances. However,
there is a consistency of risk transfer throughout these sectors and types of cover. The
nature of risk transfer is dependent upon the identification of and agreement as to the
insured interest and the perils such an interest faces, alongside the parameters of the risk
which is transferred.
Thus, at the heart of all insurance is a need for clarity of communication prior to and
after the happening of an insured event or loss.
The use cases and advantages of DLT and blockchain for the insurance market can be
grouped into three broad categories.

• First, those more prosaic initiatives designed to improve efficiency, lower the
costs of transaction processing and improve data quality and transparency;
• Second, fraud detection, risk prevention and “smart” contracting are at the fore-
front of several collaborative efforts undertaken within the industry or in con-
junction with major external technology entities; and
• Third, and most interesting, the development of new markets and tools for risk
management and sharing.

Efficiency
The category of efficiency benefits can of itself be broken down into different types. There
are those areas that are common to different sectors across financial services and those
that relate to some of the unique or defining features of the insurance market.

22 For a detailed consideration of the characteristics of private versus public blockchains, see, “Study
on the application of Blockchain and Smart Contracts in emerging energy markets,” September 2021,
prepared by Clyde & Co LLP (Lee Bacon and George Bazinas) with the assistance of the European Bank for
Reconstruction and Development (Vesselina Haralampieva and Luciia Baumann),
www.ebrd.com/documents/legal-reform/blockchain-report.pdf.


As PwC observe,23 in the insurance and banking industries and the public sector, the
requirement to compile documentation on customers and stakeholders (“Know Your
Customer,” or KYC) is a costly, time-consuming process which could well be transformed
by DLT. Instead of documentation being compiled for a given customer by each organisa-
tion, blockchain technology would facilitate the pooling of processes through a shared,
encrypted database. A prototype KYC database developed jointly by PwC and Z/Gen
contemplates the storage and encryption of verified customer data as well as any changes
made, such as marriage, with the customer given an individual encryption key which s/he
chooses whether to make available to the relevant financial institution.24
Blockchain technology in this context does have the potential to reduce costs by
decreasing the need for personnel focused on KYC tasks, shortening processing time and
therefore improving the customer experience.
The use of “smart contracts” in underwriting and claims management processes is
another important innovation in the blockchain environment.
This latter aspect has particular relevance for the subscription insurance markets—
in which a particular risk or set of risks is shared between different insurers in agreed
shares. Currently, this market operates predominantly with manual processes alongside
electronic market systems. Significant cost is incurred in reconciliation between layers
and with a “lead” underwriter having to be established with responsibility for such tasks.
Similar considerations apply in the reinsurance space, which exists to share risks within
the broader insurance market, and again requires significant effort in back-office func-
tions. Having a DLT or blockchain-driven solution that allows information to be verified
a single time and then trusted by all participants in the risk value chain could generate
significant efficiency savings and reduce the risk of errors.

23 PwC, “Blockchain, a catalyst for new approaches in insurance,”
www.pwc.com/gx/en/industries/financial-services/publications/blockchain-a-catalyst.html (hereafter PwC Blockchain).
24 As an example of savings potentially available, Goldman Sachs, “Blockchain—putting theory into
practice,” www.goldmansachs.com/, which estimates that consistent, coordinated use of blockchain technology
in banking could save the industry between US $3 billion and US $5 billion a year in KYC and
anti-money laundering costs; McKinsey and Company, “Blockchain in Insurance—Opportunity or Threat?” 1 July
2016, www.mckinsey.com/industries/financial-services/our-insights/blockchain-in-insurance-opportunity-or-threat,
(hereafter McKinsey 2016), see p 3; McKinsey cites the example of Tradle, a start-up working on KYC
data whereby the customer grants a company access to pre-verified identity data when necessary for contract
closure.

Fraud protection
Fraud costs the insurance industry a huge amount of money. As insurers pour time and
money into know-your-customer checks and other compliance, blockchain holds significant
promise for near-immediate ID verification and fraud prevention, though the precise
method of achieving this with blockchain is still being debated.
The endemic nature of fraud in insurance claims is well documented with its economic
impact felt worldwide. For example, the Federal Bureau of Investigation (FBI) estimates
that the total cost of insurance fraud in the USA is more than US $40 billion per year,
costing the average family between $400 and $700 per annum in the form of increased
premiums.25 Similarly, in the United Kingdom, financial losses attributed to insurance
fraud are very significant. The Insurance Fraud Taskforce26 reported as follows in 2016:
Insurance fraud is a serious issue, which has been estimated to cost policyholders up to
50 pounds each per year, and the country more than 3 billion pounds. The costs of fraudulent
claims are passed on to customers, pushing up the prices of essential products, such as motor
and home insurance, with consequences for everyone through an increased cost of living, and
valuable public resources, such as those in our National Health Service and in the courts, are
spent on dealing with fraudulent cases. Insurance fraud is also a source of funds for organised
crime. It is socially corrosive, with opportunistic fraud often undertaken by otherwise honest
individuals.

The position in Australia is very similar with the current estimate being that insurance
fraud costs more than AUD $2 billion annually, the cost of which is a significant compo-
nent of today’s insurance premiums paid by individual policyholders.27
Ernst & Young28 are confident that DLT can have a major impact on fraud detection and
risk prevention. They argue:
Thanks to its ability to provide a public ledger across multiple untrusted parties, blockchain
has the potential to eliminate errors and detect fraudulent activity. A decentralised digital
repository can independently verify the authenticity of customers, policies and transactions
(such as claims) by providing a complete historical record. As such insurers would be able to
identify duplicate transactions and those involving suspicious parties.

Examples of start-up initiatives directed at combatting fraud utilising DLT or blockchain
technology are Everledger and Blockverify. The former, as noted in Chapter 3, uses a
blockchain to create a global registry of precious stones recording 40 characteristics of
every stone recorded (cut, colour, clarity, etc.) that represent 40 metadata components
that are then used to create a unique serial number. This number is then laser engraved
on the stone and added to the relevant blockchain, making it difficult for sellers to dispose
of stones if they cannot provide encrypted proof of ownership of the specific stone. This
technology is essentially sector agnostic and is being applied to a variety of different
products including, for example, the nascent ‘farm to fork sector’ involving the tracing of
specific food products such as organic chickens and beef cows at every stage of the food
supply chain process.
Similarly, Blockverify labels goods such as electronics, pharmaceuticals and luxury
items storing the history and supply chain in the blockchain; users are allowed to check
for counterfeit products, diverted or stolen goods, and fraudulent transactions.29 These
initiatives, by creating global, tamper-proof registries, are directed at the authenticity,
ownership and provenance of goods.

25 See FBI, Insurance Fraud, www.fbi.gov/stats-services/publications/insurance-fraud.
26 HM Treasury, “Insurance Fraud Taskforce: Final Report,” January 2016, foreword by Harriett Baldwin
MP, Economic Secretary to the Treasury, and Lord Faulks QC, Minister of State for Civil Justice (hereafter
Insurance Fraud Taskforce). See also Versloot Dredging BV v HDI Gerling Industrie Versicherung AG [2016]
UKSC 45 at [56], per Lord Hughes.
27 Insurance Fraud Bureau of Australia, www.ifbaintelligence.com/.
28 Ernst & Young, “Blockchain in Insurance: applications and pursuing a path to adoption,”
www.ey.com/Publication/vwLUAssets/EY-blockhain-in-insurance/$FILE/EY-blockhain-in-insurance.pdf
(hereafter Ernst & Young, Applications).
29 McKinsey 2016 (n 24) 5.


Another area already strongly on the radar for blockchain development is health care.
Health insurers and regulators in the United States view blockchain as a powerful tool for
combatting Medicare fraud, and individual insurers and the industry as a whole have been
urged to work proactively with broader healthcare consortiums to facilitate the develop-
ment of blockchain-enabled interoperable data repositories.30
The development of such a distributed ledger would, of course, require extensive coop-
eration between insurers and would have to navigate privacy and other data regulatory
constraints. However, regulators are keenly aware of the dual imperatives to improve the
data available in fraud databases and to extend data sharing between the insurance sector
and regulatory bodies as practical measures to combat fraud.31
Of more general utility would be a distributed ledger for a network of insurers hold-
ing a combination of external and customer data. This would allow insurers to more
effectively detect common fraud such as falsified injury or damage reports, and DLT
in this context would enable insurers to validate the authenticity of policy records;
check the time and date of the policy purchase or issuance; cross-reference customer
records with past policy claims, police reports and known identities to help detect
potential patterns of fraudulent activity; confirm the transfer of policy ownership or
track other changes; and identify duplicate or multiple claims, as any claim raised
would be shared in the network and verified by the participating insurers.32 As noted
above, one obvious example where such a ledger would counter fraud would be in
relation to “crash for cash” frauds where drivers deliberately stage or cause a motor
vehicle accident, and claims are then made by the various participants in this fraudu-
lent activity. Where these claims are made against multiple policies held by different
insurers, it is obviously much more difficult to detect fraud unless cross-industry data
is shared, and this data is also augmented by other sources—such as law enforcement
and traffic records.33
One suggested model involves storing personal identification data on a blockchain con-
trolled by a trusted body such as a government. The verification process would be under-
taken in its normal fashion only once. Individuals can then elect to share some or all of
that verified data with companies—such as insurers—when the company needs to iden-
tify the customer. The same blockchain-stored information could be shared with anyone
the user wishes, for example, a bank or law firm. While this model seems workable, it does
not achieve the disintermediation which blockchain was partially designed for, nor does it
provide customisation for the insurance industry.
An alternative model that addresses both shortcomings is the notion of a shared
insurance-industry blockchain, perhaps broker-led, that stores indisputable, detailed records
of insureds as well as their policies, insured risks and claims. Where an insured takes out
its first policy with an insurer, the usual verification process can take place, but rather
than storing that information on a centralised server that only the insurer may access (and
which may be amended), the information is stored on a shared, industry-wide blockchain.

30 Ernst & Young, Applications (n 28); “Blockchain applications in insurance,” Deloitte US, 2016
(hereafter Deloitte 2016).
31 See, for example, Insurance Fraud Taskforce (n 26).
32 See Cubeform (n 4).
33 Deloitte 2016 (n 31).


While such an approach would give rise to data protection and regulatory concerns, these
need not be insurmountable.

• The insured would need only to verify themselves once and subsequently can
simply provide a reference to their already verified ID on the blockchain. We are
already at the point where such a reference may be biometric; voice recognition,
for example, is already considered accurate enough to be used by Australian
governmental departments for identity verification over the phone;
• For the insurer, in addition to saving time and money, there is the added benefit
of having a complete and reliable record of the insured’s claims history. It would
be evident on the shared blockchain if a fraudulent insured sought to claim more
than once for the same loss. The relevant insurers would then be alerted to the
attempted fraud. Similarly, if a valuable artwork (the details of which would also
be on the blockchain) was insured under two separate policies, a claim under one
would be recorded on the claimant’s file and alert insurers of any second claim
on that same artwork. Such a system could virtually eliminate many types of
common insurance fraud.
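
The shared-ledger checks described above (a second claim for the same loss, one asset insured under two policies, a record that cannot be quietly amended) can be sketched as follows. This is an added example, not code from the book or from any insurer's system: the class, field names and sample policies are constructed, and a single in-memory hash chain stands in for a permissioned network with consensus.

```python
import hashlib
import json

GENESIS = "0" * 64


def _sha(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _block_hash(index: int, prev: str, record: dict) -> str:
    # Canonical JSON so every participant derives the same digest.
    return _sha(json.dumps([index, prev, record], sort_keys=True))


def asset_key(asset_id: str) -> str:
    """Pseudonymous identifier: insurers match on the hash, not the raw ID."""
    return _sha("asset|" + asset_id.strip().upper())


class SharedClaimsLedger:
    """Append-only, hash-chained record of policies and claims (constructed model)."""

    def __init__(self):
        self.blocks = []

    def _append(self, record: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        block = {"index": index, "prev": prev, "record": record,
                 "hash": _block_hash(index, prev, record)}
        self.blocks.append(block)
        return block

    def _records(self, kind: str, key: str) -> list:
        return [b["record"] for b in self.blocks
                if b["record"]["type"] == kind and b["record"]["asset"] == key]

    def register_policy(self, insurer: str, policy_id: str, asset_id: str) -> list:
        """Record a policy; return other insurers already covering the same asset."""
        key = asset_key(asset_id)
        others = sorted({r["insurer"] for r in self._records("policy", key)
                         if r["insurer"] != insurer})
        self._append({"type": "policy", "insurer": insurer,
                      "policy": policy_id, "asset": key})
        return others

    def file_claim(self, insurer, policy_id, asset_id, loss_date, amount) -> list:
        """Record a claim; return alerts for earlier claims on the same asset."""
        key = asset_key(asset_id)
        alerts = []
        for r in self._records("claim", key):
            reason = "same_loss" if r["loss_date"] == loss_date else "prior_claim_on_asset"
            alerts.append({"reason": reason, "insurer": r["insurer"],
                           "policy": r["policy"]})
        self._append({"type": "claim", "insurer": insurer, "policy": policy_id,
                      "asset": key, "loss_date": loss_date, "amount": amount,
                      "flagged": bool(alerts)})
        return alerts

    def first_invalid_block(self) -> int:
        """Recompute the chain; return the index of the first bad block, or -1."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            expected = _block_hash(b["index"], b["prev"], b["record"])
            if b["index"] != i or b["prev"] != prev or b["hash"] != expected:
                return i
            prev = b["hash"]
        return -1


def demo() -> dict:
    # Constructed sample data: one artwork insured with two insurers.
    ledger = SharedClaimsLedger()
    ledger.register_policy("InsurerA", "A-1001", "artwork-0042")
    overlap = ledger.register_policy("InsurerB", "B-2002", "ARTWORK-0042 ")
    first = ledger.file_claim("InsurerA", "A-1001", "artwork-0042", "2023-03-14", 250000)
    second = ledger.file_claim("InsurerB", "B-2002", "artwork-0042", "2023-03-14", 250000)
    intact = ledger.first_invalid_block()
    # A participant rewriting an earlier claim breaks the stored hash.
    ledger.blocks[2]["record"]["amount"] = 1
    return {"overlap": overlap, "first": first, "second": second,
            "intact": intact, "after_tamper": ledger.first_invalid_block()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain makes an edit evident only to parties that hold an independent copy of the ledger, and it does nothing to establish that the data entered was true in the first place.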

New markets and tools


Largely as a by-product of the first two factors identified, increased efficiency and
protection against fraud, blockchain technology can also facilitate the use of new
markets and underwriting tools. In particular, speed of processing, and the
disintermediation of referencing and verification of data by automated and
pre-programmed smart contracts, mean that risks which were previously too small
or too cumbersome now become commercially viable. This is particularly the case
in transactions where there is a large volume of risks and where the insured obtains
value from fast payment.
Three tangible examples will serve to illustrate the scope and potential for smart con-
tracting and smart contracts utilising blockchain technology, and at contrasting ends of
the value chain.
1. Catastrophe swap and catastrophe bonds
By utilising blockchain technology, traditional processing and settlement between
insurers and others, such as investors, in the area of natural catastrophe insurance
may be accelerated and simplified by reducing or eliminating human input. PwC34
cites the smart contracting arrangements adopted by Allianz since June 2016 in their
natural catastrophe swap, whereby automatic execution of all catastrophe insurance
contracts occurs when predefined conditions are satisfied: the event is declared
as a natural catastrophe, and the location of the insured event corresponds to
the region recorded as having suffered a natural catastrophe. PwC states that the aim
was “to avoid a repeat of Storm Xynthia (February 2010), when most victims were no
longer in possession of documents needed to submit their claims and had to wait over
a year to receive their insurance payout.” 35

34 PwC Blockchain (n 23) 25.

As IBM36 explains:
By replacing human interventions which are currently embedded throughout the entire
risk transfer process, frictional delays and risks of human error are completely removed…
Blockchain, enables a single version of the truth (a ledger, copies of which are held by par-
ticipants in a network) that has the potential to make multiple types of financial transactions
more efficient and lower costs.

What this means in practice is that a marketplace of real-time risk transfer based on
objective and pre-assessed metrics can become viable, and a number of projects are
underway which will enable fractional shares of such risks to be traded.
2. Flight insurance
Various start-ups37 have successfully launched P2P flight insurance policies built on a
blockchain with smart contracts. These smart contracts initiate pay-outs for insured flight
tickets when cancellations or delays are reported from verified flight data sources (via so-
called “oracles” for making external sources usable for smart contracts in the blockchain).
This automated payout process addresses the problem whereby passengers holding
travel or flight insurance policies did not claim on their cover, as the claims process requir-
ing the filing of all the information and evidence was cumbersome and time-consuming.38
These flight insurance smart contracts seek to cut away the claim notification step by the
insured and process the claim automatically by verifying facts from external parties.39
3. Weather risks
By leveraging parametric policies,40 smart contracts can automate both the performance
and payment element of a contractual agreement by reference to an external set of dynamic
or live conditions, such as the fluctuation of the market price of goods, the exchange rate
or even the weather. The appropriate weather condition can be imputed as a component
in the contract terms, and the smart contract can then be added to the blockchain. Upon
the occurrence of the event, which is verified by an external third-party data source (or
“oracle”), the smart contract can then automatically self-execute and direct payment or
contractual performance to be carried out in accordance with the terms and conditions.41
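
The oracle-triggered payout common to the three examples above, sketched for flight delay. This is an added example, not code from Etherisc, Allianz or any other party named in this chapter: the HMAC key shared with the oracle, the 120-minute threshold and the sample policies and reports are assumptions standing in for a real oracle's signature scheme and real policy terms.

```python
import hashlib
import hmac
import json

ORACLE_KEY = b"constructed-demo-key"  # assumption: secret shared with the oracle
DELAY_THRESHOLD_MIN = 120             # assumption: policy term, not from the page


def sign_report(report: dict, key: bytes = ORACLE_KEY) -> str:
    """Oracle side: authenticate the canonical JSON form of a report."""
    msg = json.dumps(report, sort_keys=True).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class FlightDelayContract:
    """Pays each matching policy once when a verified report meets the trigger."""

    def __init__(self, policies: dict):
        self.policies = policies   # policy_id -> {"flight", "date", "payout"}
        self.paid = {}             # policy_id -> amount already paid
        self.log = []              # (policy_id or None, outcome) audit trail

    def _triggered(self, report: dict) -> bool:
        if report.get("status") == "cancelled":
            return True
        delay = report.get("delay_minutes")
        return (report.get("status") == "delayed" and isinstance(delay, int)
                and delay >= DELAY_THRESHOLD_MIN)

    def on_oracle_report(self, report: dict, signature: str) -> list:
        """Return the [(policy_id, amount)] payouts triggered by this report."""
        # 1. Only act on data the trusted oracle actually produced.
        if not hmac.compare_digest(sign_report(report), signature):
            self.log.append((None, "rejected_bad_signature"))
            return []
        payouts = []
        for pid in sorted(self.policies):
            policy = self.policies[pid]
            # 2. The reported event must match the insured flight and date.
            if (policy["flight"], policy["date"]) != (report.get("flight"),
                                                      report.get("date")):
                continue
            # 3. The predefined condition must be met.
            if not self._triggered(report):
                self.log.append((pid, "no_trigger"))
            # 4. Idempotence: a replayed report must not pay twice.
            elif pid in self.paid:
                self.log.append((pid, "already_paid"))
            else:
                self.paid[pid] = policy["payout"]
                self.log.append((pid, "paid"))
                payouts.append((pid, policy["payout"]))
        return payouts


def demo() -> dict:
    # Constructed policies and oracle reports.
    contract = FlightDelayContract({
        "P1": {"flight": "XY123", "date": "2024-05-01", "payout": 150},
        "P2": {"flight": "XY123", "date": "2024-05-01", "payout": 200},
        "P3": {"flight": "XY456", "date": "2024-05-01", "payout": 150},
    })
    short = {"flight": "XY123", "date": "2024-05-01",
             "status": "delayed", "delay_minutes": 45}
    long_delay = dict(short, delay_minutes=180)
    sig_long = sign_report(long_delay)
    altered = dict(short, delay_minutes=500)  # edited after the oracle signed `short`
    return {
        "altered": contract.on_oracle_report(altered, sign_report(short)),
        "short": contract.on_oracle_report(short, sign_report(short)),
        "long": contract.on_oracle_report(long_delay, sig_long),
        "replay": contract.on_oracle_report(long_delay, sig_long),
        "paid": dict(contract.paid),
        "log": list(contract.log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signature check establishes only that the report came from the oracle; whether the oracle's data is correct remains a trust question outside the contract.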

35 PwC Blockchain (n 23) 25.
36 IBM Emerging Use 2017 (n 19).
37 Etherisc (winner of the “blockchain” Oscar for most innovative blockchain start-up as part of
BlockshowEurope 2017) described by the Burnie Group, “3 Blockchain-based use cases changing the future
of insurance” www.burniegroup.com/3-blockchain-cases-changing-the-future-of-insurance/, at p 3; and
InsureETH referenced by McKinsey and Company, “Blockchain in Insurance—Opportunity or Threat?” July
2016 www.mckinsey.com, at p 4.
38 See Chapter 4, “Embedded Insurance.”
39 IBM Emerging Use 2017 (n 19) 8.
40 Generally, see Chapter 6 Parametric Insurance.
41 For example, Clyde & Co has built a smart contract for use in the renewable energy sector and which can
provide a hedge to fluctuations in solar or wind generation. The technology start-up EHAB, https://ehab.co/ has
built a not dissimilar platform for the management of weather risk in multi-party construction contracts and
which has the clear scope for an insurance layer to be added.


Numerous examples of actual or prospective smart contracts underpinned and supported
by DLT or blockchain may be cited. Willis Towers Watson42 cites the obvious applications
of this technology in the marine insurance environment where the standardisation
of policy language, customs and practices could facilitate automation in the purchasing
process and in claims adjusting and payment.
Blockchain technology may also be combined with IoT devices for process automation
purposes for claim reporting, handling and payment, reducing administrative and opera-
tional costs. It is foreshadowed that cars, electronic devices or home appliances could have
their own insurance policies registered and administered by smart contracts in a block-
chain network, automatically detecting damage and then triggering the repair process, as
well as claims and payments.43
It is beyond the scope of this chapter to fully canvass the complete range of develop-
ments and initiatives driven by the emerging blockchain technology within the insurance
industry. It is clear from the burgeoning literature describing this innovation that there
are real opportunities to improve efficiency, lower the costs of transaction processing,
enhance customer satisfaction and improve data quality and transparency. These oppor-
tunities are not without their corresponding challenges and risks, technological, legal and
otherwise.
As Kevin Werbach and Nicolas Cornell44 comment:
The reaction to these new possibilities runs the gamut, from gleeful triumph to killjoy scepti-
cism. Supporters claim smart contracts will obviate the need for contract law, revolutionize
business arrangements and restructure property ownership. Sceptics see the blockchain foun-
dation as little more than a Ponzi scheme…. Upon inspection, the story is complex. Smart
contracts may or may not transform the world, but they provide real benefits and seem likely
to enjoy significant adoption over time. They represent the mature end of the evolution of
electronic agreements over several decades.45

As a final thought in this section, while the use of distributed ledger and blockchain tech-
nology is still largely in its infancy, or perhaps in the first phase of development and
application, such steps are in themselves beginning to create new business models. For
example, Nexus Mutual provides risk transfer protection against smart contract failure
and exchange hacks. Built on a mutual model, the model is to seek to share the risk of
the technology itself, or more accurately the application of the technology, not meeting
expectations.46
There are also a variety of initiatives to provide cover for cryptocurrency and exchange
risks. As an interesting dynamic, these initiatives sit alongside and to some degree complement
efforts to restrict or constrain cover within existing insurance products (for example
Directors and Officers or Financial Institutions cover) from inadvertently providing cover
for crypto-related risks.

42 “Blockchain ledgers and smart contracts: the future of marine insurance?” www.willistowerswatson.com.
43 IBM Emerging Use 2017 (n 19) 8; see also Suzanne Barlyn, “AIG teams with IBM to use blockchain
for ‘smart’ insurance policy” Reuters, 15 June 2017, www.reuters.com.article/us-aig-blockchain-insurance/.
44 Kevin Werbach and Nicolas Cornell, “Contracts Ex Machina,” (2017) 67 Duke Law Journal 313, at p 317;
see also Kiviat (n 13) 573.
45 See also Harry Surden, “Computable Contracts,” (2012) 46 UC Davis Law Review 629.
46 See for example, Henry Gale, “Sharing risk through smart contracts: mutual protection against crypto
hacks,” 6 August 2021,
www.instech.co/insight/sharing-risk-through-smart-contracts-mutual-protection-against-crypto-hacks.

Possible future use cases


The concepts of smart contracts and decentralised autonomous organisations represent
two of the most exciting capabilities of blockchain technology—such code written into the
blockchain is said to hold enormous potential in both day-to-day life and on a larger scale.
As is common with the adoption of new technologies, the instinct is to seek to apply the
technology to existing models, when the real value is in the prospect of new models.
Imagine the automatic renewal of a motor vehicle policy at the start of a new coverage
period, with pricing based on a far more detailed driving record than mere age and driver
history. The IoT will (and already does) allow cars to transmit information to a blockchain.
Data could be collected in real-time on the number of miles you cover in a year, the aver-
age speed you drive at, the time of day you drive and the types of roads you drive on. Cars
with sensors will “talk” to each other (much in the way that driverless cars already do),
providing data on how close to other cars drivers remain. Insurers could know who drives
less, slower and on safer roads, and who keeps a greater distance from hazards. All of this
would allow policies to be priced accordingly. Leading up to the expiration of a policy,
renewal could occur entirely automatically via the execution of a smart contract. The con-
cept is not new, but the execution would be far more elegant.
To expand this very realisable scenario, and if the claims process could be automated
to some extent, a series of smart contracts entering into and paying out on insurance poli-
cies could operate on a blockchain as a decentralised organisation (although perhaps not
entirely autonomous for some time yet). The same communication streams which transmit
information about the car’s driving history could inform the decentralised organisation of
physical damage to the car. The car could sense and report a collision, or hail damage, and
the claim could be paid out accordingly without the need for human input to the claims
process. Admittedly, this would require individual parts of the car to be “smart” enough to
sense and report damage accurately. Alternatively, decentralised organisations (through
their human programmers) could elect trusted mechanics who could inspect the car and
log their quote onto the organisation’s blockchain, which would in turn automatically and
immediately release the appropriate funds to the insured.
The appropriate use of such technology could see the following benefits: improved
fraud detection; lower costs through disintermediation (P2P insurance); more accurate
underwriting (through data/IoT); more efficient claims handling; accurate agent
commissions; more accurate triggering of reinsurance (blockchain allowing synergy between
insurer/reinsurer); overall efficiency gains; and reduced risk of human error.

Concluding comments: Uses and advantages


McKinsey & Company47 identifies the biggest challenges to insurance industry-wide
implementation of DLT or blockchain as being “facilitating collaboration between market
participants and technology leaders, succeeding in operational transformation and
shaping a stimulating regulatory environment.”

47 McKinsey 2016 Opportunities (n 24) 7.

These views were echoed by insurers and reinsurers when launching their blockchain
initiative in 2016 entitled Blockchain Insurance Industry Initiative (B3i).48 Aegon, Allianz,
Munich Re, Swiss Re and Zurich49 agreed to cooperate on a pilot project, using anonymised
transaction information and anonymised quantitative data, in order to explore whether
blockchain technology could be used to develop standards and processes for industry-
wide usage and to catalyse efficiency gains in the insurance industry. This, it was hoped,
would be the forerunner to shared and transparent records of contract-related informa-
tion to facilitate DLT across the entire insurance industry value chain. Unfortunately,
however, B3i recently ceased operating, with executives citing lack of profitability and
the need for an end-to-end view. Christian Mumenthaler, Group Chief Executive Officer
(CEO) of Swiss Re, said that there could be a way to be successful, but in his view:
You would need all insurance companies to basically create smart contracts at the beginning,
at the origin. And then, based on that you could of course then construct a digital reinsurance
contract that can be traded afterwards. And then you have the full efficiency end-to-end, and
as claims come in, you would automatically pass them through to the reinsurer, for example.
So, that’s very visionary, but it would imply that all insurers have to switch all IT systems and
create smart contracts.50

Another recent example of collaboration, this time between an insurer and a major tech-
nology provider, is the establishment by AIG and IBM of a smart contract multi-national
policy for Standard Chartered Bank PLC.51 This arrangement establishes a master policy
in the United Kingdom but allows for local variations in the United States, Singapore and
Kenya that cater for varying rules, documentation and payment rules. The blockchain
technology deployed allows all parties to simultaneously share all data and documents
and is said to streamline complex international dealings. These initiatives are important
steps towards optimising DLT’s applications and uses.
By replacing or reducing human interventions which are currently embedded through
the entire risk transfer process, through DLT and associated smart contracts, there is
considerable potential for frictional delays and the risks of human error to be removed or
reduced, with a commensurate impact upon the speed, efficiency and cost of
processes. Dante Disparte52 observes that:
when we shine a light on the actual elemental levels of the risk transfer value chain—the
process in which insurance flows through origination, quoting, binding, policy issuance all
the way through to claims and renewals—it suffers from an enormous drag coefficient and a
troubling trust deficit.

48 “Insurers and reinsurers launch Blockchain initiative B3i,” Allianz SE, 19 October 2016,
www.allianz.com/en/press/news/commitment/sponsorship/161018-insurers-and-reinsurers-launch-blockchain-initiative-b3i.html#:.
49 Since launch date in October 2016, it was joined by another ten insurance and reinsurance companies.
Achmea, Ageas, Generali, Hannover Re, Liberty Mutual, RGA, SCOR, Sompo Japan Nipponkoa Insurance,
Tokio Marine Holdings and XL Catlin are the additional consortium members.
50 Luke Gallin, “B3i conceptually interesting, but required end-to-end view: Swiss Re execs,” 29 July
2022, www.reinsurancene.ws/b3i-conceptually-interesting-but-required-end-to-end-view-swiss-re-execs/.
51 Suzanne Barlyn, “AIG teams with IBM to use blockchain for ‘smart’ insurance policy,” Reuters, 15 June
2017, www.reuters.com/article/us-aig-blockchain-insurance-idUSKBN1953CD.
52 Dante Disparte, “Blockchain could make the insurance industry much more transparent” Harvard
Business Review, 12 July 2017, https://hbr.org/2017/07/blockchain-could-make-the-insurance-industry-much-more-transparent.

The use of DLT/blockchain in the insurance space remains nascent but has moved beyond
initial exploration and the first phase of use cases. There is now a recognition that the
benefits arise in market-wide, or risk-specific tools, which have a combination of multiple
players from different organisations, and where data from multiple and external sources
drives decision-making. If these factors are combined, the following benefits can be
leveraged:

• Increased efficiency (through data/oracles/overall efficiency and cost savings);
• Faster pay-outs (enabled by smart contracts, oracles and less arduous claims processes); and
• Reduced fraud risk.

If these factors are used at speed and scale, then the benefits are enhanced, and the
paradigm is one of developments in which these benefits themselves enable new use cases.

Challenges in the insurance world


Core risks that are inherent in the blockchain area include ledger transparency risk (trans-
parency brings with it data privacy and insider trading risks) and cyber risk (greater risk
of hacks due to IoT/data).53
In addition, there are several barriers to market adoption, which largely turn on a lack
of standardisation and the need for champions of innovation within certain sectors. Within
any competitive industry, genuine collaboration amongst peers is difficult to achieve.

Ledger transparency
DLT and blockchain promise immutable and shared ledgers, while the insurance market
has to balance this with longstanding commitments and obligations in respect of confiden-
tiality and anti-trust and competition law considerations.
Due to the consensus-based validation mechanisms and the continuous replications, as
well as the ever-growing amount of stored data, the scalability of blockchain technology
is a challenge. McKinsey & Company54 state that “(e)ven if there are newer implementations
of blockchain that have fewer performance restrictions, high speed/high volume
transactions, real-time data capture, and storage of large volumes of data are not the
intended domains of blockchain.” These cautionary words are perhaps carefully considered
by insurers as they contemplate areas such as the IoT and product development. Ernst
& Young55 refer to the auto or motor vehicle insurance market and invite consideration
as to “how encrypted data gathered about driving times and distances, acceleration and
braking patterns, and other behaviours can be used to identify high-risk drivers, validate
information included on applications and give customers more control over their premiums.”
Managing the sheer volume of data and logic is a challenge that on a cost-benefit
basis is likely to put a rational brake upon theoretical new product development options.

53 See, for example, Laila Metjahic, “Deconstructing the DAO: The need for legal recognition and the
application of Securities laws to decentralized organizations” (2018) Cardozo Law Review vol 39, 1533
http://cardozolawreview.com/wp-content/uploads/2018/07/METJAHIC.39.4.pdf (hereafter Metjahic).
54 McKinsey 2016 Opportunities (n 24) 6.
55 Ernst & Young, Applications (n 28).

Blockchain cyber risks


One of the inherent strengths of a DLT or blockchain system is that because the ledgers
are shared, and consensus is vital before any information is added, the ledgers themselves
are inherently secure. A “hack” of one ledger is not effective without each ledger being
hacked. However, other risks arise.
On 17 June 2016, US $150 million was siphoned from Ethereum’s first decentralised auton-
omous organisation (DAO).56 The affected DAO is simply (albeit confusingly) called “The
DAO,” a digital, autonomously run investment fund, which, like traditional mutual funds,
allows investors or “members” to purchase shares and enjoy returns based on its performance.
As part of the heist, the attacker shifted the ether to a “Child DAO,” a kind of subsidiary
of The DAO itself. Immediately following the attack, the ether remained in the Child DAO
and, in accordance with its programming, could not be used for 28 days from the date of the
attack. Members of Ethereum and the broader blockchain communities are emphasising that
the exploited vulnerability was in the coding of smart contracts within The DAO; the underly-
ing Ethereum platform (as well as blockchain technology) is, they say, faultless in the incident.
From a liability and insurance perspective, the incident demonstrates a real-life exam-
ple of the issues around this technology. Who bears the liability or risk for the loss in cases
like this? While the answer of course depends on explicit agreements between the parties
(captured in the smart contract or underlying traditional contracts), many have pointed out
that the legal status of DAOs is not clear.
Several other questions arise, including:

• Will programmers who write flawed code have to respond to negligence claims
brought by members of DAOs?
• Who can be insured against such liability? If insured, can insurers who pay out
relevant insureds bring a subrogated claim in negligence against those coders or
others?
• What is the true classification of an attacker’s conduct in such circumstances?
While embezzlement and misappropriation of funds are familiar crimes in traditional
company law, this analogous situation occurs in the unregulated realm of
smart contracts and DAOs.
• If liability could be determined with confidence, jurisdictional issues surface.
DAOs do not exist on one server within one jurisdiction; rather, as the name suggests,
they are decentralised and operate across many. So where would a claimant
commence an action against a particular DAO, and who, if anyone, would
represent it?
• What could the extent of their liability be?

56 Phil Daian, “Analysis of the DAO exploit” 18 June 2016,
https://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/.

Each question only seems to raise more issues. Some in the blockchain community will
argue that such a traditional analysis of liability and the law is misplaced and serves only
to subject the technology to the oversight of the very establishment they were formed in
response to. At any rate, if aspects of a case like this are litigated, courts may provide
some much-needed clarification and guidance on how we should view these entities and
their participants.
The attack also raises issues around the regulation of DAOs. If DAOs are to become
common investment vehicles, will they eventually be subject to regulation in the same
way as other financial products upon which livelihoods depend?57 While blockchain tech-
nology itself is still considered highly secure, The DAO attack shows that individual smart
contracts operating upon blockchains may still be vulnerable. From an insurer’s perspec-
tive, where insureds participate in DAOs, the question is whether it is time to consider
appropriate premium pricing where policies protect against theft or loss arising out of
third-party negligence.
While The DAO attack may in hindsight be viewed as a mere teething problem for
the wider adoption of smart contracts, it serves as a reminder that the robustness of the
blockchain architecture itself may not always prevent security breaches of flawed smart
contracts.
For the moment, the community (and some outside it) will keenly follow any fallout
from the attack. Some will hope that any resulting legal disputes may give rise to the first
judicial commentary on blockchain and its related technologies.
The sector has sought to identify lessons from this event. First, robust governance
arrangements and voting mechanisms must be carefully formulated in DLT to determine
in advance how a consensus is to be formed in a crisis or dispute. This is particularly
necessary in the absence of any centralised leadership or implementation process. Second,
smart contracts (or any software) are only as good as the code in which they are written.
Third, the authors observe that fully decentralised ledgers carry very real risks regarding
control of outcomes on the ledger, and, as a consequence, consortiums should consider
the benefits of partly centralised or private ledgers, and scale at an appropriate pace.
Problems such as these are perhaps unique to the blockchain area; however, existing
systems, with different fault patterns, have similar themes.
In February 2016, hackers compromised the Society for Worldwide Interbank Financial
Telecommunication’s (SWIFT) systems and issued instructions requesting the transfer
of almost US $1 billion from Bangladesh’s central bank.58 Approximately US $100 mil-
lion worth of those transactions succeeded, the majority of which was channelled into
casinos in the Philippines. It is believed that if it were not for the misspelling of the word
“Foundation” in some messages, a much larger amount would have been stolen. As Haley
Sweetland Edwards of Time Magazine noted, it was not the amount of the heist that caused
a stir, but “what shook the banking community was the breach of trust.”59 This attack
followed a similar breach in January 2015 in which approximately US $12 million was
stolen through the use of SWIFT credentials to modify transaction details.

57 See discussion in, for example, Metjahic (n 52).
58 See, for example, “Swift: fraudulent messages sent over international bank transfer system” The
Guardian, 26 April 2016 www.theguardian.com/technology/2016/apr/26/international-bank-transfer-system-hacked-swift-group-admits.
59 Haley Sweetland Edwards, “A New Generation of Bank Robbers Infiltrates Global Finance,” Time, 2
June 2016, https://time.com/4354752/swif-victim-bank-robbery/.

Disputes will doubtless arise out of these SWIFT heists, and insurance policies will
be called upon to respond. Proponents of the use of blockchain technology in the finance
sector could hardly ask for a better advertisement of its advantages vis-à-vis the current
system. After all, the enabling of trust between anyone, and blockchain’s robust security
against cyber-attacks are two of its key advantages.
In light of the inevitable claims, it has to be considered if current mainstream dispute
resolution avenues are appropriate for technology disputes, and whether they will be suit-
able to deal with the even more alien concepts of blockchain, smart contracts and decen-
tralised autonomous organisations.

Legal risks and issues with DLT/blockchain


While not as combative as was seen at the beginning of the blockchain and crypto space,
the debate as to whether “code is law” still marks a dividing line between those who take a
fundamentalist view of the decentralised, anti-government future of blockchain and those
who are involved in its day-to-day commercial application.
The position is in our view clear. While there is an intrinsic debate as to how far an
agreement can be simply expressed by or devolved to the code, DLT and blockchain tech-
nology are bound by general legal principles, including the law of contracts, torts, prop-
erty, privacy, intellectual property, partnerships and companies, enshrined in legislation
and case law. It seems inevitable that in a global economy in which it can be said that
every company will be a digital company, an increasing amount of decision-making and
analysis will be devolved to code and executed by smart contracts.
However, the overarching legal framework and regulatory environment might be rel-
evant or asserted across this very broad spectrum. International dimensions of DLT pose
particular compliance challenges in areas such as privacy where international transfers
of personal data will be subject to varying standards under national law. Further, as dis-
cussed above, with data distributed among many ledgers, legal risks arising out of data
transparency and identity theft may be exacerbated. The European Banking Institute
Working Paper60 makes the observation that: “DLT does not make inaccurate data accu-
rate. Inaccurate data stored via DLT remains inaccurate. The ‘garbage in, garbage out’
dilemma holds.” Not only does this raise the general spectre of claims sounding in con-
tract or tort for breach of duty, but various DLT projects may well be found, by courts, to
constitute joint ventures with liability spread across all owners and operators of systems
serving as distributed ledgers.61
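
The contrast drawn in this chapter between a ledger that is hard to alter on a single node (see “Blockchain cyber risks”) and data that was already wrong when it was recorded (“garbage in, garbage out”) can be shown in a short Python sketch. It is an added illustration, not code from the book or from any platform it discusses; the `Replica` class, the sample policy entries and the mileage figures are constructed for the example, and a simple majority vote stands in for a real consensus protocol.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def entry_hash(prev_hash, payload):
    """Bind an entry to its predecessor by hashing both together."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Replica:
    """One node's copy of an append-only, hash-chained ledger (hypothetical)."""

    def __init__(self):
        self.entries = []  # each item is [payload, stored_hash]

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, payload):
        self.entries.append([dict(payload), entry_hash(self.head(), payload)])

    def first_broken_entry(self):
        """Recompute the chain; return the index of the first bad entry or None."""
        prev = GENESIS
        for i, (payload, stored) in enumerate(self.entries):
            if entry_hash(prev, payload) != stored:
                return i
            prev = stored
        return None

    def rehash_from(self, index):
        """Simulate one node operator rewriting its own history consistently."""
        prev = self.entries[index - 1][1] if index else GENESIS
        for entry in self.entries[index:]:
            entry[1] = entry_hash(prev, entry[0])
            prev = entry[1]


def majority_head(replicas):
    """Head hash held by a strict majority of replicas, or None if there is none."""
    head, votes = Counter(r.head() for r in replicas).most_common(1)[0]
    return head if 2 * votes > len(replicas) else None


def suspect_replicas(replicas):
    """Indices of replicas that are internally broken or out of consensus."""
    agreed = majority_head(replicas)
    return [i for i, r in enumerate(replicas)
            if r.first_broken_entry() is not None or r.head() != agreed]


# Constructed sample entries for a usage-priced motor policy.
SAMPLE = [
    {"type": "policy_bound", "policy": "POL-EXAMPLE-1", "premium": 500},
    {"type": "oracle_reading", "policy": "POL-EXAMPLE-1", "annual_miles": 1200},
    {"type": "claim_paid", "policy": "POL-EXAMPLE-1", "amount": 900},
]
TRUE_ANNUAL_MILES = 12000  # constructed: the oracle dropped a digit


def build_network(n=4):
    replicas = [Replica() for _ in range(n)]
    for payload in SAMPLE:
        for r in replicas:
            r.append(payload)
    return replicas


def run_scenarios():
    results = {}

    # 1. Naive edit on one node: the stored hash no longer matches the payload.
    net = build_network()
    net[2].entries[2][0]["amount"] = 90000
    results["naive_edit_broken_at"] = net[2].first_broken_entry()
    results["naive_edit_suspects"] = suspect_replicas(net)

    # 2. Consistent rewrite on one node: internally valid, but out of consensus.
    net = build_network()
    net[2].entries[2][0]["amount"] = 90000
    net[2].rehash_from(2)
    results["rewrite_broken_at"] = net[2].first_broken_entry()
    results["rewrite_suspects"] = suspect_replicas(net)

    # 3. Wrong input agreed by every node: all checks pass, the record is still wrong.
    net = build_network()
    recorded = net[0].entries[1][0]["annual_miles"]
    results["bad_input_suspects"] = suspect_replicas(net)
    results["bad_input_is_accurate"] = recorded == TRUE_ANNUAL_MILES
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Scenarios 1 and 2 flag only the altered node, while scenario 3 passes every integrity check even though the recorded mileage is wrong.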
As we have seen, smart contracts represent the delivery system and the action-enabling
component of DLT and blockchain systems. The use of smart contracts, howsoever
defined, is the messenger system between the DLT blockchain and the external inputs and
outputs, whether as the mechanism by which external data is accessed, distributed and
actioned, or the payment request outcome of a calculation performed on such data. Thus
the status of smart contracts in any operating system needs to be clear.

60 Zetzsche, Buckley and Arner (n 16) p 13.
61 Ibid, 28.

Kevin Werbach and Nicolas Cornell62 observe that while “smart contracts will force
courts, legislators and other legal actors to confront difficult questions about the
application of basic contract doctrines” they will “not replace contract law.” The authors comment
as follows:
Contract law is a remedial institution…. If the parties do not or cannot represent all possi-
ble outcomes of the smart contract arrangement ex ante, the results may diverge from their
mutual intent. The parties’ expression may also not produce legally sanctioned outcomes, as
in the case of duress, unconscionability, or illegality. Promise-oriented disputes and griev-
ances will not disappear, but their complexions will shift. In such scenarios, either the parties
or the state will seek to reintroduce the machinery of contract adjudication. Once one properly
appreciates what is—and what is not—the function of contract law, it becomes evident that
reports of its death are “greatly exaggerated.”

Moreover, as Max Raskin comments, the courts do not need to “upend extant jurispru-
dence to accommodate smart contracts.”63 However, it is clear that there will be challenges
in extending and applying private law and regulation to blockchain applications involving
poly-directional relationships among its various nodes, where those linkages are solely
through a software platform.64
Broad issues can be identified at a practical level when transacting with smart contracts:
1. Can they execute complex instructions?
2. Liability for errors with the contract—where does it lie? Is it standardised globally?
3. What percentage can be amended, and what percentage cannot once coded?
4. How reliable are your oracles?
5. What is the ADR process?
6. Can you codify “duty of good faith”?
7. Insurance is heavily regulated, smart contracts not so much, so how will these
mesh?
8. They remove control from the insured. Could an event trigger the smart contract
but not necessarily result in a claim?
These considerations then need to be overlaid with the knowledge that the volume of
data involved may reduce transaction speed.
In practice, we have seen the majority of commercial projects operate at a two-speed
level. The day-to-day functions are delegated to, or assumed within, a smart contract-
driven system which is capable of drawing down data, performing any necessary calcula-
tion or assessment and resulting in outputs. However, the core contractual elements such
as law and jurisdiction, and the respective duties of the participants are recorded in a
traditional contract “wrapper.” This is a method of contracting with which the insurance
market is familiar as it is similar to the process of issuing a schedule or slip setting out
the core risk details, sitting alongside a detailed policy wording. In the DLT/blockchain
space, the detailed policy wording is replaced by the smart contract-driven DLT/block-
chain network.

62 Kevin Werbach and Nicolas Cornell, “Contracts ex machina,” Duke Law Journal 67 (2017) 313, 318.
63 Max Raskin, “The Law and Legality of Smart Contracts” (2017) 1 Geo L Tech Rev 305, 341.
64 Philipp Paech, “The Governance of Blockchain Networks” (2017) 80 Modern Law Review 1073, 1099
(hereafter Paech).


Legal implications and areas of development


Zetzsche, Buckley and Arner65 observe that:
from a technological perspective, DLT is generally seen as offering unbreakable security,
immutability and unparalleled transparency, so law and regulation are seen as unnecessary.
Yet while the law may be dull and the technology exciting, the impact of the law cannot be
simply wished away.66

Moreover, there will always be interests outside any particular blockchain, financial or
other network that general laws and social norms need to protect. As Philipp Paech67
observes, blockchain financial networks create risks that might have an impact on the
wider market, notably by transmitting systemic risk, discriminating between market actors
and facilitating illegal activity that requires them to be within the regulatory perimeter.
These sentiments are echoed by Sandrine Cullaffroz-Jover,68 Lawyer and Director at
PwC Société d’Avocats, who states that:
we need to be wary of the term “legal vacuum” when talking about blockchain, because even
though no specific regulations have been introduced for the technology, there are legal prin-
ciples that, in the initial phase, facilitate innovation and the development of new applications.
So the blockchain—like all new technologies—exists within a legal framework.

From a common law perspective, it seems clear that there is a wide degree of flexibility
and latitude in applying existing principles to DLT and blockchain. As an example, two
judgments of the English High Court have respectively held that cryptocurrency should be
classified as property (with all that this entails in law) and that service of court proceed-
ings can happen effectively on-chain. These are pragmatic and sensible small steps.
Regulators globally have to date largely taken a “light touch” approach to the question
of whether existing legal frameworks are sufficient to meet the technological challenges
posed by DLT. There are examples of active restriction or prohibition upon the use of DLT
(in UAE and Nigeria, for instance), but these efforts are largely focused on limiting the
use of cryptocurrencies in these jurisdictions rather than on prevention of broader DLT
applications. More commonly, regulators have adopted a “wait-and-see” attitude and have
declined to intervene prematurely and to stifle innovation. For example, the Australian
Securities and Investments Commission49 declared in 2017 that at this stage it considered
existing regulatory frameworks able to accommodate the DLT use cases it had consid-
ered, but that as DLT matured, additional regulatory considerations might arise.
The broad approach has been to seek to regulate the use of the technology and not the
technology itself, which given the pace of change seems prudent.
For example, the European Securities and Markets Authority (ESMA) has stated that
it considers the current regulatory framework adequate for adopting and developing DLT
in the short term.69 ESMA expressly recognises that DLT may bring numerous benefits
to financial markets, including more efficient post-trade services, enhanced reporting
capabilities and reduced costs. However, ESMA also cautions the technology’s advocates
and developers as follows:
The development of new technology, such as DLT, does not liberate users from complying
with the existing regulatory framework, which provides important safeguards to ensure the
stability and proper functioning of financial markets.70

65 Zetzsche, Buckley and Arner (n 16).
66 Paech (n 64) 1078.
67 Ibid.
68 PwC Blockchain (n 23) 29.
69 European Securities and Markets Authority, “Report on Distributed Ledger Technology Applied to
Securities Markets,” 7 February 2017; ESMA50-1121423017-285,
www.esma.europa.eu/document/report-distributed-ledger-technology-applied-securities-markets.

The experience in the United States is more uneven in terms of approaches adopted fed-
erally and across the various states, but the focus is on the technology’s application as
a virtual currency. At a federal level, several government agencies71 have offered guid-
ance in relation to virtual currency, but there is no comprehensive federal regulation for
virtual currencies.72 The response at the state level ranges from New York creating a
“BitLicense”73 and California considering a licensing fee for digital currency enrolment,
on the one hand, to Illinois declaring it will not regulate cryptocurrencies and Delaware
launching a blockchain initiative to implement DLT into some governmental and regula-
tory functions, on the other.
Delay in amending or adjusting the governance framework at an early stage could be
counter-productive, as disruptive blockchain technology does threaten the effectiveness
of the existing governance framework for financial markets in certain circumstances.
Philipp Paech74 cites as an example the necessity for transfers of money and other assets
through blockchain financial networks to be subject to functionally equivalent rules pre-
venting money laundering and other illegal activities.
In November 2021, the US Securities and Exchange Commission75 published an article
from Commissioner Caroline Crenshaw which was largely supportive and understanding
of the framework for using smart contracts and associated technological developments.
My respect for innovation does not lessen my commitment to help ensure all our financial
markets are sustainable and offer average investors a fair chance of success. Decentralised
Finance (DeFi) is a shared opportunity and challenge. Some DeFi projects fit neatly within our
jurisdiction, and others may struggle to comply with the rules as currently applied. It is not
enough to just say it is too hard to regulate or to say it is too hard to comply with regulations.
It is a positive sign that many projects say they want to operate within DeFi in a compliant
way. I credit their sincerity on this point, and hope they commit resources to collaborating
with the SEC staff in the same spirit. For DeFi’s problems, finding compliant solutions is
something best accomplished together. Reimagining our markets without appropriate inves-
tor protections and mechanisms to support market integrity would be a missed opportunity,
at best, and could result in significant harm, at worst. In conceiving a new financial system, I
believe developers have an obligation to optimize for more than profitability, speed of deploy-
ment, and innovation. Whatever comes next, it should be a system in which all investors
have access to actionable, material data, and it should be a system that reduces the potential
for manipulative conduct. Such a system should lead capital to flow efficiently to the most
promising projects, rather than being diverted by mere hype or false claims. It should also
be designed to advance markets that are interconnected, but with sufficient safeguards to
withstand significant shocks, including the potential for rapid deleveraging. In decentralised
networks with diffuse control and disparate interests, regulations serve to create shared
incentives aligned to benefit the entire system and ensure fair opportunities for its least powerful
participants.

70 European Securities and Markets Authority, “ESMA Assesses DLT’s Potential and Interactions with
EU Rules,” 7 February 2017, www.esma.europa.eu/press-news/esma-news/esma-assesses-dlt%E2%80%99s-potential-and-interactions-eu-rules.
71 For example, FinCEN, the Internal Revenue Service (IRS), Securities Exchange Commission (SEC),
Commodity Futures Trading Commission (CFTC) and the Consumer Financial Protection Bureau (CFPB).
72 See Kiviat (n 13) 588–597.
73 N.Y. Comp. Codes R. & Regs, title 23, s 200 (2015); discussed in detail by Kiviat (n 13), 597–602.
74 Paech (n 63) 1099.
75 US Securities and Exchange Commission, “Statement on DeFi Risks, Regulations, and Opportunities,”
9 November 2021, published in The International Journal of Blockchain Law vol 1, November 2021,
www.sec.gov/news/statement/crenshaw-defi-20211109.

To date, however, the SEC has adopted a cautious, and perhaps sceptical, wait-and-see
approach.
Key challenges and risks to be considered in the context of existing legal frameworks
relate to security and privacy, governance, scalability and standardisation.
While DLT may enhance data security, it is not risk-free and may commonly give rise
to three major types of potential liability risk: Ledger transparency risks, cyber risks and
operational risks.76 The authors of the European Banking Institute Working Paper77 point
to the fact that, paradoxically, the enhanced level of transparency whereby every node
operator has access to data stored on a distributed ledger enables the re-personalisation
of data stored on the distributed ledger or enables nodes to make an informed guess as
to identities entering into certain transactions. This in turn leads to two main legal risks:
Data privacy, and insider trading and market abuse. Data protection laws in most juris-
dictions as well as prohibitions against insider trading and market manipulation carry
significant civil and criminal penalties, which means that DLT initiatives have to tread a
cautious path in managing data security and transparency.
A number of core legal concerns readily arise in respect of this area. Each jurisdiction
and body of law will respond differently to these, and the purpose of this chapter is not to
provide a definitive review.
1. Jurisdictional and applicable law issues—where servers are decentralised and
can be spread around the world, pinpointing where a breach or failure occurred
(and taking the appropriate cross-border action) will be complex.
This is one of the most difficult areas that arise. The pragmatic response is to look at the
parties to the network. If a problem arises in respect of which a party needs to take legal
proceedings, it should look to the jurisdiction of the owner/beneficiary/operator of any such
network, or that of any party in default. That does not create certainty. A practical option,
therefore, is to put in place a contractual wrapper which specifies the agreed law and jurisdic-
tion. In many jurisdictions, including that of England and Wales, it is possible to do so within
the code, but this would only result in difficulties in enforcing such an agreement elsewhere.
In terms of operation, a party operating in a particular jurisdiction or jurisdictions will
have the onus to ensure that it is doing so in a manner compliant with all applicable laws
and regulations.
The owners and beneficiaries of any network will also have the obligation to ensure
that the network is compliant with laws and regulations in all jurisdictions, including
any regulatory restrictions on non-authorised entities providing insurance or insurance-
related services, in which it operates, and in the event of doubt should take steps to restrict
access in such jurisdictions.

76 Zetzsche, Buckley and Arner (n 16) 13.
77 Zetzsche, Buckley and Arner (n 16) 14.

2. The legal status of decentralised autonomous organisations (DAOs)78 as entities—
where the entity is essentially self-governing software engaging in or facilitating
commerce, what legal status will attach to DAOs? Are they simple corporations or
something else?
Conceptually, the idea of a separate operating entity is not new, but the specific nature of
the technology raises a number of questions. Some jurisdictions, such as Malta, have cre-
ated a distinct legal entity status for a DAO. Others, including England and Wales, have
entered into a period of review.
The appropriate response in most instances is to look for the substance of how the DAO
operates and the responsibilities for its instigation and maintenance. As a default position,
common law jurisdictions may revert to principles relevant to the running of trusts.
3. What, if any, is the liability of DLT and blockchain and their creators? Who or
what is claimed against in the case of a legal dispute?
This issue will very much depend on the nature of the blockchain used, and in particu-
lar whether public or private, permissioned or permissionless, and it is very difficult to
generalise.
4. The legal enforceability of smart contracts—we consider the wholesale adoption
of the phrase to be unhelpful, as the term “contract” invites the traditionally asso-
ciated concepts such as offer and acceptance, certainty and consideration, which
are unlikely to be relevant to many coded programmes.
In most jurisdictions, the principles of smart contracting are no different than for other
contracts and the traditional rules can apply. As an example, the UK taskforce review of
smart contracts and digital assets79 confirmed that there is no impediment to a contract
written in code being legally enforceable.
As a practical matter, however, complying with established rules or practices in the
insurance sector may be more difficult. For example, in many civil law jurisdictions, any
exclusionary clauses have to be highlighted (and this is usually done in bold). Or in the
marine and trade area, bills of lading carry with them property rights and records of title,
which pass with the hard copy document. It is difficult to see how this concept could apply
in the smart contract space, and indeed the answer is probably in ensuring that the cover
provided is clearly constrained and understood.
5. Privacy and data security on public blockchains (GDPR)80
A whole chapter could be devoted to this issue.81 Essentially the concerns arise out of
seeking a balance between a decentralised and disintermediated system, and the require-
ments for privacy, the right to be forgotten (where it exists) and data control.

78 Decentralised autonomous organisation or DAO (also known as decentralised autonomous
corporations)—a digital entity which, once pre-coded to function in a certain way, operates with minimal or
no human input. It is an emerging form of legal structure that has no central governing body and whose
members share a common goal to act in the best interest of the entity, see www.investopedia.com/tech/what-dao/.
79 www.lawcom.gov.uk/project/smart-contracts/.
80 General Data Protection Regulation (EU) 2016/679.
81 Generally, see Chapter 2.

There are a number of technological answers, including that of maintaining sensitive
data “off-chain” and only allowing the necessary gateway decision-making drivers to be
accessible “on-chain.”
However, embedded legal protections for records to be destroyed or altered are at odds
with many of the perceived benefits of such systems.
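
One common way to build the off-chain pattern described above, given as an added example that is not taken from the chapter: personal data and a random salt stay in a private store, and the ledger entry carries only a salted commitment and the decision flag. The store class, field names and eligibility rule are assumptions made for illustration.

```python
"""Added illustration: personal data off-chain, commitment and decision on-chain."""
import hashlib
import hmac
import json
import secrets


def commitment(salt, record):
    """Salted commitment to a record: HMAC-SHA256 over its canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, payload, hashlib.sha256).hexdigest()


class OffChainStore:
    """Private database under the insurer's control (hypothetical)."""

    def __init__(self):
        self._rows = {}

    def put(self, record):
        ref = secrets.token_hex(8)      # random reference, not derived from the person
        salt = secrets.token_bytes(32)  # per-record salt, never published
        self._rows[ref] = (salt, dict(record))
        return ref, commitment(salt, record)

    def get(self, ref):
        return self._rows.get(ref)

    def erase(self, ref):
        """Destroy the record and its salt; the ledger entry is left untouched."""
        self._rows.pop(ref, None)


def ledger_entry(store, record):
    """Build the only data that goes on-chain for this policyholder."""
    ref, digest = store.put(record)
    # Assumed gateway rule: cover applies if the premium is paid and the region is insured.
    eligible = record["premium_paid"] and record["region"] in {"north", "east"}
    return {"ref": ref, "commitment": digest, "eligible": eligible}


def check(entry, store):
    """Compare a ledger entry with the off-chain row it points to."""
    row = store.get(entry["ref"])
    if row is None:
        return "erased"  # nothing left off-chain; the commitment can no longer be opened
    salt, record = row
    ok = hmac.compare_digest(commitment(salt, record), entry["commitment"])
    return "verified" if ok else "tampered"


if __name__ == "__main__":
    store = OffChainStore()
    # Constructed sample record
    entry = ledger_entry(store, {"name": "A. Farmer", "region": "north", "premium_paid": True})
    print(entry, check(entry, store))
    store.erase(entry["ref"])
    print(check(entry, store))
```

After `erase`, the ledger still holds the reference and the commitment, but without the salt and record there is nothing to check them against.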
Some of the solutions posited in the market are also potentially at odds with the prin-
ciple of anonymity that is embedded within many data protection laws and regulations
(including that of GDPR in the EU). The traditional blockchain approach, if it is now ripe
to use the word “traditional” in the blockchain space, is one of privacy by way of pseudo-
nymity. Anonymity means that an individual cannot be identified and the entity does not
collect personal information or identifiers. A pseudonym is a name, term or descriptor that
is different to an individual’s actual name.
The European Parliamentary Research Service published a paper in 201982 which con-
cluded as follows:
(T)he study has formulated three broad policy recommendations, which have been broken
down into various elements. First, it was suggested that regulatory guidance on the interpreta-
tion of certain elements of the GDPR when applied to blockchains should be provided to gen-
erate more legal certainty in this area. Second, it was recommended that codes of conduct and
certification mechanisms should be encouraged and supported. Third, it was recommended
that funding be made available for interdisciplinary research exploring how blockchains’
technical design and governance solutions could be adapted to the GDPR’s requirements, and
whether protocols that are compliant by design may be possible.

The regulatory and parliamentary review is ongoing, and caution has to be applied to any
platform hosting private data on a blockchain.
6. Protection against bad actors
In any decentralised system protections must be put in place in case of misfeasance by one
or more participants.
There are cryptographic methods, for example, Byzantine fault tolerance schemes,
which can achieve this. Put very simply, the term comes from a hypothetical called the
Byzantine Generals Problem.83 This logical dilemma is about a group of Byzantine generals.
Each general has an army and a location surrounding a fortress, and they must decide
as a group whether to attack or retreat. If they all make the same decision, they are
successful. But if there’s a miscommunication or treachery causing some generals to attack
while the others retreat, then the battle is lost. These types of problems are known as
Byzantine faults. Byzantine fault tolerance can be achieved if the loyal (non-faulty)
generals have a majority agreement on their strategy. There can be a default vote value given to
missing messages.

82 Michèle Finck, “Blockchain and the General Data Protection Regulation, can distributed ledgers be
squared with European data protection law?” European Parliamentary Research Service, July 2019,
www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf.
83 See “Byzantine Generals Problem in Blockchain,” Geeks for Geeks, 8 August 2022,
www.geeksforgeeks.org/byzantine-generals-problem-in-blockchain/.

The typical application of this story to blockchain systems is that the nodes are the
generals, and their digital communication system links are the messengers. Although
the problem is formulated in the analogy as a decision-making and security problem, in
electronics, it cannot be solved by cryptography alone, because failures such as incorrect
voltages can propagate through the encryption process. Thus, a component may appear
functioning to one component and faulty to another, which prevents forming a consensus
as to whether the component is faulty or not.84
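
The generals' vote can be run as a small simulation. This is an added example, not taken from the chapter or its sources: it implements the classic oral-messages algorithm OM(m) of Lamport, Shostak and Pease, which goes beyond the simple majority rule sketched in the text, with retreat as the default for a missing message. The numbering of generals and the traitor's behaviour are constructed for illustration.

```python
"""Added illustration: oral-messages Byzantine agreement, OM(m).

General 0 is the commander; generals 1..n-1 are lieutenants.
The traitor behaviour below is constructed for this example.
"""
from collections import Counter

ATTACK, RETREAT = "attack", "retreat"
DEFAULT = RETREAT  # value a general assumes when an expected message never arrives


def send(sender, receiver, value, traitors):
    """Return what `receiver` hears from `sender` (None = no message arrived)."""
    if sender not in traitors:
        return value  # a loyal general relays faithfully
    # Constructed traitor: tells even-numbered generals to attack and
    # stays silent towards odd-numbered ones, whatever it was told.
    return ATTACK if receiver % 2 == 0 else None


def majority(votes):
    """Strict majority of the votes, or DEFAULT when there is none."""
    value, count = Counter(votes).most_common(1)[0]
    return value if count > len(votes) / 2 else DEFAULT


def om(m, commander, lieutenants, value, traitors):
    """Run OM(m); return {lieutenant: value that lieutenant settles on}."""
    received = {}
    for lt in lieutenants:
        msg = send(commander, lt, value, traitors)
        received[lt] = DEFAULT if msg is None else msg
    if m == 0:
        return received
    # Each lieutenant re-broadcasts what it heard, acting as commander in OM(m-1).
    relayed = {lt: {} for lt in lieutenants}
    for j in lieutenants:
        others = [lt for lt in lieutenants if lt != j]
        for i, v in om(m - 1, j, others, received[j], traitors).items():
            relayed[i][j] = v
    return {
        i: majority([received[i]] + [relayed[i][j] for j in lieutenants if j != i])
        for i in lieutenants
    }


def loyal_decisions(n, m, traitors, order):
    """Decisions of the loyal lieutenants among n generals."""
    result = om(m, 0, list(range(1, n)), order, traitors)
    return {lt: v for lt, v in result.items() if lt not in traitors}


def tolerates(n, m, traitors, order):
    """True if loyal lieutenants agree and obey a loyal commander's order."""
    decisions = set(loyal_decisions(n, m, traitors, order).values())
    if len(decisions) != 1:
        return False
    return 0 in traitors or decisions == {order}


if __name__ == "__main__":
    for n, traitors in [(4, {3}), (4, {0}), (3, {2})]:
        print(n, sorted(traitors), loyal_decisions(n, 1, traitors, ATTACK),
              "ok" if tolerates(n, 1, traitors, ATTACK) else "FAILS")
```

With four generals one traitor is tolerated whether it is a lieutenant or the commander; with three, the loyal lieutenant ends up disobeying a loyal commander, which is the n > 3m bound from the original paper.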

7. Anything involving money transfer will be subject to anti-money laundering and
“Know Your Client” rules.

While there are again a number of service providers with offerings to link these areas in
the blockchain space, we revert to the lack of standardisation and agreed lexicon (let alone
processes) that are probably needed for this sector to thrive as it can.
These are some detailed considerations. As stated, it is difficult to generalise. At this
stage of the market, first principles can be a helpful tool. In light of economic devel-
opment, complicated trading structures and arrangements have arisen in order to allow
parties to transact where the level of familiarity and trust that existed between parties
is absent. The new digital technologies—where suitable—can cut through some of that
complexity and build in familiarity and trust, which can mean that the need for some
of the old certainties can fall away.
Many projects to date have been driven by a desire to use, or often to be seen to use,
these new technologies for their own sake, or as part of an innovation-for-innovation’s-sake
agenda, and have failed, often because of a lack of commercial value, sometimes
because of a lack of surrounding infrastructure or community of users.
Successful projects start with the issue to be addressed—the matter of transacting—
and then seek to open-mindedly consider how the new technologies can strip out layers in
the value chain. This approach adopts a forensic focus on the underlying rationale of the
transaction and questions incumbent execution methods.
Conversely, the technology is often dismissed because it does not fit within existing
structures, rather than because it cannot create value. The value proposition for new
entrants and start-ups is that they are able to think afresh without being encumbered by
dogma. For example, sophisticated commercial insurers who query how the technology
for automating contractual changes can be applied in a co-insurance market but who do
not take the next step of querying how the efficiencies created can change the nature of a
risk being placed and displace the need for co-insurance if, for example, sufficient reinsur-
ance capital can be deployed directly, or in the trade and commodities world, those who
rightly identify that bills of lading cannot be transferred other than by the paper copy,
without considering how contractual arrangements can be overlaid to bypass the current
state of the law.
When entering into a blockchain or smart contract-based agreement or network, the
core considerations are:
a) Clarity as to the agreement;
b) Responsibility for the code—writing and maintenance;
c) Clarity as to any input data (quality, accuracy and reliability);
d) Understanding of the outputs—for example, are they to be fully automated, or
with an in-built pause or review mechanism; and
e) Agreement as to applicable law and jurisdiction in the event of a dispute or change
in circumstance.

84 See, for example, Cointelegraph, “How does blockchain solve the Byzantine general’s problem?”
https://cointelegraph.com/blockchain-for-beginners/how-does-blockchain-solve-the-byzantine-generals-problem.

Dispute resolution
Technology-related matter lists in civil courts are now common. The English courts
for example have both an Intellectual Property Enterprise Court and a Technology and
Construction Court. Such divisions acknowledge and reflect the specialist knowledge
these areas require, as well as the procedural peculiarities they may demand. Judges who
have the requisite understanding of unique concepts to apply the law correctly are selected
for these lists; however, there is of course no guarantee a judge will be familiar with a
particular issue, and parties have little say in who will adjudicate their dispute.
Technology disputes demand a certain knowledge base, and by way of arbitration, the
parties’ selection of the tribunal allows for greater specificity of expertise than a court
technology list. Additionally, where decentralised organisations run on a blockchain
housed on servers in different countries, the appropriate forum and applicable law are
likely to raise significant jurisdictional issues.
All of these factors will be critical once the time comes to adjudicate disputes concern-
ing blockchain, smart contracts and DAOs. A suitably drafted arbitration agreement will
likely make it easier to resolve a dispute in the parties’ preferred manner. To illustrate,
consider the frequently cited example of insurance policies for drought insurance that,
utilising blockchain and smart contracts, auto-execute claim payments to insureds where
rainfall over a defined period drops below a certain threshold.85 Trusted data sources upon
which these smart contracts rely (known as oracles) feed information (in this case rainfall
data) to the smart contract. However, if the oracle were to provide inaccurate information,
an entire bundle of policies (via their smart contracts) may respond incorrectly, causing
significant loss to the insurer. Would the insurer have any recourse in such a case?
Against whom?
The answer depends, of course, on the terms of the policies and those within any con-
tract with the oracle. The first option is that the insurer may recover amounts from indi-
vidual insureds (for unjust enrichment or mistake for example). An arbitration agreement
to resolve the disputes could be embedded in (or in parallel to) the smart contract arrange-
ment; however, that course would likely be inefficient and costly given the number of
separate actions that would need to be commenced.
Assuming the insurer had a contractual relationship with the oracle (and no exclusion
of liability provision), it is far more likely to pursue the oracle for damages in negligence
and/or contract.

85 See Chapter 6, “Parametric Insurance.”

Where the insurer was, for example, incorporated in England, yet the oracle was
incorporated in the United States, arbitration’s cross-border advantages would render it an ideal
vehicle for the insurer to pursue its claim. An effective arbitration agreement will generally
be recognised by and enforceable in the domestic courts of the parties, while attempts
to instigate domestic court proceedings in those jurisdictions would likely fail. Finally, the
insurer would have a greater ability to enforce any arbitral award.
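
The oracle failure in the drought example above, and the “in-built pause or review mechanism” listed among the core considerations, can be shown together in code. This is an added example, not code from the chapter or from any insurer: the policy values, oracle names, thresholds and the median-with-quorum rule are all assumptions chosen for illustration.

```python
"""Added illustration: guarding a parametric drought trigger against a bad oracle."""
from dataclasses import dataclass
from statistics import median

MIN_SOURCES = 3            # assumed: fewest valid readings needed to settle automatically
TOLERANCE_MM = 10.0        # assumed: distance from the median still counted as agreement
MAX_PLAUSIBLE_MM = 5000.0  # assumed sanity bound on rainfall over the period


@dataclass(frozen=True)
class Policy:
    policy_id: str
    trigger_mm: float  # pay out if agreed rainfall is below this
    payout: int        # pre-agreed amount


def naive_settle(policies, reading_mm):
    """Single-oracle design: whatever the feed says is acted on at once."""
    return sum(p.payout for p in policies if reading_mm < p.trigger_mm)


def agreed_rainfall(readings):
    """Return (value or None, reason, rejected source names)."""
    valid = {name: mm for name, mm in readings.items()
             if mm is not None and 0.0 <= mm <= MAX_PLAUSIBLE_MM}
    if len(valid) < MIN_SOURCES:
        return None, "too few valid sources", sorted(set(readings) - set(valid))
    mid = median(valid.values())
    agreeing = {n: mm for n, mm in valid.items() if abs(mm - mid) <= TOLERANCE_MM}
    rejected = sorted(set(readings) - set(agreeing))
    if len(agreeing) <= len(valid) / 2:
        return None, "sources disagree", rejected
    return median(agreeing.values()), "ok", rejected


def settle(policies, readings):
    """Decide PAY / NO_PAY per policy, or REVIEW when the data cannot be trusted."""
    value, reason, rejected = agreed_rainfall(readings)
    decisions = {}
    for p in policies:
        if value is None:
            decisions[p.policy_id] = "REVIEW"  # pause: a person looks before money moves
        elif value < p.trigger_mm:
            decisions[p.policy_id] = "PAY"
        else:
            decisions[p.policy_id] = "NO_PAY"
    auto = sum(p.payout for p in policies if decisions[p.policy_id] == "PAY")
    return {"rainfall_mm": value, "reason": reason, "rejected": rejected,
            "decisions": decisions, "auto_payout": auto}


# Constructed sample data
POLICIES = [Policy("P1", 100.0, 5000), Policy("P2", 120.0, 8000), Policy("P3", 50.0, 3000)]
FAULTY = {"station_a": 14.0, "satellite_b": 141.5, "radar_c": 138.0}  # station_a is wrong
DROUGHT = {"station_a": 62.0, "satellite_b": 65.5, "radar_c": 60.0}
OUTAGE = {"station_a": 14.0, "satellite_b": None, "radar_c": 138.0}

if __name__ == "__main__":
    print("single oracle pays:", naive_settle(POLICIES, FAULTY["station_a"]))
    for name, feed in [("faulty", FAULTY), ("drought", DROUGHT), ("outage", OUTAGE)]:
        print(name, settle(POLICIES, feed))
```

The rejected source names and the REVIEW decisions are the records an insurer would want preserved when deciding, as the text discusses, whether and against whom it has recourse.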
Despite arbitration’s suitability to technology disputes, the major arbitral institutions
are yet to really adapt through the development of governing rules or procedures, and
while specialist technology institutions and rules exist, they generally still lack the reputa-
tion and resources to handle large-scale matters. Certain procedural aspects of the arbitra-
tion could benefit from tailoring where an agreement or part thereof is written in code or
some urgency is required for interim issues. One of the most developed responses to this
area is the Digital Dispute Resolution Rules published by the UK Jurisdiction Taskforce.86
Broadly these rules:

• Can be incorporated into a contract, digital asset or digital asset system by
including reference (which may be in electronic or encoded form) to the rules;
• Seek to provide a rapid procedure, with the tribunal to use its best endeavours to
resolve the dispute within 30 days from its appointment; and
• Include various provisions specific to digital technologies including, where the
relevant network enables such functionality, optional anonymity for parties and
enabling on-chain implementation of decisions by giving the tribunal powers in
relation to digital assets.

However, these are yet to be tested in action or applied at scale and they are sector agnostic
rather than being tailored to the insurance sector.
For parties to technology disputes (or potential disputes), the arbitration agreement,
as always, deserves consideration. As regards the choice of institution, rules which cater
for emergency arbitrators and accelerated tribunal formation may benefit disputes
which have time-sensitive elements. Further, the need for experts and an appropriate tri-
bunal could lend itself to holding the hearings in a hub likely to contain or at least attract
such specific personnel.
As with many of the complexities surrounding blockchain technology, it is at this early
stage easier to raise issues than to solve them. Arbitration teams globally are actively
investigating appropriate forums for handling blockchain-related disputes, consider-
ing effective drafting of arbitration clauses and how (if at all) to include them in smart
contracts.

Standardisation
Standardisation is mentioned by most participants or parties involved in DLT87 as being
important to realise sustainable benefits from various shared and distributed ledgers and/or
associated smart contracts. This need is accentuated by the international dimensions of
DLT and differences in national law. Accordingly, in addition to agreements or consensus
protocols aimed at organising governance between the parties, a series of internationally
standardised technical rules could help facilitate transactions in view of the diversity of
the geographical regions and parties using smart contracts.88 In this regard, it is noted that
the International Organization for Standardisation has approved Standards Australia’s
proposal to develop new international standards on blockchain and DLT to support
interoperability and data interchange among users, applications and systems.89

86 https://resources.lawtechuk.io/files/2.%20UKJT%20Digital%20Disupte%20Rules.pdf.
87 McKinsey 2016 Opportunities (n 24) 30.

The Accord Project,90 based in London and New York, is a non-profit, member-driven
organisation that develops universal specifications backed by open-source code libraries
for smart legal contracts for use by transactional attorneys, business and finance profes-
sionals, and other contract users. The Accord Project was established by industry partici-
pants to provide and maintain a common and consistent legal and technical foundation
for smart legal contracts that can be applied in any contracting context. The Project’s
contributors, partners and members include over 40 of the world’s most prominent global
law firms, leading distributed ledger providers such as IBM, R3, Digital Asset, and
organisations ranging from the International Association for Contract and Commercial
Management to the Institute of Electrical and Electronics Engineers (IEEE). The pur-
pose of the Accord Project is to oversee the production of a common format for smart
legal contracts that can operate across any technology platform: Cloud, IoT, blockchain, or
otherwise. This enables universal agreement on the technical implementation of a smart
legal contract without the technical issues of implementing that agreement—much like
the “.doc” format for word-processed contract documents today.
Open source means that anyone can use and contribute to the code and documenta-
tion and use it in their own software applications and systems free of charge. The Accord
Project has developed a framework for connected contracting by providing the fundamen-
tal technology building blocks for smart legal contracts. This fundamental technology
consists of a standardised approach to modelling the deal terms of agreements and coding
the logic of legally binding contractual obligations.
As a practical matter, these industry-led initiatives, which tend to be more flexible and
able to change more quickly, are more likely to make progress towards standardisation
than top-down regulatory or governmental-led initiatives.

Emerging markets
Blockchain and smart contracts are an area, like mobile telephones in the past, where
if adopted broadly and sensibly, emerging markets can see very real benefit and even
leapfrog more developed economies. In jurisdictions where there are no coherent or consistent
established bodies of regulatory guidance and law, the putting in place of new systems,
processes and market initiatives can not only happen more quickly than in jurisdictions
struggling with legacy systems but can also provide much greater benefits.
For example, a number of countries in Africa have seen rapid technological development
in recent years, as exemplified by mobile internet deployment across Uganda and
Tanzania. This is largely due to a lack of existing infrastructure and regulation allowing
for new technologies to leapfrog traditional solutions and for policy frameworks to be
implemented in conjunction with new products. This results in stable macroeconomic
environments which now see countries, such as Kenya, as favourable markets for tech
investors.

88 See PwC Blockchain (n 23) 30.
89 “Blockchain Reaction,” Allens Linklaters, Report April 2017,
www.linklaters.com/en/insights/publications/allens-insights/2017/blockchain-reaction-nine-months-on, 6.
90 https://opensource.legal/projects/AccordProject.

Blockchains and other decentralised systems are likely to be the next technology to
capitalise on this “test and learn” approach as they are well suited to manage data, finan-
cial assets and B2B transactions without the need for intermediaries. As a core principle,
blockchains improve the quality, reliability and accessibility of data, and for this rea-
son, they have the potential to alleviate various issues which can arise when conducting
business.
While recognising that there will be regional and national level nuances to blockchain’s
implementation, this report highlights how the technology is expected to affect business
across the continent. By no means exhaustive, the examples below represent areas in
which blockchain is likely to have a significant impact in the short to medium term.
Due to their codified nature and automatic execution, blockchain contracts have the
potential to provide greater transparency over contractual compliance—thereby acting as
a trust mechanism for contractual relationships and alleviating a significant business risk.
In addition, the distributed nature of the data across multiple nodes ensures that infor-
mation cannot be held by single organisations/institutions, nor can data be altered or its
accuracy challenged. This will assist with the information imbalance which exists when
dealing with many public bodies.
Additionally, smart contracts can have the capacity to track every dollar spent. This
will be of particular benefit to lending institutions and will ultimately allow entities that
are more risk-averse to invest in the African market. Bitfury (an American-based company)
is currently assisting with this process through its involvement with African Bitcoin
payment providers such as BitPesa,91 mentioned above.
As demonstrated above, blockchain has enormous potential to revolutionise business
in Africa and its implementation is compelling. Although in its early stages, we are see-
ing exponential growth in the technology’s foothold in the continent, and initial trials are
proving successful. Furthermore, governments appear to be actively engaging in block-
chain implementation, which is crucial for technologies to be successfully deployed in a
country.

Conclusions
DLT, smart contracts and blockchain technology have the potential to facilitate a significant
change in the insurance sector. In many ways, the insurance sector seems ready-made
to make the most of the promise of decentralisation and disintermediation offered by DLT
and blockchain.
In particular, the technology may enable a move to faster, more efficient and more sus-
tainable decentralised solutions for existing products and can also help unlock unrealised
economic value for new products and connectivity with the digital economy.

91 See Wendy Kwayesa, “Bitfury announces investment in Bitpesa Pan-African Universal Payment and
Bitcoin Trading Platform,” 29 February 2016,
https://bitfury.com/content/downloads/2_29_16_release_bitfury_announces_investment_in_bitpesa.pdf.

In order to harness the benefits of these enabling technologies, investment has to be
leveraged appropriately, and policy, legal and regulatory frameworks need to be tailored
to promote efficiencies via decentralisation.
Across the insurance sector, policymakers, regulators and other industry stakeholders
are faced with a series of emerging trends and challenges, including legacy market-wide
systems, flat or declining demand, and the integration of variable generation technologies.
Against this background, the deployment of digital smart contracts and blockchain
technology presents a tremendous challenge but also a very tangible opportunity for the
insurance market, in both established and nascent markets. There are a number of promis-
ing, high-impact use cases—these include micro-insurance at one end of the scale, lev-
eraging parametric insurances, and catastrophe bond-related insurance-linked securities
(ILS) arrangements at the other end.
This chapter has identified the main challenges, many of which highlight the conflict
with existing business models of traditional insurance markets. These include the lack of
baseline digital and standardisation in place to support blockchain’s integration, and the
lack of clear policy and legal and regulatory frameworks to accommodate blockchain and
smart contracts in the current legal ecosystem, as well as the cost of integrating block-
chain within legacy systems.
DLT and blockchain, powered by smart contracts, provide an avenue for the insurance
markets to embed themselves within the digital economy and to create a bridge or bridges
that transcend current intra-market structures that are not fit for purpose for interaction
within digital structures.
Thus, the insurance markets need to embrace, as many are doing, DLT, blockchain and
smart contract technologies as a bridge between the markets and the digital economy.

Chapter 6

Parametric Insurance
Wynne Lawrence, Julie-Anne Tarr, Nigel Brook,
Meg Chaperon and Arnaud Sorel

CONTENTS
Introduction
The anatomy of a parametric policy
The basis risk problem
Advantages of parametrics over indemnity-based products
Efficiencies and cost savings
Contract certainty
Reduction or elimination of moral hazard and fraud
Insuring “hard-to-insure” and emerging risks
Types of parametric policies
Pure parametric policies
Parametric index insurance
Aggregate loss index insurance
Sovereign disaster risk management and parametrics
Regulatory and legal challenges
The problem for regulators
Insurable interest
The indemnity principle
Consumer concerns
Drivers of the parametric insurance industry’s growth
Conclusion

DOI: 10.4324/9781003319054-6

Introduction
The increasing severity and frequency of natural catastrophes over the last decade have
driven the need for effective, streamlined insurance solutions to disaster preparedness and
resilience to the forefront of government, consumer, industry and regulatory dialogue.
A significant protection gap exists worldwide, with the amount of insurance pay-outs
for natural disasters far outstripped by the scale of uninsured losses. An estimated US
$163 billion of assets are underinsured in the world today with global average annual
loss from disasters expected to increase from around US $260 billion in 2015 to US $414
billion by 2030.1 The problem is being magnified by climate change. In this context, and
in the many other areas discussed below, parametric insurance is rapidly emerging as a
key protection gap mitigation tool due to its fast, transparent, flexible and cost-efficient
capabilities.
Parametric insurance is also well-suited to non-traditional or “difficult to insure” risks,
such as pure financial loss, business interruption (BI), financial risks related to renewables
or risks related to the growing market in intangible assets.2
Indemnity insurance is the “traditional” form of insurance protection designed to pro-
vide compensation based on the policyholder’s actual losses, often assessed by a loss
adjuster. Greater damage means a higher pay-out. The vast majority of insurance is
arranged on an indemnity basis. In the context of natural disasters, indemnity insurance
is generally considered best suited to longer-term reconstruction as the loss adjustment
process can take many weeks, months, or (in some cases) years.
In contrast, parametric insurance pays out a pre-agreed amount immediately upon a
specified, predetermined event (that is, flood, cyclone, earthquake, etc.) that occurs as
measured by a specified parameter or index such as rainfall or wind speed, or a combi-
nation of factors. Driven by objective data and real-time monitoring from ground-based
sensor technologies, radar and satellite imagery, parametric insurance provides a means
to guarantee liquidity via swift and direct pay-out, following a qualifying event.
By decoupling the pay-out from a damage and loss assessment process, pay-outs are more
predictable and faster. A clear advantage of parametric insurance is delivering predicted pay-
ments at points in time when cash flow is likely to be most problematic for insureds.
In their article “Application of parametric insurance in principle‐compliant and innova-
tive ways” Xiao Lin and W Jean Kwon3 provide a very useful summation that captures the
crucial differences between traditional and parametric insurance. In particular:

• The trigger for the insurance claim being loss or damage to the subject matter
  for indemnity insurance versus the occurrence of a covered event for parametric
  insurance; and
• The insurer obligation being the actual repair or replacement of the actual damage
  sustained or reimbursement of the actual loss sustained under indemnity
  insurance versus predetermined payment for parametric insurance with no
  actual loss requirement, except when local applicable laws require actual loss.

1 Nigel Brook, Bill Marcoux, Wynne Lawrence et al., “Technology and Innovation: Tools to help close
the Protection Gap in Microinsurance Markets,” Insurance Development Forum, 28 November 2020,
www.insdevforum.org/knowledge/idf-reports-publications/idf-paper-the-power-of-technology-to-close-the-microinsurance-protection-gap/ (hereafter, IDF Report).
2 “Comprehensive Guide to Parametric Insurance,” SwissRe, 2023,
https://corporatesolutions.swissre.com/dam/jcr:0cd24f12-ebfb-425a-ab42-0187c241bf4a/2023-01-corso-guide-of-parametric-insurance.pdf (hereafter SwissRe 2023).
3 Xiao Lin and W Jean Kwon, “Application of parametric insurance in principle‐compliant and innovative
ways.” Risk Management and Insurance Review 23, no. 2 (2020) 121–150,
https://onlinelibrary.wiley.com/doi/abs/10.1111/rmir.12146 (hereafter Lin and Kwon); see also D Brettler and
T Gosnear, “Parametric Insurance Fills Gaps Where Traditional Insurance Falls Short,” Insurance Journal,
9 January 2020, www.insurancejournal.com/news/international/2020/01/09/553850.htm.

With these features, parametric insurance policies are being hailed as the ultimate
“first responder” of risk management tools for individuals and businesses, but also for
governments.

• Financial resilience is a critical component of disaster management for sovereigns
because the immediate availability of funds to finance the necessary disaster
response and recovery is critical to take appropriate action.4 Accordingly,
parametric insurance is increasingly viewed as a solution to foster resilience,
sustained growth and enhanced financial strategy capacities for both developing
and industrial countries, particularly in the face of the increasing physical and
financial risks of climate change;
• As corporate budgets and market capacity tighten amidst mounting year-after-
year extreme weather losses and continued uncertainty from climate change and
the global inflation crisis, parametric insurance is gaining ground as a preferred
alternative to traditional insurance products. An increasing number of brokers
and their clients are judging parametric products to be more relevant to their
needs due to price, certainty and assurance of what is covered in their policies.

The global parametric insurance market is making rapid inroads into territory traditionally
occupied by indemnity policies. Valued in 2021 at US $11.7 billion, the parametric market
is expected to reach $21.4 billion by 2028, growing at a CAGR of 9.6% during the
forecast period.5
Interspersed in the more detailed consideration of parametric insurance in the sections
below are parametric insurance case studies provided by parametric solutions provider
Descartes Underwriting.6 These case studies serve to illustrate the scope, variety and
operation of parametric insurance policies.

4 “G20/OECD methodological framework on disaster risk assessment and risk financing,” OECD,
www.oecd.org/finance/g20oecdframeworkfordisasterriskmanagement.htm.
5 “Global Parametric Insurance Market 2022–2028,” Research and Markets, 30 January 2023, 3,
www.globenewswire.com/news-release/2023/01/30/2597433/0/en/The-Worldwide-Parametric-Insurance-Industry-is-Expected-to-Reach-21-4-Billion-by-2028-at-a-9-6-CAGR.html.
6 See https://descartesunderwriting.com/about/
Founded by a team of insurance veterans and climate scientists, Descartes Underwriting operates globally,
offering data-driven parametric insurance against climate risk, deploying new data sources, including internet
of things (“IoT”), satellite imagery, stationary sensors, radar and third-party data and proprietary algorithms.


The anatomy of a parametric policy


A parametric insurance policy consists of (1) the “parametric trigger” that crystallises
payment when the requisite threshold, or index, is satisfied; and (2) a pay-out mechanism.
The trigger mechanism in any insurance policy (indemnity or parametric or valued) is
the specific, predetermined event or condition that must occur before payment is made.
In other words, the trigger determines when the obligation to pay arises. In a parametric
context, triggers will typically be tied to an external data source or measurement, such as
weather data, earthquake readings or financial market indices.
The key criteria for an insurable trigger are that: (a) It is fortuitous; (b) it can be inde-
pendently monitored and reported; and (c) it can be modelled.7 Trigger events can be
anything the parties agree upon that offers the above features. The goal of a trigger event
is to provide a clear, objective and verifiable basis for determining when and how much a
policyholder will be compensated.
Trust in the authenticity of the data is critical to well-calibrated outcomes for the parties
to a parametric contract. Precision and veracity of the information gathered are necessar-
ily paramount, as well as the capacity of the insured (or an auditor or court) to confirm the
accuracy of the data to validate that the trigger has been activated under proper circum-
stances. As policies may incorporate a matrix of data points, and agreed policy pay-out
levels may vary in accordance with specified standards, ensuring triggers are properly
designed and understood is essential to avoid subsequent disputes.
Independent verification and reliable, highly credible data sources are the gold stand-
ards for parametric insurance triggers. Data source integrity can directly impact the
premium since the cost of uncertainty loading is factored in. Generally, insurers aim to
use data from government meteorological agencies or independent data providers. In the
case of Redicova,8 a wind-based peril cover for severe tropical cyclones described further
below, the reference point is the Australian government’s weather tracking system with
its data points identified within this context and contingency provisions set out for dealing
with malfunctioning data sources.
Contingency planning for alternative triggers is particularly relevant where reporting
points are situated in an environment frequently impacted by natural catastrophes; sen-
sors and data-collection systems may themselves be impacted by the fortuity they were
designed to measure. Similarly, data sources and data-collection processes need to be
regularly reviewed and maintained, and appropriate steps need to be taken to avoid tam-
pering and enhance security. Automatic recording of data, as opposed to manual record-
ing, is generally preferable (but requires a higher upfront investment). As with most other
contract-based transactions, keeping clear records of the data and trigger processes will
help to avoid or resolve disputes.
After the relevant trigger is designed, the amount of payment is predetermined and may
be indexed by reference to a formula based on the potential value of loss to the insured that
may be occasioned by the magnitude of the trigger event, or which corresponds with an
insured’s estimated needs for responding to the event and maintaining business continuity.
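The trigger design points above (authentic data, a contingency source, a predetermined pay-out and clear records) can be sketched in code; this is an added example, not taken from the book or from any insurer's system. Station names, keys, wind-speed tiers and amounts are constructed, and the HMAC scheme and hash-chained log are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import math

# Constructed policy terms and demo keys (not from any real policy or provider).
PAYOUT_TIERS = [(200.0, 1_000_000), (165.0, 500_000), (120.0, 100_000)]  # km/h -> amount
# Data sources in priority order: primary first, then the contingency source.
SOURCES = ["gov-station-A", "independent-station-B"]
SOURCE_KEYS = {"gov-station-A": b"demo-key-A", "independent-station-B": b"demo-key-B"}
GENESIS = "0" * 64


def canonical(fields):
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(reading, key):
    """HMAC-SHA256 a data provider attaches over the fields that matter."""
    body = {name: reading[name] for name in ("source", "event_id", "wind_kmh")}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def is_usable(reading):
    """Accept a reading only if it is well-formed, plausible and authentic."""
    key = SOURCE_KEYS.get(reading.get("source"))
    wind = reading.get("wind_kmh")
    numeric = isinstance(wind, (int, float)) and not isinstance(wind, bool)
    if key is None or "event_id" not in reading or not numeric:
        return False
    if not math.isfinite(wind) or wind < 0:
        return False
    return hmac.compare_digest(sign(reading, key), str(reading.get("mac", "")))


def payout_for(wind_kmh):
    """Pre-agreed amount for the highest tier reached; 0 if none is reached."""
    for threshold, amount in PAYOUT_TIERS:
        if wind_kmh >= threshold:
            return amount
    return 0


def append_record(log, record):
    """Append a decision whose hash also covers the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
    log.append({"record": record, "prev": prev, "hash": digest})


def verify_log(log):
    """Recompute the chain; an edited or reordered entry breaks it."""
    prev = GENESIS
    for entry in log:
        digest = hashlib.sha256(prev.encode() + canonical(entry["record"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = digest
    return True


def evaluate_trigger(readings, event_id, log):
    """Decide the pay-out from the highest-priority usable source and log it."""
    chosen, skipped = None, []
    for source in SOURCES:
        found = [r for r in readings
                 if r.get("source") == source and r.get("event_id") == event_id]
        usable = [r for r in found if is_usable(r)]
        if usable:
            chosen = usable[0]
            break
        skipped.append({"source": source,
                        "reason": "failed checks" if found else "no reading"})
    # None means no usable data: fall back to the policy's contingency terms.
    payout = payout_for(chosen["wind_kmh"]) if chosen else None
    append_record(log, {"event_id": event_id, "payout": payout,
                        "source_used": chosen["source"] if chosen else None,
                        "wind_kmh": chosen["wind_kmh"] if chosen else None,
                        "skipped_sources": skipped})
    return payout


def make_reading(source, event_id, wind_kmh):
    """Build a constructed, correctly signed sample reading."""
    reading = {"source": source, "event_id": event_id, "wind_kmh": wind_kmh}
    reading["mac"] = sign(reading, SOURCE_KEYS[source])
    return reading


def demo():
    """Run three constructed events; return (pay-outs by event, audit log)."""
    tampered = make_reading("gov-station-A", "TC-001", 118.0)
    tampered["wind_kmh"] = 210.0  # altered after signing, so the MAC no longer matches
    readings = [tampered,
                make_reading("independent-station-B", "TC-001", 171.0),
                make_reading("gov-station-A", "TC-002", 112.0)]
    log = []
    return {e: evaluate_trigger(readings, e, log) for e in ("TC-001", "TC-002", "TC-003")}, log
```

The chain detects edits to recorded decisions but not removal of the most recent entries; detecting that needs the latest hash to be held by a second party such as the insured or an auditor.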
By their nature, parametric policies are most readily deployed to respond to risks aris-
ing in relation to weather (where triggers can be readily designed to respond to indices

7 SwissRe 2023 (n 2).
8 https://redicova.com.au/.


such as temperature, precipitation and windspeed), natural catastrophes (based on the
severity of the event such as earthquake magnitude, hurricane wind speed, flood water depth
or precipitation amounts), pandemics (in which case, severity references the number of
confirmed cases, hospitalisations, deaths or government civil authority orders such as
closure announcements) and in domains such as agriculture (by reference to crop yields,
commodity prices and soil moisture levels) and infrastructure (performance or mainte-
nance of critical infrastructure, such as power plants, bridges and pipelines), particularly
renewable energy, where the lack or volatility of solar radiation or wind can cause finan-
cial loss.
However, parametric policies are readily customisable to meet the specific needs of a
policyholder, with triggers and pay-outs varying widely as to the type of policy and cir-
cumstances covered. Provided there is a strong enough correlation between the index and
the insured’s losses, theoretically any index-based insurance product can be possible. For
example, in response to the challenges of the COVID-19 pandemic, Lloyd’s of London in
2020 launched a new BI policy for small and medium-sized enterprises (SMEs) that uses a
parametric trigger to protect against IT disruption or downtime. It removes the traditional
indemnity trigger used by most policies and instead relies on parametric triggers that
automatically pay out if a customer’s critical IT services are disrupted.9 Innovative com-
mercial policies have also been designed to respond to simple binary trigger events which
are readily verifiable, such as flight delays or cancellations.10 Parametric solutions have
also been utilised to provide protection for goods in transit, sometimes on a blockchain-
enabled, smart contract basis. Through the use of the Internet of Things (IoT), parametric
insurance can also be designed to respond to automatic fault codes issued by domestic
appliances, triggering pay-out for repair or replacement. Parametrics thus form part of
a continuum of technology-enabled solutions for real assets which might support a more
circular, sustainable and service-based economy based on rental, repair and maintenance
(vs ownership and disposal).11

The basis risk problem


Basis risk is common to all insurance products. In the context of indemnity policies, it can
be expressed as the difference between the loss incurred by the insured and the amount
indemnified by the insurer taking into account relevant deductibles, loss adjustments,
coinsurance, policy limits and relevant exclusions.12 Generally, the insured’s familiarity
with deductibles and the risk assessment processes means that basis risk is reasonably
well understood in the context of traditional indemnity products (albeit coverage dispute
resolution statistics may not fully support this position).
Basis risk in parametric insurance refers to the potential discrepancy between the
actual claim payment made in accordance with the product design and the anticipated
payment by reference to the actual loss suffered. The deviation can be either pro-insured

9 See www.reinsurancene.ws/lloyds-launches-parametric-policy-for-business-interruption/.
10 SwissRe 2023 (n 2).
11 “The butterfly diagram: visualising the circular economy,” Ellen Macarthur Foundation,
https://ellenmacarthurfoundation.org/circular-economy-diagram.
12 See, for example, Dana A Kerr, “Understanding basis risk in insurance contracts.” Risk Management
and Insurance Review 9, no. 1 (2006) 37–51.


(a windfall where the pay-out is greater than the loss suffered) or pro-insurer (negative
basis risk whereby the insured is not fully indemnified) and is a result of the variance in
the distribution of the insured’s losses given a specific value of the index. Basis risk arises
because of the inherent uncertainty and unpredictability around the relationship between
the index and the insured’s loss.
Positive basis risk arises when the insurer pays claims that are not affected by a loss
event or pays more than the actual loss. The downside is of course the under-pricing of
risk and increased solvency issues for insurers. There may also be regulatory issues where
an insured does not suffer any loss at all. To address this, various jurisdictions have imple-
mented measures such as requiring claimants to confirm the occurrence of a loss through
means such as a text message or a signed statement of loss (attestation), depending on the
specifics of the policy. Negative basis risk occurs when insurers underpay claims to those
insureds who have paid premiums but whose losses fall short of the index thresholds.
Negative basis risk can result in heightened customer dissatisfaction and reduce policy
renewal rates. It suggests the failure of an insurance programme aimed at closing pro-
tection gaps and poses a reputational risk to insurers that may also impact sales of other
products more broadly.13
Imperfection of the model (if risk variables are not properly conceptualised and cap-
tured in the first instance) and poor data quality (through inputs being incomplete or inac-
curate) can both contribute to basis risk.
If the trigger point is not accurately defined or measured, it can result in either over-
payment or underpayment of the claim and may, by extension, undermine the policy’s
efficacy in addressing the intended risk. Overpayment can result where a policy sets trig-
ger levels so low that relatively minor events not causing great loss can trigger payment.
When multiple data points are included, the trigger may become even more problematic,
both in application and for the insured’s understanding of what risk will be covered by
the policy. For example, if a policy is triggered by a certain level of rainfall, disputes may
arise if the measurement of rainfall is inaccurate or inconsistent or if the data sources
and data-collection processes are not properly reviewed and maintained. In the context
of a policy intended to pay out for losses arising out of wind speeds in a certain location
surpassing a predetermined trigger level, confusion may result when data can be sourced
from multiple locations and discrepancies arise across these readings. This can happen in
remote and rural areas where there are limited sensors belonging directly to a government
or equivalent source. Mitigation of the issue of multiple sources is generally achieved
through techniques such as data reconciliation and data quality checks for accuracy and
consistency. These types of disputes may decrease as technology becomes increasingly
sophisticated and more data points become available.
The African Risk Capacity (ARC) is one of the leaders in parametric trigger model-
ling and capacity-building—in its first three years, ARC paid out over US $34m to sup-
port communities affected by drought, assisting over two million people.14 However, in
2016, a policy issued to Malawi was not immediately triggered even though there was
a widespread crop failure. Subsequent investigations by ARC revealed that farmers in

13 “Weather Index Insurance for Agriculture: Guidance for Development Practitioners,” Agriculture and
Rural Development Discussion Paper No. 50, World Bank, Washington, DC, November 2011,
https://openknowledge.worldbank.org/handle/10986/2688.
14 See www.arc.int/arc-limited.


Malawi had switched to a different crop with a shorter growing cycle and a different “rain
window.”15 When this data was put into the model, it created a more accurate estimate of
the drought-affected population and triggered a pay-out to Malawi from the ARC fund.16
Modelling is key to ensuring that any gap between losses and insurance pay-out is as
small as possible, and this means insurers must take care to partner with knowledgeable
bodies on the ground to ensure the triggers and calculations conform as closely as pos-
sible to actual loss experience. In time, basis risk may be minimised by more detailed and
accurate modelling and greater availability of data, including through remote sensing and
land-based sensors. For example, in 2015, AIG launched Compass Re II 2015-1, a cat bond
with a parametric trigger designed to respond to a storm’s radius, maximum wind speed,
and latitude and longitude at landfall.17 Another example of innovation in modelling is the
Kenya Livestock Insurance Program, supported by Swiss Re and the World Bank, which
uses satellite images to monitor grazing conditions and delivers parametrically-triggered
insurance payments directly to pastoralists via mobile phones.18 The costs of developing
better parametric models are also likely to significantly decrease as enabling data and
software are increasingly shared as an open resource. For example, NASA’s Global Flood
Monitoring System19 provides real-time satellite data and hydrological runoff analysis
as an online resource, and the OpenQuake Platform20 allows modelling analysts to share
datasets and tools to assess earthquake risk. Rapidly increasing sophistication in the mod-
elling space may help mitigate basis risk in the future, but no model can entirely predict
future outcomes and there is always an inherent risk that idiosyncratic features of indi-
vidual insureds’ exposures will impact the perceived value of parametric insurance.21
Although there may be no deficiencies in product design, model or malfunction in trig-
gers, there can still be gaps in the insured’s expectations which will be based on an under-
standing of indemnity insurance as opposed to the parametric-enabled pay-out. These
residual issues are perhaps not true “basis risk” but may be understood as an expectation
gap that is part of the same continuum and can lead to disputes. Such issues are best man-
aged through engagement and education. Fairness, transparency and upfront discussion
of basis risk can support the insured in understanding the relationship between the index
and the actual loss. If an insured does not fully understand this gap it can lead to disputes
over payment amounts, as well as broader concerns about the stability and reliability of

15 IDF Report (n 1) 20.
16 Ibid.
17 “Compass Re II 2015-1 cat bond grows to $300m for AIG,” Artemis, 22 May 2015,
www.artemis.bm/news/compass-re-ii-2015-1-cat-bond-grows-to-300m-for-aig/.
18 “Successful Kenya Livestock Insurance Program schemes scales up,” SwissRe,
www.swissre.com/our-business/public-sector-solutions/thought-leadership/successful-kenya-livestock-insurance-program-scheme.html.
19 “Global Flood Monitoring System (GFMS),” University of Maryland, http://flood.umd.edu/; for a full
list of NASA Disasters Mapping Portal products for floods, see
https://appliedsciences.nasa.gov/join-mission/publications-resources/nasa-disasters-mapping-portal-product-guide.
20 https://platform.openquake.org/; the web-based platform offers an interactive environment in which
users can access, manipulate, share and add data, and explore models and tools for integrated assessment of
earthquake risk.
21 For a more detailed discussion of these and other technology enabled parametric solutions for
sovereigns, see Nigel Brook, Wynne Lawrence, Edward Langlier and Bill Marcoux, “How Technology can Help
Bridge the Protection Gap,” Insurance Development Forum, 29 November 2019,
www.insdevforum.org/knowledge/idf-reports-publications/idf-paper-on-how-technology-can-help-bridge-the-protection-gap/
(hereafter IDF Bridge the Protection Gap).


the insurance market. In response to this potential market risk, regulators have imposed
certain requirements or restrictions on parametric insurance, such as minimum capital
requirements or limits on the types of indices that can be used or additional disclosure
requirements22 (see further below regarding regulation).

Advantages of parametrics over indemnity-based products


In particular situations, there are a number of potential advantages in moving from
indemnity-based policies to the parametric model. Some of these benefits are “consumer-
friendly” traits that enhance transparency, flexibility and efficiency. Others centre on the
reduction of “classic” insurance problems indemnity frameworks face such as moral haz-
ard, adverse selection and fraud.

Efficiencies and cost savings


While it should be acknowledged that the upfront costs of designing bespoke parametric
insurance are usually higher than those for creating a conventional indemnity policy, the
elimination of post-event claims assessment and adjustment processes essential to indem-
nity policies helps both insurers and insureds realise savings.
For insureds, the speed of pay-out is a key attraction of parametric insurance, providing
much-needed cash flow in the face of the triggering event. For example, unlike traditional
covers where BI elements, in particular, can take an average of 18 months or more to be
settled, parametric claims are paid in the same accounting year as the loss, often even just
days following the event. This swift liquidity reduces the insured’s balance sheet volatil-
ity, with losses and receivables both occurring in the same accounting period. Receiving
revenue as if operations had continued as normal also supports the business in retaining
staff and paying operational and supply chain costs seamlessly.23 The speed of the para-
metric claims process also provides benefits against cumulative factors that worsen in
time during high inflationary periods.
For insurers, these technological combinations translate to cost savings through
increased visibility of business analytics related to the performance of a parametric prod-
uct, such as around weather; automatic creation of an audit trail of contract performance
and claims obligations; and reduction in the overall administrative cost as compared with
more “manual” management of claims. Data capture and analytics are related and impor-
tant attributes of parametrics. By integrating policies with distributed ledger technologies,
efficiencies of automated processing can capture in-built audit functions and display data
in graphical form for users to visualise and dynamically analyse contract data in real time.
Another fundamental benefit of parametrics is that they can be triggered not by the
calamity that directly affects the insured (such as crop failure or the resulting hunger)
but by its forebear (such as inadequate rainfall), which can minimise the wider human

22 See Ben Dyson, “Could the basis risk ‘bogeyman’ threaten the rise of parametric insurance?” S&P
Global Intelligence,
www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/could-the-basis-risk-bogeyman-threaten-the-rise-of-parametric-insurance-56295810;
“Parametric Disaster Insurance,” Center for Insurance Policy and Research, NAIC, 10 February 2023,
https://content.naic.org/cipr-topics/parametric-disaster-insurance.
23 Ibid.


and financial impact and costs.24 For example, there is a crop policy that is triggered on
satellite images of grazing land—where a lack of greenery or yellow land indicates the
crop is failing. If funds can be made available promptly to a vulnerable region in this
way, resources can flow to feed both people and livestock before famine and displacement
strike, reducing loss and damage overall.25
Technology-enhanced smart contracts26 can facilitate rapid payments by using software
and data sources to automatically calculate claims obligations. Stored on a blockchain that
links external software systems and data sources to the agreement, a connected contract
can be coded to run when the predetermined conditions are met. Based on a digital agree-
ment clause and tied to real-world data links, payment to an insured is automatically trig-
gered to a predesignated account when the nominated threshold is crossed. Additionally,
a connected contract can enable data produced to feed into other platforms, which may,
for example, trigger reinsurance recoveries or manage the transmission of power from the
insured to its customers under a “take or pay”27 system.
For instance, a solar energy provider’s parametric insurance cover against unfavour-
able weather causing a shortfall in expected energy generation exemplifies the block-
chain/smart contract/parametric interface. The policy, which consists of a data model, a
logic code and a supporting natural language contract, is triggered to pay out when the
agreed neutral third party’s data passes the designated point, measured in solar irradia-
tion or “lux.” When there is insufficient irradiation to satisfy predetermined production
thresholds, parametric insurance on a blockchain can automatically calculate and report
on loss and make payment. The benefit is dual: The insured receives rapid payment and
does not have to go through the process of demonstrating loss, and the insurer saves
time and costs around the investigation stages. In the solar context, where installation
of solar farms is generally highly leveraged, a properly designed parametric insurance
product can provide certainty of revenue and thereby facilitate investment in renewable
resources. This is another way in which parametric insurance can support the climate
transition.
Ultimately, cost is usually a—if not “the”—key factor in decision-making. By making
better use of technology, parametric insurance can cut administrative costs and make
products more affordable. Allowing infinite customisation, parametric structures can

24 For an overview of this type of remote sensing, see, generally, “Using Satellite Data to Improve Index
Insurance,” Columbia Climate School, International Research Institute for Climate and Society,
https://iri.columbia.edu/our-expertise/financial-instruments/using-satellite-data-to-improve-index-insurance/,
and C S Murthy, Malay Kumar Poddar, Karun Kumar Choudhary, Varun Pandey, P. Srikanth, Siddesh
Ramasubramanian and G. Senthil Kumar (2022) “Paddy crop insurance using satellite-based composite index
of crop performance,” Geomatics, Natural Hazards and Risk 13:1, 310–336, DOI: 10.1080/19475705.2021.2025155.
25 IDF Report (n 1) 11.
26 A smart contract is a computer program or a transaction protocol that is intended to automatically
execute, control or document events and actions according to the terms of a contract or an agreement.
It is a self-executing contract with the terms of the agreement between buyer and seller being directly
written into lines of code. The code and the agreements contained therein exist across a distributed,
decentralised blockchain network. The code controls the execution, and transactions are trackable and
irreversible. See discussion in Chapter 5.
27 Take or pay is a provision in a contract stating that a buyer has the obligation of either taking delivery of
goods from a seller or paying a specified penalty amount to the seller for not taking them; see explanation, Eric
Estevez, “What is Take or Pay?” Investopedia, 28 November 2022,
www.investopedia.com/terms/t/takeorpay.asp#:~:text=by%20Eric%20Estevez-,What%20Is%20Take%20or%20Pay%3F,seller%20for%20not%20taking%20them.


match a wide array of budgets and exposure means. This is important regardless, but
even more so in the current environment where many insureds suffer financially from
the pandemic and inflation. All of this is compounded by the market hardening in the last
couple of years.

Contract certainty
The rise in exclusionary language used in traditional policy wordings due to the pandemic
and market hardening has brought unease and frayed trust in conventional insurance.
Comparatively, parametric policies and their straightforward structure provide potentially
greater transparency that rebuilds confidence for clients in “what they see is what they
get.” This is core to the value proposition of parametric insurance—the ability to increase
the certainty between a loss event taking place and a pay-out being made, quickly, accu-
rately and without frictional costs.28
Advances in smart contract technology can enable this. As discussed in more depth
in Chapter 5, blockchains are defined as decentralised, immutable, transparent and
cryptographically enhanced digital ledgers. Secured by “consensus,” they are crypto-
graphically linked record lists that are able to be rapidly evaluated and reviewed. In
the parametric insurance context, when twinned with smart contracts, the need for the
added complexities of hard copy documents, underwriting records and voluminous
documentary disclosures may be eliminated in favour of entries on an immutable
blockchain ledger. Doing so means insurers and insured agree to upload, sign, store,
secure and share access to the policy, including the application and disclosures, vari-
ations, endorsements and renewals (where relevant). This can mitigate unilateral mis-
takes and provides chronological visibility and readily available records for auditors,
regulators and (potentially) courts.
Subject to potential complications around the underlying risk modelling, the multipage
terms and conditions of traditional policies may be reduced. Scope for disputes around
ambiguous terms or relevant cover may also be reduced, although, again, ensuring clear
expectations on the part of the insured of exactly what risk is addressed under the policy
and that payment is not intended to indemnify actual losses that may be suffered are foun-
dational to supporting consumer confidence around these products.
Eliminating the claims assessment and adjustment stages also removes subjectivity and
delay, which can reduce the risk of potential disputes arising from quantum assessment
and late payment damages. Delays may nevertheless arise in the context of a complex
multifactorial index. Even when pay-out figures are not in contention, overly complex
designs of the matrix of variables for the trigger payment can result in delay. For example,
the World Bank Pandemic Emergency Financing Facility’s parametric catastrophe bond
pay-outs attracted significant criticism29 when its payments to 77 of the world’s poorest
countries took more than 40 days to calculate. Tied to publicly available data as the deter-
minant for what level of payments should be released, triggers were based on outbreak
size (the number of cases of infections and fatalities), outbreak growth (over a defined

28 See, for example, discussion at Descartes, https://descartesunderwriting.com/about/.
29 Euan Ritchie and Mark Plant, “A Good Idea Executed Badly: Why the World Bank Should Not Renew
the Pandemic Emergency Facility Insurance Window,” 9 April 2020,
www.cgdev.org/blog/good-idea-executed-badly-why-world-bank-should-not-renew-pandemic-emergency-facility-insurance.


time period) and outbreak spread (with two or more IBRD/IDA countries affected by the
outbreak). Pay-out occurred once all three were met, and countries were required in this
respect to meet a slew of conditions:
(1) A rolling daily average of at least 250 cases; (2) the virus to exist for at least 84 days; (3)
total confirmed deaths to be greater than 250 cases (for class B issuances) or 2,500 cases (for
class A issuances); (4) an exponential growth rate; and (5) geographic spread of the virus.30

As discussed above in the context of basis risk, disputes may also arise where there is
ambiguity in the trigger (where there may be more than one arbiter of the triggering event)
or a trigger fault (such as a failure of an arbiter, such as a weather sensor). There can also
be disputes where the trigger has not responded in the face of loss or responded where
there was no loss, or the pre-agreed payment does not reflect the insured’s actual loss, in
other words, where “basis risk” is acute.

Reduction or elimination of moral hazard and fraud


Parametric insurance may reduce moral hazard in an insurance transaction. Moral hazard
refers to the situation where the presence of insurance cover encourages insured parties
to engage in riskier behaviour, as they expect their insurance providers’ final payment
figure to indemnify them in full. A textbook example is a driver insured with automotive
cover driving more recklessly, reasoning their insurance will cover any accident costs.
Arguably, parametric cover removes moral hazard from the equation because an insured’s
behaviour cannot change the pay-out figure. Pay-outs are tied to systemic conditions out-
side of individual control, reducing the incentive for insured parties to take excessive
risks. On the other hand, separating losses from pay-outs may result in a decreased deter-
rent effect compared to indemnity insurance.
Adverse selection occurs when individuals who are exposed to risk purchase insurance
cover at a higher rate than those who are less exposed to risk. This is a factor of infor-
mation asymmetry between the policy purchaser and the insurer wherein the would-be
insured has a better understanding of their own risks and adjusts the cover accordingly.
The provider, lacking this knowledge, is unable to adequately structure their pricing. Left
unchecked, this leads to a shrinking and/or shifting of the risk pool towards individuals
more likely to suffer losses, ultimately undermining the benefits of pooling risk and pos-
ing a threat to the financial stability of insurance systems. Using pre-agreed parameters
as triggers for pay-outs, rather than valuing actual losses, means insurers need to assess
only the specific risks as agreed by the parties. By relying on parameters that are easily
observable and publicly available, parametric insurance can provide transparent pricing,
regardless of the level of risk a particular insured faces. Adverse selection risk is accord-
ingly reduced because the insurer is not providing cover for risks that are not accurately
priced, and insured parties are not incentivised to hide information as to their specific
risk circumstances. In theory, therefore, parametric insurance policies can create more
balanced and stable risk pools that provide greater financial stability for insurers and fair
protection for insureds.

30 Vaasavi Unnava, “Understanding Parametric Triggers in Catastrophe Insurance,” Yale School of
Management, Program on Financial Stability, 17 June 2020,
https://som.yale.edu/blog/understanding-parametric-triggers-in-catastrophe-insurance; see also A Gross,
“World Bank pandemic bonds to pay $133m to poorest virus-hit nations,” Financial Times, 20 April 2020,
www.ft.com/content/c8556c9f-72f7-48b4-91bf-c9e32ddab6ff.

Parametric policies are generally considered to be more fraud-resistant than traditional
indemnity policies since triggers are based on independently verified data. Again, smart
contracts and blockchain can further enhance security and prevent fraud by providing a
transparent and objective trigger mechanism. Fraud risk cannot be entirely eliminated,
and it should be acknowledged that parameters themselves can be susceptible to manipu-
lation, misrepresentation or in-built ambiguity. For example, fraud risk could be reintro-
duced in crop policies if the insured had the capacity to tamper with wind or precipitation
gauges.

Insuring “hard-to-insure” and emerging risks


Parametric products can cover risks that are not otherwise easily insurable, as they allow
for more scientific pricing of products that respond to specific isolated risks, rather than
losses which might be occasioned by any number of a wide range of occurrences.
It can be argued that some risks are better suited by their nature to parametrics. It is
also arguable that the traditional principle of insuring against a factory catching fire and
its subsequent loss of output as BI until the factory is repaired is no longer fit for purpose.
The evolving operating models of businesses place increased importance on their intangible
values—such as consumer attraction or revenue—which now account for a greater
proportion of overall value than ever before. Parametric insurance is more effective at
providing cover where there is no property damage trigger for BI claims, including in cases of
indirect losses of revenue, contingent BI and additional costs of working.
Just over a decade ago in Japan, retail groups saw their revenue severely impacted
following the Tōhoku earthquake and tsunami.31 Yet in the absence of direct material
damage to the storefronts, only a minor fraction of this loss was covered by traditional
insurance. Likewise, the exceptional market demand experienced by the semiconduc-
tor industry illustrates the need for a new approach to BI.32 Whereas traditional poli-
cies pay based on a company’s average revenue, in a year with supply shortages the
actual loss could be considerably higher. The flexibility of a parametric cover enables
the client to recover their true exposure, customised to market conditions and their
individual needs.
Throughout global markets we see capacity continuing to diminish for some assets that
risk carriers consider tricky to insure or uninsurable due to their frequency or other char-
acteristics. This is especially true for natural hazards and extreme weather exposures such
as wind, solar and rainfall yield volatility. It is also the case for assets such as underground
networks, offshore and coastal properties, overhead transmission and distribution lines,
transportation networks and others.

31 See, for example, discussion in “Two years after tsunami, Japan’s small business owners stuck in limbo,”
CS Monitor, 11 March 2013,
www.csmonitor.com/World/Asia-Pacific/2013/0311/Two-years-after-tsunami-Japan-s-small-business-owners-stuck-in-limbo.
32 Ondrej Burkacky, Julia Dragon and Nikolaus Lehmann, “The semiconductor decade: A trillion-dollar
industry,” McKinsey, 1 April 2022,
www.mckinsey.com/industries/semiconductors/our-insights/the-semiconductor-decade-a-trillion-dollar-industry.

Loss-stricken accounts are much harder to place in the traditional market due to the
methodology used by traditional insurers to price the risk, which is heavily weighted on
historical losses. However, the use of advanced technology combined with this forward-
looking approach means that parametric insurance can extend to new industries that are
rapidly developing in remote areas of the region without historical loss records, such as
solar plants or offshore wind farms.
With a growing and extensive product offering against a variety of Nat Cat perils,
parametric insurance provides a means to supersede gaps in the traditional marketplace
and better protect global markets and businesses against climate change. In this way,
parametrics can also help overcome some of the entry barriers insurance companies can
face when entering new and developing markets. For example, local regulators can be
wary of foreign entrants while, at the same time, there are risks for foreign insurers in
working in jurisdictions with less well-developed insurance laws and less sophisticated or
experienced regulators. In short, there can be a trust deficit. Governments in developing
markets can also have concerns about international insurers entering markets to compete
with local insurers for standard business. These barriers tend to be less problematic when
international players can demonstrate value-add by helping to insure what was previously
considered “uninsurable.” By their nature, parametric products set up to cover perils such
as drought, flood, earthquake or wind damage provide this.

CASE STUDY: HIGH HAIL EXPOSURE FOR SOLAR DEVELOPMENT IN A REMOTE AREA OF TEXAS, USA
Problem33
As the energy and renewables market evolves, climate risks carry significant impacts for energy
production and infrastructure. Offshore or on land, natural hazard coverage has proven to be a
challenge for traditional insurance. This challenge is particularly acute when there is a lack of
historical claims data, as is often the case for renewables or perils previously considered uninsur-
able, such as hail.
In one example, a photovoltaic (PV) plant was developed at a remote location where existing
hail data maps lack precision due to poor data availability. The traditional market responded by
imposing high deductibles and reduced limits after similar PV plants suffered US $80 million
in losses in 2019 due to a single storm with tennis ball-sized hailstones. Parametrics enabled by
remote and on-the-ground sensing technology provided a cost-effective solution. Regardless of
where a given solar farm is located, technology advances related to the reporting and detection
of hail events (e.g. doppler radar, satellite imagery, on-site sensors, etc.) enable parametric insur-
ance providers to more accurately model and underwrite hail risk. The parametric approach also
incorporates asset-specific factors and models the underlying phenomenon directly rather than
pricing policies based on limited historical loss data. This overcomes shortfalls in the traditional
marketplace, minimises basis risk and provides renewable clients with swift pay-out and fairly-
priced coverage that most closely represents their experience during a hailstorm.

33 Descartes Underwriting case study 1.


Types of parametric policies


Parametric policies can be classified into three main types: pure parametric, parametric
index insurance and aggregate loss index insurance. The differences between these arise
from their focus on individual versus aggregate losses and the extent of assessment of
losses involved in determining pay-outs. The choice between these three types of index
or parametric policies depends on the specific needs and risk tolerance of the policyholder
and any regulatory requirements.

Pure parametric policies


A pure parametric policy provides cover based on the occurrence of a specific param-
eter—wind speed or earthquake magnitude—and pay-out once triggered is for the pre-
agreed amount under the relevant index formula.
Pure parametric policies provide more targeted coverage as the policyholder only
receives a pay-out if the specific parameter they are insured against is triggered.
Pure parametric policies are most commonly used in weather-sensitive industries, such
as wind energy and sports events, or those operating in high-risk areas, such as
hurricane-prone coastal regions, earthquake-prone belts or areas prone to drought/extreme
temperatures. For example, New Zealand offers an earthquake policy designed to pay out
within five days of a strong event as tracked in real time by GeoNet data,34 and California
property owners meeting trigger event parameters receive a payment within 72 hours
of an insured earthquake, regardless of loss.35 Another example derives from Northern
Australia, an area with a history of major tropical cyclone events such as Larry (2006)
and Yasi (2011), where a Lloyd’s Disaster Risk Facility-backed pure parametric product,
Redicova,36 offers wind-based peril cover for severe tropical cyclones. Designed to provide
assistance within three business days of a claim being lodged through the company’s
portal, payment to a nominated bank account is automated. No proof of physical loss
beyond a self-attestation of the event is required—nor indeed is any actual loss necessary.
No assessment process is involved, and pay-outs are independent of any other cover or
insurance that homeowners may hold and can be used as the insured sees fit.
Pure parametric insurance policies are not tailored to the individual needs of policyholders,
as the pay-outs are solely based on the data collected from the specified parameters.
However, their use in conjunction with other, more traditional types of policy, to provide
limited “first responder” assistance as support while broader claims assessments are
undertaken, may become increasingly common.
It may be asserted that a disadvantage of these types of policies is that, given no assess-
ment of personal loss is involved, there is no incentive for policyholders to mitigate their
risk. In traditional contexts—and arguably from a public policy perspective—this can
create a moral hazard, where policyholders are less likely to take steps to minimise their
risk, given pay-outs will automatically be made regardless. However, most parametric
providers, including Descartes, require a notification of loss prior to issuance of payment.
This loss, of course, does not have to be physical property damage or BI only. It can
include any other economic damage a client sustains from a triggering event, including
financial impacts on their clients, vendors or suppliers. Similarly, disincentive arguments
can equally be raised in relation to traditional policies, where underwriting and premium
pricing do not incorporate any mitigative measures put in place by the client. For example,
flood-exposed riverside businesses are not incentivised to put up a levee, as this will have
no impact on their traditional premium (which can’t account for such measures as the
model is based on historical loss records when the levee did not exist). Parametric products
easily incorporate such measures, leading to reductions in pricing.

34 www.lloyds.com/about-lloyds/media-centre/press-releases/lloyds-launches-pioneering-parametric-earthquake-insurance-policy-in-new-zealand.
35 https://dvhb.com/insurance/; www.jumpstartinsurance.com/earthquake-insurance.
36 https://redicova.com.au/; see also Daniel Wood, “Can parametric insurance save Australia’s natural
disaster zones?” Insurance Business Magazine, 1 Dec 2021,
www.insurancebusinessmag.com/au/news/breaking-news/can-parametric-insurance-save-australias-natural-disaster-zones-318377.aspx.

A more significant issue in public policy contexts however is the concern these products
may be used for speculative purposes rather than for risk mitigation. As many countries,
for purposes of distinguishing insurance policies from gambling, have framed their insur-
ance laws to require an actual loss to be shown by someone with an insurable interest,
the binary simplification of these policies may raise legal enforceability concerns beyond
those that reflect public morality issues.
In particular, when this type of policy is used in the commodity market to protect
against price swings, with triggers such as the price of specific commodities determining
pay-outs, the line between its role as insurance and as a derivative or other product
becomes blurred. As financial products are subject to different prudential requirements and
oversight from those of insurance, it is likely this issue will need greater regulatory and
stakeholder certainty and agreement—including legislative reforms—before it can be used
effectively beyond the broader catastrophe/weather event scenarios set out.37
Finally, adjustments or negotiations around the policies are rarely, if ever, viable—and
would indeed arguably defeat the functionality this product seeks to deliver. Again, it
is likely that for this reason combined with other factors above, the “best use” of pure
parametric policies is for rapid assistance with a traditional indemnity product providing
added recovery support for actual losses suffered.

CASE STUDY: BRISBANE-BASED CLIENT FORCED TO SELF-INSURE YEAR-OVER-YEAR LOSSES,
PARAMETRIC PRODUCT FILLED THE GAP IN THE TRADITIONAL MARKETPLACE38
Flood is Australia’s costliest natural-hazard-related disaster in terms of both tangible and intan-
gible loss. Following the February and March 2022 floods in Queensland and New South Wales,
there was a shortage of loss adjusters and specialist hydrologists needed to determine if the
resulting damage was from fluvial or pluvial floods. This had major implications on the sub-
limits and deductibles of insureds’ traditional property policies. Fluvial flood cover was subject
to a separate sub-limit and deductible, whereas the pluvial was not. This resulted in a six-month
delay in hydrologist review before a claim determination could be made.

37 See further discussion below.


38 Descartes Underwriting case study 2.


Parametric products do not have these complications, as both types of flood would have been
covered under the policy. Therefore, claims settlement would be a much quicker process, with no
questions about what was and wasn’t covered.
In one example, a hospitality business in Brisbane with high-value outdoor assets suffered
losses during the 2011 and 2015 floods. The business had invested heavily in protecting its assets
from flood—installing flood protection barriers and using flood-resistant building materials in a
recent renovation. Hard market conditions and past losses left them with significant rate hikes, so
they opted to fully self-insure in recent years.
With awareness of their ongoing exposure, the client and their broker transferred their flood
risk to a parametric policy with Descartes Underwriting in 2020. The parametric flood cover uses
proprietary models to assess the client’s specific flood risk. It is structured to pay out when water
levels surpass a predefined threshold on-site, measured in real time by a connected sensor. The
thresholds are set to reflect the client’s view of the risk and their ongoing investments in flood
prevention. Descartes then monitors their exposure in real time through a combination of public
river gauge data and IoT devices installed on-site, notifying the client and providing indemnifica-
tion within days if the policy triggers. If the 2022 flood events surpassed the predefined policy
thresholds and again hit their site, they would have received a rapid insurance pay-out to cover
repair costs and bridge the BI impacts on their balance sheet.
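
The trigger faults and gauge tampering discussed earlier in this chapter, and the pairing of an on-site sensor with public river gauge data in the case study above, can be made concrete in code. The following Python is an added example, not Descartes Underwriting’s or any insurer’s model; the threshold, datum offset, tolerance, sampling window and every reading are constructed assumptions.

```python
"""Corroborated parametric flood trigger: added example with constructed readings."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Hypothetical policy terms (assumptions, not taken from any real policy).
THRESHOLD_M = 2.5      # on-site water level that triggers a pay-out
GAUGE_OFFSET_M = 0.5   # converts public gauge readings to the site datum
TOLERANCE_M = 0.3      # maximum accepted disagreement between the two sources
WINDOW = 3             # consecutive samples the level must be held


@dataclass(frozen=True)
class Decision:
    status: str   # "PAY", "NO_TRIGGER" or "REVIEW"
    reason: str


def sustained_peak(levels: Sequence[Optional[float]], window: int) -> Optional[float]:
    """Highest level held for `window` consecutive valid samples.

    A None sample (sensor dropout) breaks the run, so neither an isolated
    spike nor a gap in the data can satisfy the trigger on its own.
    """
    best: Optional[float] = None
    run: List[float] = []
    for level in levels:
        if level is None:
            run = []
            continue
        run.append(level)
        if len(run) >= window:
            held = min(run[-window:])
            best = held if best is None else max(best, held)
    return best


def evaluate(site: Sequence[Optional[float]], gauge: Sequence[Optional[float]],
             threshold_m: float = THRESHOLD_M, gauge_offset_m: float = GAUGE_OFFSET_M,
             tolerance_m: float = TOLERANCE_M, window: int = WINDOW) -> Decision:
    """Pay only when the on-site reading is corroborated by the independent gauge."""
    site_peak = sustained_peak(site, window)
    gauge_peak = sustained_peak(gauge, window)
    if site_peak is None or gauge_peak is None:
        missing = "on-site sensor" if site_peak is None else "public gauge"
        return Decision("REVIEW", f"{missing}: no sustained valid readings")

    gauge_at_site = gauge_peak + gauge_offset_m
    gap = abs(site_peak - gauge_at_site)
    if site_peak >= threshold_m:
        if gap <= tolerance_m:
            return Decision("PAY", f"site {site_peak:.2f} m corroborated by gauge")
        # Trigger met by one arbiter only: possible tampering or sensor fault.
        return Decision("REVIEW", f"site above threshold, sources differ by {gap:.2f} m")
    if gauge_at_site >= threshold_m + tolerance_m:
        # The independent source shows flooding that the site sensor missed.
        return Decision("REVIEW", "gauge indicates flooding not seen by site sensor")
    return Decision("NO_TRIGGER", f"site {site_peak:.2f} m below threshold")


# Constructed ten-minute samples: (on-site sensor, public gauge), in metres.
FLOOD_GAUGE = [0.8, 1.3, 2.0, 2.2, 2.3, 2.3, 1.7]
CALM_GAUGE = [0.8, 0.8, 0.9, 0.9, 0.8, 0.8, 0.8]
SCENARIOS = {
    "genuine_flood": ([1.2, 1.8, 2.6, 2.7, 2.9, 2.8, 2.1], FLOOD_GAUGE),
    "tampered_site_sensor": ([1.2, 3.0, 3.1, 3.0, 3.2, 1.2, 1.2], CALM_GAUGE),
    "single_spike": ([1.2, 1.3, 3.5, 1.3, 1.2, 1.2, 1.2], CALM_GAUGE),
    "site_sensor_dropout": ([1.2, None, None, None, None, None, 1.2], FLOOD_GAUGE),
    "site_sensor_stuck_low": ([1.2] * 7, [2.0, 2.4, 2.5, 2.6, 2.5, 2.0, 1.5]),
}


def run_scenarios() -> Dict[str, str]:
    """Evaluate every constructed scenario and return its decision status."""
    return {name: evaluate(site, gauge).status for name, (site, gauge) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (site, gauge) in SCENARIOS.items():
        decision = evaluate(site, gauge)
        print(f"{name:24s} {decision.status:11s} {decision.reason}")
```

Every REVIEW outcome hands the claim back to a human, so the tolerance and window settings trade fraud resistance against the speed of pay-out that parametric cover is meant to deliver.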

Parametric index insurance


The parametric index policy is similar to an aggregate loss index policy in that both pro-
vide cover based on the value of a predefined index or indicator that is correlated with the
insured event. The distinction lies in how losses are determined and paid.
Once an event meets the trigger criteria, a pay-out is determined by the value of the
index or indicator at the time of the event. Unlike indemnity insurance, the pay-out is not
based on actual losses sustained by the policyholder but on the value of the predefined
index or indicator, making it both fast and predictable. It is particularly useful in areas
where the actual loss would be difficult to assess, such as in a natural disaster.
The index insurance contract is the most widely used because of the balance between
simplicity and accuracy it offers through its use of parameters to determine pay-outs while
also factoring in some assessment of individual losses.

Aggregate loss index insurance


An aggregate loss index policy provides cover based on the total losses incurred by a
specific geographic area or industry sector. These types of policies pay out based on some
aggregate of losses incurred as a result of a defined event in an area or region. The aggre-
gate figures serve as a proxy for an individual’s loss. Aggregate loss policies are premised
therefore on the assumption that a sufficient number of homogeneous risks in the area
and resulting individual losses will make the average loss roughly equivalent.39 Pay-outs
are made when a predetermined threshold of aggregate losses is reached, as agreed by
the policyholders and insurers in advance. Triggers such as temperature, wind speed and
magnitude set the “parameters” under which pay-outs are made, as against reliance on
assessment of individual claims. The cover is not specific to an individual insured’s losses
or circumstances, with pay-outs to a policyholder determined by a formula based on the
aggregate losses incurred by the area or sector.

39 Jerry Skees, “The Potential of Parametric Insurance Solutions for Managing Natural Disaster Risk to
Reduce Poverty and Improve Economic Development in Emerging Economies.” Lexington (US) (2012).

As recovery is tied to cumulative losses, payments may not equate to actual losses suf-
fered by an individual policyholder. The figure determined may be harder for policyhold-
ers to understand as calculations of the aggregate loss index can be complex, potentially
involving data sources that are not readily available or may be less reliable. Payments
are generally slower than in other types of parametric policies, as all losses must first be
aggregated as part of the aggregate loss index post the trigger event.
Traditionally associated with farmers and agricultural producers,40 parametric prod-
ucts of this type achieved traction in the 1990s when area-yield crop insurance contracts
became part of the US federal crop insurance programme and were subsequently taken
up by United Nations agencies41 as livestock and agriculture-indexed based insurance
programmes.
Consider, for example, a farmer who pays premiums for an aggregate index policy for
crop loss against cyclone damage. The insured may suffer significant damage but, absent
the losses cumulatively for the region reaching the threshold, pay-outs will not be forth-
coming for his/her loss. A pure parametric policy would avoid this problem potentially
but, again, the index variables may severely limit the scope of coverage, leaving payments
to be well below full indemnity—assuming an affordable premium exists. Alternately, in
referencing the policy discussion above, for an insured whose property lies just beyond
the 5 km radius but suffers damage, a lack of familiarity with the policy terms may cre-
ate equal frustration, albeit more in line with those experienced around traditional policy
exclusions.
Private businesses seeking to use these types of policies to manage their financial risks
around particular risks would typically need to use a more comprehensive measure of the
managed risk. For example, a transport industry pool seeking to manage the financial
risks associated with fluctuations in fuel prices would typically use a more comprehensive
measure, such as the average fuel price across a region or the average price of multiple
types of fuel, to determine when a pay-out is triggered. The advantage of this approach is
that it can provide a more comprehensive and nuanced picture of the risk associated with
fuel prices, which can help to align the policy with the specific industry needs. As
technology further advances data collection and modelling capabilities, these types of
policies are more likely to move into the commercial landscape.

40 Lin and Kwon (n 3) 4; Jerry Skees, Roy Black and Barry J Barnett, “Designing and rating an area yield
crop insurance contract,” American Journal of Agricultural Economics 79, no. 2 (1997) 430–438.
41 B Collier, B Barnett and J Skees, “Data requirements for the design of weather index insurance.
State of Knowledge Report,” Lexington, KY: GlobalAgRisk, Inc 2010; see Jerry Skees, “The Potential of
Parametric Insurance Solutions for Managing Natural Disaster Risk to Reduce Poverty and Improve Economic
Development in Emerging Economies.” Lexington (US), 2012, for a summary of a number of parametric/index
insurance programs for either agricultural development or disaster relief, covering cases in Mexico, India,
Ethiopia, China, Canada, the United States, Ukraine, Brazil, Mongolia, Vietnam and Peru.


Sovereign disaster risk management and parametrics


The growing impact of climate change has pushed aggregate loss index insurance schemes
onto broader policy platforms for disaster risk reduction and climate change adaptation.
Capacity to acquire this type of cover is proving to be of particular importance at country-
wide levels in regions vulnerable to natural catastrophes but with limited capacity for
more traditional risk cover, which is either cost-prohibitive or unavailable. Parametric
insurance offers speed, certainty and the ability to plan ahead. This is particularly use-
ful in developing countries where it’s far more effective to respond before a loss event
has turned into a humanitarian and economic crisis, with lives and livelihoods at severe
risk and a nation’s development potentially put back years. Government agencies, NGOs,
donors and other stakeholders have made use of parametrics to support disaster risk man-
agement and climate change adaptation mandates.
Parametric products can be offered at the sovereign or “macro” level where one or more
governments are the purchaser(s) and beneficiary (see examples cited above). Parametrics
also have important applications that can close the protection gap at the micro level (where
products are targeted at and purchased by individuals and small enterprises, potentially
with donor or government sponsorship or subsidy) or at the meso level (where mid-level
groups, entities and other subnational organisations might be the main client and an
alternative channel to deliver a form of protection to micro levels). All are facilitated by
technology. For example, the World Bank Group’s Global Index Insurance Facility42 has
proven particularly significant, enabling the development of risk management around dis-
aster, agriculture and food security.
To date, buyers of parametric insurance have often been governments or aid agencies
with shared exposures and shared cover structured in a risk pool. Some of the earliest
proponents of parametrics were the Caribbean nations which came together after the
devastation wreaked by Hurricane Ivan to create a regional risk pool against severe weather, now
known as CCRIF—the Caribbean Catastrophe Risk Insurance Facility.43 The Caribbean
Catastrophe Risk Insurance Facility (CCRIF SPC—“the Fund”) represents a particularly
good example. Set up in 2007 as the world’s first sovereign catastrophe risk pool,44 it
offers parametric insurance products to 22 Caribbean and Central American member gov-
ernments and three electric utility members.45 Development partners and donors have
included, amongst others, the World Bank, European Union, and nine governments.46
Participating members pay annual premiums based on the amount of risk transferred.
CCRIF products include insurance policies covering tropical cyclones, excess rainfall
and earthquakes, with indices based on wind speed and storm surge, rainfall volume and
ground shaking, respectively. Between 2007 and 2022, 58 pay-outs amounting to US
$260 million47 have been made, with payments arriving generally within 14 days of the
catastrophic trigger event.48

42 The Global Index Insurance Facility (GIIF) is a dedicated World Bank Group program that facilitates
access to finance for smallholder farmers, micro-entrepreneurs and microfinance institutions through the
provision of catastrophic risk transfer solutions and index-based insurance in developing countries; see
www.ifc.org/wps/wcm/connect/industry_ext_content/ifc_external_corporate_site/financial+institutions/priorities/access_essential+financial+services/global+index+insurance+facility.
43 www.ccrif.org/.
44 The Fund was reorganised in 2014 as a segregated portfolio company and is regulated by the Cayman
Islands Monetary Authority. Pay-outs to member countries from 2007–2022 are set out along with governance,
vision and other history, www.ccrif.org/about-us.
45 https://unfccc.int/topics/adaptation-and-resilience/resources/S-N/CCRIF.
46 Ibid.
The benefits of parametrics have been highlighted in CCRIF’s response to hurricanes
Irma and Maria where the facility was able to pay out over $50 m to countries such as
Dominica, Antigua and Barbuda, and Turks and Caicos within 14 days.49 In contrast,
the ex-post relief provided by international development partners would normally take
between four and twelve months to mobilise.
Beyond cyclones and storms, 2020 saw the Fund launch a new parametric insurance
product for the Caribbean’s electric utility sector to provide cover for wind impact causing
direct damage to transmission and distribution (T&D) components of the electric power
system. Its objective in extending coverage beyond sovereign entities to the private sector
was to ensure electric utility companies have ready access to financial liquidity when a
trigger event occurs. An important initiative for the region as well as for product develop-
ment more broadly, it answered a fundamental problem Caribbean electricity providers
faced in relation to traditional indemnity policies wherein the premiums for this cover
were cost-prohibitive or unavailable.50
But the CCRIF is not isolated, and further examples are discussed below.51
Mexico is a world leader and pioneer in the use of parametrics. In 1996, the Mexican
government created a national fund for natural disasters—FONDEN—to which it trans-
fers budgetary funds for disaster relief and reconstruction efforts.52 FONDEN uses various
financial instruments to support local states and entities in responding to natural disasters,
including reserve funds and risk transfer solutions.53
In 2006, FONDEN issued a US $160 million catastrophe bond (called “CatMex”) to
transfer Mexico’s earthquake risk to the international capital markets. It was the first para-
metric cat bond issued by a sovereign.54
More recently, the African Risk Capacity (ARC) was launched in 2014.55 Designed to
provide an immediate financial response if there is a drought, the pool started with four
countries as policyholders but is aiming to cover over 20 within four years. The ARC risk
pool combines the risk of a disaster occurring across several countries to take advantage
of the natural diversity of weather systems across Africa.56 Cover is triggered by a
parametric index developed with the World Food Program based on staple crop rainfall
requirements, with rainfall measured by a network of satellites.

47 “CCRIF Annual Report 2021/22,” CCRIF SPC, iii,
www.ccrif.org/publications/annual-report/ccrif-spc-annual-report-2021-2022 (hereafter CCRIF Annual Report).
48 CCRIF Annual Report (n 47) ii.
49 “CCRIF to Make Payout to Dominica of US$19 million Following the Passage of Hurricane Maria,”
CCRIF, 22 September 2017, www.ccrif.org/node/11921.
50 “Electric Utilities Policy,” CCRIF, 2 October 2020, www.ccrif.org/node/12272?language_content_entity=en.
51 See Chapter 14 “Climate Change and Insurance” and Chapter 15 “Climate Change: Liability Insurance.”
For a fuller history of the evolution of these bodies in the context of climate change and catastrophe cover, see
J Horton, “Parametric insurance as an Alternative to Liability for Compensating Climate Harms,” Carbon &
Climate Law Review, (2018) 12, 4, 285–296.
52 See World Bank review, “FONDEN: Mexico’s Natural Disaster Fund—A Review,” World Bank,
Washington, 2012, https://openknowledge.worldbank.org/handle/10986/26881 (hereafter FONDEN).
53 FONDEN (n 52) v.
54 FONDEN (n 52) 35.
55 www.arc.int/about.
56 “How the African Risk Capacity works,” ARC, www.arc.int/how-arc-works.

In addition, at the end of 2015, the ARC announced a plan to double its insurance cover
through a new replica coverage initiative. The initiative will allow international organisa-
tions such as United Nations agencies and NGOs to take out ARC policies that match those
already provided directly to African governments, expanding each country’s coverage.57
It is estimated that in Kenya, Rwanda and Tanzania alone there are now 1 million farm-
ers covered by parametric insurance. In December 2022, the ARC launched a parametric
insurance product against high-impact epidemic risks and announced Senegal’s participa-
tion as the first African country to join this new innovative financing mechanism.58
In 2017, the World Bank also developed the Pacific Catastrophic Risk Facility (PCRAFI),
a risk insurance pool of five small Pacific islands.59 The project builds on shared experi-
ences from similar catastrophe risk pools in Africa and the Caribbean. Four pay-outs have
been made for an aggregate amount of more than US $11 million which helped to reduce
the financial impacts in the aftermath of natural disasters, including major cyclones,
earthquakes and tsunamis.60 These pay-outs, all received immediately post-disaster(s),
were the first financial injections of emergency funds made into each country.61
Although the ARC and CCRIF regional schemes cover different regions and (currently)
respond to different types of peril (e.g. catastrophic drought in Africa; earthquake, tropi-
cal cyclone and excess rainfall in the Caribbean), they have in common the use of para-
metric triggers which rely on satellite data to enable rapid release of funds. A number of
sovereign risk transfer mechanisms rely on this type of high-tech application, sometimes
built on “smart” contracts and/or blockchain, and use the power of cognitive computing to
crunch large amounts of data from satellites or other sensors.62

CASE STUDY: CAT-IN-A-CIRCLE STRUCTURE—FILLING GAPS IN A HOSPITALITY CLIENT’S TRADITIONAL PROGRAMME63
As year-over-year losses mount, typhoon exposure is becoming increasingly challenging to
insure and recover from. Material impacts—including wind or water damage, wave shocks and
destruction of high-value/high-vulnerability assets such as outdoor fittings—prove costly both
in terms of repairs and renewals, as recent losses tend to lead to premium hikes. In addition,
typhoons often leave lasting direct and indirect impacts on immaterial assets and balance sheets.
These include loss of revenue, attraction, denial of access or facilities interruption, emergency
response or relocation costs, and increased labour and raw material costs.
As a result, the Nat Cat64 protection gap is widening, leading more companies to seek creative
and credible solutions to avoid fully self-retained risk.

57 “ARC Replica,” ARC, www.arc.int/arc-replica.
58 “Updates,” ARC, 8 December 2022, www.arc.int/news/african-risk-capacity-launches-its-first-parametric-insurance-product-against-high-impact.
59 https://pcric.org/.
60 Ibid.
61 Ibid.
62 IDF Bridge the Protection Gap (n 21) 23.
63 Descartes Underwriting case study 3.
64 Natural Catastrophe.

Parametric insurance offers fresh capacity as an alternative insurance coverage, as brokers,
companies and public entities look to fill the gap left in their traditional programmes and mitigate
against evolving windstorm exposures.
Parametric covers leverage near-real-time data on a typhoon’s track and wind speed, using
modelling techniques and data sources that result in better risk assessment and overall insurance
product design. The diffusion of technology throughout a parametric product not only more accu-
rately captures a client’s exposure to future storms, but it also enables near real-time monitoring of
specific events and can prove to be an informative tool for mitigating decision-making, leading to
reduced total losses. Coming from trusted third-party providers, such as the Japan Meteorological
Agency or NOAA,65 brokers and clients have unfiltered access to the parameters set in the para-
metric structure and certainty of what they will receive in light of a triggering typhoon event.
Through extensive use of data for pricing, parametric insurance radically simplifies the under-
writing process, eliminating embedded costs and reducing the amount of time required to quote
and bind a policy. Claims settlement is agreed upon in advance, allowing for rapid disbursement
of cash to businesses and communities facing insolvency in the wake of extreme weather events.
This immediate infusion of capital helps prevent lasting economic impacts.
Alternative risk transfer insurance products leverage these data to structure “cat-in-a-circle”
covers, providing a simple and transparent solution against typhoon risk. When a cat-in-a-circle
policy is deployed, pay-outs are triggered when the typhoon of a given strength passes within a
predefined distance from the insured location(s).
In one example, a large hospitality group went to the market on their typhoon programme for
a number of properties located in the Philippines. They were looking for an insurance structure
with varying pay-out levels yet scrambling for coverage. Their traditional carrier severely low-
ered their typhoon sub-limits, while increasing rates following Typhoon Chanthu. The capacity
market for windstorms also underwent a severe crunch.
Despite the market circumstances that often arise in the wake of catastrophic events, the
robustness of parametric models ensures a consistent and reliable policy structure for brokers
and clients. The parametric approach enabled the closing of the deal with favourable terms for
all parties. Given the simplicity of the cover, the policy was appropriately priced to match the
client’s budget and ensure a full-limit cover.
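The cat-in-a-circle trigger described in this case study, with tiered pay-out levels, can be evaluated as follows. This is an added example, not code from the book or from Descartes Underwriting: the site coordinates, storm track, wind tiers and limit are constructed, and interpolating between reported track fixes is an assumption about how the policy wording defines "passes within". It shows why trigger design matters: the same storm pays out or not depending on whether only the reported fixes are tested.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius


@dataclass(frozen=True)
class Fix:
    """One storm-track observation: position and sustained wind in knots."""
    lat: float
    lon: float
    wind_kt: float


@dataclass(frozen=True)
class Policy:
    site_lat: float
    site_lon: float
    radius_km: float   # radius of the circle around the insured site
    limit: float       # full policy limit
    tiers: tuple       # ((min_wind_kt, fraction_of_limit), ...)


@dataclass(frozen=True)
class Outcome:
    triggered: bool
    closest_km: float    # closest approach of the track to the site
    peak_wind_kt: float  # strongest wind found inside the circle
    payout: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def densify(track, steps):
    """Yield the fixes plus linearly interpolated points between them.

    steps=1 yields only the reported fixes. Linear interpolation in
    latitude/longitude is an approximation that is adequate over the
    short legs between consecutive fixes.
    """
    if steps < 1:
        raise ValueError("steps must be >= 1")
    if not track:
        return
    for a, b in zip(track, track[1:]):
        for i in range(steps):
            t = i / steps
            yield Fix(a.lat + t * (b.lat - a.lat),
                      a.lon + t * (b.lon - a.lon),
                      a.wind_kt + t * (b.wind_kt - a.wind_kt))
    yield track[-1]


def evaluate(policy, track, steps=60):
    """Apply the cat-in-a-circle trigger and return the resulting pay-out."""
    closest = math.inf
    peak = 0.0
    for p in densify(track, steps):
        d = haversine_km(policy.site_lat, policy.site_lon, p.lat, p.lon)
        closest = min(closest, d)
        if d <= policy.radius_km:
            # Only wind observed inside the circle counts towards the tier.
            peak = max(peak, p.wind_kt)
    fraction = max((f for w, f in policy.tiers if peak >= w), default=0.0)
    return Outcome(fraction > 0, closest, peak, policy.limit * fraction)


# Constructed policy: one site, 50 km circle, three pay-out levels.
POLICY = Policy(site_lat=14.60, site_lon=121.00, radius_km=50.0,
                limit=10_000_000,
                tiers=((64, 0.25), (96, 0.50), (113, 1.00)))

# Constructed track: the storm crosses the site between two fixes,
# and its strongest reported wind (115 kt) occurs far outside the circle.
TRACK = [
    Fix(13.5, 125.0, 115),
    Fix(14.0, 123.0, 110),
    Fix(15.2, 119.0, 90),
    Fix(16.0, 117.0, 75),
]

if __name__ == "__main__":
    print("interpolated track:", evaluate(POLICY, TRACK))
    print("reported fixes only:", evaluate(POLICY, TRACK, steps=1))
```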

CASE STUDY: WIND-AT-LOCATION STRUCTURE—COVERING A FOOD AND BEVERAGE COMPANY’S MULTI-SITE TYPHOON EXPOSURE66
Wind footprint maps provide “wind-at-location” data allowing for the event’s intensity to be
assessed at the insured location(s). Such datasets improve typhoon wind field and terrain interaction
models, contributing to better data and, ultimately, better parametric product design.
“Wind-at-location” data also enables the expansion of parametric insurance policies into regions
and geographies where data limitations impeded previous coverage.

65 National Oceanic and Atmospheric Administration, www.noaa.gov/.
66 Descartes Underwriting case study 4.
A large food and beverage client managed multiple facilities across Asia, including several
high-value sites in more remote locations. The insured’s concern was that their small claims
could not be paid due to a large deductible in a global programme.
A parametric typhoon cover for deductible buydown and the destruction of assets was able to
meet the client’s specific needs. The cover, based on “wind at location,” utilised wind speed data
on a high-resolution grid, allowing the client to have a much more precise estimate of damage
costs. Moreover, the customised cover was designed to consider the structural resistance to wind
at each site and adapt the pay-out structure accordingly. The client was able to attain full cover-
age against their typhoon exposure, with full certainty of the swift pay-out they would receive if
an event exceeded a certain wind threshold at identified insured locations.

Regulatory and legal challenges


Regulatory certainty fosters market growth. For parametric risk transfer solutions
to become widely accepted globally, regulatory support is necessary. In light of rapid
advances in technology, financial regulators must consider whether current legal and reg-
ulatory frameworks in many jurisdictions are fit for purpose.
Even though parametric insurance has an established track record in many countries,
regulatory and legal uncertainty remains. Often, such insurance is still regarded as a nov-
elty and not referred to in statute. What’s more, whatever regulatory controls exist are not
firmly codified and are largely untested.

The problem for regulators


Parametrics also pose challenges to regulators’ own capacity, and there is a recognised
need for capacity-building in supervisory circles. For example, as described above, pay-
out structures of parametric insurance products can be complex, with multiple triggers
and conditions affecting the pay-out amount. This complexity can make it difficult for
regulators to assess the risk posed by these products and to ensure policyholders are ade-
quately protected against loss or paying a fair premium, in line with their supervisory
mandate. Consumer protection will remain a critical watching brief for regulators, and so
the industry is working on methods of educating insureds and regulators alike to ensure
a better understanding of the operation of these products and the circumstances in which
they will make payment.
The use of technology in the delivery and management of parametric insurance prod-
ucts also creates new regulatory risks that are not present in more traditional insurance
products. For example, instead of precipitating or exacerbating a loss, fraud may instead
focus on manipulation of triggers.67 The use of data analytics and artificial intelligence
in pricing and underwriting can introduce new and potentially discriminatory biases.
Similarly, the quality, capacities, security and maintenance of data sources vary significantly
regionally and globally, with basis risk increasing where there is paucity or corruption
of data. With technology rapidly helping to create new data sources and refine
capacities to harvest live time information, this situation, too, can be expected to diminish
but not disappear.

67 See discussion in Chapter 2.
The rapid growth of parametric products has outstripped the development of legal and
regulatory frameworks, as has commonly been seen in relation to a number of emerging
technology areas, such as drones and autonomous vehicles. The result is two-fold: (1) As
parametric insurance policies are not sufficiently defined in most jurisdictions, regula-
tors and stakeholders are still catching up with the risks these products may pose, and (2)
absent dedicated governance frameworks, parametric products by default fall under the
same legal framework as conventional indemnity insurance. With statutes and case law
generally framed to respond to several hundred years of indemnity-based coverage, poli-
cies that eschew actual loss requirements may require law reform to best protect insureds
and beneficiaries, in line with supervisory mandates. Against this backdrop, it’s not sur-
prising that any significant body of case law has yet to be developed that would inform an
understanding of how these types of policies will operate and be enforced.
However, it should be acknowledged that many improvements on the regulatory front
have been made and that the pace of those improvements is not slowing down. What has
already been accomplished makes parametric covers more competitive and appealing.

Insurable interest
In jurisdictions where insurance law references principles of indemnity or contingency,
non-alignment of pure parametric policies with these foundations may be particularly
problematic.
For example, under English law, insurance is a contract whereby for consideration one
party promises to pay another if a specified event occurs that is adverse to the interests
of the insured. There is nothing within this traditional definition to preclude a contract
based on a parametric trigger—the agreed parameters would simply be the arbiter of the
“specified event.” However, parametric insurance products may cause legal or regulatory
uncertainty in jurisdictions where: (1) The insured must have an “insurable interest” at
the time the policy is underwritten and/or at the time the loss occurs; and (2) the size of
the insurance pay-out must correspond to the actual loss suffered by the insured. This
“indemnity principle” can mean that in certain jurisdictions, an insurer may only restore
insureds to their pre-loss financial position, such that losses must be valued or assessed
before claims can be paid.
As described above, parametric insurance protections are increasingly arranged by
sovereigns or sub-sovereigns as a means of ex-ante disaster finance and are becoming
increasingly popular with disaster relief and humanitarian organisations. Under English
law, it seems readily arguable that local, regional or even national governments have a
direct insurable interest in the effects of a natural disaster on their populations since with-
out insurance backing they would have to fund the full cost of the disaster recovery from
state funds and could be expected to suffer losses in tax revenue, for example. A non-governmental
organisation (NGO) might have plans in place to intervene in a crisis (for
example if crops were to fail) even though it is not the NGO itself that is suffering the loss
directly. Here the “insurable interest” may be slightly more tenuous, although on balance
such a purchaser would likely be able to show a legitimate interest in the cover, rather
than it representing mere speculation. Some jurisdictions may take a wide view and find
an insurable interest of a government in its territory and population or of an NGO in the
people and places within its scope of operations.68
There are other interesting potential workarounds. For example, in China, parametric
insurance products providing protection against drought have been arranged collectively
at a regional government level and reinsured by international players. Protection is then
sold at a subsidised premium to individual farmers, who effectively become the policy-
holders and receive pay-outs directly. The farmers themselves clearly have an insurable
interest although it is the government purchaser who has arranged and subsidised the
insurance as a means of building local resilience within its populace.69

The indemnity principle


English law has long recognised the concept of valued policies whereby the insurer agrees
to pay a fixed sum once the loss is established, without a need for further adjustment or
valuation at the time of the loss. However, the indemnity principle can potentially create
regulatory and legal challenges in jurisdictions where codified insurance law does not
traditionally permit “contingent contracts,” requiring instead that any losses are subject
to valuation. This has the potential to undermine two of the key benefits of parametric
products: Speed and certainty of pay-out.
In India, there has been a relatively widespread take-up of parametric products particu-
larly covering agricultural risks such as crop failure due to drought or flood. For example,
a number of the larger multinational insurers including AIG, Sompo Canopius and Tokio
Marine—in conjunction with their Indian partners—came together under the umbrella
of the Agriculture Insurance Company of India Limited to offer parametric solutions
that are generally purchased by farmers as a requirement of their lenders.70 However,
because of Indian regulation and law around contingent contracts, the insured needs to
prove to the insurer what the loss has been. This has, at times, slowed down the payment
process and thereby somewhat dampens one of the key benefits of parametric cover.71

68 “Parametric Insurance: Closing the Gap—Legal Considerations,” Clyde & Co, 20 April 2018, www.clydeco.com/en/reports/2018/04/parametric-insurance-closing-the-protection-gap; see Rachel Hillier, “The Legal Challenges of Insuring Against a Pandemic,” in María del Carmen Boado-Penas, Julia Eisenberg, Şule Şahin (editors), Pandemics: Insurance and Social Protection (Springer, 2022), 267 (hereafter Hillier).
69 Rachel Hillier, ibid; see for example, “Parametric insurance launched for farmers in China, backed by Swiss Re,” Artemis, 3 August 2016, www.artemis.bm/news/parametric-insurance-launched-for-farmers-in-china-backed-by-swiss-re/; “Parametric solutions for natural catastrophe insurance in China,” SwissRe, 8 November 2016, www.swissre.com/institute/research/topics-and-risk-dialogues/economy-and-insurance-outlook/Parametric-solutions-for-natural-catastrophe-insurance-in-China.html; Gong Yufei, Muhammad Umer Arshad, Guo Xinya and Zhao Yuanfeng, “An empirical study of the key factors affecting herders’ purchasing decision on weather index insurance—A case study from inner Mongolia autonomous region, China.” Heliyon 8, no. 11 (2022) e11881.
70 www.aicofindia.com/AICEng/Pages/BusinessProfileAllIndia.aspx; see also “Parametric Insurance: Closing the Gap—Legal Considerations,” Clyde & Co, 20 April 2018, 19, www.clydeco.com/en/reports/2018/04/parametric-insurance-closing-the-protection-gap.
Debate exists in a number of jurisdictions, depending on the relevant governing law,
as to whether the absence of “an insurable interest” makes a parametric insurance prod-
uct capable of recharacterisation as a derivative contract.72 The CFA Institute defines a
derivative as a contract between two or more parties based upon the asset or assets, with
its value determined by fluctuations in the underlying asset.73 The contract entered into
between the parties could be framed as either insurance or a derivative, depending on
the customer’s insurance interest and the provider’s authorisation. Derivatives offer the
advantage of bypassing the insurance indemnity/insurable interest issue in most juris-
dictions, making it possible to bring parametric risk transfer products to the market.
Unsurprisingly, professionals with expertise in modelling exposure and trigger design
can move between insurance and derivatives, and some insurance groups have divisions
that specialise in derivative instruments. Parametric insurance and derivatives can also be
used together: After issuing parametric insurance policies, insurers can hedge their risk
exposure through derivatives or insurance-linked securities products.
The UK and Scottish Law Commissions 2016 Insurable Interest and Parametric Policies
Paper74 noted the blurred line and implications:
[D]erivatives and insurance may achieve the same economic effects and there may also be
very little to distinguish them from each other. However, the regulatory regime is separate.
Insurers are only permitted to write insurance contracts, while banks are prohibited from
doing so, and institutions providing these products must know that they are appropriately
regulated to conduct their business.75

The significance of this boundary between insurance contracts and derivatives contracts
was argued to be important so as to avoid “certain classes of derivative being recharac-
terised as contracts of insurance (which may have regulatory and tax implications).”76 As
noted by the Law Commissions, the fact that laws in some jurisdictions prohibit insurers
from offering non-insurance products and limit their use of derivatives to hedging cre-
ates difficulties for insurers to provide risk-hedging instruments for perils that affect their
solvency.
The rapid emergence of parametric insurance and the complexity of many of the
emerging regulatory issues and dynamics mean that ongoing review and potential law
reform are the order of the day. For example, the US National Association of Insurance
Commissioners produced a 2021 white paper77 with a discussion paper of regulatory
issues and potential reforms to be finalised in 2023. Regulatory priorities foreshadowed
three overlapping responsibilities for the regulator—covering prudential risk, consumer
protection and creating an enabling environment for innovation to protect society.78

71 Generally, see Dimple Gupta, “Agriculture Insurance Company Introduces Parametric Insurance to Protect Farmers Against Weather Vagaries,” Krishi Jagran, 19 November 2021, https://krishijagran.com/agriculture-world/agriculture-insurance-company-introduces-parametric-insurance-to-protect-farmers-against-weather-vagaries/; Agriculture Insurance Company of India, “Sampoorna Ritu Kawach Prospectus,” www.aicofindia.com/AICEng/General_Documents/Sampoorna%20Ritu%20Kawach_Prospectus.pdf.
72 “Insurable interest and parametric policies,” Law Commission and Scottish Law Commission, Joint Review of insurance contract law, April 2016, www.scotlawcom.gov.uk/law-reform/law-reform-projects/joint-projects/insurance-law/ (hereafter Law Commission 2016).
73 “Derivatives,” CFA Institute, www.cfainstitute.org/en/advocacy/issues/derivatives#sort=%40pubbrowsedate%20descending.
74 “Insurance Contract Law: Insurable Interest,” Law Commission (UK), www.lawcom.gov.uk/project/insurance-contract-law-insurable-interest/; see also, Law Commission 2016 (n 72).
75 Law Commission 2016 (n 72) para 1.11.
76 Law Commission 2016 (n 72) para 1.19.

Consumer concerns
Regulators for consumer insurance products (offered at the micro or meso level) are
understandably uncomfortable with the possibility of basis risk, as it may undermine
consumers’ and businesses’ trust in the value of insurance and has the potential to leave
policyholders out of pocket if their losses exceed the modelled pay-out.79 Consumer edu-
cation can help policyholders better evaluate the benefits and costs of parametric insur-
ance as compared to indemnity insurance; otherwise, a lack of understanding about how
and when a policy will respond has the potential to inflate consumer dissatisfaction and
the perception of basis risk.
Protecting policyholders’ interests is the intended purpose of the insurance product,
although several centuries of precedent evidence the matrix of difficulties that may
obstruct this goal. In response, regulators have increasingly sought to strengthen con-
sumer protection regimes around traditional insurance products by legislating more user-
friendly language, sales processes, resolution mechanisms and rights awareness. Avoiding
misunderstandings as to various aspects of the underlying risk is therefore a significant
challenge for a new product such as this. The International Association of Insurance
Supervisors (IAIS)80 considered ramifications of parametric insurance in particular for
inexperienced insureds, pointing out that low-income consumer groups may have particu-
lar vulnerabilities around parametric products given possibly reduced capacity to absorb
or sustain an adverse experience, or heightened risk of harm from their surrounding envi-
ronments if disaster strikes, or lack financial literacy around financial products (or more
broadly). One particular area of potential conflict arises around misunderstanding as to
when losses are suffered but the required threshold is not achieved under the index (nega-
tive basis risk). In this respect, the IAIS suggests the consideration of incorporating a
ladder of progressive triggers to explain the option of a higher premium for the lower
trigger level and the lack of claim payment below a higher trigger to potential clients.81 As
has been the case for credit insurance and other financial products, this may require more
focused regulation that aligns with prudential oversight aims.
It should be noted, of course, that a significant percentage of parametric insurance cov-
ers are bought by medium and large companies, which commonly are advised by a bro-
ker and oftentimes have a dedicated risk management team. Accordingly, many buyers
have a sophisticated understanding of their insurance needs. And sometimes when the
clients are less sophisticated (take the example of farmers in developing countries), development
institutions play a role to guide and support parametric covers which can also be
simple and easily (automatically) actionable and can also limit risks of corruption.

77 https://content.naic.org/sites/default/files/national_meeting/Materials-C%20Cmte_1.pdf.
78 See Jerry Skees, “Introducing Parametric Disaster Risk Financing,” National Association of Insurance Commissioners, 3 June 2021, 34, https://content.naic.org/sites/default/files/inline-files/GP_Slides.pdf.
79 IDF Bridge the Protection Gap (n 21) 67.
80 “Issues Paper on Index Based Insurances, particularly in inclusive insurance markets,” IAIS, June 2018, 16–17, paras 57–62, www.iaisweb.org/uploads/2022/01/180618-Issues-Paper-on-Index-based-Insurances-particularly-in-Inclusive-Insurance-Markets.pdf (hereafter Issues paper).
81 Ibid, Issues paper 18, para 69.

Drivers of the parametric insurance industry’s growth


By 2028 the parametric market is expected to reach US $21.4 billion, rising at a market
growth of 9.6% CAGR during the forecast period.82
A number of factors have driven the rapid escalation of the parametric insurance indus-
try, with new providers (such as Descartes Underwriting83 and AXA Climate84) focused
exclusively or extensively on parametric products, start-ups (such as FloodFlash85 and
BlinkParametric86) leveraging parametric-enabling technology to enter the world of
insurtech87 and the rapid expansion of product offerings by industry incumbents (Swiss
Re,88 Allianz,89 Chubb90 and Munich Re91 have developed non-traditional or alternative
risk transfer product offerings, including parametric products).
The rapid growth of the parametric insurance market has been enabled by exponential
leaps in supporting technology areas. For pricing and pay-out calculations, artificial intel-
ligence (AI), building off deep and machine learning capacities, has refined modelling
forecast capacities to better match insured events to indices. Blockchain, smart contracts
and the IoT have similarly delivered streamlined policy pay-out timelines while reducing
transaction costs.
The COVID-19 pandemic has been particularly significant for the evolution of this
industry over the last five years in a number of respects (see further discussion regarding
the impact of the pandemic on insurance markets in Chapter 13). The pandemic’s impact
on the insurance industry and its consumers has dynamically reshaped contemporary
landscapes around risk and resilience management planning. The pandemic also offers a
case study on the strengths of parametric policies as against traditional indemnity con-
tracts as well as the challenges of new technological capabilities in the face of new risks.
Growing frustration with the complexities and time-consuming steps inherent in tra-
ditional indemnity policies, as well as the legal challenges inherent in non-damage BI in
property insurance, was brought very much to the fore.92 At a time when cash flow was at a
premium for pandemic-impacted businesses, the insurance industry struggled to respond.
Settlement periods could be as long as many months to far more extended periods as

insurers struggled to manage dramatic escalations in claims, interpretation of widely
divergent policy wording around the basis for indemnity and exclusions, and protracted
litigation processes for clarification and settlement. Even in cases of uncontested liability,
indemnity policies’ requirements around causation and resulting loss verifications can be
time, labour and cost-intensive.

82 “Global Parametric Insurance Market 2022–2028,” Research and Markets, 30 January 2023, 3, www.globenewswire.com/news-release/2023/01/30/2597433/0/en/The-Worldwide-Parametric-Insurance-Industry-is-Expected-to-Reach-21-4-Billion-by-2028-at-a-9-6-CAGR.html.
83 https://descartesunderwriting.com/.
84 https://climate.axa/.
85 https://floodflash.co/.
86 https://blinkparametric.com/#1.
87 For example, Kettle offers reinsurance for climate change risk with an initial focus on wildfires; see for example, Rob Toews, “These Are the Startups Applying AI to Tackle Climate Change,” Forbes, 20 June 2021, www.forbes.com/sites/robtoews/2021/06/20/these-are-the-startups-applying-ai-to-tackle-climate-change/?sh=64d373277b26.
88 https://corporatesolutions.swissre.com/innovative-risk-solutions/parametric-solutions.html.
89 www.agcs.allianz.com/solutions/alternative-risk-transfer.html.
90 https://about.chubb.com/stories/chubb-pandemic-business-interruption-program.html.
91 www.munichre.com/en/solutions/for-industry-clients/parametric-solutions.html.
92 For detailed discussion, see Chapter 13 “Pandemics and Insurance.”
Many small and medium-sized businesses (SMEs) discovered their all-risks commer-
cial business insurance cover excluded pandemics. BI policies in particular were criticised
by insureds for failing to deliver in the window of time in which they were arguably most
needed.93 Multiple points of contention arose ranging from whether “damage” losses had
to flow from physical impact (vs a local authority order to close), whether microbial pres-
ence constituted physical damage, through to the meaning of “notifiable disease.”
Around the world test cases were filed to attempt to provide clarity. The UK’s Financial
Conduct Authority (FCA), inundated with complaints by SMEs, filed a test case in the
English High Court to clarify common policy wordings. Eight insurers’ policies with a
representative sample of 21 policy wordings were challenged as to whether losses flowing
from COVID-19 closures fell within the policy BI section coverage. Similar test cases
were considered in Australia94 and France,95 to name a few. As one commentator observed:
[T]he dichotomy of understanding between the insured and insurer and the resulting court
cases that ensued across the world … (meant) … the insurance industry has not covered itself
in glory by refusing to pay claims under these policies and taking claims through to the bitter
end of the court processes in many countries.96

Even for insureds with policies that responded, calculating losses was complex and pay-
ments were protracted in arriving. Unsurprisingly given the substantial challenges and
difficulties encountered by insureds and insurers, multiple initiatives globally have been
convened to consider possible solutions going forward for BI losses from future pandem-
ics. Parametric solutions are amongst these options being considered at both governmen-
tal97 and private levels by commercial stakeholders.98
As these new products become more cost-efficient and better understood by the market,
parametric insurance products allow for more flexible pricing structures than that of tra-
ditional products which, in turn, further drives market use.

93 Hillier (n 68) 267.
94 See, for example, Swiss Re International v LCA Marrickville [2021] FCA 1206.
95 See, for example, the AXA France Decision RG 2020017022 of Paris’s commercial court ordering AXA
SA unit AXA France IARD S.A. to pay €45,000 to Maison Rostang SAS over restaurant closure; for
translation, see www.aaimco.com/wp-content/uploads/AXA-France-Decision-05222020.pdf; see also, “Insurer
AXA must pay restaurant’s COVID-19 losses, French Court rules,” Reuters, 23 May 2020,
www.reuters.com/article/health-coronavirus-insurance-axa-idCNP6N2D205Q.
96 Hillier (n 68).
97 “OECD Policy Response to Coronavirus, Responding to the COVID-19 and pandemic protection gap in
insurance,” 16 March 2021,
https://read.oecd-ilibrary.org/view/?ref=133_133327-3tdsqdiu7y&title=Responding-to-the-COVID-19-and-pandemic-protection-gap-in-insurance;
EIOPA, “Issues Paper on resilience solutions for pandemics,” European Insurance and Occupational
Pensions Authority 2020, www.eiopa.europa.eu/content/issues-paper-resilience-solutions-pandemics_en;
A Gross, “World Bank pandemic bonds to pay $133m to poorest virus-hit nations,” Financial Times,
19 April 2020, www.ft.com/content/c8556c9f-72f7-48b4-91bf-c9e32ddab6ff; “InsurTech solutions to support
COVID-19 response, recovery and future-resilience,” Lloyds Lab, 2021,
www.lloyds.com/news-and-insights/lloyds-lab/previous-cohorts/cohort-5.
98 For example, Lloyd’s of London; see
www.reinsurancene.ws/lloyds-launches-parametric-policy-for-business-interruption/.


Conclusion
Rapid technological advances combined with economic and strategic challenges have
positioned parametric insurance as a significant disruptor for some traditional insurance
markets and for financial regulators. For developing and developed nations as well as
for commercial and personal portfolio risk management, leveraging AI-related disruptive
technologies—big data, IoT, deep and machine learning, blockchain-enabled smart contracts
and satellites—revolutionises data analysis and can address information asymmetry
and support more accurate forecast modelling. At local, regional and national levels,
uninsurable or cost-prohibitive risks can be more manageable through a parametric policy
or its combination with traditional products. Further, the rapid dispatch of payment in the
immediate aftermath of the nominated event provides critically needed cash flow at the
point in time it is most needed.
In doing so, parametric insurance can support both international institutions’ and
governments’ disaster protection risk planning portfolios as well as private enterprises’.
Insurers are innovating to generate risk transfer products for new sectors and to advance
technological know-how. Examples range from policies that cover pandemic-tied BI to
cyber and terrorism risks for SMEs,99 flight cancellation and domestic appliance and
IoT-impacted issues arising out of increased/decreased energy interruption. Still in the early
stages, as this form of insurance becomes more familiar in the market, further innovation
can be expected to reshape its scope and application, making risks that are currently
commercially uninsurable both viable and attractive.
How legislatures and policymakers around the world structure regulatory oversight
of parametric insurance to ensure responsible rollout and governance will, however, be
critical to maximising its efficacy going forward. Despite the dramatic acceleration of this
product over the last two decades globally, insurance law across most jurisdictions still
largely addresses traditional indemnity-based insurance law frameworks. The historical
problem of “speculation” around insurance products, including interpreting “insurable
interest” in the parametric insurance context, remains to be addressed as do multiple
issues around consumer protection more broadly.
Key challenges in fostering the legal certainty to support parametric insurance cover
include:
1. Basis risk: Correctly modelling actual losses to align as closely as possible with pay-out
figures and advancing the hybrid design of parametric products in conjunction
with traditional indemnity tools will deliver value maximisation for insureds and
insurers. Continuing to refine data-collection capabilities will enhance the granularity
of measurements for better alignment of pre-modelling loss calculations while
ensuring the complexities of index design and uses are kept to simple language in
user-friendly contracts, which will support consumer confidence. Similarly, as data is
the cornerstone for pay-outs, ensuring that nominated data sources are not subject to
impact themselves from weather or disaster events, or that appropriate contingency
planning is factored into products, may require further consultation.

99 Matthew Grant, “Parametric Insurance, 12 Firms to Know,” Insurance Thought Leadership, 20 May
2020, www.insurancethoughtleadership.com/emerging-technologies/parametric-insurance-12-firms-know.


2. Design, drafting and marketing: For insurers, legal advisors and regulators, ensuring
contracts and support documents are properly designed and clearly communicated
is essential. Transaction costs can be minimised and long-standing concerns
over the density of traditional policy terms can be substantially mitigated by
parametric insurance policies. Minimising the need for dispute resolution so as to avoid
increasing transaction costs will be widely beneficial, but how policies incorporate
settlement options such as arbitration or mediation to ensure consumers understand
the implications of these processes should be considered.
3. Regulation: Driving uniformity of regulations across jurisdictions will be increasingly
important for functionality and transactional certainty purposes. Clarifying
distinctions between financial services such as derivatives and parametric insurance
products to protect against potential abuses will, again, simplify oversight
and consumer confidence.
4. Education: All parties involved with parametric products must understand both
the limits and value proposition of this product. Still in the early stages of development,
clarity and communication with the buyer, with regulators and with other
stakeholders will help fully capture the resilience value offered.
Trust building is the common element uniting all of the above. Success to date has been in
substantial part due to insureds’ needs for timely payments, certainty of terms, and
transaction simplification. Technology has now substantially enabled each of these, making the
parametric policy an essential tool for effective risk management over the coming century.
However, there are necessarily issues of trust, security and data protection inherent in
technology-enabled solutions.100
As of publication, this new generation of insurance products complements and (in some
instances) can replace traditional insurance at a premium that fits within contracting
budgets. With no on-the-ground loss adjustment required, a parametric cover can keep
costs low while offering precise protection. Its approach empowers clients to new levels
of risk management, for new and emerging risks, including those of a changing climate.

100 See further discussion in Nigel Brook, Wynne Lawrence, Edward Langlier and Bill Marcoux, “How
Technology can Help Bridge the Protection Gap,” Insurance Development Forum, 29 November 2019,
www.insdevforum.org/knowledge/idf-reports-publications/idf-paper-on-how-technology-can-help-bridge-the-protection-gap/.

Chapter 7

Autonomous Vehicles

Liability and Insurance

Julie-Anne Tarr and Anthony A Tarr

CONTENTS
Introduction
Regulation
Liability, risk and insurance
United Kingdom
Ensuring clarity about automated driving and assisted driving
Establishing new schemes for regulating vehicle safety
Combatting misleading marketing
Mandating the sharing of collision data
Civil liability
Product liability
Criminal liability
Germany
Australia
United States
Product liability
Insurance industry dynamics
Conclusions

DOI: 10.4324/9781003319054-7



Introduction
The insurance industry is in a period of rapid and fundamental change with the availability
of “big data” in conjunction with technological advances in artificial intelligence (AI),
predictive analytics and machine learning, IoT and blockchain creating the foundation and
operational capacity for new products, practices and services.
Nowhere are the challenges and changes to insurance law and practice more likely to
manifest than in relation to Connected and Automated Vehicles (CAVs),1 being vehicles
that are capable of automated driving and connectivity with other vehicles or road users,
the road infrastructure and the cloud.2 Thus, CAVs are distinguished by driving automa-
tion and connectivity, and as the New South Wales Government observe in their report
“Transport for NSW: Future Transport Strategy 2056,”3 the next 40 years will see more
technology-led transformation than the past two centuries, with rapid innovation bringing
increased automation4 for bus, train, car and truck transportation.5
The widespread adoption of autonomous vehicles will necessarily bring with it major
impacts on the motor vehicle insurance industry. These impacts, which are addressed
in the sections below, include decreased private ownership of vehicles, reduction in the
number and severity of accidents and insurance claims, liability allocation shifts from
the driver to the manufacturer of the vehicle and associated technology providers,
third-party liability risks, cyber liability, infrastructure insurance and assessment of risks and
premiums.
Autonomous vehicles (AVs) have exited science fiction and are a reality. Multiple countries
have testing and development programmes underway, with many aiming for commercial
use in the next two to ten years.6 As of 2022, China’s Wuhan and Chongqing
Yongchuan districts offer fully operational driverless ride/hail taxis.7 In the United States,
although still in testing mode, self-driving 18-wheel trucks between Dallas and Atlanta
cut delivery times in half, covering 6,300 miles in five days in lieu of the ten needed for
manned transport.8 An IKEA in Texas similarly uses a heavy-duty automated truck for
24/7 product transport over the 300 miles between its warehouse and Frisco store, saving
not only operating time but also fuel consumption (–10%) and enabling its traditional

1 Hereafter “Autonomous Vehicles” (or “AVs”), unless the context demands otherwise.
2 Jacopo Guanetti, Yeojun Kim, Francesco Borrelli, “Control of Connected and Automated Vehicles:
State of the Art and Future Challenges,” 5 March 2018, https://pdf.sciencedirectassets.com/271897.
3 See New South Wales Government, “Transport for NSW: Future Transport Strategy 2056” (March 2018)
(hereafter NSW Strategy).
4 NSW Strategy (n 3) 8.
5 NSW Strategy (n 3) 66.
6 For policy papers and target dates for various countries, see Law Commission, “Automated Vehicles Joint
Report,” Law Commission of England and Wales and the Scottish Law Commission, 3 February 2022,
www.lawcom.gov.uk/project/automated-vehicles/ (hereafter Joint Report 2022); see also Law Commission,
“Remote Driving Issues Paper,” 2022,
https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/2022/06/Remote-driving-LC-Issues-paper.pdf
(hereafter Issues Paper 2022).
7 “Baidu Granted China’s first-ever permits for commercial fully driverless ride-hailing services,” PRN
Newswire, 8 August 2022,
www.prnewswire.com/news-releases/baidu-granted-chinas-first-ever-permits-for-commercial-fully-driverless-ride-hailing-services-301601296.html#:~:text=%2D%20Baidu%20has%20become%20the%20first,and%20Wuhan%20during%20the%20daytime.
8 Cade Metz, “The Long Road to Driverless Trucks,” The New York Times, 28 September 2022, sec.
Business, www.nytimes.com/2022/09/28/business/driverless-trucks-highways.html; see also https://kodiak.ai/,
more than 6,300 miles were travelled to cover four round trips and deliver eight loads of freight.


supply chain operations to be slimmed down to direct shipper/seller connectivity.9 By
2035, US freeways are expected to carry 23 million AVs,10 and the UK government anticipates
40% of all new cars on the road will have a self-driving capability. In advance of
this, and because of its declared intent to be the world’s first to allow self-driving vehicles
at slow speeds on motorways, the UK is making major advancements towards introducing
automated lane-keeping systems (ALKS) and revising its regulatory highway codes.11
Industry “pioneers” are diverse and highly competitive, with Waymo (Alphabet/Google),
Tesla, Cruise Automation (GM), Uber, Nvidia and Baidu amongst the best
known. Traditional car manufacturers such as Ford, Mercedes-Benz, BMW and Volvo are
similarly heavy investors in driverless technology and, in some instances, have formed
partnerships with tech sector players. New players and projects emerge regularly and,
should a heuristic be needed for the dynamic growth in this space, patent activity over the
last decade provides a good snapshot: From 2010 to 2017, 5,800 auto-driving patents were
filed worldwide; in 2021 alone that number more than tripled.12
Regulators and insurers face significant challenges in addressing and responding to the
diverse and complex issues that arise in this emerging era of the driverless car. Addressing
these issues and choosing between competing solutions is, as the discussion below exemplifies,
no easy task and has profound implications for insurance law and practice in all
jurisdictions.13 These questions are addressed below.

Regulation
Regulators and policymakers are still grappling with what the regulatory environment and
framework for autonomous vehicles should encompass. Although it is generally accepted
that regulatory intervention ideally needs to tread a path that does not stifle innovation
and is not so “heavy-handed” as to stifle growth,14 how that will play out remains subject
to various interpretations.
Sensitivity to this measured approach was strongly evidenced in the December
2020 European Commission’s Communication to the European Parliament15 wherein the
necessity to put European transport on track for the future was emphasised. Further, the

9 Kodiak Team, “Kodiak Moves IKEA Products in Texas,” Kodiak, 18 October 2022,
https://kodiak.ai/news/kodiak-moves-ikea-products-in-texas/.
10 Lawrence Karp et al., “Insuring Autonomous Vehicles: Opportunity between now and 2025,” Stevens
Institute of Technology and Accenture (2017) (hereafter Accenture 2017).
11 Issues Paper 2022 (n 6); See also Nick Carey, “UK Government Green Lights ‘Self-Driving’ Cars on
Motorways,” Reuters, 27 April 2021,
www.reuters.com/business/autos-transportation/uk-government-green-lights-self-driving-cars-motorways-2021-04-27.
12 See PatentSight, www.lexisnexisip.com/solutions/ip-analytics-and-intelligence/patentsight/.
13 See, for example, Julie-Anne Tarr, Anthony Tarr and Amanda George, “Autonomous vehicles: regulatory,
insurance and liability issues” (2021) 49 Australian Business Law Review 171.
14 See, for example, Kyle Bowyer, “The Robotics Age: Regulatory and Compliance Implications for
Businesses and Financial Institutions,” The European Financial Review, 21 April 2018,
www.europeanfinancialreview.com/the-robotics-age-regulatory-and-compliance-implications-for-businesses-and-financial-institutions/
(hereafter Bowyer): “Regulation needs to strike a balance between controlling risk and stifling growth.
Interestingly, the call for regulation often comes from innovators and thinkers such as Elon Musk and Bill
Gates and it is becoming increasingly evident that existing laws regulating product liability, consumer rights,
property law, intellectual property and tort law, to name but a few, may not be adequate to manage and control
the risks associated with rapidly advancing AI.”
15 See, for example, European Commission, Communication from the Commission to the European
Parliament, the Council, The European “Economic and Social Committee and the Committee of the Regions,


importance of a coordinated European approach to connectivity and transport activity to
overcome crises such as the COVID-19 pandemic and to strengthen the European Union’s
strategic autonomy and resilience was underscored.16
In assessing the timing and nature of regulatory intervention, the various stages of
vehicle automation are critical. An international standard J3016 for autonomous vehicles
defined in 2014 by the Society for Automotive Engineers International (SAE) categorises
six levels of driving automation, from SAE Level 0 (no automation) to SAE Level
5 (full vehicle autonomy).17 Levels 1–3 require a human driver, but increasing levels of
automation are present; for example, at Level 2 at least two features such as braking and
cruise control will be automated, and at Level 3 the vehicle will be partially autonomous.
Levels 4 and 5 define the conditions when the automated driving system is in control,
with a human driver having limited or no capacity of being able to take over in some
circumstances.18
As noted above, Accenture and Stevens Institute of Technology19 predict that there will
be 23 million fully autonomous vehicles travelling US highways by 2035, but at present
even the most advanced vehicles in their migration to full autonomy may be categorised
as Level 2 or 3.20 As the New York Times21 reported in 2019: “The carriage may still be
horseless, but it’s hardly ready to be driverless.”
This in turn generates debate as to whether the regulatory focus should be upon fully
automated vehicles so as to avoid the fragmented liability issues which come with partial or
conditional autonomy, and consideration as to what changes are required now, and what can
be deferred.22 For example, in the United Kingdom, the Department for Transport and the
Centre for Connected and Autonomous Vehicles, while recognising arguments for changes
to product liability law to facilitate damages being directly recoverable from manufacturers,
were of the view that it was not a proportionate response at this stage when there were
a small number of autonomous vehicles in proportion to the whole vehicle fleet.23

Sustainable and Smart Mobility Strategy—putting European transport on track for the future” (Brussels, 9
December 2020, COM 789 Final) (hereafter COM 789).
16 Ibid [1–5].
17 Jennifer Shuttleworth, “SAE Standards News: J3016 automated-driving graphic update,” 7 January
2019, www.sae.org/news/2019/01/sae-updates-j3016-automated-driving-graphic.
18 John Cusano and Michael Costonis, “Driverless Cars Will Change Auto Insurance. Here’s How Insurers
Can Adapt,” 5 December 2017,
https://hbr.org/2017/12/driverless-cars-will-change-auto-insurance-heres-how-insurers-can-adapt
(hereafter Cusano and Costonis); Rick Huckstep, “Four Ways Autonomous Vehicles Will
Change Auto Insurance,” The Digital Insurer (hereafter Huckstep),
www.the-digital-insurer.com/blog/insurtech-impact-autonomous-vehicles-auto-insurance/.
19 Accenture 2017 (n 10) (out of about 250 million total cars and trucks registered in the United States).
20 John Cusano and Michael Costonis (n 18), “If we look at autonomous vehicle adoption as a spectrum—
with zero representing a universe consisting exclusively of traditional vehicles and five representing a world of
fully autonomous vehicles—we are somewhere between zero and one right now.”
Huckstep (n 18), “Tesla’s much vaunted Autopilot system is (only) at Level 2 today, even though they might
market themselves higher. The first production ready Level 3 car is expected later this year in the form of the
Audi A8.”
21 “Driverless Cars Are Taking Longer Than We Expected. Here’s Why,” New York Times, 14 July 2019,
www.nytimes.com/2019/07/14/us/driverless-cars.html.
22 Cusano and Costonis (n 18).
23 Department for Transport, “Pathway to driverless cars: Consultation on proposals to support Advanced
Driver Assistance Systems and Automated Vehicles Government Response,” Centre for Connected and
Automated Vehicles, January 2017,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/581577/pathway-to-driverless-cars-consultation-response.pdf.


The attention of regulators must extend beyond traditional areas of concern in relation
to the operation of non-autonomous vehicles to embrace issues such as data protection,
competition policy and cyber security.
Autonomous vehicles have the capacity to generate large amounts of data, as does surrounding
technology that may interface with them (CAVs), their owners and other related
entities. Protecting drivers’, passengers’ and related parties’ privacy will raise key issues
that most existing privacy frameworks are ill-equipped to resolve.24 While the increasing
availability of data in conjunction with technological advances in AI analytics and the
resulting predictive insights simultaneously opens the door to new and exciting opportunities,
significant data protection and privacy concerns may arise in respect of the personal
data used (and created by AI analytics).
These concerns may transcend individuals and extend to market competition issues.
The data accrued is potentially very valuable to manufacturers, users and
competitors. This not only has implications for healthy market competition among industry
players, if not potential anti-trust ramifications, but also carries consequences at micro and
macro marketing levels and in societal planning contexts. Fabian Pütz et al.25 point out that:
(T)he increasing interconnection of modern vehicles could be a decisive game changer for
the competitive environment. This is because (automotive manufacturers) OEMs recognize
the interconnection of modern vehicles as a facilitator of telematics-based services, which
are used to increase customer touch points and to strengthen and extend the duration of the
active customer-relationship and the (digital) value co-creation process. Referring to motor
insurance, the possibility to access customers via a digital interface in the vehicle potentially
expands the already existing competition between OEMs and traditional insurers from the
new vehicle market also to the used car market. Given the expanded competitive relationship
between the actors, OEM-affiliated insurance companies generally have the advantage to link
the stand-alone insurance product to a comprehensive set of (physically) perceptible products
and services, which are based on telematics data.

Regulators also need to address cyber security issues. Autonomous vehicles are particularly
vulnerable to cyber threats as a result of their dependency on external wireless
input channels, such as GPS, radiofrequency, radar, infrared and Wi-Fi sensors, to operate
effectively. As with any internet-connected computer device or interconnected computer system,
the main security challenges are protecting the transmission of information between
authorised devices and preventing unauthorised users from accessing systems.
The European Union Agency for Cybersecurity (ENISA)26 recently reported that self-driving
vehicles are vulnerable to hacking because of the advanced computers they contain
and that the hacks could be dangerous for passengers, pedestrians and other people
on the road. The ENISA report found that automakers should guard against a range of
attacks, including sensor attacks with beams of light, overwhelming object detection systems,
back-end malicious activity and adversarial machine learning attacks. Autonomous

24 See Chapter 2.
25 Fabian Pütz, Finbarr Murphy, Martin Mullin and Lisa O’Malley, “Connected automated vehicles and
insurance: Analysing future market-structure from a business ecosystem perspective.” Technology in Society
59 (2019) 101182 (hereafter Pütz et al.).
26 “Cybersecurity Challenges in the Uptake of Artificial Intelligence in Autonomous Driving,” European
Union Agency for Cybersecurity (ENISA) and the Joint Research Centre (JRC), 11 February 2021,
www.enisa.europa.eu/news/enisa-news/cybersecurity-challenges-in-the-uptake-of-artificial-intelligence-in-autonomous-driving.


cars could be attacked by AI systems that could damage the automobiles in ways that
humans would find hard to detect, the report says. To prevent such attacks, carmakers will
have to continually review the software in self-driving cars to make sure it hasn’t been
altered.27
Finally, it is important to recognise that “standards-based regulatory systems presuppose
that the regulated products execute only well-defined functions in known, stable
contexts for which performance benchmarks can be defined and assessed.”28 As David
Danks and Alex John London observe:

This approach is generally adequate for the regulation of automatic systems, or systems that
perform a delineated set of operations within a well-defined and relatively static context to
achieve specific goals. In contrast, autonomous systems move beyond mere automation, as
they make meaningful decisions about which tasks to perform in uncertain or ambiguous
contexts. Uncertainty about context can arise for multiple reasons, including changes over
time or ambiguous signals about key indicators. Regardless of the source of the uncertainty, a
necessary condition for autonomy is the ability to identify contexts in a fluid environment and
then select and execute appropriate functions in ways that conform to relevant and potentially
context specific norms, constraints, or desiderata. However, this ability creates a prima facie
challenge to any attempt to develop performance standards for autonomous systems, because
standards presuppose known contexts. Recognizing this challenge is a necessary step toward
evaluating alternative models of oversight for novel autonomous systems.29

Liability, risk and insurance


For the insurance industry, clarifying how liability attaches to accidents involving autonomous
vehicles will be critical to understanding how to position its risk management
products. Compensation as it currently stands rests on a combination of traditional legal
doctrines of contract, negligence and fault supplemented in various ways by the jurisdiction’s
structuring of third-party liability insurance.
A fundamental question that arises in relation to autonomous vehicles is who should be
liable for injury or damage caused to the owner, driver or any other person in any accident.
Other associated questions, challenges and issues include determinations around
automated driving and assisted driving, regulating vehicle safety, product liability and
data sharing and management.

United Kingdom
One solution in relation to autonomous vehicles, automated vehicles or driverless cars is
that adopted in the Automated and Electric Vehicles Act 2018 (UK), which extends compulsory
motor vehicle insurance to cover the use of automated vehicles in automated

27 Ibid. Note that the International Standards Organization and SAE International (ISO/SAE) have developed
a Draft International Standard 21434: Road vehicles cybersecurity engineering. The standard can serve
as a baseline for vehicle manufacturers and suppliers to ensure that cyber security risks are managed efficiently
and effectively and is closely related to ISO 5112 Road vehicles—Guidelines for auditing cybersecurity
engineering, www.iso.org/standard/70918.html.
28 David Danks and Alex John London, “Regulating Autonomous Systems: Beyond Standards,” IEEE
Intelligent Systems, January 2017,
http://inseaddataanalytics.github.io/INSEADAnalytics/OtherArticles/DanksLondonRegulatingAutonomy.pdf.
29 Idem.


mode. As such, any victim(s) (including the “driver”) of an accident caused by a fault
in the automated vehicle itself is covered by the compulsory insurance in place on the
vehicle. The insurer is initially liable to pay compensation to any victim, including to
the driver who legitimately handed over control to the vehicle. The insurer then has the
right to recover costs from the liable party under existing common law and product
liability law.30
A strong justification for this approach is that United Kingdom law on compulsory
motor insurance has focused historically on ensuring that victims of road traffic collisions
are compensated quickly and fairly. In the case of an automated vehicle being operated
in automated mode, however, accidents could take place not as a result of human fault
but because of a failure in the vehicle itself, for which the only recourse available to an
otherwise uninsured victim might be to sue the manufacturer through the courts. Such a
process would more likely be expensive, cumbersome and drawn out.
Accordingly, the Act prescribes compulsory insurance for automated vehicles via a
“single insurer” model, and following an accident, insurers of an automated vehicle will
be liable for damage caused to the insured or any other person when the vehicle was driving
itself.31 The insurer or owner of the automated vehicle will not be liable to the person in
charge of that vehicle where the accident caused was wholly due to the person’s negligence
in allowing the vehicle to drive itself when it was not appropriate to do so.32 Moreover,
an insurer may exclude or limit its liability for damage suffered by an insured where the
accident occurs directly as a result of software alterations that are prohibited under the
policy, or a failure to install software updates which the insured knew or ought to have
known were “safety critical.”33 The Act expressly recognises the right of the insurer, or
owner of the vehicle, to claim against any other person responsible for the accident.34
Therefore, where the manufacturer of the vehicle, or another third party, is responsible for
the damage or injury, the insurer or vehicle owner will still have a liability to the injured
party—but it will be entitled to recover against that manufacturer under relevant existing
laws, including product liability laws.35
There is strong support from the insurance industry for the Automated and Electric
Vehicles Act 2018 (UK) approach of extending compulsory motor vehicle insurance to
include the use of automated vehicles. Importantly, this legislation aims to set out a clear
structure for liability, with car owners still required to purchase an insurance policy
that complies with road traffic rules.36 With many automated cars being able to switch

30 See Commentary on provisions of Bill/Act, Automated and Electric Vehicles Act 2018 (UK),
www.legislation.gov.uk/ukpga/2018/18/notes/division/6/index.htm.
31 Automated and Electric Vehicles Act 2018 (UK), s2(1). Note that section 2(2) provides that where the
vehicle was driving itself and was not insured, the owner will be liable for the damage caused by the accident.
32 Ibid s 3(2).
33 Ibid s 4.
34 Ibid s 5.
35 Generally, see Chamika Hand and Stephan Appt, “Car insurance must evolve for autonomous vehicles,”
26 November 2020, www.pinsentmasons.com/out-law/analysis/car-insurance-evolve-autonomous-vehicles
(hereafter Hand).
36 Emma Kennedy, “How do you insure a driverless car?,” CNN Business, 21 March 2019,
https://edition.cnn.com/2019/03/21/cars/driverless-cars-insurance-liability-explained/index.html.
See comments from Nicolas Jeanmart, head of personal insurance, general insurance and macroeconomics
at Insurance Europe in Euractiv, “EU considers new insurance laws for driverless cars,” 10 June 2016,
www.euractiv.com/section/digital/news/eu-considers-new-insurance-laws-for-driverless-cars/.


modes—from automated to driver-controlled—insurers are concerned that any requirement
to have two distinct insurance policies to cover each scenario is too complicated.37
Moreover, this legislation prioritises driver/insured recovery by ensuring “no gaps” arise
by placing strict obligations on the insurer to pay out in the event of an incident involving
the insured vehicle, regardless of fault, before then being able to pursue recovery as a
secondary action.38
Notwithstanding this early, and broadly accepted legislative initiative to address
autonomous vehicle liability issues, the UK government recognised that a comprehensive
overarching review of the regulatory framework was necessary to manage this transport
revolution. Accordingly, in 2018, the government asked the Law Commission of England
and Wales and the Scottish Law Commission (the Law Commissions) to conduct a review
of legislation to prepare for the safe introduction of self-driving vehicles on Great Britain’s
roads.39 This review concluded in January 2022 with the publication of a report with
75 recommendations to government which, taken together, set out a new regulatory frame-
work for self-driving vehicles. The review involved extensive consultation across the self-
driving vehicle landscape, including manufacturers, insurers, academics and civil society,
generating a wealth of evidence. It provides international thought leadership on the way
in which self-driving vehicles should be regulated and the recommendations provide for
the world’s first comprehensive regulatory framework for self-driving vehicles. In August
2022, the UK government published a detailed response40 to the Law Commissions report
in which it commits to a new legislative framework for self-driving in Great Britain, and
which adopts the Law Commissions’ recommendations on an almost wholesale basis. The
response provided for a consultation period, which concluded on 12 October 2022, and an
implementation timeline of three years to conclude in 2025.
Kerris Dale and Alistair Kinley41 provide a summary of the principal recommendations
of the Law Commissions to be refined, developed and implemented for regulating the safe
deployment of self-driving or automated vehicles (AV) on British roads, which is detailed
in the following section:

Ensuring clarity about automated driving and assisted driving


The final report recommends a high test for a vehicle to be authorised as having self-driving
features: It must be safe even if a human user is not monitoring the driving
environment, the vehicle or the way it drives. A user may be required to respond to a clear
and timely signal to take over driving (a “transition demand”) but otherwise must not be
relied on to respond to events or circumstances.
This approach would treat what was previously categorised as “conditionally automated”
driving (Level 3 according to the Society of Automotive Engineers’ international
standard) as assisted driving; even if the technology offers a very high degree of assistance,
it is not “automated driving,” and the individual remains a “driver.”
Conversely, the person in the driving seat of a highly automated vehicle (Levels
4 or 5) will be known as a “user-in-charge” and is not a “driver” while the vehicle is
driving itself.
A user-in-charge is not responsible for the dynamic driving task but must nonetheless
be qualified and fit to drive because they will be required to take over following a transition
demand from the automated vehicle.
A “user-in-charge” would become responsible for driving at the end of the transition
period whether or not they have taken control. If the user-in-charge fails to take over
the driving task, the recommendation is that the vehicle must complete a risk mitigation
manoeuvre and come to a controlled stop in a lane with hazard lights flashing.

37 David Williams, technical director at AXA Insurance UK, as above (n. 22);
see also Nick Carey, Paul Lienert and Tina Bellon, “Britain’s Driverless Car Ambitions Hit Speed Bump
with Insurers,” Reuters, 21 April 2021,
www.reuters.com/article/us-autos-autonomous-insurance-insight-idUSKBN2C814K.
38 Huckstep (n 18).
39 Automated-vehicles-joint-report-cvr-03-02-22.pdf, www.lawcom.gov.uk/project/automated-vehicles/.
40 HM Government, “Connected & Automated Mobility 2025: Realising the benefits of self-driving vehicles
in the UK,” August 2022 (hereafter Connected & Automated Mobility 2025),
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1099173/cam-2025-realising-benefits-self-driving-vehicles.pdf.
See Clyde & Co “Automated Vehicles: Government to adopt the Law Commissions’ recommendations”
23 August 2022, www.clydeco.com/en/insights/2022/08/ccav-response.
41 See Kerris Dale and Alistair Kinley, “The Law Commissions’ joint report: Automated Vehicles,” 31
January 2022; see also Mark Hemstead and Vikki Melville, “Law Commissions issue recommendations on
future regulation of autonomous vehicles,” Clyde & Co, 27 January 2022,
www.clydeco.com/en/insights/2022/01/law-commission-report-autonomous-vehicles-2022.

Establishing new schemes for regulating vehicle safety


The final report recommends that section 1 of the Automated & Electric Vehicles Act 2018
(AEVA), concerning the listing of vehicles which the Secretary of State for Transport has
classified as being automated, should be replaced with a new authorisation scheme with
several elements.

• Type approval: An agency—currently the Vehicle Certification Agency (VCA)—
would grant vehicle type approval allowing the vehicle manufacturer (VM) to
produce and sell models that conform to the approved specification;
• Authorising self-driving: A new authorisation authority, likely to be the VCA,
would determine whether features of a type-approved vehicle can be legally
categorised as self-driving and, if so, whether a self-driving feature must be
used with (i) a user-in-charge, or (ii) no user-in-charge but supervised remotely
by a licensed operator. The agency would also specify the Operational Design
Domain (ODD) within which each self-driving feature could lawfully be used,
e.g. motorway driving only. The authorisation of a self-driving feature, which is
independent of prior type approval, means that the AV may be deployed, within
the permitted ODDs, to drive itself;
• An “in-use” regulator: This body—likely to be the Driver and Vehicle
Standards Agency (DVSA)—would be responsible for market surveillance,
evaluating the safety of AVs as against published safety standards and investigating
traffic violations that would have comprised criminal offences if
committed by a (human) driver. It would have powers to administer a range
of regulatory sanctions to the Authorised Self-Driving Entity (ASDE) legally
responsible for the AV and to address any improvements required in the technology
directly with the ASDE.

Combatting misleading marketing


To target misleading marketing, the final report recommends the creation of a new criminal
offence of engaging in a commercial practice that involves the use of protected terms
such as “self-driving” or otherwise “likely to confuse drivers into thinking that an unauthorised
vehicle does not need to be monitored.” Recognising the global reach of automated
driving, the new offence would be subject to a limited due diligence defence where
the material targeted consumers outside Britain and the business had taken reasonable
precautions to prevent British drivers from being misled, e.g. by clarifying that the marketing
material related to specific jurisdictions only.

Mandating the sharing of collision data


The final report qualifies its conclusions on collision data by stating that further work is
required. It nevertheless makes a number of important recommendations and acknowledges
that a legal basis for sharing data will “allay fears” that customers might be forced
to take out insurance with a company tied to a VM.

• Introducing a new legal duty to disclose AV accident data: This would be as
part of the AV authorisation process with recipients of the data including insurers,
the authorisation authority, the in-use regulator and any road collision investigation
branch. AVs cannot be authorised as self-driving unless “[they] can record
location data for detected collision events and ADS activation/deactivation” and
“[are] supported by a suitable ASDE which has demonstrated its ability to comply
with relevant laws (including laws on data protection…).” The final report
recognises that the disclosure of AV accident data to insurers is the legal quid
pro quo for motor insurers meeting claims in the first instance under AEVA’s
strict liability but then benefitting from the statutory right of recovery provided
by AEVA against any other liable party (such as the VM);
• Encouraging insurers and manufacturers to agree on an industry-level protocol
on data disclosure, in default of which the in-use regulator should have legal
powers to issue a code of practice. The final report acknowledges “some underlying
tensions between insurers and manufacturers” on this subject;
• To require vehicle systems to comply with data protection law: This would
place responsibility for compliance with the GDPR and the Data Protection Act
2018 on VMs, which is particularly important given that geo-location data is to
be included within the proposed dataset;
• To retain AV accident data for 39 months: This would run from the date the data
is recorded (that is, the accident date) and represents the usual limitation period
of three years plus an additional three months for late notification. “We do not
think that this would be unduly onerous. Although AVs have the potential to
generate huge quantities of data, the data required for the [Data Storage Systems
for Automated Driving] DSSAD is limited.” Although these recommendations
are welcome, they refer only to “detectible” collisions and do not seem to address
near misses or minor collisions (for example, in which the airbag is not deployed).
Further work appears necessary here.

Civil liability
The report considers that the imposition of strict liability on motor insurers under AEVA,
where an accident is caused by an automated vehicle driving itself, is “good enough for now.”
It indicates that most respondents agreed that the provisions in AEVA on causation and contributory
negligence do not need to be amended at present but should be kept under review:
Issues of causation and contributory negligence often defy easy answers… We do not see
legislative intervention as a priority at this stage … We hope that the UK Government will act
quickly to review the legislation if disputes under the Act are causing delays for claimants or
preventing insurers from pricing policies.

The report acknowledges a gap in respect of uninsured AVs and considers it would be
“unfair” to treat those injured by an uninsured AV differently from those injured by an
uninsured conventional driver. Unsurprisingly, there was “near unanimous agreement”
on this proposition, and the report recommends that government continues to work with
the Motor Insurers’ Bureau on necessary arrangements (and funding).

Product liability
There are no specific recommendations about insurers’ secondary or follow-on recovery
claims against other liable parties such as Vehicle Manufacturers (VMs) or software companies.
These claims are akin to claims arising out of defective products under the Consumer
Protection Act 1987 (CPA) and would be made against those responsible for placing AVs into
circulation. However, certain limitations inherent in the CPA may complicate its use here: (i)
CPA applies only to consumer claims (rather than businesses), (ii) claims are subject to a ten-year
post-launch limitation period, (iii) claims are subject to a “state of the art” defence and (iv)
liability for damage to the product itself (that is, AV) is excluded.
Additional difficulties may arise given that AVs may change over time due to software
updates, whereas the CPA is generally aimed at physical consumer products that are
unchanged. Insurers will need to know about updates and when they are installed, but the
mechanism for this is unclear. Will DVSA (or DVLA) be informed? Would an insured be
under a duty of fair presentation to make appropriate disclosures at inception, renewal or
when updates are installed? Will the insured even know about automatic updates? The
report acknowledges that a general review of product liability law is “desirable,” not least
because the CPA is 35 years old, and connected products (such as AVs) receiving software
updates could not have been in contemplation in 1987. It also suggests: “a general review
of the law of software liability would appear to be a suitable project for one or both Law
Commissions.”

Criminal liability
Where an AV system is engaged and driving itself, the recommendation is that a user-in-charge
will no longer be responsible for offences associated with the dynamic driving
task, for example, dangerous or careless driving. This is subject to the proviso that the user
has not taken positive steps to override or alter the system or has otherwise interfered with
its functionality (for example, by installing unauthorised software updates). A user-in-charge
could nevertheless be subject to two new offences: 1. Using an AV in a dangerous
state, such that it involves a danger of injury to any person, which would be obvious to a
competent and careful user-in-charge; 2. Failing to respond to a transition demand where
they could reasonably be expected to do so, in which case their immunity from dynamic
driving offences also ceases. Additionally, the final report recommends the introduction of
a new defence where a user-in-charge has completed a handover from the vehicle but finds
themselves committing an offence, initiated by the ADS. The defence should be that the
standard of their driving did not fall below that of a reasonably competent driver.
In total, the Law Commissions’ final report makes more than 70 recommendations
aimed at further developing the legal and regulatory framework governing the use of AVs
on the UK’s roads. Implementing all of these in full would require significant legislative
time and resources as well as widespread consultation with stakeholders on technical
details. It remains unclear whether the UK government’s stated aim of enacting this new
framework by 202542 will be achieved.43

Germany
Given that the automotive industry continues to serve as a cornerstone of the German
economy, it is not surprising that automated driving functionality is becoming an ever-increasing
area of interest across the entire value chain in the German automotive
industry.44
In recognition of this, the legislature in Germany has already implemented major
amendments to its Road Traffic Act45 to integrate specific provisions relating to automated
and autonomous driving.
In 2017 the Road Traffic Act was amended to accommodate motor vehicles with highly
or fully automated driving functions (that is, for vehicles of SAE Level 3), and in 2021,
by means of the Autonomous Driving Act, to create a legal framework for motor vehicles
with autonomous driving function (that is, for vehicles of SAE Level 4) in defined operating
areas.
Fabian Pütz et al.46 describe the 2017 amendments as mainly preserving the existing
liability and insurance framework, characterised by a combination of strict liability of
the vehicle owner and fault-based liability of the (human) driver.47 The Road Traffic Act
states that the person using a highly or fully automated vehicle still remains the driver of
the vehicle.48 Furthermore, according to the Road Traffic Act, the driver may turn away
from the traffic situation and the control of the vehicle while driving but must remain
aware of the situation in such a way that he/she can immediately take control of the vehicle
again—either because the system prompts him or her to do so, or because he/she recognises
or must recognise, on the basis of obvious circumstances, that the prerequisites for
the intended use no longer exist.49 If the driver cannot prove that he/she has complied with
these obligations, his/her fault is presumed, and he/she is liable for damages to the injured
party according to the Act.50

42 Connected & Automated Mobility 2025 (n 40).
43 Dale and Kinley 2022 (n 41).
44 Norton Rose Fulbright, “Autonomous vehicles: The legal landscape in Germany,” 11 August 2016,
www.nortonrosefulbright.com/en/knowledge/publications/0e91a75d/autonomous-vehicles-the-legal-landscape-in-germany#.
45 Straßenverkehrsgesetz (StVG).
46 Pütz et al. (n 25).
47 A car’s owner and registered keeper are often assumed to be the same thing because they are usually
the same person, but in fact they can be different people. The owner is the person who bought the car or the
person who has been gifted the vehicle. The registered keeper is the main user of the car. A company car is
a common example of when a registered keeper and owner are different. The company owns the car and the
employee who drives the car is the registered keeper. See, for example, Trinity Francis, “Car registered keeper
vs owner: what's the difference?” Auto Express, 1 February 2022,
www.autoexpress.co.uk/tips-advice/356757/registered-keeper-vs-owner-whats-difference#:~:text=The%20owner%20is%20the%20person,car%20is%20the%20registered%20keeper.
48 Section 1a(4).

This liability framework is coupled with obligatory insurance to be maintained by the
owner, covering liability costs of the owner, the driver and the titleholder of the respective
vehicle. Original equipment manufacturers (OEMs) are not directly included in the
legal framework, with the legislator’s expectation that motor insurance companies will
examine and conduct subrogation claims under existing product liability law in the case
that a defect of the automated driving system causes an accident.51 The driver and registered
owner of the vehicle are primarily and directly liable, instead of providing for a new
direct route through to the manufacturer when accidents have occurred during automated
mode.52
Conversely, the Autonomous Driving Act 2021, which legalised the use of vehicles with
autonomous driving functions within a defined operating area (SAE Level 4), removes
the user from any special duties.53 However, since Art. 8, paragraph 5bis of the Vienna
Convention on Road Traffic states that autonomous motor vehicles are only permitted if
there is at least a possibility of deactivation by a person—whether inside or outside the
vehicle—Germany introduced, by its new law, the new role of a “technical supervisor”
who is entrusted, inter alia, to deactivate (instead of the driver) the system.54 This new
actor is a natural person who can deactivate the motor vehicle during its autonomous
operation and activate driving manoeuvres for the vehicle. The registered keeper of the
motor vehicle acts as the technical supervisor and must ensure that passengers comply
with traffic regulations that are not related to vehicle control.
The technical supervisor is neither obliged to be present in the vehicle nor obliged to
constantly monitor the autonomous vehicle. Rather, the task of a supervisor is to perceive
emergency messages from the autonomous vehicle system and to decide whether
the vehicle should be deactivated or an alternative driving manoeuvre be initiated.55
Martin Ebers56 raises the pertinent question of whether this is compatible with the Vienna
Convention, as the Convention entrusts the deactivation or overriding to a “driver” who,
according to the common understanding of the statutory text and the general scheme of
the Convention, must be in the vehicle.

49 Section 1b.
50 Section 18(1)(1). See Martin Ebers, “Civil liability for autonomous vehicles in Germany” (5 February
2022). Available at SSRN, https://ssrn.com/abstract=4027594.
51 Pütz et al. (n 25).
52 See Dr Stephan Appt, “Germany Introduces law permitting automated vehicles” 14 July 2017,
www.pinsentmasons.com/out-law/news/germany-introduces-law-permitting-automated-vehicles.
53 As examples of motor vehicles with autonomous driving capabilities, the explanatory memorandum to
the law names autonomous shuttle buses and the transport of goods by motor vehicles with autonomous driving
functions.
54 Vienna Convention on Road Traffic 1968, BGBl. 1977 II, 809 (811), last amended by agreement of 24
March 2014, BGBl. 2016 II, 1306.
55 Martin Ebers, “Civil liability for autonomous vehicles in Germany,” 5 February 2022, SSRN
https://ssrn.com/abstract=4027594 (hereafter Ebers).
56 Ebers (n 55).

Technical requirements for autonomous vehicles are listed in the new section: an autonomous
vehicle must be able to independently comply with the traffic regulations; independently bring the
motor vehicle into a minimal-risk state if travel can be continued only by violating road
traffic law; have an accident-avoidance system; immediately notify the technical supervisor
of any impairment of its functionality; and be capable of being deactivated by the technical
supervisor at any time. The accident-avoidance system must be designed to avoid
and reduce damage and must, if an accident is unavoidable, give the highest priority to the
protection of human life. The duty to comply with traffic regulations that do not relate to
vehicle control and that a machine cannot perform, such as wearing a seat belt, rests with
the humans in the vehicle.57
The Autonomous Driving Act 2021 does not amend the liability rules for the technical
supervisor in the Road Traffic Act. Therefore, the technical supervisor can only
be held liable under the general rules on civil liability laid down in the German Civil
Code (Bürgerliches Gesetzbuch). The most important provision in the area of tort law is
section 823(1) Civil Code, which generally requires fault on the part of the tortfeasor. In
particular, the legislator rejected a proposal to impose liability for presumed fault on the
technical supervisor, similar to the liability of a driver according to section 18(1)(1) Road
Traffic Act. Martin Ebers58 comments that:
The German Government argued that the potential dangers of activities carried out by a technical
supervisor differ considerably from that of a conventional vehicle driver, as the technical
supervisor can only intervene in the driving situation if he/she has been requested to do so
by the vehicle. Even after being requested to do so by the vehicle, the technical supervisor can
either only release certain driving manoeuvres that are suggested by the vehicle or deactivate
the vehicle and put it into a risk-minimising condition. These possibilities of intervention are
fundamentally different from those of a classic vehicle control, in which the vehicle is exclusively
controlled by the driver. In contrast to the driver’s liability according to section 18(1)(1)
Road Traffic Act, the fault of the technical supervisor must therefore be proven by the injured
party for a claim based on section 823(1) Civil Code. In view of this liability requirement and
the fact that liability against the vehicle keeper continues to be strict liability, the injured party
will probably only make a claim against the technical supervisor in rare cases.

Changes to the legal framework for autonomous driving can also be expected in the
future. In their coalition agreement, the new government which took office in December
2021 stated that the law on autonomous driving should be improved by clarifying liability
issues and ensuring the data sovereignty of users.59

57 Generally, see Ebers (n 55).
58 Generally, see Ebers (n 55).
59 SPD, BÜNDNIS 90/DIE GRÜNEN and FDP, Koalitionsvertrag, 52,
www.spd.de/fileadmin/Do-kumente/Koalitionsvertrag/Koalitionsvertrag_2021-2025.pdf cited in Ebers (n 55).

Australia
Australia’s position is unresolved at this time,60 but the National Transport Commission,61
the statutory body responsible for coordinating national roads policy, reported in October
2019 that Australia’s Transport Ministers have agreed, as in the United Kingdom, to bring
automated vehicles under the umbrella of the various state and territory compulsory motor
vehicle third-party liability schemes. The Insurance Council of Australia has expressed its
support for this position as being the most suitable model through which reform should be
implemented, with the existing schemes providing the framework necessary for people to
have timely access to treatment, care and financial support.62
In June 2020, the National Transport Commission (NTC) drafted a decision Regulation
Impact Statement (RIS) on the in-service safety framework for automated vehicles, which
resulted in decisions made by infrastructure and transport ministers on the key elements of
the framework including the establishment of a new national law (the Automated Vehicle
Safety Law (AVSL)) and regulator. The AVSL will regulate Automated Driving System
Entities (ADSEs), which will have a responsibility to ensure the safe operation of their automated
driving systems for their entire lifecycle.
Further consultation on the detailed content of the law and differences in potential legislative
implementation approaches resulted in a range of proposals noted by infrastructure
and transport ministers in May 2021. A subsequent round of targeted consultation
focused on how the AVSL framework would interact with existing state, territory and
Commonwealth transport laws, and in February 2022, a Commonwealth law approach for
automated vehicles was agreed upon by ministers.
The NTC, in a document entitled “The regulatory framework for automated vehicles
in Australia,”63 presents an end-to-end regulatory framework for automated vehicles, in
particular the safety assurance framework. Space constraints preclude a detailed discussion
of this document, but some key “take-aways” include:
1. Three key regulators for automated vehicle safety are proposed. A first-supply regulator
will approve the entry of new automated vehicles to the market for the first
time, by assessing the quality of evidence provided by applicants about the safety
of their automated driving system (ADS) and certifying ADSEs at first supply. An
ADSE is the party that will self-certify the safety of the ADS and take responsibility
for it over its life. An in-service regulator’s key function will be to ensure
regulated parties assure the safety of an ADS over its life cycle. It will have a range
of functions and powers to ensure safety risks are comprehensively managed. The
third regulator comprises state and territory road transport regulators who will
retain responsibility for an automated vehicle’s access to the road network, vehicle
registration, road management, regulation of human drivers and other road users
as well as human driver licensing under existing state and territory laws;64
2. Access to the public road network will be regulated through registration and an
automated vehicle can be registered by a person just like a conventional vehicle.
Registered owners of vehicles will be required to hold compulsory third-party
insurance in order for their vehicles to be registered;65
3. The ADSE will be subject to a general safety duty to ensure the safe operation
of its automated vehicles, so far as is reasonably practicable. This duty rests with
the ADSE for the design life of the ADS and will be detailed in the AVSL. The
general safety duty places the onus of identifying risks onto the ADSE and allows
the ADSE to mitigate risks as it sees fit.66 To meet its general safety duty, as well
as generally ensure safe operation, the ADSE must also meet certain prescriptive
duties in the AVSL that support the general safety duty. These prescriptive duties
aim to support ADSEs to meet the general safety duty by providing some clarity
about minimum safety requirements, without limiting the scope of the general
safety duty itself. For example, the ADSE must ensure, so far as is reasonably practicable,
that systems are developed, used and maintained to carry out the general
safety duty; ensure that system upgrades to the ADS are installed safely and do
not result in the operation of an unsafe ADS; and make efforts to ensure the ADS
cannot be interfered with by third parties, so far as is reasonably practicable;67
4. An ADSE must ensure the vehicle operates in compliance with relevant road
rules when the ADS is engaged, including any jurisdictional differences and any
amendments when they come into force. The ADSE is responsible for complying
with dynamic driving task (DDT)68 obligations when the ADS is engaged;69
5. All jurisdictional MAII schemes (compulsory third-party and national injury
insurance schemes) should provide access for injuries and deaths caused when
ADSs are engaged. The key principle guiding this work is to “ensure no person is
better or worse off, financially or procedurally, in the relevant jurisdiction, if they
are injured by a vehicle whose ADS was engaged than if they were injured by a
vehicle controlled by a human driver;”
6. As part of its first-supply corporate obligations, ADSEs must outline their ongoing
data recording and sharing capability, including the ADS data it will record
and how it will provide the data to relevant parties. Operational aspects of data
access by motor accident injury insurers to assess liability (including adequate
legal frameworks) will be considered at a later stage of the in-service safety work
after states and territories have considered whether existing systems’ legal frameworks
support their access to data to assess liability for crashes;
7. In relation to non-MAII injury, damage and loss, as part of the first-supply minimum
financial requirements, ADSEs must hold an appropriate level of insurance
to cover personal injury, death and property damage caused by an ADS. Affected
individuals need to take private action for non-MAII injury, damage and loss. This
could include action by individuals for negligence for injury, damage and loss not
covered by the MAII scheme in the individual’s jurisdiction, or action for property
damage.
National legislation governing autonomous cars and a new safety regulator are both on the
drawing board, with a view towards national laws being in place by 2026.

60 See Department of Infrastructure, Transport, Cities and Regional Development “Automated vehicles
in Australia,” www.infrastructure.gov.au/transport/automatedvehicles/index.aspx; The Office of Impact
Analysis, “The regulatory framework for automated vehicles in Australia,” 4 April 2022,
https://oia.pmc.gov.au/published-impact-analyses-and-reports/regulatory-framework-automated-vehicles-australia
(hereafter Office of Impact Analysis 2022).
61 National Transport Commission, “Automated Vehicle Program Approach,” October 2019,
www.ntc.gov.au/sites/default/files/assets/files/NTC%20Automated%20Vehicle%20Reform%20Program%20Approach%20%28October%202019%29%20-%20Public%20version.pdf.
62 James Fernyhough, “Motorists, states set to pay for self-driving car crashes,” Financial Review, 17
January 2019,
www.afr.com/companies/financial-services/motorists-states-set-to-pay-for-selfdriving-car-crashes-20190117-h1a5ru.
63 Office of Impact Analysis 2022 (n 60).
64 Office of Impact Analysis 2022 (n 60) 15.
65 Office of Impact Analysis 2022 (n 60) 28–29.
66 Office of Impact Analysis 2022 (n 60) 31.
67 Office of Impact Analysis 2022 (n 60) 33.
68 Dynamic driving task (DDT) is defined as “all the operational and tactical functions required to operate
a vehicle in on-road traffic. This includes steering, acceleration and deceleration, object and event detection
and response, manoeuvre planning and enhancing conspicuousness through lighting, signalling and so on. The
DDT excludes strategic functions such as trip planning.” Office of Impact Analysis 2022 (n 60) 11.
69 Office of Impact Analysis 2022 (n 60) 43.

United States
In the United States, the Safely Ensuring Lives Future Deployment and Research
in Vehicle Evolution (SELF DRIVE) bill was passed by the House of Congress in
2017 but failed to get a vote in the Senate. More recently,70 the National Highway Traffic
Safety Administration (NHTSA), which is part of the US Department of Transportation,
has integrated automated vehicles into the existing safety standards such that the text in
the standards does not rely on the existence of steering wheels and driver’s seats, which
may not exist in fully autonomous vehicles. In addition, the NHTSA has incorporated
lane-keeping support, pedestrian automatic emergency braking, blind spot detection and
blind spot intervention into its Five-Star Safety Ratings programme. Such driver-assis-
tance technologies are the first steps toward fully autonomous vehicles but, more impor-
tantly, toward safer ones. Developing safer vehicles requires significant investments, so it
is important that the legislation provide a framework that is predictable, reducing the risk
of long-term commitment.
In an interesting initiative, the NHTSA has issued a Standing Order requiring manufacturers
and operators of automated driving systems and SAE Level 2 advanced driver-assistance
vehicles to report crashes to the agency.71 In issuing the General Order, NHTSA wanted to
evaluate whether the manufacturers of ADS and Level 2 ADAS systems and the vehicles
equipped with them, including manufacturers of prototype vehicles and equipment, were
meeting their statutory obligations to ensure that their vehicles and equipment are free of
defects that pose unreasonable risks to motor vehicle safety. Prior to the implementation
of the General Order, NHTSA’s sources of timely crash notifications were limited and
generally inconsistent across manufacturers, including developers. The General Order is
therefore focused on procuring timely and transparent notification of real-world crashes
associated with ADS and Level 2 ADAS vehicles from manufacturers and operators. With
this data, NHTSA can respond to crashes that raise safety concerns about ADS and Level
2 ADAS technologies through further investigation and enforcement. If NHTSA finds

70 United States Department of Transportation, “NHTSA Finalizes First Occupant Protection Safety
Standards for Vehicles Without Driving Controls,” National Highway Traffic Safety Administration, 10 March
2022, www.nhtsa.gov/press-releases/nhtsa-finalizes-first-occupant-protection-safety-standards-vehicles-without-driving;
see also United States Department of Transportation, “Automated Vehicles for Safety,” National
Highway Traffic Safety Administration, www.nhtsa.gov/technology-innovation/automated-vehicles-safety.
71 United States Department of Transportation, “Standing General Order on Crash Reporting,” National
Highway Traffic Safety Administration, www.nhtsa.gov/laws-regulations/standing-general-order-crash-reporting.


a safety defect, it is able to take action to ensure that unsafe vehicles are taken off public
roads or remedied, as appropriate.
Matthew T. Wansley72 comments that:
After hesitating for a decade, the National Highway Traffic Safety Administration (NHTSA)
is quietly experimenting with a novel regulatory strategy. Instead of setting standards, the
agency is using its statutory powers in unprecedented ways—ordering automation developers
to report crashes daily and directing rapid recalls that require changes to defective software.
NHTSA is betting that intense monitoring and the credible threat of recalls will push devel-
opers to prioritize safety. This … experimental strategy could be transformed into effec-
tive safety regulation. Regulators should (1) require that all new vehicles be equipped with
telematics that can send safety data and receive software updates over the air; (2) mandate
universal crash reporting; and (3) use recalls to force developers of automation systems that
create unreasonable risks to restrict where their systems can operate until they can develop
safer code. These steps could help unlock automation’s potential to prevent bloodshed on the
highway.

It is generally accepted that federal legislation is needed to establish an overarching regulatory
framework to provide for the safe and responsible use of autonomous vehicles and
of the technology supporting their deployment, and as a consequence “original equipment
manufacturers and vehicle developers alike will be looking to the Biden administration
for a federal roadmap to navigate this regulatory landscape.”73
In the absence of federal regulation, there is a plethora of laws and executive orders74
at state level allowing autonomous vehicle operations or testing
on public roads. Thirty-two states, including Washington DC, have current legislation,
and it is observed that as they have “often turned to autonomous vehicle manufacturers,
parts suppliers, and technology companies, among other stakeholders, for assistance with
drafting their laws, the resulting laws, as might be anticipated, create something of a
‘patchwork’ for compliance and implementation purposes.”75
It is beyond the scope of this chapter to analyse on a state-by-state basis the liability
and insurance arrangements in place or contemplated, but a brief reference to Michigan
will demonstrate the complexities that can emerge and the unresolved questions regarding
responsibility that remain. Public Act 332 of 2016 (Senate Bill 995) states that:
when engaged, an automated driving system allowing for operation without a human operator
shall be considered the driver or operator of a vehicle for purposes of determining conform-
ance to any applicable traffic or motor vehicle laws and shall be deemed to satisfy electroni-
cally all physical acts required by a driver or operator of the vehicle.

As David Christensen76 observes:

72 Matthew Wansley, “Regulating Automated Driving,” 15 August 2022, Cardozo Legal Studies Research
Paper No. 689, SSRN, https://ssrn.com/abstract=4190688.
73 Mark J. Fanelli and Caitlin Zeytoonian, “Will the Biden Administration Deliver on Federal Regulation
for Autonomous Vehicles?” Morgan Lewis, 10 November 2020,
www.morganlewis.com/pubs/2020/11/will-the-biden-administration-deliver-on-federal-regulation-for-autonomous-vehicles.
74 Aarian Marshall, “Who’s Regulating Self-Driving Cars? Often, No One,” Wired, 27 November 2019,
www.wired.com/story/regulating-self-driving-cars-no-one/.
75 See also, Melanie Musson, “Which states allow self-driving cars? (2021 Update)” AutoInsurance.org,
26 February 2021, www.autoinsurance.org/which-states-allow-automated-vehicles-to-drive-on-the-road/.
76 David E Christensen, “What driverless cars mean for Michigan Auto Lawyers,” Christensen Law,
www.hg.org/legal-articles/what-driverless-cars-mean-for-michigan-auto-lawyers-41853.


Michigan’s third-party litigation, available in serious auto accident injury and wrongful
death cases, is still first and foremost a question of liability. Auto accident defense attorneys,
whether they represent insurance companies or at-fault drivers, are always looking for com-
parative fault defenses to reduce their clients’ liability. That depends on the actions of the
driver, which now includes the autonomous vehicle’s programming.
This could result in a collision between Third Party no-fault claims and product liability
litigation. When a driverless car is involved in an accident, the question will be whether a
defect in the vehicle’s programming caused the “driver’s” behavior, and in turn the plain-
tiff’s injuries. This could pit insurance defense attorneys against auto manufacturers, as each
defendant seeks to pin liability for a severe crash on the other vehicle.
The introduction of driverless vehicles into the mix of motorists in Michigan and across
the country could force auto lawyers to get creative in their insurance claims and injury law-
suits. As vehicles’ AI take over more driving responsibilities, they will have to meld worlds of
no-fault law and product liability to make sure their clients get all the compensation they need.

Product liability
An alternative liability pathway for autonomous vehicles is to transfer liability to the
manufacturer. This proposition has the strong support of certain leading car manufactur-
ers who assert that all manufacturers who sell fully autonomous vehicles must accept
liability for cars involved in accidents that were in a fully autonomous mode at the time
of the accident.77
While the allocation of liability to the manufacturer does present a potential solution in
relation to the injury or damages sustained through the operation of a fully autonomous
vehicle, the limitations inherent in this proposition as a standalone solution are immedi-
ately apparent.
The first and most obvious relates to the level of autonomy under which the vehicle is
operating. If the vehicle is a Level 5 fully autonomous vehicle, then the liability proposi-
tion is workable. However, with vehicles in which neither an identifiable human driver
with full control of the vehicle nor a completely driverless vehicle system exists, ambigu-
ity in the allocation of liability and responsibility increases.78 In such cases, the driver
could argue that the vehicle’s autonomous systems should have taken over and averted
the accident, while the vehicle manufacturer could equally argue that the driver, absent a
completely autonomous system, must bear responsibility for the control of the vehicle.79
Ambiguities of this kind are not insurmountable. For example, in Germany, amend-
ments to the Road Traffic Act80 require automated vehicle manufacturers to install a

77 See for example Parliament of Australia, “Social issues relating to land-based automated vehicles in
Australia,” August 2017,
www.aph.gov.au/Parliamentary_Business/Committees/House/Former_Committees/Industry_Innovation_Science_and_Resources/Driverless_vehicles/Report
(hereafter Parliament of Australia, Social Issues), see, Volvo Car Australia, [4.9];
see also Parker O’Very, “3 ways self-driving cars will affect the insurance industry,” Venture Beat,
26 January 2018, https://venturebeat.com/2018/01/26/3-ways-self-driving-cars-will-affect-the-insurance-industry/,
“Google, Volvo, and Mercedes-Benz already accept liability in cases where a vehicle’s self-driving
system is at fault for a crash. Tesla is taking things a step further by extending an insurance program to
purchasers of Tesla vehicles.”
78 Parliament of Australia, Social Issues (n 77) [4.14].
79 Ibid.
80 German Road Traffic Act (Strassenverkehrsgesetz, “StVG”), 21 June 2017,
www.whitecase.com/publications/article/germany-permits-automated-vehicles#:~:text=On%2021%20June%202017%2C%20Germany,vehicles%20to%20use%20public%20roads.


“black box” that can identify whether the human driver had control of the vehicle at the
time of any accident in order to clarify liability issues. This does not, however, address
concerns that arise in relation to whether two distinct insurance policies are required to
cover each scenario.
Accordingly, it is thought that any quantum shift in liability for damages being directly
recoverable from manufacturers is more likely to take place once technology advances to
the stage of fully automated vehicles.81 In that context, it has been foreshadowed that cer-
tain manufacturers, such as Tesla, might elect to “bundle” motor vehicle insurance with
the sale of the vehicle and develop a hybrid model by self-insuring off their own balance
sheets and buying wholesale off the reinsurers.82
Regardless of the final landing that is reached relative to manufacturers assuming
or being legislatively affixed with responsibility for fully autonomous vehicles, there is
no doubt that increased automation will fuel a significant increase in product liability
claims.83 Driverless vehicles will likely continue to be vulnerable to the same types of
claims that non-autonomous vehicles are, including product liability cases focusing on
mechanical or physical defects, electrical system defects or software defects.84
To these must be added autonomous-technology-specific claims. Dani Ryskamp85 offers
the following insights:
The primary feature distinguishing the autonomous vehicle from the non-autonomous one is
the autonomous vehicle’s control system and software. Control systems typically consist of
LIDAR86 arrays and sensors, which the vehicle uses to “see” its surroundings. The impres-
sions from these systems are used by onboard computers to make driving decisions, which are
communicated to the vehicle for execution.
It’s not unrealistic, therefore, to assume that the first product liability cases involving driv-
erless vehicles will focus on defects in the LIDAR systems’ manufacturing (such as weak
mounting brackets), design (such as sensor placement resulting in “blind spots”), or instruc-
tions and warnings (such as a clear explanation of conditions in which the LIDAR may fail).
Software defects pose a potentially fertile ground for autonomous vehicle product liability
lawsuits. For instance, software designs that depend on inadequate sensor data (either in terms
of content or transmission speed) or that fail to perform safe ordinary driving manoeuvres

See also Freshfields Bruckhaus Deringer LLP, “Germany publishes draft law for the approval of fully
autonomous vehicles,” 17 February 2021,
https://digital.freshfields.com/post/102gr1m/germany-publishes-draft-law-for-the-approval-of-fully-autonomous-vehicles,
which explains: “The German Federal Ministry of Transport and Digital Infrastructure (BMVI) has
published a legislative proposal on the approval of completely driverless vehicles: the Autonomous Driving Act
(Gesetz zum autonomen Fahren). The draft passed the federal cabinet on 10 February 2021 and is expected to
be enacted mid-year.”
81 Hand (n 35).
82 “Tesla: ‘In the Future We Could Offer a Single Price for the Car, Maintenance, and Insurance,’”
Futurism, 25 February 2017,
https://futurism.com/tesla-in-the-future-we-could-offer-a-single-price-for-the-car-maintenance-and-insurance;
Huckstep (n 18).
83 Tiffany Y Gruenberg, “Self-Driving Cars Will Likely Increase Product Liability Litigation,” The
National Law Review, 22 January 2019,
www.natlawreview.com/article/self-driving-cars-will-likely-increase-product-liability-litigation.
84 For example, approximately 67 million Takata air bags have been recalled because these air bags can
explode when deployed causing serious injury or even death; see National Highway Department of Transport,
“Takata Recall Spotlight,” National Highway Traffic Safety Administration,
www.nhtsa.gov/equipment/takata-recall-spotlight.
85 Dani Alexis Ryskamp, “Product Liability Law for Self-Driving Cars,” 27 August 2021,
www.expertinstitute.com/resources/insights/product-liability-law-for-self-driving-cars/.
86 Light detection and ranging systems.


may quickly become the subject of litigation. Inadequate pattern recognition, collision avoid-
ance algorithms, or human-computer coordination may also lead to lawsuits.87

A further major concern, as mentioned above, relates to the potential for cyber hacking.
A recent article in Forbes,88 referring to the 2020 cyber attack encompassing an estimated
18,000 or more US companies, points to the same vulnerabilities in self-driving cars.
These vehicles will be outfitted with OTA (over-the-air) updating capabilities allowing
the vehicle manufacturer or self-driving technology provider to have access to the in-car
onboard computer systems and the AI driving system, doing so via the OTA electronic
connection. This connectivity creates vulnerability to network-based attacks of various
kinds with privacy or safety implications where the cyber hack might attempt to override
the AI driving system, getting access to the driving controls of the self-driving car.
Accordingly, Max W Gershweir89 stresses the importance of cyber liability and infra-
structure liability insurance:
to protect against remote vehicle theft, unauthorised entry, ransomware, and hijacking of vehi-
cle controls, requiring coverage for identity theft, privacy breaches, and the theft or misuse
of personal data. There will also be a need for “cloud-based” server systems to manage traffic
and road networks, which could fail, as could external sensors and signals. Additionally, com-
munication problems originating at the system level might arise.90

With increased autonomy, it is inevitable that the focus will shift from driver liability
to possible manufacturer or design defects in the vehicle. This will potentially implicate
other policy types, including product liability insurance for manufacturers of autonomous
vehicles and their components, and necessitate apportionment of liability with new insur-
ance products which address product liability issues, as well as dealing with new and
emerging risks such as cyber security and data protection.91
Accordingly, the shift in responsibility for accidents from human drivers to autonomous
systems could result in a corresponding shift from compulsory third-party liability insur-
ance to insurance coverage of vehicle and software manufacturers, which in turn should
make it mandatory for manufacturers and suppliers to have insurance that is appropriate
and sufficiently broad to cover a number of risk areas, including public liability, product
liability and cyber risk.92

87 See also, Lexis Nexis, “Self-Driving Cars Run Into Product Liability Issues,” 23 September 2020,
www.lexisnexis.com/community/lexis-legal-advantage/b/insights/posts/self-driving-cars-run-into-product-liability-issues.
88 Dr Lance B. Eliot, “Largest Ever Cyber Hack Provides Vital Lessons For Self-Driving Cars,” Forbes, 29
December 2020,
www.forbes.com/sites/lanceeliot/2021/12/29/largest-ever-cyber-hack-provides-vital-lessons-for-self-driving-cars/?sh=783eac5f715e.
89 Max W Gershweir, “The future of liability insurance in the age of the driverless car: the US
perspective,” Kennedys Law, 1 April 2019,
www.kennedyslaw.com/thought-leadership/article/the-future-of-liability-insurance-in-the-age-of-the-driverless-car-the-us-perspective.
90 Cusano and Costonis (n 18) point to necessity for infrastructure insurance. They state: “Cloud server
systems, signals, and other safeguards that will be put in place to protect riders and drivers offer an annual
revenue potential of $500 million in premiums for property and casualty insurers who underwrite the value of
the hardware and software in play. The need to secure and insure the public infrastructure is likely to be vast
and much larger than $500 million, but governments often ‘self-insure’ these risks so the opportunity for
commercial insurance is likely to be lower.”
91 See, for example, Paul Tullis, “Self-Driving Cars Might Kill Auto Insurance as We Know It,” Bloomberg,
19 February 2019,
www.bloomberg.com/news/articles/2019-02-19/autonomous-vehicles-may-one-day-kill-car-insurance-as-we-know-it.
92 Social Issues (n 77), Insurance Commission of Western Australia, Submission 36, 4.


Insurance industry dynamics


Regulatory questions are not the only items on the disruption menu. Insurers face major
challenges deriving from significant change that is foreshadowed in relation to the owner-
ship and operation of autonomous vehicles. It is anticipated that a large percentage of fully
autonomous vehicles will be owned by motor vehicle manufacturers “such as General
Motors, by technology companies such as Google and Apple, and by other service provid-
ers such as ride-sharing services.”93 Examples include:

• General Motors’ investment in the ride-sharing company Lyft in a venture that
gives the automaker direct access to the growing market for ride-sharing and a
potential channel for offering self-driving cars for on-demand use;94
• Uber has agreed to purchase as many as 24,000 self-driving Volvos once the
technology is production-ready, putting the vehicles into its extensive ride-hail-
ing network;95
• Amazon-owned Zoox has unveiled an electric autonomous vehicle as part of an
intended robotic taxi enterprise;96
• Waymo, an autonomous driving technology company that started as the Google
Self-Driving Car Project in 2009;97 and
• Microsoft has invested in Cruise, the General Motors driverless car unit, in a
US $2 billion funding round that gives the autonomous driving company a $30
billion valuation.98

With most autonomous vehicles likely to be owned by original equipment manufacturers
and other service providers such as ride-sharing companies, Accenture and the Stevens
Institute of Technology99 predict the number of individual policies will decline, along
with revenues from premiums generated by these policies. Moreover, they add that “since
autonomous vehicles will be considerably safer than vehicles driven by humans, there will
be fewer road accidents, leading to reduced pricing for insurance policies.”100

93 Cusano and Costonis (n 18).
94 Greg Gardner, “General Motors invests $500M in Lyft, forms partnership,” Freep, 4 January 2016,
www.freep.com/story/money/cars/general-motors/2016/01/04/gm-lyft-partnership/78251804/.
95 Mike Isaac, “Uber Strikes Deal with Volvo to Bring Self-Driving Cars to Its Network,” New York Times,
20 November 2017, www.nytimes.com/2017/11/20/technology/uber-deal-volvo-self-driving-cars-.html.
96 Kara Swisher, “Autonomous Vehicles Take Another Big Leap,” New York Times, 14 December 2020,
www.nytimes.com/2020/12/14/opinion/Zoox-Amazon-self-driving.html?.
97 Andrew Buncombe, “Waymo Launches First US Commercial Self-Driving Taxi Service,” Independent,
5 December 2018,
www.independent.co.uk/life-style/gadgets-and-tech/news/waymo-self-driving-taxi-service-google-alphabet-uber-robotaxi-launch-us-a8669466.html.
98 Patrick McGee, “Microsoft invests in $30 billion driverless car company Cruise,” arsTechnica, 20
January 2021,
https://arstechnica.com/cars/2021/01/microsoft-invests-in-30-billion-driverless-car-company-cruise/.
99 Accenture 2017 (n 10).
100 Accenture 2017 (n 10).


For example, a detailed analysis by the Insurance Institute for Highway Safety in
the United States has determined autonomous cars may be able to prevent one-third of
crashes.101 Similarly, Johnathon P. Ehsani et al.102 report that:
In 2020, motor vehicle crashes were responsible for an estimated 38,680 deaths and close to
3 million injuries in the United States. Crashes persist as a leading cause of death throughout
the life span, with young people disproportionately affected. Human errors, caused by impair-
ment, fatigue, and distraction, are present in over 90% of crashes. Therefore, the possibility
that vehicles could drive without human involvement suggests that AVs have the potential to
save thousands of lives.

Figures from the US Department of Transportation’s National Highway Traffic Safety
Administration103 endorse the proposition that automated cars are expected to remove this
human error factor and lead to safer roads and fewer claims.
In this regard, it should not be thought that the roadway forward is without its bumps for
autonomous vehicles. Not surprisingly, given their relative novelty, accidents involving
autonomous vehicles are well-publicised and attract strong public interest. For example,
Tesla104 has been involved in several accidents that have been blamed on Tesla technology;
in one, the driver of a 2021 Tesla Model S told Californian authorities the
vehicle was in “full self-driving mode” when the technology malfunctioned, causing an
eight-vehicle crash on the San Francisco Bay bridge in December 2022. As the numbers
of vehicles in operation continue to increase, it can reasonably be expected that accident
numbers will also increase. Nevertheless, the future is extremely positive with companies
such as Uber Technologies Inc recently rekindling their vision of a self-driving taxi fleet
nearly two years after it sold its autonomous vehicle division.105
Moreover, with constant technology upgrades and innovation, ranging from advanced
sensors and cameras to increasingly robust testing and validation protocols becoming
standard, accident rates proportionate to driver-operated vehicles are expected to drop
significantly.
Accordingly, the reduction in the number of motor vehicle insurance policies driven by
changes in relation to the ownership and operation of autonomous vehicles, compounded
by a potential reduction in pricing due to lower accident rates, poses major challenges to
the traditional motor vehicle insurance market.
The rapid escalation in the availability of detailed data in conjunction with associated
analytics creates many and varied considerations and issues for insurers and others to
address; these include the following:

101 Joshua Dowling, “Autonomous cars won’t eliminate crashes—report,” Drive, 9 June 2020,
www.drive.com.au/news/autonomous-cars-won-t-eliminate-crashes-report/.
102 Johnathon P. Ehsani et al., “State Laws for Autonomous Vehicle Safety, Equity, and Insurance,”
Journal of Law, Medicine & Ethics 50, no. 3 (2022), 569–582.
103 United States Department of Transportation, “Automated Vehicles for Safety,” National Highway
Traffic Safety Administration, www.nhtsa.gov/technology-innovation/automated-vehicles-safety.
104 “Tesla behind eight-vehicle crash was in ‘full self-driving’ mode, says driver,” The Guardian, 23
December 2022,
www.theguardian.com/technology/2022/dec/22/tesla-crash-full-self-driving-mode-san-francisco.
105 See Jackie Davalos, “Uber Revives Self-Driving Taxi Dreams, Plans to Start This Year,” Bloomberg, 6
October 2022,
www.bloomberg.com/news/articles/2022-10-06/uber-self-driving-taxis-new-partnership-could-ferry-riders-as-soon-as-this-year.


1. With increasing automation and the focus of liability progressively migrating to
the vehicle, particulars of the driver, his or her driving capacities as recorded by
telematics and his/her claims history, will be subordinated to the detailed informa-
tion as to the autonomous vehicles’ control system and software. Risk assessment
and rating will be driven by these vehicle factors, and insurers will need to develop
a whole new set of skills and expertise in-house to fully understand the intri-
cate mechanical and technological details of every motor vehicle.106 At the same
time, actuarial risk calculations historically plagued by information asymmetry
issues will be substantially mitigated by rich data flows in real time from insured
vehicles, operators/owners, surrounding vehicles and a myriad of other connected
technology sources;
2. Industries that to date have sat outside insurance risk management will have the
potential to become competitors, as auto manufacturers and technology companies
see value in vertically integrating risk protection into their supply chains.
Fabian Pütz et al.107 point out that the rise of CAV will have a profound impact on future
competition in the motor insurance market.
This is due in part to changing societal mobility approaches leading to a shift in customer-
interfaces in the motor insurance market. This is because the potential shift of the status
of the vehicle owner from individuals to commercial businesses would transform the motor
insurance market from a retail mass-market (B2C with demand-sided polypoly) to a more
B2B market with a demand-sided oligopoly. Additionally, CAV will impact motor insurance
competition due to new (digital) business ecosystem platforms using in-vehicle data for inno-
vative service offerings. The current legal and technical status quo for access to in-vehicle
data potentially hampers third party providers such as insurance companies to offer their own
telematics-based services.

3. The age of fully autonomous vehicles likely will also have a major impact on
claims and their handling. In relation to claims that are made, managing and using
the voluminous data collected by autonomous vehicles may be very significant in
relation to claims handling and determination of liability. This data is likely to
be critical for establishing the cause of an accident and the attribution of liabil-
ity. For claims to be handled as swiftly and smoothly as possible, it will be vital
that insurers and other parties with a legitimate interest have access to the relevant
in-vehicle data that establishes the facts of an accident, so that liability can be
correctly apportioned. Assuming complete cooperation in relation to data sharing
between insurers and motor manufacturers, insurers will be able to determine a
better picture of what happened in any accident without the insured’s input.108

106 Huckstep (n 18).


107 Pütz et al. (n 25).
108 Huckstep (n 18).


Conclusions
This brief overview demonstrates that autonomous vehicles will disrupt the global insur-
ance market, presenting both challenges and opportunities for manufacturers, insurers
and others.
In resolving the question of where and how to affix liability for accidents involving auton-
omous vehicles, the content of, and the debates surrounding, the passage of the Automated
and Electric Vehicles Act 2018 (UK) and the Autonomous Driving Act 2021 (Germany)
merit careful attention. Similarly, close consideration, and adoption, of comprehensive
across-the-board legislative frameworks such as that detailed by the Law Commission of
England and Wales and the Scottish Law Commission (the Law Commissions)109 is essen-
tial to achieve a comprehensive regulatory framework for self-driving vehicles.
Regulatory regimes that separate out liability strands, such that multiple policies may
be required to address the spectrum of risks that might cause an accident, will inevita-
bly not only increase transaction (and premium) costs but generate delay and confusion
around the expeditious delivery of compensation. Whether this will be through the chal-
lenge of having traditional motor vehicles and autonomous vehicles on the road at the
same time, or through nuanced applications of various liability regimes, the reality is that
costs will increase, and vulnerable injured parties may suffer. Arguably, a single insurer
solution presents the best prospect of achieving alignment between “horseless” and “driv-
erless” carriages in aligning risk and liability.
It is clear that cooperation and collaboration between governments, manufacturers,
insurance providers and technology companies will be essential if the journey to fully
autonomous vehicles is to be hastened. For example, the European Commission110 recently
stated that “Europe must seize the opportunities presented by connected, cooperative,
and automated mobility” (CCAM) and recognised that this ambition was best realised
through joint initiatives in research and innovation, and through other partnerships focus-
ing on digital technologies. Moreover, collaboration was required to address matters such
as harmonisation and coordination of relevant traffic rules, liability for automated vehicles
and to ensure that the key digital enablers are in place—including electronic components
for mobility, network infrastructure, cloud-to-edge resources, data technologies
and governance as well as AI.111 Globally, the challenges and opportunities presented by
autonomous vehicles will best be addressed by government and industry collaboration.
For insurers, the shift towards autonomous vehicles presents challenges to adapting
their policies and premiums to reflect the changing landscape and to compete for business.
On the positive side of the ledger from an insurer perspective, three areas with significant
potential for insurers in the period from 2020 to 2050 have been identified in relation to
cyber security, infrastructure insurance and product liability.112

109 Joint Report 2022 (n 6).


110 COM 789 (n 15) [57].
111 COM 789 (n 15) [67].
112 Cusano and Costonis (n 18).

Chapter 8

Autonomous Ships

Liability and Insurance

Maurice Thompson and Martin Davies

CONTENTS
Introduction
Liability insurance for ships and shipowners
Choice of law for product liability
Limitation of liability and networking of its effects
Classification societies
Maritime cyber risks
Conclusion

DOI: 10.4324/9781003319054-8

Introduction
Autonomous, crewless ships are in an advanced stage of development, much as autono-
mous, driverless road vehicles are. Autonomous ships are generally referred to as MASS
(maritime autonomous surface ships), and they are expected to begin commercial opera-
tions within the next ten years. Law-making bodies are already moving to make regulations
to accommodate crewless vessels of various sizes.1 From 2018 to 2021, the International
Maritime Organization (IMO, an agency of the United Nations) conducted a “scoping”
exercise to assess the degree to which the existing regulatory framework of international
IMO legal instruments may need to be modified to make them applicable to MASS.2
The IMO’s definition of “MASS” is unfortunately broad, encompassing everything
from futuristic robotic drones to ships that are plying the seas right now:3 “A ship which,
to a varying degree, can operate independent of human interaction.”4 For example, many
“traditional,” crewed ships already operate with significant levels of automation of func-
tions that historically were performed by humans. The engine rooms on many existing
ships are equipped with systems that allow normal operation to continue for hours on
end without manual intervention or human observation, employing automated monitoring
and alarm systems that signal the need for human intervention, when necessary, by crew
members on board. There are already extensive regulations governing the operation of
UMS (unattended machinery spaces) on existing vessels,5 and more elaborate ones are
being developed that can be adapted to ships with more advanced levels of automation.6
Existing ships with UMS would qualify as MASS under the IMO’s definition, which is
reflected in the fact that the IMO prescribed four provisional “degrees of autonomy,” the
first of which would apply to an existing ship with UMS:7
(1) Ship with automated processes and decision support. Seafarers are on board to
operate and control shipboard systems and functions. Some operations may be
automated and at times be unsupervised but with seafarers on board ready to take
control;
(2) Remotely controlled ship with seafarers on board. The ship is controlled and oper-
ated from another location, but seafarers are on board to take control and to oper-
ate the shipboard systems and functions;

1 For example, on 6 October 2022, the UK’s Maritime & Coastguard Agency released a consultation paper
seeking comments on a proposed statutory instrument entitled “Merchant Shipping (Small Workboats and
Pilot Boats) Regulations” 2023, which is designed to provide a single point of reference for all of the manda-
tory requirements and guidance concerning small workboats, including MASS operating as workboats: see
Maritime & Coastguard Agency, “Consultation Document,”
www.gov.uk/government/consultations/the-merchant-shipping-small-workboats-and-pilot-boats-regulations-2023/consultation-document.
2 IMO Maritime Safety Committee, “Framework for the Regulatory Scoping Exercise for the Use of
Maritime Autonomous Surface Ships (MASS)” MSC 100/20/Add.1, Annex 2, para 2.
3 Robert Veal, “Regulation and liability in remote controlled and autonomous shipping: a panoptic view”
(2020) 45 Tul Mar LJ 101.
4 International Maritime Organization, “Report of the Maritime Safety Committee on its Ninety-Ninth
Session” (16–25 May 2018) MSC 99/WP.9, Annex 1, para 3.
5 See, e.g., Netherlands Regulatory Framework—Maritime, “ItoRO No. 17—Unmanned Machinery
Space—Notation (UMS),” https://puc.overheid.nl/nsi/doc/PUC_1197_14/2/.
6 See, e.g., Lloyd’s Register, “Unmanned Marine Systems Code,” www.lr.org/en/unmanned-code/
7 MSC Framework (n 2) para 4.


(3) Remotely controlled ship without seafarers on board. The ship is controlled and
operated from another location. There are no seafarers on board to take control and
to operate the shipboard systems and functions;
(4) Fully autonomous ship. The operating system of the ship is able to make decisions
and determine actions by itself.
This chapter focuses on MASS in categories 3 and 4—i.e. ships without crew members on
board. Although the appellation is rather unwieldy, we will call these “crewless MASS”
to distinguish them from crewed MASS in IMO categories 1 and 2. Crewless MASS pose
new liability risks and, thus, the need for new insurance responses. Laws, both national
and international, are changing to accommodate crewless MASS, and the insurance
market is responding accordingly. After the “scoping exercise” was completed, the IMO
began work in 2022 on the development of a non-mandatory MASS Code with a view to
adoption in the second half of 2024; experience gained in the application of the non-man-
datory Code will shape the development of a mandatory MASS Code, which is envisaged
to enter into force on 1 January 2028.8
Liability claims in relation to traditional, crewed ships usually arise as a result of human
error of some kind. Navigational mistakes on the part of humans on the bridge of a ship
lead to collisions9 and other maritime casualties.10 The owner or operator of the ship is
held liable under familiar principles of vicarious liability for the fault of the people on the
ship, or strict liability for failing to perform contractual promises for safe carriage of pas-
sengers or cargo.
In contrast, liability for loss or damage caused by crewless MASS in IMO category
4 will seldom arise as a direct result of human error in the operation of the ship. One of
the perceived advantages of crewless MASS is the reduction of the possibility of damage
caused by human error, although human error remains possible in the case of remotely
controlled crewless MASS in IMO category 3, which will be controlled by a shore-based
operator (SBO). A crewless MASS in IMO category 4 will only be able to cause damage
as a result of some kind of malfunction or another failing of the ship’s operational systems.
A crewless MASS in IMO category 3 may cause damage either as a result of human error
by the SBO, or some kind of malfunction or other failing of the ship’s remote-control
systems.
Thus, there is a fundamental difference between the present framework of liability for
the operation of crewed ships and the likely future framework of liability for the operation
of crewless MASS. At present, liability finds its way, by one legal means or another, to the
shipowner or operator, which insures against liability in ways explained in the section of
this chapter entitled “Liability insurance for ships and shipowners.” In future, there is the

8 International Maritime Organization, “Autonomous shipping”
www.imo.org/en/MediaCentre/HotTopics/Pages/Autonomous-shipping.aspx#:~:text=IMO%20has%20recently%20completed%20a,with%20varying%20degrees%20of%20automation.
9 For a recent example of a UK Supreme Court decision about sailing errors leading to a collision between
ships, see Nautical Challenge Ltd v Evergreen Marine (UK) Ltd (The Alexandra 1 and Ever Smart) [2021]
UKSC 6, [2021] 1 Lloyd’s Rep 299.
10 The catastrophic oil spill from Exxon Valdez in Prince William Sound, Alaska, was the result of error
on the part of the master, which culminated in the US Supreme Court holding the owner responsible: Exxon
Shipping Co v Baker, 554 US 471, 128 S Ct 2605 (2008).


possibility that liability may also find its way to the manufacturer or designer of a MASS
or its operational systems, the entities responsible for the relevant system malfunction or
failure.
The insurance of traditional, crewed ships is built upon the premise of limited liability
of shipowners and operators, which is explained in the section of this chapter entitled
“Limitation of liability and networking of its effects.” The potential liability of manu-
facturers and designers of crewless MASS and their operational systems will depend on
what law governs their activities (a question considered in the section entitled “Choice of
law for product liability”), but it would typically, if established, be unlimited in amount.
That will only change if manufacturers and designers are able to bring themselves under
the umbrella of limited liability that presently protects ship operators, a possibility con-
sidered in the section entitled “Limitation of liability and networking of its effects,” or
to take advantage of some yet-to-be-devised scheme of limitation applicable directly to
them. The section of the chapter entitled “Classification societies” explains the role of
classification societies and how they, too, may face the risk of unlimited liability
in an era of MASS, unless they can bring themselves within the protection of a limited
liability regime.
Maritime cyber risks are already a threat to shipping, and that threat will increase with
the development of crewless MASS.11 Much of the standard equipment on modern ships
requires storage and transmission of digital information on and by computer systems.
This is true of bridge systems such as voyage data recorders (VDRs) and electronic chart
displays (ECDIS),12 cargo handling and management systems, unattended machinery
space (UMS) control and monitoring systems, and communication systems. Disruption
of the storage and transmission of that information, either maliciously by hacking or the
introduction of ransomware or malware, or accidentally by the unintended consequences
of benign actions such as software maintenance, can lead to information or the whole sys-
tem being corrupted, lost or compromised. As long ago as 2017, the IMO published mari-
time cyber risk management guidelines for all ship operators.13 Cyber risks have increased
considerably since then, and they are of special significance for crewless MASS, which
rely on the use of digital technology to an even greater extent than traditional, crewed
ships.14 The cyber risks associated with crewless MASS and the development of maritime
cyber security insurance will be considered in the section entitled “Maritime cyber risks”
in this chapter.

11 Hasan Mahbub Tusher et al., “Cyber security risk assessment in autonomous shipping” (2022) 24
Maritime Economics and Logistics 208, 211–215 (hereafter Tusher).
12 Mandatory carriage of ECDIS (Electronic Chart Display and Information System) on all oceangoing
ships was phased in from 1 July 2012 to 1 July 2018; it is required by the International Convention for the Safety
of Life at Sea (SOLAS) (Opened for signature 1 November 1974, entered into force 25 May 1980) 1184 UNTS
278. See International Maritime Organization, “ECDIS—Guidance for Good Practice” (16 June 2017)
www.classnk.or.jp/hp/pdf/activities/statutory/ism/imo/msc1-circ1503-rev1.pdf.
13 International Maritime Organization, “Guidelines on Maritime Cyber Risk Management” (MSC-FAL.1/Circ.3,
5 July 2017) wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf.
14 Tusher (n 11) 211.


Liability insurance for ships and shipowners


Liability insurance for ships and shipowners is provided not by commercial insurers, such
as Lloyd’s of London, but by mutual self-insurance collectives known as Protection and
Indemnity Associations, or P&I Clubs.15 Twelve of the largest P&I Clubs make up the
International Group of P&I Clubs; between them, these 12 provide marine liability cover
for about 90% of the world’s ocean-going tonnage.16 The International Group oversees
a Pooling Agreement between the member Clubs, which provides a mechanism for the
sharing of claims that exceed US $10 million. The combination of group pooling and the
reinsurance that the pool buys on behalf of the member Clubs provides (in 2022) a maxi-
mum amount of US $3.1 billion of cover for claims arising out of a single incident (US $1
billion for oil pollution claims).17
Because each shipowner that enters a ship in a P&I Club is both (co-)insurer and assured,
the concept of mutuality is of central importance to the operation of P&I insurance. One
consequence of this fact is that the list of risks covered is very broad and generous, cover-
ing most of the liabilities that could conceivably be incurred in the operation of a com-
mercial trading ship,18 including (among many other things) fines relating to the accidental
discharge of oil, a risk that would most certainly not be covered by commercial insurers.19
In addition to the extensive list of risks covered, each Club also has an “omnibus rule,”
which covers any other liabilities, costs or expenses incidental to the business of owning
or operating a ship if the Members’ Committee (or Board) approves cover for the claim.20
Thus, even if a claim does not fall within the extensive list of covered liabilities, a group of
shipowner representatives within the same Club can agree that the liability claim should
nevertheless be paid, usually on the basis that if the same circumstances had given rise to
a claim against another member, that member would similarly expect coverage. That is the
quintessential definition of mutuality: “There but for the grace of God, go I.”
In essence, P&I mutuality means that commercial shipowners share among themselves
all liability risks that any of them might face when operating their ships. That is impor-
tant because the liability risks faced by uncrewed MASS will be very different from
those presently faced by crewed ships. For example, claims arising from illness or injury
to crew members presently make up a significant portion of Club liabilities.21 The most
common type of liability covered by each of the Clubs—liability for cargo claims—often

15 The P&I Clubs themselves would no doubt insist that they provide indemnity insurance, rather than
liability insurance, because each Club offers cover on a “pay to be paid” basis that requires—at least in the-
ory—the Member to pay the covered liability before seeking an indemnity from the Club. In practice, most
Clubs act much like liability insurers do, at least for solvent Members.
16 International Group of P&I Clubs, “About the International Group,” www.igpandi.org/about/.
17 International Group of P&I Clubs, “The International Group pooling and GXL reinsurance contract
structure 2022 has now been finalised,” www.igpandi.org/article/international-group-pooling-and-gxl-reinsurance-contract-structure-2022-has-now-been-finalised/.
18 One significant exception is that, for historical reasons, Clubs cover only 25% of collision liability, the
other 75% being covered by the ship’s hull insurer: see, e.g., UK P&I Club, “Rules 2022” Rule 2, Section 10,
www.ukpandi.com/media/files/uk-p-i-club/rules/2022/rules-2022.pdf. Other International Group Clubs insure
on the same basis.
19 Ibid, Rule 2, Section 22(E).
20 Ibid, Rule 2, Section 24.
21 An analysis by the Swedish Club of claims for the years 2005–2014 showed that 24.5% of claims paid
were for injury or illness: Swedish Club, “P&I Claims Analysis,”
www.swedishclub.com/media_upload/files/Publications/P%26I%20Claims%20Analysis%20web.pdf,
Graph 4.5.


arises as a result of human error in cargo handling. Indeed, the reduction of incidents
arising from human error is often claimed to be one of the major benefits of the introduc-
tion of MASS. On the other hand, MASS may face liability risks that would not be faced
by their crewed counterparts. Damage caused by software malfunction or as a result of
interruption in data flow from ship to shore (or vice versa) is a risk more likely to be borne
by a MASS, even though cyber risks are a threat to all ships in the present environment.
If liability for such risks will be borne by the shipowner initially, as opposed to being
sheeted home directly to the software manufacturer or data transmission provider, it is a
liability likely to be faced more frequently by the operators of crewless MASS than by
traditional crewed ships.
Because there is much less mutuality of risk exposure between crewed and crewless
ships, there is therefore little or no basis for P&I insurance, as presently understood,
involving a mixture of both types of ship. For example, there is no obvious reason why
the owner of a crewless MASS would enter that ship in one of the existing P&I Clubs
that cover crew-related risks (among many other things), because it would then have to
pay into the pool of funds covering liability for crew claims, without any prospect of ever
calling on payment from the pool for the same kind of claim. Conversely, the owners of
traditional crewed ships might be reluctant to accept entry of a crewless MASS that would
be exposed to technical risks different in kind from those faced by their own ships.
There are at least two possible responses to this lack of mutuality between the owners of
autonomous ships and the owners of traditional crewed ships. The first is that a separate,
non-P&I, market for liability insurance for autonomous ships may be created, provided by
commercial insurers of liability risks—to the extent that one is even called for, given the
possibility that direct responsibility for failures may be directed to designers or manufac-
turers rather than shipowners. The other is that a separate system of P&I insurance, based
on mutuality, may develop solely for the owners of crewless MASS, who face similar risks
in the operation of their ships.
It is too soon to know which of these alternative insurance arrangements is likely to
develop in the future. It seems likely that the short- to medium-term response will be that
the owners of crewless MASS will seek liability insurance cover from commercial insur-
ers, at least until there is enough of a critical mass of such shipowners to make mutual,
group self-insurance on something akin to the P&I model a viable option. In the longer
term, owners of crewless MASS may decide to replicate the mutual, self-insurance model
that has been used successfully in the shipping industry for nearly 200 years, by creating
some form of P&I association for owners of the same kind of ships, facing the same kind
of liability risks.
Some of the existing P&I Clubs are already betting that the latter option will be the way
forward. For example, the Shipowners Club (an International Group member) already
provides a specialist policy for MASS risks, which it launched in 2018.22

22 The Shipowners’ Club, “Maritime Autonomous Vessel Liability Insurance,”
www.shipownersclub.com/media/2018/07/MAV-Liability-Insurance-Brochure_061118-1.pdf.


Choice of law for product liability


There seems to be a developing consensus that the designers and manufacturers of the
operating systems of crewless MASS must be expected to bear some liability for the
consequences of the malfunction of those systems. By whatever means liability ends up
with the systems designers and/or manufacturers, a question of prime importance (both
in practice and because of the focus of this book) is how such liability should be insured.
Before that question can be addressed, however, there is a threshold question that has, as
yet, received little attention. By what law should the liability of systems designers and/
or manufacturers be judged? This is by no means an abstract or theoretical question. To
state the obvious, the risk to be covered by liability insurance bought by systems design-
ers and/or manufacturers is directly related to the possible extent of their legal liability.
Determining by what system of law that liability will arise is an essential prerequisite to
assessing the magnitude of the risk.
It is highly likely that any damage caused by the malfunction of the operating systems
of a crewless MASS in IMO category 4 will occur somewhere other than the country
in which those systems were designed and/or manufactured. Even a remotely controlled
crewless MASS in IMO category 3 may well cause damage in a place far distant from the
country in which the shore-based operator (SBO) is operating its controls.23 A wrongful
act in one country leading to harm in another is a familiar problem in the conflict of laws,
but none of the complex choice of law principles that have been developed to deal with
this situation is ideally suited to deal with damage caused by a malfunctioning crewless
MASS at sea.
For example, the Rome II Regulation,24 which applies throughout the European Union
(including in the UK even after Brexit),25 provides the choice of law rules for non-con-
tractual obligations. Article 4(1) of Rome II states the basic rule that the law applicable to
a non-contractual obligation arising out of a tort/delict shall be the law of the country in
which the damage occurs.26 This general rule is unsatisfactory, even for traditional crewed
ships, if the damage occurs on the high seas outside the sovereign territory of any country.
What should “the country in which the damage occurs” be if the damage is sustained
by a ship on the high seas? Should it be the law of the flag of the damaged ship? Similar
questions might arise in a case of human error by an SBO of an IMO category 3 crewless
MASS if negligence in the country of the SBO were to cause harm on the high seas.
More significantly for present purposes, however, Article 5 of Rome II states a more
specific rule for product liability cases, which provides a cascade of possibilities, none of
which seems particularly well suited to the situation of MASS-caused harm:27
(1) [T]he law applicable to a non-contractual obligation arising out of damage caused
by a product shall be:

23 In 2018, the harbour tug RT Borkum, located in Rotterdam, was controlled from the floor of the
International Tug, Salvage & OSV Convention, which was taking place nearly 1200 km away in Marseille:
gCaptain, “Captain Demos Remote-Controlled Tugboat from 700 Miles Away,”
https://gcaptain.com/watch-captain-demos-remote-controlled-tugboat-from-700-miles-away/.
24 Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 (hereafter
Rome II), OJL 199/40.
25 Civil Jurisdiction and Judgments (Amendment) (EU Exit) Regulations 2019 (UK), SI 2019/479.
26 Rome II (n 24) art 4(1).
27 Rome II (n 24) art 5(1).


(a) the law of the country in which the person sustaining the damage had his or her
habitual residence when the damage occurred, if the product was marketed in
that country; or, failing that,
(b) the law of the country in which the product was acquired, if the product was
marketed in that country; or, failing that,
(c) the law of the country in which the damage occurred, if the product was mar-
keted in that country.
However, the law applicable shall be the law of the country in which the person
claimed to be liable is habitually resident if he or she could not reasonably foresee
the marketing of the product, or a product of the same type, in the country the law of
which is applicable under (a), (b) or (c).
(2) Where it is clear from all the circumstances of the case that the tort/delict is mani-
festly more closely connected with a country other than that indicated in para-
graph 1, the law of that other country shall apply. A manifestly closer connection
with another country might be based in particular on a pre-existing relationship
between the parties, such as a contract, that is closely connected with the tort/
delict in question.
The key operative concept of the “marketing” of a product is obviously not well suited to
the situation of systems designed for use on ships or, indeed, for ships themselves as defec-
tive products. As Professor Kurt Siehr observed about the application of Article 5 of Rome
II to traditional, crewed ships, it is artificial to speak of ships or ship-based systems being
“marketed” like other products.28 Article 5(1)(a) provides that the relevant law should be
that of the habitual residence of the person suffering the harm but only if the product was
“marketed” in that country. Ships may be advertised for sale on the internet or in inter-
national trade fairs, as may ship-based operating systems, but ships are not marketed like
cars, because they are not typically produced and sold by the manufacturer to customers
who were not identified in advance.29 Professor Andrew Dickinson has argued convinc-
ingly that advertising of a product should only qualify as “marketing” for purposes of
Article 5 of Rome II if the advertisement is targeted at potential end users with a view to
sales.30 If that is right, the only “marketing” that takes place in relation to a ship or ship-
based operating system takes place between the shipyard and the first owner of the ship
as they negotiate the specifications of the ship to be built.31 That “marketing” is likely to
take place either in the country of the shipyard or the country of the shipyard’s customer,
but it is very unlikely to occur (except by coincidence) in the country of habitual residence
of the owner of a ship or other property damaged by a malfunctioning crewless MASS.
If the ship or operating system was not “marketed” in the country of habitual residence
of the owner of the damaged ship or other property, the Rome II choice of law cascade
moves from Article 5(1)(a) to Article 5(1)(b), which chooses the law of the country in
which the product was acquired, providing the product was “marketed” in that country.
In the present context, that would point to the law of the country of the shipyard, which

28 Kurt Siehr, “The Rome II Regulation and Specific Maritime Torts: Product Liability, Environmental
Damage, Industrial Action” (2010) 74 RabelsZ 139, 142 (hereafter Siehr).
29 Ibid.
30 Andrew Dickinson, The Rome II Regulation: The Law Applicable to Non-Contractual Obligations
(OUP 2010) 372–373 [5.20].
31 Siehr (n 28) 142–143.


would be the place where the product was acquired by its first user. To the extent that any
“marketing” of the product occurred at all, some of it will presumably have occurred in
the country of the shipyard. Applying the law of the country of habitual residence of the
producer/shipyard is also consistent with the “escape clause” at the end of Article 5(1),
which points to the law of the country of habitual residence of the producer of the product
if that producer could not reasonably foresee the marketing of the product in the victim’s
country.32 This approach does, however, focus on the law of the place where the physi-
cal product was made, which may not be the place where it was designed. If a suit were
to be brought directly against the designer of a defective MASS or ship-based operating
system, it seems that Article 5 would still apply the law of the country where the physical
product was acquired, even if that is not the same as the designer’s country, because any
allegation of negligent design would still be an allegation of “a non-contractual obligation
arising out of damage caused by a product” for purposes of Article 5.
A further complication concerns the definition of the relevant “product” itself, which
could be the ship, or the operating system installed into that ship, or software installed
into that operating system installed into that ship. That question could influence the ques-
tion of what was “marketed” to whom by whom, and where, thus influencing the relevant
governing law.
Importantly, because computer software is an intangible capital asset, it probably does
not qualify as a “product” for purposes of Rome II at all,33 which means that, within the
European Union, the law governing the malfunctioning of such a product would have to
be chosen by the domestic, non-EU choice of law rules of the forum country. Obviously,
outside the European Union, where Rome II does not apply, the domestic choice of law
rules of the forum country will also have to select the governing law for both tangible
products such as MASS and intangible products such as the software that runs ship-based
operating systems. The choice of law rules applicable in product liability cases vary
considerably, even among countries that ostensibly take similar approaches.
For example, the choice of law rule for torts in both Australia and Canada applies the
law of the place of the wrong, with no “flexible exception.”34 Although these two common
law countries agree about the basic choice of law rule for torts, they differ about where the
tort occurs in a product liability case.
In Australia, if the plaintiff’s complaint in a product liability case is that the product was
negligently manufactured, the place of manufacture is regarded as being the place of the
wrong.35 If, however, the plaintiff’s claim is based on strict products liability, the plaintiff’s
complaint is not that the product was negligently manufactured, but that it was defectively
dangerous, so the place of the wrong is where the plaintiff suffers harm as a result of the

32 Siehr (n 28) 143.


33 Dickinson (n 30) 368 [5.12]; cf Marek Swierczynski, Łukasz Żarnowiec, “Law Applicable to Liability
for Damages Due To Traffic Accidents Involving Autonomous Vehicles” (2020) 14(2) Masaryk U J Law & Tech
177, 183, 186, who argue for an “autonomous meaning” of “product” in Rome II that would also apply to digital
content and algorithms.
34 John Pfeiffer Pty Ltd v Rogerson [2000] HCA 36, (2000) 203 CLR 503; Regie Nationale des Usines
Renault SA v Zhang [2002] HCA 10, (2002) 210 CLR 491; Tolofson v Jensen; Lucas v Gagnon [1994] 3 SCR
1022.
35 McGowan v Hills Ltd [2015] VSC 674; Vautin v BY Winddown Inc (No 4) [2018] FCA 426.


defect in the product.36 That, in turn, leads to the basic question of where a wrong occurs
when the damage is sustained on the high seas. The High Court of Australia has indicated
an unwillingness to answer that question, suggesting instead that an Australian court
should simply apply its own law, the lex fori, to maritime torts occurring on the high
seas.37 However, the High Court said that in such cases, the lex fori should be the common
law of Australia including “the general principles of maritime law or the maritime law of
the world,” rather than the law of any particular Australian state.38
Because there is no strict product liability in Canada, any claim for damage caused
by a defective product must allege negligence. Unlike their counterparts in Australia,
Canadian courts take the view that the place of the wrong in product liability cases is the
place where the harm was suffered, not the place of the allegedly negligent act/omission.39
However, rather like its counterpart in Australia, the Supreme Court of Canada takes the
view that Canadian courts should apply a body of federal Canadian maritime law when
damage is suffered on the high seas, as opposed to the law of any particular province.40
Accordingly, with just this limited comparison between the laws applicable in two
Commonwealth countries, it should be clear that the use of MASS has the potential to add
even further complexities to the already complex sphere of conflict of laws.
Returning to the main question of insurance, it should by now be obvious that the scope
of the risk for liability insurers of manufacturers and designers of crewless MASS or
ship-based operating systems (including those of crewed MASS) is far from clear, simply
because it is not at all clear what law will govern their liability. Courts in some countries
may apply the law of the place of manufacture; others may apply the law of the place of the
harm (wherever that is); others still may apply their own law, the lex fori. Just as there is no
uniformity of choice of law principles, so equally there is no uniformity of the substantive
law that may govern the liability of manufacturers and designers: Some jurisdictions have
fault-based laws, others have strict liability for product liability. The probable result is that
insurers will have to underwrite very conservatively, or perhaps with extensive exclusions
until a more predictable pattern of liability works itself out.

Limitation of liability and networking of its effects


Limitation of shipowners’ liability is one of the distinctive features of maritime law, a
feature upon which much of the economics of maritime commerce, and hence of international
trade, is based. Shipowners are able to limit the amount of their liability for claims
arising out of a single incident, which makes it easy for liability insurers (P&I Clubs) to
discern their maximum level of risk for any of the ships that they cover and to exclude
from their membership any ships assessed to introduce risk beyond that maximum
level. Limitation is not presently available to the manufacturers or designers of MASS

36 Amaca Pty Ltd v Frost (2006) 67 NSWLR 635; British American Tobacco Australia Services Ltd
v Laurie [2009] NSWSC 83.
37 Blunden v Commonwealth [2003] HCA 73, (2003) 218 CLR 330, 340 [23] (Gleeson CJ, Gummow,
Hayne, and Heydon JJ). See also CMA CGM SA v The Ship Chou Shan [2014] FCAFC 90, (2014) 224 FCR 384,
404–405 [91]–[92] (Allsop CJ, Besanko, and Pagone JJ).
38 Blunden (n 37) 337 [13].
39 Furlan v Shell Oil Co [2000] BCCA 404, 77 BCLR (3d) 35; Gulevich v Miller [2015] ABCA 411, 28 Alta
LR (6th) 217.
40 Whitbread v Walley [1990] 3 SCR 1273 [18]–[19] (LaForest J for the Court).

or ship-based operating systems, so if in future they are to be held liable directly for
harm caused by their products, the potential exposure for them and/or their insurers may
be far greater than that of their customers, the shipowners. Because there is no international
maritime equivalent of the UK’s “single insurer” system under the Automated and
Electric Vehicles Act 2018, which channels liability to a single insured source,41 there will
have to be some contractual solution by which the benefits of limitation and the risks of
unlimited liability are shared between shipowners and manufacturers or designers. To the
eyes of those not familiar with maritime law, the limitation of liability regime may appear
startling, if not shocking, but it is so fundamental a part of the shipping business that its
effect must be taken into account when considering insurance for a future of MASS and
automated systems.
The present-day worldwide system of limitation of shipowners’ liability traces its origins
to eighteenth-century England and the case of Boucher v Lawson.42 In Boucher, the
plaintiff shipped a cargo of gold bullion from Portugal to London on the defendant’s ship
Little Job. The bullion was shipped without the defendant owner’s permission, as it was
illegal at that time to export gold from Portugal to England. The ship’s master agreed to
carry the cargo and signed a bill of lading for carriage of the cargo to London, but once
the bullion arrived safely in London, he refused to hand over the cargo to the plaintiff on
request. The law reports are silent about what happened next, but presumably, the master
must have kept the gold because the plaintiff sued the defendant, the shipowner, who was
held liable in full for the master’s refusal to deliver the gold. The decision caused considerable
consternation among shipowners, who were concerned that it might expose them to
personal liability far exceeding the value of their investment in their ships. The British43
Parliament speedily passed the Responsibility of Shipowners Act 1734, which limited the
liability of shipowners to the value of the vessel at the end of the voyage, plus pending
freight.44 Initially, the value-based limit of the shipowner’s liability applied to claims of all
kinds, but the Merchant Shipping Act 1854 (UK) later provided that liability for personal
injury and death should be limited by reference to the tonnage of the carrying ship (at the
time, £15 per tonne), rather than by reference to its value.
The United States followed the UK’s lead in enacting limitation legislation in 1851.
The US legislation was passed as a result of litigation arising from the loss by fire of
the steamship Lexington in Long Island Sound en route from New York to Stonington,
Connecticut, with the loss of 139 lives and much valuable cargo. The Merchants Bank of
Boston sued the owner of Lexington for loss of a crate of gold and silver coins, and the US
Supreme Court eventually held that the shipowner was liable to the bank in full.45 This one
crate, among the many items of cargo lost in the fire, was worth over a third of the value

41 Automated and Electric Vehicles Act 2018 (UK) s 2(1) provides that where an insured automated vehicle
causes damage in an accident when driving itself on a road, the insurer is liable for that damage.
42 Boucher v Lawson (1733) Cas T Hard 85, 95 Eng Rep 53. Some of the details of the description here come
from a shorter but more factually descriptive report, Boucher v Lawson (1733) W Kel 155; 25 Eng Rep 533.
43 At the time, the Parliament was that of Great Britain, a country that came into existence in 1707 with the
union of England (and Wales) and Scotland; the United Kingdom did not come into existence until 1801, with
the union of Great Britain and Ireland. For the time being, at least, the country is called the United Kingdom of
Great Britain and Northern Ireland, after the secession of the Republic of Ireland in 1922.
44 Pending freight is money still owing to the shipowner from cargo-owners or passengers. In modern
practice, freight is very often prepaid before a voyage begins, so there is now seldom any pending freight after
a mid-voyage disaster.
45 New Jersey Steam Navigation Co v Merchants Bank of Boston, 47 US (6 How) 344 (1848).

of the ship, and so the Supreme Court’s decision clearly signalled that the shipowner’s
liability for all the lives and property lost in the disaster would far exceed the value of the
ship.46 Much as their British counterparts had done in Parliament after Boucher v Lawson,
American shipowners promptly petitioned Congress for statutory relief from what they
regarded as a potentially ruinous liability, arguing that their competitiveness in the international
shipping market would suffer if they were not put on the same protected footing
as their British competitors. In 1851, Congress passed the Limitation of Shipowners’
Liability Act, which, remarkably, is still in force in the United States.47 Like the British
Act of 1734 on which it was modelled, the American Act of 1851 limited the shipowner’s
liability to the value of its vessel at the end of the voyage in question, plus pending freight.
That is still the formula used in US law, although there is now an “uplift” of $420 per
tonne for personal injury and death claims if the value of the basic limitation fund is insufficient
to pay all claims.48
The preamble to the British Act of 1734 stated its protectionist purpose frankly: “To
prevent any discouragement to merchants.” The great Admiralty judge Dr Lushington
was equally blunt in observing that limitation of liability had nothing to do with justice for
those suffering damage or loss: “[T]he principle of limited liability is that full indemnity,
the natural rights of justice, shall be abridged for political reasons.”49 The protective effect
of limitation legislation is exemplified starkly by litigation that followed modern history’s
most famous shipwreck, the sinking of the Titanic. The owners of Titanic petitioned for
limitation of liability in the United States, and the US Supreme Court ultimately held that
the British owner was entitled to limit its liability under the US statute for damage caused
by its British-registered ship, even though that ship had, notoriously, never reached the
United States.50 The value of the vessel at the end of the voyage was, of course, nothing,
because it lay at the bottom of the Atlantic Ocean, with the result that the owner’s liability
was limited to almost nothing.51 Because the Act has never been amended since 1851,
there would be the same result today (remarkably; scandalously in the eyes of many).52
The United Kingdom abandoned the original value-based system of limitation in 1894,
adopting a tonnage-based system for all types of claim in the Merchant Shipping Act 1894
(UK) s 503, which meant that shipowners had at least some limited liability even if their
ships were lost in the incidents giving rise to liability. The tonnage-based system in the UK
Act of 1894 was emulated in international conventions in 1924 and 1957 and it forms the
basis of the international Convention on the Limitation of Liability for Maritime Claims

46 The previous owner of Lexington, Cornelius Vanderbilt, sold the ship to the New Jersey Steam Navigation
Co in 1838 for $60,000. The Merchants Bank of Boston recovered $22,240 for its lost crate of gold and silver.
47 The Act is now codified at 46 USC §§ 30501-12.
48 46 USC § 30506(b).
49 Cail v Papayanni (The Amalia) (1863) 1 Moo PC (NS) 471, 473; 15 Eng Rep 778, 779.
50 Oceanic Steam Navigation Co v Mellor, 233 US 718 (1914).
51 The limitation fund was based on the value of a few lifeboats plus “pending freight.” Apparently, the
owner subsequently made voluntary payments to some (but not all) of the plaintiffs, having fought successfully
to establish that it had no legal obligation to do so.
52 In 2019, the dive boat Conception caught fire during the night, off Santa Cruz, California. Thirty-four
people on board died in the fire. While the bodies were still in the wreck on the bottom of the sea, the owner
of Conception, Truth Aquatics Inc, petitioned the US District Court for the Southern District of California,
seeking to limit its liability under the Act of 1851.

1976 (LLMC 76).53 The original LLMC 76 was amended by a protocol in 1996 that entered
into force on 13 May 2004 (LLMC 76/96). The limits of liability under the 1996 protocol
were significantly increased by “tacit amendment” with effect from 2015.54
The tonnage-based LLMC limitation regime is in force in one form or another in
74 countries, all around the world. The unamended LLMC 76 is in force in 18 countries;55
LLMC 76/96 is in force in 56 countries, 36 of which are still party to LLMC 76, 14 of
which have denounced the original LLMC 76 and are party only to the Protocol of 1996,
and six of which have adopted the Protocol of 1996 without ever being party to the original
LLMC 76.56
In short, John Fletcher, the cunning but (apparently)57 thieving master of Little Job, set
in train a process that has become an integral part of the economics of international trade.
The international business of shipping is founded upon the bedrock premise of limited
liability. Liability for major casualties is limited by LLMC (or, in the United States, by the
1851 Act); liability for individual incidents of cargo loss or damage is also limited, by a
different international convention that gives effect to a set of rules governing international
carriage of goods by sea, known as the Hague-Visby Rules.58 The insurance premiums59
that ship operators pay to their P&I Clubs reflect the limited magnitude of their risk of
liability, which is in turn reflected in the freight rates that ship operators charge to carry
cargo, which is in turn reflected in the landed cost of all goods carried by sea. In other
words, if limitation of shipowners’ liability were to be abolished, the price of everything
carried by sea60 would increase because insurance premiums and freight rates would
increase as a consequence of the increased risk of liability. Although limitation can lead
to unsavoury results, it is too fundamental a part of the fabric of international trade to be
abolished now.
It is not only the owners of seagoing ships who have the ability to invoke the benefit
from the international regime of limited liability. If the commercial operation of the ship

53 Convention on the Limitation of Liability for Maritime Claims 1976 (opened for signature in London,
19 November 1976, entered into force 1 December 1986) 1456 UNTS 221 (hereafter LLMC 76), amended by
Protocol of 1996 to amend the Convention on the Limitation of Liability for Maritime Claims 1976 (opened for
signature in London, 2 May 1996, entered into force 13 May 2004) (hereafter LLMC 76/96).
54 The Legal Committee of the International Maritime Organization (IMO) resolved on 19 April 2012
(Resolution LEG.5(99)) to increase the limits in the 1996 Protocol. Because an insufficient number of IMO
member countries objected to the resolution within the stipulated period of time, the amendments entered into
force on 8 June 2015 as an amendment to the 1996 Protocol.
55 International Maritime Organization, “Status of IMO Treaties” (18 October 2022 edition),
wwwcdn.imo.org/localresources/en/About/Conventions/StatusOfConventions/Status%20of%20IMO%20Treaties.pdf.
56 Ibid.
57 The reports of the case never actually state that Fletcher kept the gold, but many of the arguments made
by counsel come close to suggesting that he did.
58 International Convention for the Unification of Certain Rules of Law relating to Bills of Lading (“Hague
Rules”) (opened for signature in Brussels 25 August 1924, entered into force 2 June 1931), amended by Protocol
to amend the International Convention for the Unification of Certain Rules of Law relating to Bills of Lading
(Visby amendments, or “Hague-Visby Rules”) (opened for signature in Brussels 23 February 1968, entered
into force 23 June 1977) 1412 UNTS 127. The Hague-Visby Rules, art 4 r 5, limit the carrier’s liability for
cargo loss or damage to 666.67 Special Drawing Rights per package or unit or 2 Special Drawing Rights per
kilogram, whichever is higher.
59 Technically, the premium paid to a P&I Club is known as a “call.”
60 The very title of a recent book says everything that needs to be said about the significance of international
carriage of goods by sea: Rose George, Ninety Percent of Everything: Inside Shipping, the Invisible
Industry that Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate (Picador, 2014).

is devolved to a charterer, which is often the case,61 the charterer will also be entitled to
seek to limit its liability under LLMC,62 and any owner or charterer that enters into a contract
for carriage of goods by sea may also be entitled to limit its liability for cargo loss or
damage under the Hague-Visby Rules if such rules are applicable.63
The only possible technical obstacle to an owner or operator of a crewless MASS relying
on the international regime for limitation of liability is the slim chance that crewless
MASS may not qualify as “ships” for purposes of the relevant international conventions.
There is no internationally uniform definition of what constitutes a “ship” or a “vessel,”
even though these terms are routinely used in international conventions concerning maritime
matters, including LLMC 76/96, which uses the term “ship” without defining it. For
example, the UN Convention on the Law of the Sea (UNCLOS) uses the words “ship,”
“vessel,” “device” and “equipment” to refer to things that might navigate on or under the
oceans, but it does not define any of those terms. It seems to follow, then, that what constitutes
a “ship” must be left to domestic law to decide.64 If a country has determined that
a crewless MASS constitutes a “ship” for purposes of its domestic laws concerning ship
registration, and has granted to that MASS nationality and the right to fly its flag, it ought
to follow that other countries that are party to UNCLOS ought to accept that the MASS is
entitled to exercise the navigational rights granted to ships, such as the right of innocent
passage in UNCLOS Art 17. UNCLOS Art 91 provides that every State Party “shall fix the
conditions for the grant of its nationality to ships,” and it can be argued that one of those
“conditions” is whether the relevant thing actually constitutes a ship according to the laws
of the flagging state.65
On the assumption that crewless MASS will be characterised as “ships,” which on its
face seems likely, presently only the “owner, charterer, manager and operator” of the
MASS will have the ability to seek to limit liability under LLMC 76/9666 if a malfunction
or other systems failure leads to damage. However, if the person suffering damage or
loss were to sue the manufacturer or designer of the ship-based systems directly, liability
would, on the face of it at least, be unlimited (if successfully established under the relevant
governing law). If the manufacturer or designer had to buy liability insurance to cover
potentially unlimited exposure, the insurer would have to charge premiums to cover the
risk of losses that the experience of crewed ships shows can occasionally be catastrophic.67
If the potential risk exposure of ship operators on the one hand and manufacturers and
designers on the other were to differ in this way, that would obviously have a significant
impact on insurability and the cost of insurance, which would have the overall effect of

61 Space does not permit a thorough explanation of the commercial arrangements for the division of responsibility
for various aspects of the operation of trading ships, which can be quite complex. They are explained, in
a non-technical manner, in Martin Davies, “Liability in the shipping industry” in Martin Petrin and Christian
Witting (eds), Research Handbook on Corporate Liability (Edward Elgar, 2023) 317–331.
62 LLMC 76/96 (n 53) art 1(2) provides: “The term ‘shipowner’ shall mean the owner, charterer, manager
and operator of a seagoing ship.”
63 Hague-Visby Rules (n 58) art 1(a) provides: “‘Carrier’ includes the owner or the charterer who enters
into a contract of carriage with a shipper.”
64 Robert Veal, Michael Tsimplis and Andrew Serdy, “The legal status and operation of unmanned maritime
vehicles” (2019) 50 Ocean Dev & Int’l L 23, 25–31.
65 Ibid, 27.
66 LLMC 76/96 art 1(2).
67 For example, it is estimated that the total cost of the grounding and capsizing of the passenger ship
Costa Concordia on Isola del Giglio in Italy was US $2 billion.

making the insurance of crewless MASS more expensive than the insurance of traditional
crewed ships. Requiring shipowners to indemnify manufacturers or designers against
direct liability for malfunctioning ship-based systems would simply shift the risk to shipowners,
who have traditionally insured on the basis of limited liability. The overall cost
of insurance would then likely be higher than it is at present; it would merely be borne
by a different party, the shipowner or operator—unless the liability of manufacturers and
designers could be brought under the umbrella of limited liability that protects shipowners
and operators, or under some yet-to-be-devised scheme of limitation applicable directly
to them.
Oddly enough, that first option may be easier than it seems. Although it is not yet clear
which national laws will impose liability (if any) on manufacturers and designers (see
section entitled “Choice of law for product liability”), it may nevertheless be possible
to extend the benefits of limited liability to manufacturers and designers of autonomous
ship-based systems in countries that are party to one or another version of LLMC. If
LLMC does not already protect manufacturers and designers—which it possibly might—
a relatively simple amendment would have that effect, although it must be acknowledged
that amendments to international conventions or protocols are a less-than-ideal solution
because they usually lead to patchy adoption by contracting states.
In their present form, LLMC 76 and LLMC 76/96 both already extend the potential benefit
of limitation to anyone for whom the shipowner is responsible. Article 1(4) provides:
If any claims set out in Article 2 are made against any person for whose act, neglect or default
the shipowner is responsible, such person shall be entitled to avail himself of the limitation of
liability provided for in this Convention.

This is complemented by Article 9(1)(a), which provides that the limit of liability calculated
by reference to the tonnage of the ship applies “to the aggregate of all claims which
arise on any distinct occasion … against [a “shipowner”] and any person for whose act,
neglect or default he or they are responsible” (emphasis added). Furthermore, the limit of
liability calculated by reference to the tonnage of the offending ship applies only once, to
all those entitled to limit their liability. That is the effect of Article 11(3), which provides:
A fund constituted by one of the persons mentioned in paragraph 1(a),(b) or (c) or paragraph
2 of Article 9 [i.e. a fund constituted by a shipowner, salvor, or ‘any person for whose act,
neglect or default he or they are responsible’] shall be deemed constituted by all persons mentioned
in paragraph 1(a),(b) or (c) or paragraph 2, respectively.

An example may make the operation of Article 11(3) a little clearer. In The MSC Napoli,68
the owner of the ship MSC Napoli instituted limitation proceedings in London after the
ship ran aground off the south coast of England, eventually becoming a total loss with
considerable loss of cargo.69 The owner constituted a limitation fund calculated by reference
to the tonnage of the ship; cargo claimants were then obliged to bring their claims
against the fund and to recover pro rata if the total of successful claims exceeded the
value of the fund. Two other liability defendants also faced cargo claims as a result of the

68 Metvale Ltd v Monsanto International SARL (The MSC Napoli) [2008] EWHC 3002 (Admlty), [2009]
1 Lloyd’s Rep 246.
69 The incident is perhaps best remembered by the fact that the people of Cornwall revived their age-old
practice of “wrecking,” scavenging cargo (including, famously, 17 BMW motorcycles) from containers that
washed up on the shore from the wreck of MSC Napoli.

loss of MSC Napoli. They were slot charterers that had contracted with cargo owners in
their own names.70 These slot charterers successfully claimed that they were entitled to the
benefit of the limitation fund constituted by the shipowner, by operation of Article 11(2)
of LLMC 76/96. As “charterers,” they qualified as “shipowners” for purposes of LLMC
76/96,71 so they would have been entitled to limit their liability as “one of the persons mentioned
in … Article 9.” The effect of Article 11(3) was that the limitation fund constituted
by one of the parties qualifying as “shipowner” (the actual shipowner) was deemed to be
constituted by all of the persons mentioned in Article 9, including the slot charterers.
Although a manufacturer or designer of MASS or ship-based operating systems could
obviously not qualify as a “shipowner” for purposes of Article 2 of LLMC 76/96, as the
slot charterers in The MSC Napoli did, they might nevertheless qualify as a “person for
whose act, neglect or default [the shipowner is] responsible.” The reference in LLMC to
persons for whom the shipowner is “responsible” was apparently designed to ensure that
the master and crew of the ship would be brought under the umbrella of limited liability—
and a single limitation fund established by the shipowner, at that, as The MSC Napoli and
Art 11(3) show. The reference to the shipowner being “responsible” for the act, neglect or
default of others was clearly intended to refer to persons for whom the shipowner is vicariously
responsible. It is at least arguable, however, that there is no reason why it should be
confined to situations of vicarious responsibility. If the shipowner assumes responsibility
for the liability of the manufacturer or designer by agreeing to indemnify them against
direct claims, it could then be said to be “responsible” for fault on their part.
The standard English textbook on limitation of liability simply states that “It is by no
means clear what is meant by the word ‘responsible,’” but it does go on to say “Article 1(4)
of the 1976 Convention is apparently wide enough to encompass agents and independent
contractors such as stevedores provided that the shipowner is responsible for their actions
as a matter of law.”72 The manufacturer or designer of MASS or autonomous operating
systems is obviously not in the same position as a stevedore hired by the shipowner to load
and unload cargo, but in some respects, their relationship to the shipowner is (or would be)
the same: An independent contractor engaged to perform some of the necessary functions
of the ship, on the basis of an indemnity from the shipowner. At least some support for this
position can be found in a recent English decision.
In Splitt Chartering APS v Saga Shipholding Norway AS (The Stema Barge II),73 the
Court of Appeal of England and Wales considered the meaning of the word “operator” in
Art 1(2) of LLMC 76/96. The barge Stema II was engaged to deliver cargo to a company
named Stema UK. It caused damage to an underwater cable when it dragged its anchor
during a storm. The barge was owned by a company named Splitt and chartered to an
affiliate of Stema UK, a Danish company named Stema A/S. There was no doubt that
both Splitt and Stema A/S were entitled to limit their liability under LLMC 76/96, as they

70 A slot charterer charters an agreed number of container bays from the owner or operator of a container
ship; it then sells the use of those container bays to cargo owners, contracting as carrier even though it has no
control over the physical operation of the ship.
71 “Shipowner” is defined to include “owner, charterer, manager and operator of a seagoing ship”: see n 62
above. Teare J held that “charterer” meant any kind of charterer, including slot charterers: The MSC Napoli (n
68) [17]–[19] (Teare J).
72 Patrick Griggs, Richard Williams and Jeremy Farr, Limitation of Liability for Maritime Claims (4th edn
Informa 2005) 13.
73 [2021] EWCA Civ 1880, [2022] 1 Lloyd’s Rep 170.

were “owner” and “charterer” of the barge, respectively. The question was whether Stema
UK was an “operator” of the barge because its personnel operated the machinery on the
barge and were involved in monitoring the weather and in the decision to leave the barge
at anchor during the storm. The Court of Appeal of England and Wales held that Stema
UK was not an “operator” of the barge, and so was not entitled to limit its liability under
LLMC 76/96, because:74
In my judgment the term “operator” must entail more than the mere operation of the machin-
ery of the vessel (or providing personnel to operate that machinery) … The term must relate
to “operation” at a higher level of abstraction, involving management or control of the vessel,
or else article 1(4) would be rendered otiose and categories of service providers would be
included notwithstanding their express exclusion by the contracting parties as revealed in the
travaux préparatoires.

It was not argued, either at first instance75 or on appeal, that Stema UK was entitled to
limit its liability because Stema A/S was “responsible” for Stema UK for purposes of Art
1(4). That appears to be because that was simply not so, as a matter of fact: Stema A/S and
Stema UK were simply associated companies who divided responsibility for certain functions
among themselves, without making either one legally responsible for the actions of
the other. Although the judgments in the Court of Appeal do not give any direct support to
the interpretation of “responsible” considered above, there is at least some obiter support
to be found in the following passage:76
I recognise, as did the judge, that it may be unfortunate if the limitation afforded to a group
of companies which comprises the owner, charterer and operator of a vessel is effectively lost
because an associated company provided crew for certain mechanical operations of the vessel.
However, such a group can take steps to bring all its associates within the umbrella of the
protection by ensuring that crew are seconded to the owner or operator and/or ensuring that
the owner or operator is responsible for the actions of the associate: given the importance of
limitation of liability to the viability of the enterprise, ensuring such protection would seem
to be an important business consideration for those engaged in international trade by sea and
one which they might be expected to arrange with care.

Presumably, a group of associated companies could “arrange with care” to extend the right
to limit to the associated company by using appropriate provisions in contracts between
the companies in the group. That interpretation is also supported by the court’s reference
to the travaux préparatoires of LLMC 76/96:77
There was also a proposal that the word “responsible” in article 1(4) be deleted and replaced
by the phrase “legally liable at law in the absence of a contract” in order to prevent shipowners
extending protection to other persons by contract, but that proposal was also rejected.

The travaux do indeed support the proposition that the word “responsible” was intended
to include those for whom a shipowner is contractually responsible,78 which lends further

74 Ibid 180, [58] (Phillips LJ, Sir David Richardson and Sir Launcelot Henderson agreeing), referring to
ASP Ship Management Pty Ltd v Administrative Appeals Tribunal [2006] FCAFC 23, (2006) 149 FCR 261.
75 Splitt Chartering APS v Saga Shipholding Norway AS (The Stema Barge II) [2020] EWHC 1294
(Admlty); [2021] 2 Lloyd’s Rep 307.
76 Splitt Chartering APS v Saga Shipholding Norway AS (The Stema Barge II) [2021] EWCA Civ 1880,
[2022] 1 Lloyd’s Rep 170, 180, [61] (Phillips LJ, Sir David Richardson and Sir Launcelot Henderson agreeing).
77 Ibid, 174 [17].
78 See Comité Maritime International, “The Travaux Préparatoires of the LLMC Convention, 1976 and
of the Protocol of 1996” (CMI 2007) 51–54, https://comitemaritime.org/wp-content/uploads/2018/05/Travaux

support to the argument that a shipowner could bring the manufacturer or designer of a
crewless MASS under the umbrella of LLMC protection by use of appropriate contractual
provisions.
If a manufacturer or designer of MASS or its systems would not already fall under
the definition of those for whom the shipowner is “responsible” if the shipowner agreed
to indemnify them against liability, then a very small amendment to LLMC would be
enough to achieve that result. The word “responsible” could be expanded to “responsible,
or for whose responsibility they have accepted liability by contract,” or words to that
effect. As noted above, though, a solution that depends upon the amendment of an existing
convention or protocol is never ideal. There is always also the spectre of unintended
consequences, i.e. that this apparently innocuous amendment might have the effect of
conferring protection far beyond what it was intended to achieve.
Article 2 of LLMC 76/96 defines the types of claims that are subject to a limitation of
liability under the convention. Assuming for present purposes that manufacturers and
designers can be protected by LLMC, the type of claim most likely to arise as a result of a
malfunction of a crewless MASS is defined in Art 2(1)(a):
[C]laims in respect of loss of life or personal injury or loss of or damage to property (including
damage to harbour works, basins and waterways and aids to navigation), occurring on board
or in direct connexion with the operation of the ship or with salvage operations, and consequential
loss resulting therefrom.

Although any fault on the part of the manufacturer or designer of autonomous shipboard
systems would be far removed in time and space from any damage or loss caused by
the malfunctioning of those systems, limitation should nevertheless still be available to
manufacturers or designers because the loss or damage would occur on board the crewless
MASS or in direct connection with its operation, even if the fault complained of did not.
Existing P&I Clubs are reluctant to cover any contractual liabilities that go beyond the
level imposed by law, because of the fundamental P&I premise of mutuality: Any liability
voluntarily assumed by a member is not a mutual risk shared by all, and so should not be
covered.79 As a result, existing P&I Clubs would be unlikely to cover any liability that the
owner of a crewless MASS was to assume voluntarily by way of a promise of indemnity
to a manufacturer or designer, but for reasons already considered in the section entitled
“Liability insurance for ships and shipowners,” the concept of mutuality does not work
well between traditional crewed vessels and MASS, in any event. If the future of liability
insurance for crewless MASS lies in the creation of new, MASS-specific P&I Clubs,
cover for an indemnity designed to bring manufacturers and designers under the umbrella
of limited liability may become a standard feature. If the future of liability insurance for
crewless MASS lies with commercial insurers, it would make obvious sense for insurers
to agree to cover these indemnity risks, because the alternative would be for manufacturers
and designers to be in the position of having to insure against unlimited liability.

-Preparatoirse-of-the-LLMC-Convention-1976-and-of-the-Protocol-of-1996.pdf. The proposal referred to in
The Stema II was originally made by the United States delegation (ibid, 52 n 12) but was eventually withdrawn
after it was opposed (ibid 54).
79 Steven Hazelwood and David Semark, P & I Clubs Law and Practice (4th edn Informa 2010) 220–222,
[12.48]–[12.53].


Classification societies
From the above discussion, readers not possessing any depth of knowledge of maritime
law will have noted that a principal reason for affording limitation of liability to those who
qualify under the various shipowners’ limitation of liability regimes is the betterment
of the economics of maritime commerce, and hence of international trade. The adoption
of a limitation of liability regime for shipowners etc. is therefore politically motivated.
“The policy evident in [limitation provisions] is the protection of the owner engaged in
the maritime carrying trade from financial ruin where his ship causes damage of the
prescribed kind.”80 That is worth repeating in advance of the following discourse relating
to “classification societies.” In other words, just as there would seem to be a case for
the extension/creation of a limitation of liability regime for certain manufacturers and
designers (as above), a not-too-dissimilar case can be made for the possible protection of
classification societies. To consider this, it is useful to review the underlying rationale for
the existence of classification societies themselves and then consider whether the role
they fulfil with regard to international shipping (historically, versus presently) has any
bearing on the question.
The commercial shipping industry is heavily regulated, and notwithstanding the sensation
that often accompanies a ship sinking, or grounding, and the media circus that can
generate, the industry is strongly safety and environmentally conscious, resilient and has
a good track record. Regulation needs to be as international as possible to minimise the
possibility that matters concerning the likes of ship construction and maintenance, navigation
and standards of crew training and competence are regulated differently per jurisdiction.
It would be a burden for ship-owning/operating stakeholders to have to navigate
an ever-changing regulatory landscape as the particular ship voyaged across the seas. It
would make little sense if different standards applied at the commencement of the marine
voyage in one country, to those applicable in potentially multiple other countries in transit,
and then the country in which the marine voyage concludes. Policing such a patchwork of
regulations would also lead to duplication and be unproductive.
Addressing this need for international focus, the maritime industry is well regulated
by a number of mature international bodies including the aforementioned IMO, which is
tasked as an agency of the United Nations to regulate the safety of ships and the protection
of the marine environment. The IMO sets standards via international diplomatic conventions
which its member states then adopt and enforce via their national laws. Given the
potential geographic range of service of any ship over its lifetime and the possible myriad
nationalities of its owners, disponent owners and other charterers, all of which will likely
be subject to multiple changes over the life of the ship, responsibility for the enforcement
of IMO regulations primarily rests with the ship’s “flag state;” that is, the country in which
the ship itself is registered at any given time, as opposed to the nationality of its owner etc.
A secondary layer of responsibility rests with “port state control,” which is the control
that a country may exert on foreign ships that enter or traverse its sovereign waters. Both
the flag state and the port state will police the IMO’s requirements, and the principal
method of doing so is via regularly mandated and often directly ordered inspections and
surveys of ships. These surveys are typically undertaken by classification societies or
other companies offering various marine classification services. There are 11 of the former
in the company of the “International Association of Classification Societies” (IACS)
which was set up to provide “an assurance of professional integrity and maintenance of
high professional standards.”81 The IACS member organisations currently classify in
excess of 90% of the world’s commercial shipping fleet. There are then a further 30–40
other companies offering various marine classification services.

80 China Ocean Shipping Co v South Australia (1979) 145 CLR 172 at 185 per Barwick CJ, quoted in Strong
Wise Ltd v Esso Australia Resources Pty Ltd (The APL Sydney) (2010) 185 FCR 149; [20110] 2 Lloyd’s Rep
555 at 561 [31] per Rares J.

Classification societies had their origins in the late eighteenth century when marine
insurers based at Lloyd’s coffee house in London developed a system for the annual independent
inspection of ships’ hulls and equipment presented to them for insurance cover.82
Their origins were rooted in the notion that a ship’s seaworthiness was central to most
ship-related transactions.83 Being in class does not imply, however, nor expressly warrant,
the safety, fitness for purpose or seaworthiness of a ship.84 It is merely an attestation that
the ship is in compliance with the standards that have been developed and published by
the particular classification society issuing the classification certificate. While the layers
of standard oversight provided by the likes of the IMO and port states rely on classification
societies to assist in “policing” these standards, the classification societies themselves do
not “enforce” any rules or standards. It is a nuanced relationship, in that the classification
society will publish (in the form of Rules) minimum technical requirements for the
design, construction, maintenance and survey of ships and other marine facilities, and
certify whether those requirements have been complied with. While they will make recommendations
to shipowners on matters of maintenance and safety etc. as they relate to
their Rules, which the shipowner will need to comply with in order to ensure that the ship
will be confirmed to remain “in class,” it is the shipowner who holds a non-delegable duty
to maintain a “seaworthy” ship.85
Without endorsement from a classification society, the ship’s insurance may be compromised,
or insurance may then be difficult or even impossible to obtain both for the ship and
any cargo to be carried on it. The lack of class certification could also be a breach of any
charter party itself, giving rise to the right of a charterer to terminate the charter party and
sue the shipowner or counterparty up the charter chain for damages. Further, failure to
evidence class certification could result in a ship’s access to a country’s ports and territorial
waters being limited or indeed prevented. Compliance with the Rules of a classification
society is a typical requirement of standard form contracts for shipbuilding,86 sale,87
hull and machinery insurance88 and P&I Club cover.89 Accordingly, classification surveys
are vital to the maritime industry, shipping, modern trade and commerce.

81 International Association of Classification Societies (IACS), “About IACS,” https://iacs.org.uk/about/
82 IACS, “What are Classification Societies?” www.iacs.org.uk/_pdf/Class%20monograph.pdf.
83 Hannu Honka, “The Classification System and its Problems With Special Reference to the Liability of
Classification Societies” (1994) 19 Tulane Maritime Law Journal 1, 2.
84 Sundance Cruises Corp v The American Bureau of Shipping (The Sundancer) 7 F 3d 1077 (2nd Cir
1994).
85 Koch Marine Inc v D’Amica Società di Navigazione ARL (The Elena D’Amico) [1980] 1 Lloyd’s Rep 75,
76 (Robert Goff J).
86 See, e.g., China Maritime Arbitration Commission (CMAC) Standard Newbuilding Contract (Shanghai
Form), art II.1, www.cnpi.org.cn/uploadfiles/hetong2-1. This form is widely used by Chinese shipyards.
87 See, e.g. Norwegian Shipbrokers’ Association’s Saleform 2012, cl 8(a)(v), www.bimco.org/Contracts-and-clauses/BIMCO-Contracts/SALEFORM-2012#.

Originally, classification societies were independent, self-regulated organisations that
had no commercial interests related to ship design, ship building, ship ownership, ship
operation, ship management, ship maintenance or repairs, insurance or chartering. At its
simplest, they were providing certified ship surveying services for insurers. That classic
role has slowly evolved, however, to the point that whether a classification society is acting
in a non-profit or profit-making capacity may impact what, if any, duties it might owe to
both those that engage it, and to third parties. That evolution has seen many classification
societies create profit-making subsidiaries that provide, among others, consultancy
services in connection with the requirements of classification. The benefit to shipowners
in taking advantage of these classification consultancy services is they can take steps
in advance of any required classification survey, to monitor and maintain their vessels
pursuant to recommendations from the classification society, and therefore reduce the
possibility that significant repairs or other action may be needed subsequent to the official
survey. The obvious benefit to a classification society is that it enables them to broaden
their service offering.
An impact of this development has been that despite the early contention that classification
societies were non-profit organisations that existed to provide services for the “public
interest” in the maritime sector, the increasing existence of a potential financial interest
has brought their independence into question. In turn, that has led to an erosion of the
notion that they could not be held to owe a duty of care to principals or third parties in
respect of their discharge of services.
In the context of a discussion as to autonomy in the shipping industry, be it via the
use of MASS or other autonomous craft such as drones,90 and how that may impact the
potential liability, or extent of liability, of a classification society, it is worth noting that
notwithstanding the integral part they play in relation to the seaworthiness of seagoing
ships, courts have historically been reluctant to hold classification societies liable to third
parties (e.g. subsequent purchasers of ships) who suffer loss as a result of some
condition of unseaworthiness.91 Indeed, there are very few decisions globally that have
assessed the liability of classification societies at all. In a way, that can be attributed to a
seeming “reluctance” on the part of aggrieved parties who may have suffered loss said to
be consequent upon services rendered by classification societies to actually
pursue a classification society. Most readers will be familiar with the “flood-gates”
theory, of being cautious not to permit what might, to that point, have been a novel claim,
lest it give rise to a “flood” of similar claims. The almost self-perpetuating “reluctance” to
hold classification societies liable to third parties to date might be described in a similar
style as reflecting a “dam-wall” type of thinking. That is, the dearth of case-law on point
internationally may evidence that claimants are themselves “reluctant” to run the financial
risk of pursuing a classification society given that same dearth of case-law upon which
they might weigh their chances of success.

88 American Institute of Marine Underwriters, “American Institute Hull Clauses (September 29, 2009),”
lines 272–274, www.aimu.org/forms/HullClauses2009.pdf.
89 See, e.g., UK P&I Club, “Rules 2022” Rule 5(K), www.ukpandi.com/media/files/uk-p-i-club/rules/2022/rules-2022.pdf.
90 Anthony Tarr, Julie-Anne Tarr, Maurice Thompson and Jeffrey Ellis, Drone Law and Policy: Global
Development, Risks, Regulation and Insurance (Routledge 2022) 100–107.
91 Marc Rich & Co AG v Bishop Rock Marine Co Ltd (The Nicholas H) [1996] AC 211 (HL); Sundance
Cruises Corp v American Bureau of Shipping (The Sundancer), 7 F 3d 1077 (2d Cir 1994).

While there are certain differences in the way classification societies are treated
between common law and civil law jurisdictions, one stated rationale for the reluctance
to hold them liable to third parties focuses on their otherwise potential liability exposure
if they were held liable to third parties. Without limitation, that liability exposure could
be many times greater than the fees that they charge for the limited services they historically
provided,92 thus making the risk uninsurable from their point of view. That could
risk their vital role in assisting in the maintenance of maritime commerce. In other words,
just as most shipping companies would not run the risks of carrying goods around the
world if they had no ability to limit their potential liability, classification societies would
be unlikely to continue to provide the vital services they do, if they were seen as a ready
target for lawsuits where their own liability might be unlimited.
The seminal English legal authority is Marc Rich & Co AG v Bishop Rock Marine Co
Ltd (The Nicholas H).93 In The Nicholas H, the House of Lords was faced with the question
of whether a classification society owed a duty of care to a third-party cargo interest
arising from the alleged careless performance of a survey of a damaged vessel by a
classification society which resulted in the vessel sailing and subsequently sinking.94 The
court held that it would not be fair, just, and reasonable to impose such a duty of care on a
classification society. Among others, the court held that:
(1) The recognition of such a duty would “disturb the balance created by the Hague
Rules and Hague-Visby Rules as well as by tonnage limitation provisions, by enabling
cargo owners to recover in tort against a peripheral party to the prejudice of
the protection of shipowners under the existing system.”95
(2) Classification societies act in the public interest and were created “for the sole
purpose of promoting the collective welfare, namely the safety of lives and ships at
sea,” filling a role that would otherwise need to be fulfilled by States.96 Recognition
of such a duty could adversely affect the willingness of classification societies to
continue providing their services;97 and
(3) Further to (2), recognition of such a duty would result in classification societies
becoming potential defendants in many cases,98 which would necessitate a further
layer of insurance, complicate otherwise straightforward claims procedures
between (for example) cargo interests and shipowners, and, again, could result in
the classification societies becoming unwilling to conduct the necessary surveys.99
The approach adopted by the English courts was not born overnight in response to any
particular set of facts or in respect of classification societies generally. It had its origins in
the three-pronged interpretation developed via the judgments in Anns v Merton London
Borough Council100 through to the milestone English cases of Donoghue v Stevenson,101
Hedley Byrne & Co Ltd v Heller & Partners Ltd102 and Dorset Yacht Co v Home Office,103
then affirmed and developed further in Caparo Industries Plc v Dickman.104 As held by
the English Court of Appeal in Reeman v Department of Transport,105 “foreseeability,
proximity of relationship and the question of whether it is fair, just and reasonable to
impose a duty of care are matters which overlap and are really facets of the same thing.”

92 The Sundancer (n 91) 1084, pointing out that the plaintiff sought damages of US $264,000,000 from a
classification society that had charged $85,000 for its services.
93 [1996] AC 211 (hereafter The Nicholas H).
94 Ibid 240 (Lord Steyn).
95 Ibid 241.
96 Ibid 242.
97 Ibid.
98 The Court stated that NKK conducts approximately 14,500 surveys per year worldwide: ibid 241.
99 The Nicholas H (n 93) 241.

Nevertheless, The Nicholas H is not an authority for the proposition that a duty of care
will never be owed by a classification society towards a third-party claimant. The key to
the English approach is that the public policy arguments militating against imposing a
duty of care upon a classification society will always need to be balanced with the reasonable
imposition of such a duty in any particular circumstance.
As far as claims by third parties were concerned, the US courts took a different
approach, with the United States Court of Appeals for the Fifth Circuit deciding, in Otto
Candies LLC v Nippon Kaiji Kyokai Corporation (Otto Candies),106 to hold a classification
society liable to a third party for negligent misrepresentation. As Otto Candies was
the first such successful claim in the United States, there was a concern at the time that it
could result in a proliferation of claims in the United States against classification societies
for alleged negligence and/or negligent misrepresentation. While that proved not to be the
case, it goes to show the differing views internationally as to the original perceived effective
immunity of classification societies.
The developing tension as to the liability of classification societies and the limitation of
that liability has been the focus of some international considerations by Comité Maritime
International (CMI). In 2014, at the CMI’s Hamburg Conference, the then CMI Secretary-
General, Professor John Hare, appealed for this area of law to be carefully reviewed.107
That appeal was accepted and there has been considerable work done by the CMI on such
review, but no move has yet been made for any changes. Given the effective exponential
rise in research and development of MASS, even since that appeal in 2014, it will be a
challenge to keep any review and consideration for any change contemporary. That is, as
noted above, effecting amendments to international conventions or protocols is difficult
and time-consuming, and can lead to patchy adoption by contracting states which could
in fact exacerbate differences from jurisdiction to jurisdiction over a long period of time.
This brings us back to the development of MASS. Classification societies are more intimately
involved in the design and manufacture of MASS than they have historically been
in respect of traditional crewed ships, with their participation in respect of some MASS
now beginning before construction starts, with the design and testing of the software
and other systems to be used on board the MASS.108 Given the value of their role to the
shipping industry and international trade to date, that is to be applauded. However, this
increased involvement and their evolution as a service provider must surely bring with it
an increased risk of liability which may test the historical reluctance of the courts to hold
them liable for the “classic” and limited services they historically provided.

100 [1978] AC 728, 751.
101 [1932] AC 562, 580.
102 [1964] AC 1129.
103 [1970] AC 1004, 1027.
104 [1990] 2 AC 605, 617.
105 [1997] 2 Lloyd’s Rep 648, 677.
106 346 F3d 530 (5th Cir 2003).
107 https://comitemaritime.org/work/classifications-societies/#.
108 Det Norske Veritas (DNV), “Remote-controlled and autonomous ships position paper,” www.dnv.com/maritime/publications/remote-controlled-autonomous-ships-paper-download.html.

Consider the IACS Position Paper on MASS published on the IACS website in March
2019.109 IACS states that one of its “positions” is that it “will provide the expertise on
matters related to MASS.” It then provides a “Summary of work carried out by IACS on
this issue to date,” and under the sub-heading “Internal review of all IACS Resolutions
(2017),” it states that:
IACS considers the lack of specific requirements for hardware and software elements of
autonomous systems as the main barrier hindering the development of autonomous ships.
Without such requirements, verification and validation activities cannot be clearly defined and
properly executed. IACS would encourage a program of work in the coming years to tackle
this issue.

If the stated position that it “will provide the expertise on matters related to MASS” is
interpreted to mean “when the relevant MASS has been delivered,” then that might reflect
its historic expertise relative to the different classes of ships it provides services to. In
other words, once MASS are commonplace, one can expect that, by that time, IACS and
its members would have developed a degree of expertise unique to MASS (i.e. different to
crewed ships). However, if interpreted to mean that IACS or its members, even from that
time (i.e. March 2019), have that “expertise on matters relating to MASS,” then that raises
some questions. For instance, “how?” and “what are the boundaries of that said expertise?”
and “could it impact their potential liability?” In other words, if their services historically
were in relation to essentially just surveying, and later developed via subsidiaries
into services provided at the design and construction phase, then at the point in time that
technology is actually being developed by software engineers and designers and manufacturers
of detailed systems of safety, navigation etc., with an autonomous nature, it is
questionable whether the classification society itself can claim any relevant expertise
with regard to that technology, at least at that time.
A further sub-heading in that March 2019 Position Paper, namely in respect of
“Collaborative Work,” provides some further insight. IACS broadly describes various
examples of how IACS and its members are:110
actively cooperating with regulators and industry and using its technical expertise to consolidate
its position, and will look to develop and demonstrate competence through the development
of requirements and procedures.

109 https://iacs.org.uk/media/8673/iacs-mass-position-paper-rev2.pdf.
110 Ibid.

Accepting that it is only a Position Paper and that it is now four years old, none of the
descriptions of the examples provided is suggestive of any degree of cooperation or collaboration
with those designers and manufacturers of autonomous systems at the point of
design, manufacturing, installation or implementation. That said, reference to the websites
of various IACS members does suggest that some may indeed be having an impact
at that early stage. By way of example, consider the installation of Sea Machines’ “Sea
Machines Robotics SM300” autonomy system into Foss Maritime’s tug Rachael Allen
which gained approval in principle from the classification society American Bureau of
Shipping (ABS) in mid-2022. The tug is to use the autonomy system for routine transit and
stand-by operations, and then remote piloting will be trialled from a shore-based command
centre. It is worth noting comments on a point made by Sea Machines and ABS. On
Sea Machines’ website, the following is stated:111
The American Bureau of Shipping (ABS) verified the design of the Foss harbor tug outfitted
with the Sea Machines SM300 autonomy system. This follows the established process of new
technology qualification, document evaluation in accordance with ABS Rules and Guides,
a successful product review and shows that Sea Machines’ technology conforms with ABS’
requirements addressing use aboard. …
The SM300 installed on Rachael Allen is the result of close collaboration between three
U.S.-based companies: Sea Machines, Foss and ABS. This cooperation by a software company,
marine transportation provider and classification society highlights the importance of
interdisciplinary collaboration in bringing emerging technology solutions into commercial
operations and enhancing productivity and safety by addressing issues like crew fatigue during
long transits or idle periods.
(authors’ italics for emphasis)

The italicised words could be interpreted to mean that ABS verified the design of the tug
itself, including the installed SM300 autonomy system.
On the ABS website, the following is stated:112
ABS collaborated with Sea Machines and Foss Maritime to advance adoption of autonomous
operations at sea by issuing approval in principle (AIP) to their vessel autonomy system, the
SM300, that provides autonomous navigation and collision detection and collision avoidance
(CDCA).
Foss is to install Sea Machines’ SM300 system on board its harbor tug Rachael Allen to
enhance safety and efficiency of operations. …
Through the AIP process, ABS reviewed numerous documents for Sea Machines including
software test plans and concept of operations materials for the Rachael Allen. In such
reviews, ABS seeks to identify potential design risks or issues that may result in substantial
change in direction in the project by evaluating the design approaches, rules, regulations and
types of calculations presented.
(authors’ italics for emphasis)

The italicised words could be interpreted slightly differently from that communicated on
the Sea Machines’ website, to mean that ABS verified the design of the SM300 autonomy
system itself, which was yet to be installed, and that it did so after careful review of
software test plans during which time it identified potential design risks or issues, which
presumably were then addressed in order to achieve the AIP.
A similar message is conveyed in the marine press at the time, per the following report
on the industry-specific Marine Log website:113

The approval followed the established process of new technology qualification and document
evaluation in accordance with ABS Rules and Guides, a successful product review and
shows that the Sea Machines technology conforms with ABS requirements addressing its use
aboard.
(authors’ italics for emphasis)

111 https://sea-machines.com/sea-machines-sm300-system-onboard-foss-tug-earns-abs-approval/.
112 https://news.cision.com/american-bureau-of-shipping/r/abs-issues-approval-in-principle-for-autonomous-system-on-board-tug,c3697624.
113 https://marinelog.com/technology/sea-machines-autonomy-system-on-board-foss-tug-gains-abs-aip/.


The italicised words could be interpreted to mean that ABS approved the new technology
itself.
This is not an exercise in semantics, but as anyone involved in the practice of law will
appreciate, the choice of words can have unintended consequences when third parties,
lawyers, arbitrators and courts might rely on, or pore over specific wording. Indeed, in
some jurisdictions, such as Australia, there is consumer legislation, pursuant to which a
claimant can bring a claim against a party on the basis of a representation (which can be
written, oral or even silence in certain circumstances), which the claimant alleges constitutes
“misleading or deceptive” conduct.114 The test is an objective one: In order to successfully
pursue such a claim, one does not need to prove any ill-intent, or mala fides on
the part of the party that made the representation. The court will examine the effect the
conduct is likely to have had on ordinary or reasonable members of a particular class and
whether the members of that class would have been misled or deceived or would have been
likely to have been misled or deceived on the facts when they relied on the representation
which turned out to be false and they suffered loss as a consequence. There does not even
need to be a contractual nexus between the claimant and the defendant, and representations
on the internet can qualify.
As can be seen from the reporting from the three sources above on the same achievement,
the extent of the involvement of ABS is not clear, such that it is not clear what ABS
actually approved. Obviously, certain parameters would be stipulated in the AIP, but that
is not the end of the matter. An objective analysis would need to determine whether ABS:
(i) approved the design of the tug itself, which included an installed SM300 autonomy
system (e.g. getting a roadworthy certificate check for your car, with the inspector
assessing the car overall which may include a navigation system); or
(ii) was a party to the design and creation of the software and technology used in the
SM300 autonomy system itself, which ABS then approved, as well as the system
itself, and then the integration of the system into the tug?
It is not a stretch to envisage a scenario where, if: (i) a classification society is held to have
“represented” that a particular software, or system into which software is loaded as part of
a system of autonomy, meets its stringent standards; and (ii) the classification society can
be shown to have known that such software or system is to be installed into an autonomous
vessel that will ply the waters of ports and the seas, it may more readily be argued to
owe duties of care to third parties if that software or autonomous system fails and those
third parties suffer losses. Indeed, even the shipowner could have a claim against the classification
society.
The above example is not to question for a second the product itself, nor the collaboration
between the relevant parties with regard to its development, nor the quality of the tug
and its systems, nor the professional competencies of any of the relevant parties. Rather, it
is to showcase that the services that a classification society may now provide can go well
beyond the scope of services provided historically. That originally limited service offering
assisted in discreetly “defining” classification societies, and provided a ready rationale for
courts to consider those services as being in the “public interest,” such that it would not be
just to hold that they owed a duty of care to third parties in the discharge of those duties,
breach of which could see them held liable to such third parties. That rationale is being
eroded by the proliferation of services now being offered by some classification societies.

114 Competition and Consumer Act 2010 (Aus), Schedule 2, s.18.

Accordingly, just as an argument may now be made that manufacturers and designers of
MASS and autonomous systems should be entitled to an ability to limit their liability, so too
a strong argument can be made on behalf of classification societies for similar protection. In
other words, if the classification societies are to be permitted to “evolve,” just as the industry
they service is doing, then if there is an increasing risk that classification societies may be
held liable to shipowners and third parties, it may be time to re-think whether they should be
entitled to limit their liability. The evolution of their services, in step with the industry they
support, should not be constrained by an outdated international convention, conceived when
autonomous shipping, indeed even computing at that time, would have been the stuff of fanciful
science fiction dreams. If MASS are to deliver the promised environmental, safety and
economic benefits internationally, then they will require appropriate insurance, and the cost
of same could be prohibitive, if available at all, if the vital role of classification societies in this
evolution of shipping is not protected via an acceptable form of limitation of liability.
That said, from what is available in the public domain, at the least, it does not appear
that either IACS or the IMO are considering this growing issue, and the early work that
the CMI was doing on point does not appear to have been advanced to any ready
recommendations.115 It is respectfully submitted that this needs to be addressed.

Maritime cyber risks


As noted in the introduction to this chapter, cyber risks are of special significance for
crewless MASS because of their extensive reliance on digital technology; connectivity
between ship and shore systems is the fundamental basis of the technologies envisaged
for crewless MASS of IMO categories 3 and 4. Because cyber risks in general are considered
in another chapter of this book, this section focuses specifically on the risks faced by
crewless MASS.
Studies suggest that the main system vulnerabilities include the following: The automatic
identification system (AIS); the global navigation satellite system (GNSS); sensors
to provide data for almost all of the navigation and other operational systems used by a
crewless MASS in IMO category 4; and voyage data recorders.116 Of these, the first two
are related and pose perhaps the most obvious threat to commercial shipping, because
they affect traditional, crewed ships as well as crewless MASS.
All existing cargo ships larger than 500 gross tonnes are required by IMO regulations to
carry AIS transponders that provide position, identification and other information about the
ship.117 The GNSS uses incoming information from four satellite systems: (1) The United
States’ Global Positioning System or GPS; (2) Europe’s Galileo; (3) Russia’s Global Navigation
Satellite System or GNSS; and (4) China’s BeiDou satellite cluster.118 The AIS is principally
used to pinpoint the ship’s location for outside observers; the GNSS is used to bring in information
to be used by the ship’s tracking systems to assist in navigation. A much-publicised
incident in 2017 highlighted the cyber risks associated with these two systems. About 20 ships
in the vicinity of the Novorossiysk Commercial Sea Port on the Black Sea reported that their
AIS traces showed their position to be Gelendzhik Airport, around 32 km inland.119 Most of
the speculation at the time suggested that this example of “GPS spoofing” (more accurately,
“GNSS spoofing”)120 was a test for a military system to be used as a cyberweapon,121 but
the incident gave rise to persistent concerns that commercial shipping could be vulnerable to
GNSS spoofing for all kinds of reasons, military and non-military.122

115 “Liability of Classification Societies,” Comite Maritime International—CMI, https://comitemaritime.org/work/classifications-societies/.
116 K Tam, “Cyber-Risk Assessment for Autonomous Ships,” 2018 International Conference on Cyber
Security and Protection of Digital Services (Cyber Security), https://pearl.plymouth.ac.uk/bitstream/handle/10026.1/11245/PID5305125.pdf?sequence=1 (hereafter Tam).
117 SOLAS (n 12) reg V/19.
118 Tam (n 116) 4.

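The pattern reported in the 2017 Black Sea incident, several ships whose AIS positions move at a physically impossible speed to the same place, can be checked for mechanically by a shore-side monitor. The following is an added example, not code from this book or from any AIS product; the report format, MMSI values, coordinates and thresholds are constructed assumptions.

```python
"""Plausibility checks for decoded AIS position reports (added example).

The report format, MMSIs, coordinates and thresholds below are constructed
assumptions for illustration; they are not data from the 2017 incident.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852
MAX_PLAUSIBLE_KNOTS = 40.0  # assumed speed ceiling for a merchant ship
CLUSTER_RADIUS_KM = 1.0     # fixes this close together count as one spot
MIN_CLUSTER_VESSELS = 3     # distinct ships needed for an area-wide alert


@dataclass(frozen=True)
class Report:
    mmsi: str   # vessel identifier carried in the AIS message
    t: float    # receive time in seconds
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two positions in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implausible_jumps(reports):
    """Return (report, implied_knots) for fixes a ship could not have reached."""
    last_good = {}
    flagged = []
    for r in sorted(reports, key=lambda rep: rep.t):
        prev = last_good.get(r.mmsi)
        if prev is not None and r.t > prev.t:
            km = haversine_km(prev.lat, prev.lon, r.lat, r.lon)
            knots = km / KM_PER_NAUTICAL_MILE / ((r.t - prev.t) / 3600.0)
            if knots > MAX_PLAUSIBLE_KNOTS:
                flagged.append((r, round(knots)))
                continue  # keep the last trusted fix as the baseline
        last_good[r.mmsi] = r
    return flagged


def convergence_alerts(flagged):
    """Group flagged fixes that land on one spot from several distinct ships."""
    alerts, seen = [], set()
    for seed, _ in flagged:
        vessels = frozenset(
            r.mmsi for r, _ in flagged
            if haversine_km(seed.lat, seed.lon, r.lat, r.lon) <= CLUSTER_RADIUS_KM
        )
        if len(vessels) >= MIN_CLUSTER_VESSELS and vessels not in seen:
            seen.add(vessels)
            alerts.append({"lat": seed.lat, "lon": seed.lon,
                           "vessels": sorted(vessels)})
    return alerts


# Constructed sample: three ships jump to one inland point, one ship sails
# normally, and one ship shows an isolated glitch elsewhere.
SAMPLE_REPORTS = [
    Report("999000001", 0, 44.650, 37.850),
    Report("999000001", 60, 44.651, 37.851),
    Report("999000001", 120, 44.5800, 38.0200),
    Report("999000002", 0, 44.700, 37.800),
    Report("999000002", 60, 44.5801, 38.0201),
    Report("999000003", 10, 44.620, 37.900),
    Report("999000003", 70, 44.5799, 38.0199),
    Report("999000004", 0, 44.660, 37.870),
    Report("999000004", 60, 44.661, 37.871),
    Report("999000004", 120, 44.662, 37.872),
    Report("999000005", 0, 44.640, 37.840),
    Report("999000005", 60, 45.200, 37.000),
]

if __name__ == "__main__":
    suspect = implausible_jumps(SAMPLE_REPORTS)
    for report, knots in suspect:
        print(f"{report.mmsi}: implied {knots} kn at t={report.t}")
    for alert in convergence_alerts(suspect):
        print("area-wide anomaly:", alert)
```

A single flagged ship may be a receiver fault; several ships converging on one point is the signature that distinguishes an area-wide positioning anomaly from an isolated glitch.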
More recently, the ShipManager ship management software provided by the Norwegian
classification society Det Norske Veritas (DNV), which is used by thousands of ships, was
compromised by a ransomware attack that caused DNV to shut down the computer servers
that make remote access to the software and stored data available to users.123 The software
supports the management of vessels and fleets in technical, operational and compliance
aspects, including maintenance and repair, procurement, safety systems and data analytics.124
This cyber attack shows that it is not only the navigational and data-storage systems
of ships that are vulnerable to cyber risks. Global businesses of all kinds are increasingly
accustomed to using cloud-based software and data-storage systems as part of their everyday
operations, and the shipping industry is no exception. DNV’s ShipManager tool is not
MASS-specific but the attack on the system, which depends upon the exchange of digital
information among ships, their operators and the operating system, shows that even the
best, most secure systems may be vulnerable.125
The IMO published Guidelines on Maritime Cyber Risk Management in July of 2017,126
and it resolved, also in 2017, to encourage member countries to ensure that cyber risks
were appropriately addressed in safety management systems, affirming that an approved
safety management system for purposes of the International Safety Management Code
(ISM Code)127 for ships should take into account cyber risk management.128

119 Ship Technology, “GPS spoofing; what’s the risk for ship navigation?” www.ship-technology.com/features/ship-navigation-risks/ (hereafter Ship Technology).
120 Ibid.
121 David Hambling, “Ships fooled in GPS spoofing attack suggest Russian cyberweapon,” New Scientist
(10 August 2017), www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/.
122 Ship Technology (n 119).
123 MarineLink, “1,000 Ships Affected by Cyber Attack on DNV’s ShipManager Software,” www.marinelink.com/news/ships-affected-cyber-attack-dnvs-502203.
124 Ibid.
125 DNV, the victim of the ransomware attack in January 2023, markets and provides cybersecurity services
to users in the shipping industry (see n 130 below), so it cannot be said to be the most vulnerable of
targets.
126 International Maritime Organization, “Guidelines on Maritime Cyber Risk Management,” (MSC-FAL.1/Circ.3,
5 July 2017), wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf.
127 International Maritime Organization, “International Management Code for the Safe Operation of
Ships and for Pollution Prevention (International Safety Management (ISM) Code)” (Resolution A.741(18)
adopted on 4 November 1993), wwwcdn.imo.org/localresources/en/KnowledgeCentre/IndexofIMOResolutions/AssemblyDocuments/A.741(18).pdf.
128 International Maritime Organization, “Maritime Cyber Risk Management in Safety Management
Systems” (MSC 98/23/Add.1, 16 June 2017), wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf.

Crewless MASS in IMO category 4 rely heavily on sensors to perform many functions,
including the provision of information about objects, moving or stationary, in the vicinity
of the MASS when navigating, and information about the functioning of onboard systems,
similar to those already used in UMS engine room systems on existing vessels. In the case
of a crewless MASS in IMO category 4, this flow of data may either remain entirely on
board the vessel, if that is where the computers processing information and giving commands
are located, or it may be transmitted wirelessly to land-based computers performing
those functions, or it may be done by both in tandem. Whatever system is used, the
flow of data can be interrupted by malicious attacks with obvious effects on the ability of
the MASS to navigate safely. In the case of crewless MASS in category 3, the relaying of
information from ship to shore and vice versa is an integral part of the vessel’s operation,
so the wireless transmission of information between MASS and shore, usually via satellite,
is subject to the same kind of vulnerability as is demonstrated by “GNSS spoofing.”
Voyage data recorders are passive collectors of data, similar to the “black box” recorders
on commercial aircraft. Interference with the VDR of a crewless MASS would not
interfere with its navigation in the same way that GNSS spoofing would, but it could be
used to erase or hide the traces of other malicious activity, much in the same way as tampering
with a traditional ship’s log could be.129
Because of the risks posed to commercial shipping by cyber risks, there is an increasing
number of commercial service providers offering cyber security protection for ships. Some
classification societies are offering services of this kind,130 utilising their intimate knowledge
and understanding of all the operating systems on ships (and MASS). As is pointed out in
Chapter 11, one feature of the new risk management responses to cyber risks is for providers to
offer an integrated combination of cybersecurity protection services and insurance against the
risk of loss incurred as a result of attacks that get through the net of protection that has been
provided. Some P&I Clubs have entered into partnerships with integrated service operators of
this kind: For example, the West of England P&I Club has bought what it describes as a “significant
stake” in Astaara Co Ltd, a company providing the integrated security-and-insurance
services just described, with a particular focus on commercial shipping.131
Given the exponential rise in cyber risks, one would expect that avoiding or mitigating
cyber attacks would be front of mind for any software engineer or designer of any
autonomous system for use in shipping, just as it should be for any classification society
involved in any certification of any autonomous system. Indeed, the range of services said
to be offered by many of the IACS member classification societies with regard to cyber
safety is impressive. That should be applauded and encouraged. However, they are yet
further services that were not historically provided by classification societies (for obvious
reasons). Accordingly, the same analysis as above should be afforded to the designers
and manufacturers of MASS and systems of autonomy, as well as classification societies
involved in those stages. Again, if viewed through a prism of “what could result in international
shipping grinding to a halt?” cyber attacks would be one answer if they proliferated
to the point of causing serious losses which then compromised available insurance in
the shipping industry. The recent cyber attack on DNV’s ShipManager product provides
an example of how many vessels could be impacted by just one attack. It follows, as per
the discourse above in the section entitled “Classification societies,” that the provision of
these broader services by classification societies may increase further their exposure to
new liabilities.

129 Tam (n 116) 5.
130 See, e.g., Det Norske Veritas (DNV), “Maritime cyber security,” www.dnv.com/maritime/insights/topics/maritime-cyber-security/index.html.
131 West of England, “Cyber Security,” www.westpandi.com/products/cyber-security/. See also Astaara,
“Navigate maritime security with confidence,” https://astaaragroup.com/.

Buying cybersecurity protection from a professional provider is, in itself, some form
of “insurance” for the owner or operator of any ship, including a crewless MASS.
Nevertheless, insurance against risks suffered or caused as a result of cyber attacks is an
obvious need, given the fact that it is notoriously difficult to identify the identity or location
of hackers and other malicious cyber assailants. In many cases, it is (and will continue
to be) effectively impossible to identify the source of a cyber attack; all that can be known
is the damage or loss that it caused. Even if the identity and location of the attacker could
be identified, there would then arise fairly profound choice of governing law questions of
the kind outlined in the section entitled “Choice of law for product liability.” What would
be the law governing liability for an intentional attack by a person in one country against
assets in another? What prospect of recovery could there possibly be against an assailant
who might have no (or no identifiable) assets?
Coming full circle to the political rationale for the limitation of a shipowner’s liability,
an argument can be made that if the current and future insurance underwriters are
expected to provide the insurance cover to permit the continuation of international shipping,
they will need to rely on classification societies more than ever, and it may not be
reasonable to expect classification societies to continue to provide those services if, by
doing so, they expose themselves to unlimited liability risks which then impact their own
ability to obtain suitable insurance cover.

Conclusion
It is difficult, if not rather distasteful for some, to argue for limited liability, given that
it has nothing to do with justice for those who suffer damage or loss and everything to
do with providing incentives for investment for those involved in the shipping industry,
many of whom run multi-million dollar businesses. As Dr Lushington pointed out long
ago,132 there is nothing fair or just about limitation of liability: It benefits those who cause
harm at the expense of those who suffer that harm. Nevertheless, it is one of the foundations
on which the cost of international trade is based, and while unpleasant for some, the
removal of this remnant from the past would increase the cost of almost everything. As the
experience of environmental protection and climate change amelioration measures shows,
people tend to be all in favour of reform until they are asked to pay the real price of virtue.
There is no realistic prospect of limitation of shipowners’ liability disappearing from
the overall picture of maritime law. There is, however, a realistic prospect of unlimited,
perhaps uninsurable, liability for manufacturers and designers of crewless MASS and, to
a lesser but possible extent, classification societies if some way is not found to give them
similar protection as that afforded to shipowners. This chapter has, with some mixed feelings,
provided some arguments for the extension of that protection.

132 The Amalia (n 49).

Chapter 9

Unmanned Aerial Vehicles

Liability and Insurance

Maurice Thompson, Anthony A Tarr, Julie-Anne Tarr and Simon Ritterband

CONTENTS
Introduction
Regulatory challenges and uncertainty
Assessment of risks
General
Operational risks
Product standards
Personal injury and property damage
Trespass, privacy, nuisance and noise
Data protection
Cyber risks
Insurers’ responses
General
Write-back drone insurance cover
Bespoke drone insurance
First party
Third-party liability
Conditions
General exclusions
Other covers and extensions
On-demand drone insurance
Home and contents cover
Mutual insurance
Compulsory third-party liability insurance
General
Compulsory third-party drone insurance or not?
Implementation options
Concluding comments

DOI: 10.4324/9781003319054-9

Introduction
The exponential growth1 in the use and deployment of unmanned aircraft (UA) and
unmanned aircraft systems (UAS),2 or remotely piloted aircraft (RPA) and remotely
piloted aircraft systems (RPAS),3 (hereafter “drones”),4 as well as the technology underpinning
their scope and operation, is delivering enormous opportunity, economic advantages
and societal benefits for various users, operators and the community at large.5
Drones are now in widespread use in mining, the maritime and energy sectors, remote
exploration works and repair, geological surveys, agricultural land management, urban
transport and delivery, aerial photography, media and more. Increasing recreational use
continues to fuel market growth of drones globally, and their expanding deployment in
areas such as law enforcement, search and rescue and emergency relief is evolving very
rapidly.6
Notwithstanding the new horizons in efficiency ushered in through drone usage, there
are growing risks associated with the rapid growth in the use and deployment of drones,
and these risks are not at the stage yet where they are stabilising. Instead:
given technological advances, the veritable explosion in their usage, their capacity to carry
payloads and their ability to travel vast distances, the potential for injury or damage resulting
from drone operations is ever increasing. Their increased deployment through transport and
delivery services in high density population areas will further enhance personal injury and
property damage risks.7

Moreover, a primary and growing concern of aviation authorities and experts is the number
of incidents where drones have come into contact with or caused hazards to aircraft.
There are increasing reports in recent years of drone sightings from pilots, citizens and
law enforcement personnel. For example, it was widely reported8 that the illegal operation
of drones within the airspace of Gatwick Airport brought the United Kingdom’s second-largest
airport and busiest single-runway airport in the world to a standstill in December
2018.9 This disrupted the travel plans of 125,000 people and cost the airlines an estimated
US $63 million.

1 At present there are nearly 1.3 million registered drones in the United States and more than 116,000
drone operators. Officials say there are hundreds of thousands of additional drones that are not registered.
See, for example, David Shepardson, “US agency requires drones to list ID number on exterior,” Reuters,
13 February 2019, www.reuters.com/article/us-usa-drones/u-s-agency-requires-drones-to-list-id-number-on-exterior-idUSKCN1Q12O9;
the commercial and civilian drone market is expected to grow at a compound
annual growth rate of 19% over a five-year period according to a research report by Global Market Insights,
Inc. See 2018 report, Ankita Bhutani and Preeti Wadhwani, “Commercial Drone/Unmanned Aerial Vehicle
(UAV) Market,” February 2018, www.gminsights.com/industry-analysis/unmanned-aerial-vehicles-UAV-commercial-drone-market.
2 The term unmanned aircraft (UA) is used to describe the aircraft itself, whereas the term unmanned aircraft
system (UAS) is generally used to describe the entire operating equipment including the aircraft, the control
station from where the aircraft is operated and the wireless data link. See, for example, Federal Aviation
Administration, “Unmanned Aircraft Systems” 5 January 2021, www.faa.gov/uas/.
3 The International Civil Aviation Organization (ICAO) employs the acronym RPAS (standing for remotely
piloted aircraft system) or RPA (remotely piloted aircraft). The term RPAS appears to be the preferred terminology
used by international aviation related agencies such as ICAO, Eurocontrol, the European Aviation Safety
Agency (EASA), the Civil Aviation Safety Authority (CASA—Australia) and the Civil Aviation Authority
(CAA)—New Zealand.
4 In this book, unless the context demands more “jurisdiction specific” language, unmanned aircraft and
remotely piloted aircraft will be referred to as “drones.”
5 See Professor Julie-Anne Tarr, Maurice Thompson and Dr Anthony Tarr, “Compulsory liability insurance
for drones in Australia” (2021) 31 Insurance Law Journal 1.
6 Generally, see Drone Law and Policy: Global Development, Risks, Regulation and Insurance, edited by
Anthony A. Tarr, Julie-Anne Tarr, Maurice Thompson and Jeffrey Ellis (Routledge, 2021) (hereafter Drone
Law and Policy).
7 Julie-Anne Tarr, Maurice Thompson and Anthony Tarr, “Regulation, Risk and Insurance of Drones:
An Urgent Global Accountability Imperative” (2019) 8 Journal of Business Law 559, 562. (hereafter Tarr,
Thompson and Tarr).

In recent years, the Federal Aviation Administration (FAA) in the United States of
America and the UK Airprox board are reporting significant increases in the number of
dangerously close encounters and drone incidents involving aircraft.10
Other risks, both from an operational and insurance perspective, include nuisance, privacy
issues and concerns around data collection, through the use of drones to collect
information through aerial surveillance, which could result in the drone collecting unintended
data.11 This is particularly pertinent to government agencies and law enforcement,12
whose increasing use of drones gives rise to serious privacy issues and concerns around
data collection and use. However, these concerns are equally applicable to non-governmental
agencies who, for example, may use drones to collect unauthorised data through
aerial surveillance of a mining company’s resources or of a land developer’s properties.13
As with any rapidly evolving technology, drone use is revealing new vulnerabilities and
cyber security threats. No organisation is immune from the risks and associated costs of
tackling cyber threats. Loss of reputation, monitoring and notification costs, and network
interruptions associated with breaches all need to be considered. Attacks such as exploiting
drones’ software or firmware vulnerabilities to take over the drone and gain access to
other networks and systems of an organisation, or malware embedded in drone software
that could compromise the device where it is located and allow data sent to and from the
drone to be exfiltrated and reviewed, are real concerns. These risks need to be mitigated
with improvements in technology, regulation and appropriate insurance.
Drone operators increasingly are seeking professional indemnity insurance to cover,
for example, any errors or negligence in relation to information procured by operators on
behalf of clients. As drones are, at their most fundamental level, a “delivery” system, it is
actually the payload they are carrying (cameras, sensors etc) that is earning the money
for the pilot. In the case of a drone used for survey work and a Lidar sensor, it is the data
that the sensor captures which is ultimately passed onto the client.

8 No one has been held liable for the disruption.
9 James Cooper, Patrick Slomski and Maurice Thompson, “Gatwick Meltdown: drones in a no-go-zone,”
Clyde & Co, 21 December 2018, www.clydeco.com/en/insights/2018/12/gatwick-meltdown-drones-in-a-no-go-zone.
10 “Reported UAS Sightings, October 2022–December 2022,” www.faa.gov/uas/resources/public_records/uas_sightings_report;
Haye Kesteloo, “UK drone incidents rose more than a third in 2018, say safety experts,”
Drone Dj, 5 April 2019, https://dronedj.com/2019/04/05/uk-drone-incidents-2018-safety-experts/.
11 Tarr, Thompson and Tarr (n 7).
12 Matthew R Koerner, “Drones and the Fourth Amendment: Redefining Expectations of Privacy,” 2015
64(6) Duke Law Journal 1129, 1131; Laura La Bella, “Drones and Law Enforcement: Inside the World of
Drones,” (Rosen Publishing, 2017) 10.
13 See, for example, Maurice Thompson, Clyde & Co, observes that “companies are at great risk of
industrial espionage from drones,” quoted in Ben Norris, “The Search for Risk-Based Rules,” 21 May 2019,
Commercial Risk Europe 14.


Regulatory challenges and uncertainty14


The hazards associated with drone use are relatively novel and this generates considerable
uncertainty. This is, among other reasons, a result of the ever-evolving technology and
capabilities of drones which make it difficult for regulators to accurately assess the risk
associated with their use and deployment.15
Whether it be from a third-party liability perspective or with respect to breaches in
privacy and government regulations, the freedom of growing numbers of drone operators
having to cover vast areas of terrain using a drone creates uncertainty. In addition,
risks also arise by virtue of the fact that drones have not been developed nor are they
constrained to be used for a single or specific purpose. For example, automobiles, planes
and helicopters are used for relatively confined purposes, such as transport and delivery,
whereas drones have a very broad range of applications, and those applications are constantly
evolving.
An appreciation of the wide diversity and ever-expanding operations and circumstances
in which drones are deployed or are used is essential to (a) understanding the risks associated
with their use and (b) informing the regulatory regime appropriate to these diverse
contexts.
For example, some of the factors highlighted as important considerations in the development
of regulatory responses include:

• Where the drone is deployed or operating. Increased deployment through transport
  and delivery services in high-density population areas will increase personal
  injury and property damage risks. Operation in this complex urban environment,
  as compared to more remote and less densely populated areas, requires a more
  intense focus on considerations of risk (personal injury and property damage),
  technological protections and mitigations, management of very low-level airspace
  and its traffic, as well as aviation regulation, planning law and the rights of
  individuals to their privacy and peace. Risk assessment requires careful consideration
  of multiple factors. For example, a drone with a heavy payload flying over
  an urban area is certainly a high risk, and the corollary could be inferred that a
  similar drone flying over the sea is therefore safer or lower risk. However, from
  an insurance perspective, the flight over sea may be categorised as a higher risk,
  due to the potential total loss of aircraft and payload in water;
• The drone operator. Licensing and certification requirements for drone pilots
  and operators are centred on safety issues. Minimum standardised training and
  education obligations are imposed to ensure that individuals ultimately in control
  of the drones have a clear understanding of the authorised operating conditions,
  the limits on where and in what circumstances a drone can be flown and the
  potential dangers associated with unlawful activity;
• Technological advances. Overcoming certain technological challenges is essential
  for drones to be safely integrated into airspace and co-exist with other air
  traffic. Detect and avoid technology and improving land-based command and
  control concepts are required to enable the broad range of drone capabilities to
  be carried out accurately and safely;
• The regulator. This question has caught most governments and regulators completely
  off-guard. The age of drones is breaking the classic stereotype of “aviation”
  and bridging into other sectors. From a maritime perspective, for instance,
  a classic aviation regulator would have little, or no knowledge, of the risks associated
  with (i) offshore oil rigs, (ii) ocean-going vessels, (iii) port operations, (iv)
  confined tanks, (v) climate environments inside cargo holds and storage tanks
  and facilities loaded with various commodities, (vi) deep-sea mining at 3 km
  below the ocean’s surface, or (vii) maritime law. With drones now used so heavily
  in sectors such as maritime, offshore oil and gas, natural resources, mining
  and transport, it could be argued that drones should be regulated separately from
  classic aviation or, at the very least, consideration should be given to some dual
  regulatory oversight. There are a number of good examples internationally.

14 Drone Law and Policy (n 6) Chapters 13–19.
15 See Ben Norris, “The search for risk-based rules” 2019 Commercial Risk Europe 14. In the article, Jeff
Ellis from Clyde & Co is quoted as saying: “Regulations are meant to mitigate a risk. But before you figure out
what risk mitigation should be, you need to understand the risk itself. So regulators are now trying to assess the
risk. As regulators are satisfying themselves via various testbeds, the rules are going to change.”

A significant challenge facing regulators is to appropriately assess the risk and to introduce
a regulatory framework commensurate with that risk. The regulatory intervention
ideally needs to tread a path that does not stifle innovation and is not so “heavy-handed”
as to unduly impact commercial and recreational uses of drones.16 Many countries are
struggling to achieve or even to assess this balance.
Nevertheless, sensitivity to a measured approach is very evident in regulators’ public
statements; for example, the European Commission in a communication dated 9 December
202017 emphasises the necessity to put European transport on track for the future and the
importance of a coordinated European approach to connectivity and transport activity to
overcome crises such as the COVID-19 pandemic and to strengthen the European Union’s
strategic autonomy and resilience.18 Drones are an integral part of the Commission’s
vision for innovative and sustainable technologies in transport,19 and the Commission
commits to facilitating technological development and to establishing an agile regulatory
framework to support the deployment of solutions on the market.20

16 See, for example, Kyle Bowyer, “The Robotics Age: Regulatory and Compliance Implications for
Businesses and Financial Institutions,” The European Financial Review, 21 April 2018, www​.eur​opea​n fin​anci​
alreview​.com​/the​-robotics​-age​-regulatory​-and​- compliance​-implications​-for-businesses-and-financial-institu-
tions/, “Regulation needs to strike a balance between controlling risk and stifling growth. Interestingly, the call
for regulation often comes from innovators and thinkers such as Elon Musk and Bill Gates and it is becoming
increasingly evident that existing laws regulating product liability, consumer rights, property law, intellectual
property and tort law, to name but a few, may not be adequate to manage and control the risks associated with
rapidly advancing AI (including technologies such as drones).”
17 See, for example, European Commission, Communication from the Commission to the European
Parliament, the Council, The European Economic and Social Committee and the Committee of the Regions,
Sustainable and Smart Mobility Strategy—putting European transport on track for the future (Brussels
9 December 2020, COM 789 Final) (hereafter Smart Mobility Strategy).
18 Ibid paras 1–5.
19 Ibid para 66.
20 Ibid para 64–65.

Unmanned Aerial Vehicles

Traditional regulatory structures are complex, risk-averse and adjust slowly to shifting
social circumstances. Emerging technologies such as drones can lead to unforeseeable
outcomes where clear regulations and ethical guidelines are absent.
Furthermore, the proposed regulatory approach needs to cover the complex web of air-
space integration, safety, security, noise, environment, privacy, safe and efficient electric
take-off and landing vehicles, infrastructure, technology trials and central coordination.21
These are all important issues and are integral to the development of comprehensive trans-
national and national policies that will allow countries to benefit from the considerable
opportunities provided by emerging aviation technologies.

Assessment of risks
General
Given the regulatory uncertainty, the ongoing development of insurance products by
insurers has played and will continue to play a significant role in understanding and miti-
gating the risks associated with drone operations. In this context, as is usually the case
with other emerging risks, insurance has a role to play in not only responding and provid-
ing cover for the risks as they are currently understood (and for which data is available)
but also in shaping, refining and predicting the ongoing and future risk environment.
Some have gone as far as saying that the insurance industry is the “gate-keeper” of the
industry. If the insurance industry is not fully satisfied with the safety levels of operations,
then operators will either be unable to obtain insurance, or the premium costs will be
so high as to make operations commercially unviable. Fortunately, there is considerable evidence
emerging that the insurance industry is fully engaged at the ground level and working
hand-in-hand with operators, developers and regulators to ensure the continued success
and growth of the drone industry.
Insurance products often develop and evolve in tandem with government regulations.
In many cases insurance is mandated: Compulsory third-party insurance is a good exam-
ple. However, drones are somewhat different. The approach taken by regulators across the
globe to mandate insurance cover for drones is not consistent. Some jurisdictions have
mandatory minimum insurance requirements22 while others recommend that insurance be
obtained or have limited requirements23 or no requirements at all. This suggests that the
appetite for drone insurance products has been driven by other factors, such as an under-
standing by drone operators of the risks of drone operations, and perhaps in more than
equal measure by the rapid emergence and investment by insurers in developing innova-
tive products to meet the demand, price the risks accurately, and enable organisations to
essentially expand, economise and complement their existing business operations using

21 See, Department of Infrastructure, Transport, Regional Development and Communications, Emerging


Aviation Technologies National Aviation Policy Issues Paper, September 2020 www​.infrastructure​.gov​.au ​/
aviation​/drones​/files​/drone​- discussion​-paper​.pdf (hereafter referred to as the Emerging Aviation Technologies
Paper); See also, Tarr, Thompson and Tarr (n 7).
22 For example, see Regulation (EC) No 785/2004 and EU Regulations (EC) 2019/947 and 2019/945, effec-
tive from 31 December 2020.
23 For example, the Federal Aviation Administration (FAA) and the Civil Aviation Safety Authority
(CASA) do not presently require operators of drones in the United States or Australia, respectively, to take-out
third-party liability insurance, but such cover is strongly recommended.

217
U nmanned A erial V ehicles

drones. It is clear that insurance has an integral role in protecting the ongoing viability of
drone operations.
One of the main considerations in assessing drone risk is loss history. This data is
increasing but there are many uninsured drones which have resulted in unreported acci-
dents. Even where there is a mandatory obligation to report drone incidents,24 many are
likely to be unreported. This is because they are either uninsured or the cost to replace the
drone outweighs the damage it may have caused to a third party. Drone operators may lose
control of a drone which goes on to cause damage which may remain unreported where
the drone and the drone operator are unable to be identified. There may also be instances
where the injured property or party simply does not realise the damage sustained was
caused by a drone.
Generally though, established drone insurers, such as Moonrock Drone Insurance, have
now entered a period where they have much better access to historical information and
new data and can more accurately identify risks and price policies fairly and transparently.
For example, larger drones, such as those over 25 kg, used to require individual pricing,
but many users can now be provided with an insurance policy quote online as insurers
have better acquired an understanding of the risks, boundaries and parameters of drone
use which can be insured. Similarly, insurers have an improved understanding of beyond
visual line of sight (BVLOS) operations and their growth trajectory over the next five years.
By utilising an insured’s data at the end of a policy, insurers are also able to price the same
insured’s subsequent policy with improved accuracy.

Operational risks
One of the most significant risks from an insurance perspective in relation to the use of
drones is the difficulty of accounting for or predicting the circumstances in which a drone may
be used. Of course, current policies exist which require drone users to specify the terrain
and conditions in which they intend to operate an insured drone, such as the population
density of the area and predicted weather conditions;25 however, the amount of underwriting
required to determine the risk level can be significant.
Operational conditions for drones can change rapidly and frequently. In addition, the
fact that drones are significantly more autonomous than other aircraft, such as aeroplanes
or helicopters, means that the types of terrain in which they operate are difficult to predict
with certainty. This is particularly so in congested areas, where rural and urban fringes
are only separated by a few kilometres, and it is easy for even recreational drone users to
cover a number of types of terrains in a single flight.

24 In the United States, consumer drone accidents are subject to the Code of Federal Regulations, Title
14 Aeronautics and Space, Chapter 1, Subchapter F, Section 107.9, which states that a drone accident must be
reported if it results in serious injury or loss of consciousness to any person, or causes damage to property
(other than the drone itself) exceeding US$500.
25 International Underwriting Association Developing Technology Monitoring Group, “On-demand and
Conquer: Is the future of insurance a pay-as-you-go one?,” Report, 9 October 2019 p 5,
http://iual.informz.ca/IUAL/data/images/2019%20Circular%20Attachments/068_IUA%20Developing%20Technology%20Monitoring%20Group%20-%20Interview%203.pdf.


Further risk to insurers arises from the fact that drones are not infrequently operated by
persons with limited or no training. Simon Ritterband26 comments that:

Potentially the highest risk profile pilots are the “sport or recreational” users and they are the
ones with the lowest barrier of entry, as a pilot could simply purchase a Drone, register it, and
get flying. Even if they are required to pass a theoretical competency test, which could help
reiterate flight regulations, new pilots are still more likely to crash due to pilot error.
Those flying for “work” purposes are more likely to operate within a well-structured process
and be better trained than those that don’t. Excluding “sport and recreational” pilots from
the requirement for insurance leaves the theoretically most risky segment of pilots exposed.
Particularly if an uninsured pilot has an accident with third-party repercussions which could
also severely damage the public perception towards the UAV industry.

Accordingly, in relation to the ambition to achieve a balanced regulatory framework, discussed
above, it is argued that more attention should be paid to sport and recreational
users (who constitute the vast preponderance of drone users at present), as opposed to
those flying for “work” purposes who are more likely to be better trained and to operate
within a well-structured process.

Product standards
There are also significant gaps in domestic and international standards relating to airworthiness,
manufacturing standards, design and engineering requirements and certification.27
Anyone could purchase, from a retail store or online, a low-cost drone which
may not be airworthy in certain weather conditions or may be generally of poor quality
and therefore susceptible to breakdown or failure and the potential consequences thereof.
This in turn results in a connected insurance risk, in that underwriters need to consider
whether an insured drone is capable of safe operation as its owner intends.
As with any emerging technology, there are unforeseen or overlooked risks and the pos-
sibility of undesirable misuse of applications or effects which cannot be anticipated at the
current time. As Guy Carpenter explains:

many manufacturers (some of which are emanating out of less regulated markets such as
China) may not be adequately covered. This was evident with Chinese drywall manufacturers
who did not have adequate coverage for construction defects. The result was that their liability
was shifted to the US-based contractors and distributors. Similarly, we see that the emerging
risks associated with UAS and drones will involve highly complex liability scenarios that
could encompass all aspects of the global UAS/drone manufacturing and service provider
supply chain.28

Unlike helicopters or aeroplanes, the rapidly evolving nature of drone technology means
that insurers cannot easily utilise standard product specifications—particularly in relation
to the software used to operate the drone, which might be updated or upgraded numerous
times within a normal annual insurance policy period—as an indicator of a drone’s
reliability and performance. Further, both the operator and the mechanical performance
of an aeroplane or helicopter are easier to predict—in both cases, the operator is licensed
and highly trained, and the craft itself has standard product specifications and extensive
safety data.29

26 Correspondence from Simon Ritterband to Dr Anthony Tarr, 1 November 2020, see www.moonrock-
insurance.com. Simon Ritterband, managing director of Moonrock Insurance Solutions, currently sits on a
number of government advisory panels along with the Department for Transport (UK), the CAA and other key
stakeholders within the industry. He also sits on the British Standards Institute Committee (BSI) (hereafter
Ritterband, Moonrock).
27 Tarr, Thompson and Tarr (n 7) 562.
28 See report by Guy Carpenter, Marsh & McLennan Companies, “A clearer view of emerging risks,”
September 2015, www.guycarp.com/content/dam/guycarp/en/documents/dynamic-content/A_Clearer_View_of_Emerging_Risks.pdf.

Personal injury and property damage


One of the key risks is that the drone could collide with or crash into an aircraft, another
object or the ground.30 Early on, those risks appeared to be consistent with general avia-
tion risks, and for that reason, the first versions of drone insurance policies were adapted
from existing aviation policy wordings.31
In addition to first-party risks (that is, damage to the drone itself), there are also
third-party liability risks. There are numerous examples worldwide of incidents or near
misses caused by these risks eventuating. Drone crashes have also been reported to have
sparked bushfires in Australia and the United States.32 There are also increasing accounts
of manned aircraft, including passenger airliners, recording near misses with drones.33
While the issues associated with writing third-party liability cover are not new to insur-
ers, the related risks are arguably magnified with respect to drones. At its simplest, this
is because it is much more difficult to predict who will operate the drone and how it will
be used. A recreational drone, which is insured for photographing landscapes, could quite
easily crash into the wrong area of bushland and cause a bushfire. In addition, even in situ-
ations where one would expect the use of a drone to be tightly controlled (such as the air
space adjacent to a major international airport), the fact remains that if an operational
error occurs, or there is deliberate non-compliance, the consequences of the drone mal-
functioning or causing damage are very difficult to predict.
Therefore, injury to individuals and property damage is an extant risk arising out of
the use of drones,34 and given technological advances, the increase in their usage, and
their ability to travel long distances, the potential for damage resulting from drone usage
is ever-increasing.35 There is also little doubt that the applications to which drones will be
put will evolve as organisations find ways to employ drones to compete with others or to
provide their products and services more efficiently.36

29 See, for example, United States Government Accountability Office, “Unmanned Aircraft Systems—
Measuring Progress and Addressing Potential Privacy Concerns Would Facilitate Integration into the National
Airspace System,” Report to Congressional Requesters (GAO-12-981), September 2012, 14
www.gao.gov/assets/650/648348.pdf; Andrew J Armstrong, “Development of a Methodology for Deriving Safety Metrics
for UAV Operational Safety Performance Measurement,” January 2010, Master of Science in Safety Critical
Systems Engineering, Department of Computer Science, York University,
www-users.cs.york.ac.uk/~mark/projects/aja506_project.pdf.
30 See, for example, Pam Stewart, “Drone danger: Remedies for damage by civilian remotely piloted aircraft
to persons or property on the ground in Australia” (2016) UTSLRS 24, (2016) 23 Torts Law Journal 290.
31 International Underwriting Association Developing Technology Monitoring Group, “On-demand and
Conquer: Is the future of insurance a pay-as-you-go one?,” Report, 9 October 2019, 5, “IUA Publishes on
demand insurance report,” 16 October 2019,
www.iua.co.uk/IUA_Member/Press/Press_Releases 2019/IUA_publishes on-demand insurance report.aspx?WebsiteKey=84dca912-b4fb-4a0f-a6e5-47ad899350aa
32 Julie-Anne Tarr, Anthony Tarr, Ron Bartsch and Maurice Thompson, “Drones in Australia—Rapidly
evolving regulatory and insurance challenges,” (2019) Insurance Law Journal 30 (3) 135, 141.
33 Tom Chamberlain and Tony Avery, “Drones—Everything you need to know,” Presentation, 10 September
2019, 34, www.actuaries.org.uk/system/files/field/document/Hot%20Topic%201_Tom%20Chamberlain_Tony%20Avery.pdf.
34 Stewart (n 30).

Other risks, as discussed above, both from an operational and insurance perspective,
include nuisance, privacy issues and concerns around data collection, through the use of
drones to collect information through aerial surveillance.37 Serious trespass, privacy and
nuisance issues and concerns around data collection and use arise given the intrusive
potential of drones equipped with cameras and surveillance capability, which are now
readily available to the public.

Trespass, privacy, nuisance and noise


The drone’s size, versatility, and manoeuvrability separate it from other aircraft and sat-
ellites. When the property laws changed to accommodate high-altitude aircraft, such as
aeroplanes and even helicopters, it was understood that the risks to privacy were minimal
and the need for air travel was great. However, drones manoeuvre in low-altitude airspace,
thereby posing new and tangible threats to privacy.
The common law concerning trespass and private nuisance is supplemented by data
protection legislation in a number of jurisdictions and there are varying levels of maturity
in such legislation ranging from comprehensive, principles-based data protection regimes
(such as Europe’s General Data Protection Regulation (GDPR)) to the patchwork of secto-
ral and state laws in the United States.
To minimise the risk of self-help processes38 to remedy or augment existing torts to han-
dle drone privacy cases, and to clarify regulatory oversight and other legal issues, future
legislation is needed. There will be an ongoing need to define the scope of landowners’
property interest in low-altitude airspace, thereby balancing the interests of a burgeoning
industry with those who wish to keep drones at a reasonable distance. Recognition will
need to be afforded to the reality that the creation of air corridors in urban areas to accom-
modate extensive drone traffic will impact property values.
The proliferation of drones in the urban environment may give rise to issues of noise
pollution, loss of enjoyment of property and nuisance. Noise is identified in many juris-
dictions as one of the most significant limiting factors impacting public acceptability of
drone operations. Moreover, local authorities, councils and municipalities are usually the
first port of call for noise complaints with strong community expectations that their locally
elected and appointed officials take an active and leading role in setting and enforcing the
regulatory framework relating to noise control and privacy intrusions through various
planning and enforcement mechanisms. Accordingly, it is not surprising to find a complex
overlay of national and local laws endeavouring to address noise issues. For example, in
Australia, the federal government has sought to maintain responsibility for the regulation
of drone noise to ensure that a consistent approach is applied across the country to foster
interoperability, enforcement and compliance by industry.39

35 Jacinta Long and Sarah Yau, “Drone Damage: What Happens If a Drone Hits You?” Clyde & Co, 13
December 2017.
36 Tarr, Thompson and Tarr (n 7).
37 Ibid 561.
38 See the Kentucky case that gave birth to “The Drone Slayer” being the owner of a property who used his
shotgun to shoot down a drone flying over his property; Boggs v Merideth United States District Court Western
District of Kentucky Civil Action No. 3:16-CV-00006-TBR March 21, 2017.

Data protection
The use of drones raises a number of privacy issues in light of the extent and scope of data col-
lection via drones. Drones have long been considered “eyes in the sky” with all but the most
basic consumer models routinely equipped with some form of camera for still or video image
capture. More advanced surveillance technologies can combine a drone’s sophisticated camera,
high-quality audiovisual recording and storage capabilities with data analytics tools such
as facial recognition software, gait analysis and other biometric assessment techniques to
identify individuals for targeted observation. The size and manoeuvrability of drones enable
them to monitor individuals at a distance and to follow and track targets, potentially without
the knowledge of the person that is subject to surveillance. As technologies develop and
drones become “smarter,” the possibilities for data collection are almost limitless.
While drone operators must abide by the terms of relevant aviation regulations, those
rules must be considered in conjunction with prevailing privacy and data protection laws.
As noted above in relation to privacy, there are also varying levels of maturity
in the applicable data protection legislation ranging from the comprehensive, principles-
based GDPR in Europe to the patchwork of sectoral and state laws in the United States.
Legislators may wish to consider adopting privacy and data protection regulations
specifically for drones. A regulation that identifies explicit privacy responsibilities when
using drones would provide consistency and certainty for drone operators, insurance com-
panies, courts and individuals. Such laws would set forth specific privacy principles and
requirements tailored to drone usage and mirror existing gold standards of data protec-
tion, such as the GDPR. For example, such laws should prescribe the adoption of data
retention procedures and procedural protections for accessing data.40
Additionally, it is contended that legislators should implement transparency and
accountability measures requiring drone operators to publish on a regular basis “usage
logs” which document the activities conducted by the drones and the information col-
lected during such activities. Privacy laws regulating drones could also allow legislators
to clarify what they mean by specific terminology and define what places should be enti-
tled to specific privacy protections. At the moment, conflicting laws and frameworks have
caused confusion in certain countries as to the types of activities that are prohibited and
the areas that are protected.41

Cyber risks
Drones are particularly vulnerable to cyber threats as a result of their dependency on
external wireless input channels, such as GPS, radiofrequency, radar, infrared and Wi-Fi
sensors to operate effectively. Like any internet-connected computer device or interconnected
computer system, the main security challenges are protecting the transmission of
information between authorised devices and preventing unauthorised users from accessing
systems.

39 Generally, see Drone Law and Policy (n 6) Chapter 9 Personal Injury, property damage, trespass and
nuisance, 167–182.
40 See, Gregory McNeal, “Drones and aerial surveillance: Considerations for legislatures, The Project on
Civilian Robotics Series,” Brookings, November 2014,
www.brookings.edu/research/drones-and-aerial-surveillance-considerations-for-legislatures/.
41 Drone Law (n 6) Chapter 10 Data Protection, privacy and big data, 183–212.

In most jurisdictions, the law does not comprehensively address cyber security issues
specific to the operation of drone technology. Around the world, governments and regula-
tors have typically absorbed the various registration, safety and air-flight navigation issues
posed by drone use into aviation laws. However, these laws generally fail to address the
cyber risks relevant to drone technology. They are often silent or vague on cyber risk
issues or leave it to privacy regulators to manage the risk through the lens of data privacy
protection.
However, data privacy risks and protecting personal data from unauthorised access/
disclosure/loss or misuse is only one aspect of the broader cyber risks associated with
drone usage. Further, privacy laws are mostly principle-based and technology neutral, and
do not comprehensively impose information security or systems integrity best practice
requirements and standards specific to drone technologies. They also tend to be limited in
scope, applying only to commercial operators and not individuals collecting data (drone
footage or audio) for personal or non-commercial use. In other words, the privacy laws
typically will not apply to recreational drone operators, leaving a gap in regulatory over-
sight of a large proportion of users. Privacy laws also apply practically to activities relat-
ing specifically to data handling, that is, collecting, holding or disclosing data.
Commonly, these laws will govern the activities of the drone operator or the customer
who engaged the drone operator, and not the drone manufacturer. The latter would instead
be primarily responsible for building security controls into the device or associated appli-
cations to guard against cyber-attacks. These oversight gaps need to be addressed if con-
fidence in burgeoning drone technology is to be maintained.
Moreover, it is important to recognise that privacy risk extends beyond the personal
data collected by the drone itself, such as audio/image/video footage and surveillance/tracking
data. Rather, drones should be viewed as part of a broader unmanned aerial system
(UAS) which includes the drone and other connected devices, including any subsequent
data processing activities undertaken on associated computer systems by the drone
operator. This concept has important implications for information security and cyber risk,
as it acknowledges the fuller picture of drone usage and the interconnectivity between
multiple systems in drone use, and the flow of data from one system to the next; that is, it
is not just the security of the drone itself that must be regulated but also the data collected,
transmitted and stored by associated computer systems.42
The hazards associated with drone operations are relatively novel and in turn
bring with them a degree of uncertainty. This is, among other reasons, a result of the
ever-evolving technology and capabilities of drones which make it difficult for insurance
underwriters to accurately assess the risk associated with an insured’s activity.43
Insurers providing products for new and evolving risks do face challenges in accessing
sufficient relevant data around emerging risks to enable accurate pricing. Nevertheless,
insurers have embraced the challenge to provide protection against future uncertainties
and uncertain loss. While the precise delineation and evaluation of risk may be a work in
progress, there is already a well-developed insurance market, described in the sections
below, providing cover for liability arising from the use of a drone.

42 Drone Law (n 6) Chapter 11 Cyber Risks, 213–251.
43 Tarr, Thompson and Tarr (n 7).

Insurers’ responses
General
The insurance industry initially adopted an approach to drone insurance using standard
aviation wordings on an annual basis, adapting those policies by removing coverages such
as passenger liability but effectively giving users a standard aviation policy at a dispro-
portionate cost of issuance.
While aviation insurance policies have been adapted to suit larger drone operations, the
recent growth of industries that have expanded their business activities to include some
drone operations, together with the proliferation of the recreational drone market and its
ongoing expansion, has led to the development of a range of further innovative insurance
solutions to meet that demand. In addition to providing add-on or write-back cover within
existing lines of insurance to encompass drone operations, insurers have responded by
developing bespoke policies and on-demand “pay-as-you-fly” products.
These approaches, and some specific examples, are considered in more detail below.44
The purpose is to illustrate the approach utilised by insurer underwriters to the unique
challenges presented by drones, rather than to examine the merits of each cover.

Write-back drone insurance cover


Drones are becoming more frequently used in particular industries, and for organisations
within those industries, cover is being developed and underwritten based on their existing
needs.
This is particularly the case in relation to small to medium enterprises where third-
party liability arising from drone applications is an ongoing risk—for example, in the real
estate and the entertainment industries, drones are being used more frequently around
residential premises and people.
Without drone insurance, small to medium enterprises face a potentially significant
uninsured liability exposure. Under a usual form of public and products or other liability
insurance policy, an insured entity obtains cover for personal injury or property damage
caused by an occurrence in connection with the insured’s business, subject to the policy’s
terms, conditions and exclusions. This cover generally excludes claims arising out of the
use of aircraft and/or drones specifically.
In this market, underwriters are now providing insurance cover through endorsements
which delete the exclusion in its entirety and write back insurance cover for drone opera-
tions. However, with regulatory oversight alone arguably insufficient for some insurers to
have confidence that risks associated with drone use are fully captured, further assurance
around the management and use of the drone operations within a particular environment
(for example, through a particular app or particular drone platform providing flight management
software and analytics, which encompasses things such as aviation compliance
and drone fleet management) may be the way forward in enabling insurers to have a more
readily usable data set to properly understand and underwrite a particular risk.

44 Any policy wordings considered in this chapter are, of course, subject to change, and subject to all of the
underwriting criteria, terms, conditions, exclusions and endorsements. Policy wordings have been considered
for illustrative purposes only.

Bespoke drone insurance


In the large commercial enterprise and professional drone operator space, there is now a
relatively broad range of insurance products which provide bespoke insurance cover for
drone operations on an annual basis, usually with a detailed underwriting submission
required from the insured.

First party
First-party insurance covers are, at first glance, similar to motor and other first-party prop-
erty policy wordings; however, there are some specific differences to take into account the
unique nature of drone operations which draw more from traditional aviation policy word-
ings. It is clear from the publicly available policy wordings that insurance underwriters
have attempted a deep dive into the drone industry, using both traditional wording from
other policies together with bespoke wording to produce workable solutions.
Insurance cover for first-party loss generally includes payment for replacement or
repair of the drone or damaged components of the drone while in flight, which is a key
risk given the nature of drone operations. Alternatively, payment by the insurer may be
made on the agreed value of the drone.
While this cover may appear to be similar to other standard forms of insurance, such
as motor or contents insurance, there are further key underwriting and policy wording
issues to be taken into account which require close reference to drone manufacturers’
specifications and the life expectancy of the drone and its components. The underwrit-
ing considerations in this respect, and the policy wordings which follow, are more akin
to those in an aviation policy. This is because the item that is insured (that is, the drone)
requires rigorous and consistent maintenance, similar to an aircraft, rather than an item
that requires less maintenance, for example, a motor vehicle or a static item within a home.
Cover may be prescribed to fall within particular boundaries relating to flights and/or
peripheral activities, and records or logs of flights and maintenance and spare items/acces-
sories may be required. Given the highly fluid nature of drone operations, these require-
ments are set out in some policies in detail.
Drones are obviously highly specialised and technical pieces of equipment. Some may
be easily damaged. Cover may also be provided for the drone and accessories while the
drone is in transit, on the ground (for example, where the drone is damaged by another
object), or while undertaking other activities peripheral to the operation of the drone.
Cover for fire, vandalism, theft and other perils may also be provided.
Cover may also be available for certain emergency costs in circumstances where a
drone has been forced to land or is at risk of damaging property or putting people in danger.
This is an example of a type of cover that has been specifically drafted or adapted to
suit the fluid nature and unique risks of drone operations.
As with most policy wordings for first-party property, there is a line between unintended,
insured damage and progressive or cumulative damage caused by wear and tear
or by any mechanical or software defect, failure or malfunction relating to the drone’s
use. There may also simply be deterioration due to age or use, or damage caused during
routine maintenance, inspection or repair. The usual first-party property
damage exclusions are included to take these issues into account. In short, the damage or
loss must be accidental.
Exclusions for progressive or cumulative damage have been adapted to take into
account the nature of drone operations and may include mechanical damage caused
by progressive or cumulative exposure (rather than a single incident) to corrosive substances
or other elements, and deterioration or ageing or lack of performance. Some
aspects of exclusions are written back if the drone’s maintenance complies with the
manufacturer’s specifications.
In relation to drones used for videography, damage caused by scratching, fogging or
misting of camera lenses or damage to the photographic film may be excluded unless arising
from a single accident or incident.
Finally, consequential or economic losses, and trading losses, may also be excluded.

Third-party liability
As set out above, the risks associated with drone operations are a combination of risks that
are known and understood, risks that are unique to drone operations, and risks that are
emerging. Cover for third-party liability arising from drone operations generally follows
standard forms of other public and product liability policy wordings, with some notable
differences to take into account the unique nature of drone-related risks.
Insuring clauses may provide that the insurer will cover bodily injury/accidental bodily
injury (including fatal injury), property damage/accidental property damage or other
third-party loss arising from the use of the drone. Invasion of privacy/privacy liability and
noise liability are other third-party covers that may also be provided.
The causal connection between the drone incident and the cover differs between policy
wordings and jurisdictions. Some of the causal links include “caused by” or “arising out
of” or must be linked to an “occurrence” as defined or arise out of the ownership or use
of the drone.
Reflecting regulatory requirements or developments in different jurisdictions or alternatively
on the basis of underwriting certainty, cover may be confined to use by appropriately
licenced or authorised operators or people piloting the drone or supporting the drone
operations. This may be included as it is required (i.e. is mandatory) from a regulatory
compliance perspective or may be included to provide some certainty to underwriters
about the experience or qualifications of the persons operating or supporting the use of
the drone.
Drones generally carry camera equipment, but more recent commercial developments
are likely to see more drones used for carrying payloads, which raise the risk of items or
objects falling from the drone causing injury or property damage. Specific bespoke covers
may be written into policies to cover these types of risks, where the damage or
injury is not caused by the drone itself but by a failure in its payload. Alternatively, these
risks may be excluded, depending upon the insurer’s risk appetite.
Finally, third-party cover may also take into account the vicarious contractual or legal
obligations that the insured may have to other parties where another party—for example,
an outsourced provider—is acting on the insured’s behalf.

The exclusions applicable to third-party liability may encompass the usual exclusions
relating to employer’s liability, including injury to employees of the insured during the course
of their employment, which would otherwise be covered by compulsory workers’ compensation
insurance, and damage to other property owned by or in the control of the insured.

Conditions
Conditions imposed on the insured vary significantly between jurisdictions, primarily
on the basis of differing local regulatory requirements. Obligations under bespoke drone
insurance policies may require the insured to use due diligence, comply with regulatory
and statutory requirements, comply with regulatory directives about maintenance and
inspection, keep maintenance records, maintain logbooks and flight records (in some
cases with caps placed on the annual flying time), only use licenced or trained or authorised
operators, and assess that the drone is airworthy prior to flights.

General exclusions
General exclusions contained in many bespoke drone policies (some of which may be
written back through purchasing additional covers) are the usual exclusions applicable
to liability policies, which include liability assumed under the contract, dishonesty, fraud
and known or prior facts and acts or circumstances, liability arising out of noise, pollution
or contamination, natural disasters and perils, criminal and civil fines and penalties, and
computer viruses.
There are also exclusions which relate specifically to drone risks, which include use at
air shows, air races or other heavily populated events, landing or taking off from a location
that does not comply with a manufacturer’s recommendations or specifications, operation of the
drone by an unauthorised person, and flying the drone outside the territorial or
specific geographical limits contained in the policy.

Other covers and extensions


Bespoke policies may also have extensions that address specific risks to which the drone
operator may be exposed. Some policies contain a broad range of additional covers—similar
to some management liability insurance policies—which enable an insured to choose
which covers to add. Covers differ from jurisdiction to jurisdiction.
The additional covers, many of which focus on business continuity, may include alternative
hire costs and recovery costs, cyber liability, including loss of assets and extortion,
electronic business interruption and some statutory liabilities.

MOONROCK DRONE INSURANCE—COMMERCIAL INSURANCE-RELATED CASE STUDY
Background on Moonrock Drone Insurance
Upon qualifying to be a registered UAV Pilot, Moonrock’s chief executive officer Simon
Ritterband sought to obtain insurance as would be expected. It was immediately apparent that
the insurance market for drones was wholly underdeveloped, with very few offerings, and very
user-unfriendly.

He created a team to vastly streamline and improve the process, with Paul Lisberg, bringing
business management experience, having spent years on the executive management team of
major global entertainment businesses, and Dominic Trigg, who has 20 years of experience running
an industry-leading insurance brokerage, to form Moonrock.
Moonrock offers the first instant purchase policies for drone pilots, eliminating the laborious
process of providing extensive information, and then having to wait for a call-back or email
response. Moonrock have also sought to provide policies that really deal with the concerns and
genuine risks for pilots. Their policy offers cover for cyber security and is the first to offer privacy
cover, which is one of the general public’s primary concerns about the growth of drones.

Commercial drone insurance


Over the previous 12 months, Moonrock has seen an exponential increase in the number of
requests to insure non-standard drone operations. These include BVLOS, heavy lift drones, swarm
displays etc. As such Moonrock has developed a facility specifically designed to cater for these
non-standard operations. To do this they had to look at a new way of pricing drone insurance.
Traditional approaches to underwriting risk are to primarily use historical data in combina-
tion with “exposure” analyses (in this case, number, duration, purpose, and direction of flights)
to form a base for calculating annual loss costs. However, no such database existed in relation to
large drone/non-standard operational flights. Moonrock was able to draw on its six-year record of
small commercial UAS usage (drones typically under 25kg maximum take-off mass (MTOM))
but intrinsically felt that wider data capture would be required on which to establish firmer, consistent
and logical assumptions.
Initial research within the UK environment surprisingly raised further challenges, in that
there was little coordination of data between the various regulatory and oversight stakeholders.
Indeed, the Australian Traffic Safety Bureau (ATSB) was recommended as the best nationally
coordinated incident database. By combining output from the two representative incident logs,
Moonrock was able to begin joining the dots. Interpolation of the results was felt to be
feasible, but extrapolation would require additional input.
After examination, Moonrock concluded that the key underwriting elements to be captured
would need to address the following main risks, namely:

• Ground risk/first party—theft, flood (natural catastrophe in general), fire, transportation,
accidental damage, security. This would encompass total physical damage at risk, individual
drone value at risk, and equipment/spare schedule;
• Air risk/first party—collision, loss, damage. This would encompass maximum exposure
per flight, maximum exposure in proximity, flightpath (proximity to water), hours flown,
redundancy of drone/usage, and swarm flight;
• Air risk/third party—overflight of assets, maximum take-off mass, payload risk, liability
limit at risk, time over water, route.

In addition to an assessment of these specific risks, generic data is needed in relation to:

• Risk management, age and make of UAS, UAS maximum range and endurance, hours
flown, UAS wing type, safety features, BVLOS exposure, take-off location, max flight
time, pilot experience/qualifications, UAS usage and loss record of client.

Having set their information needs, Moonrock could now weigh the various rating factors to
reflect what it felt to be the risks that each insured carried bearing in mind that the policy offered
is an annual policy rather than a “per flight/pay as you fly” module.

Concluding Moonrock case study comments


Moonrock will shortly be working with customers to input their regular flight data into their
own data systems which analyse historical drone activity and drone incidents. By categorising
and interpreting the data, Moonrock expects that it will be able to better understand trends and
patterns within the data that will be used to aid the pricing of insurance. This ultimately will
enable Moonrock to better price premiums and, in the not-too-distant future, produce automated
data-driven pricing.
Much work still needs to be done to create adequate exposure data, bearing in mind the
multifarious sources and sheer volume of the output that needs to be captured. Moonrock
now inputs data sets from a myriad of sources to set baseline models to work from.
Moonrock’s aim is to ultimately benefit end users and stakeholders alike by hopefully reducing
prices (by virtue of better risk management) and also honing policy conditions to focus better
on insuring fortuitous events rather than foreseeable, attritional incidents or unintended or even
unrequired coverage (which would have been priced into the composite cost).

On-demand drone insurance


In 2018, Flock (in conjunction with Allianz) launched the world’s first “pay-as-you-fly”
drone insurance product, providing hyper-personalised pricing for commercial drone
operators. It became the largest drone MGA in Europe, servicing over 3,500 customers.
However, as is noted in Chapter 3, in 2019 Flock decided to launch into a much larger
market than drones and have migrated their business to insurance for commercial motor
fleets to both capitalise on a larger economic opportunity and to fully realise their vision
of making the world quantifiably safer.
Nevertheless, there are numerous “pay-as-you-fly” insurance options available for commercial
and recreational drone owners and operators,45 and it is instructive to consider
some of the salient features of this insurance solution.
Advocates for on-demand drone insurance solutions state that no two drone pilots or
flights are the same, and neither are their risk profiles. Accordingly, it is argued that the
“one-size-fits-all” approach to pricing that many traditional insurers have adopted results
in limited or zero visibility into customer activity. As a result, a lack of consideration by
insurers of the risks taken at an individual customer level may result in safety-conscious
drone enterprises overpaying for their insurance. In this context, risk mitigation is neither
incentivised nor enabled by insurers.

45 See for example, Flycovered Drone Insurance “Pay-As-You-Fly commercial drone insurance,”
www.flycovered.com/drone/; James Jones, “Finally! Drone Insurance That is Flexible (and Affordable),” 20 May
2020, www.droneit.com.au/finally-drone-insurance-that-is-flexible-and-affordable.

It is argued that the introduction of “pay-as-you-go” insurance assists in better promoting
drone safety and ultimately will enable insurers to more accurately price drone risks
using big data.46 This is accomplished by accessing large amounts of information and data
from different sources, including weather data, building density and population density,
in a way which allows insurers to assess the risk posed by a certain drone in the sky.47
This, it is contended, allows for an unparalleled degree of precision when assessing and
pricing drone flight risks. Rather than treating all drone enterprises in the same way and
providing them with an annual policy price, an exposure-based pricing approach allows
for the risk of each and every flight undertaken by a drone fleet to be quantified and priced
individually. The result is a more accurate correlation between risk and price.
As well as more accurate pricing, an insurer with visibility into a drone pilot’s real-time
exposure is able to provide actionable insights at the precise moment they are required, for
example by encouraging them not to fly in the wind or rain. Insurers are then able to offer
more comprehensive “risk management” solutions, rather than just insurance policies.
These arguments and considerations were the genesis of the alternative “pay-as-you-fly”
approach to assessing and pricing drone insurance. By leveraging big data to intelligently
identify and quantify flight risks, the on-demand model endeavours to develop and
provide tailor-made policies based on individual risk profiles.
In contrast to traditional insurance pricing, “exposure-based” pricing considers risk
on a per-event (or in this case, on a per-flight) basis. By combining real-time data with
algorithmic risk assessments, it is possible to predict the likelihood (“probability”) of a
drone flight resulting in a crash, as well as the associated cost (“severity”) of that crash.
Multiplying the probability of a crash with its associated severity gives the “technical
insurance price” (or expected loss) of a single drone flight.
There are, and will be, many differences in approach and detail between different “pay-as-you-fly”
models, but the following dynamics likely will be common to most insurance
arrangements.
The cost of “pay-as-you-fly” cover is based on levels of exposure, which is assessed on
a per-flight basis.48 Commonly, drone users and operators will utilise an app “to enter their
flight details and receive a quote that changes depending on a number of factors, including
the time of day, location and flight conditions, in real time. It can be utilised by both commercial
and recreational drone operators.”49
Through the mobile app, commercial and recreational pilots are able to purchase customised
equipment and liability insurance on demand (lasting for a prescribed time
period, commonly from one to eight hours). The cost of cover is “exposure-based” as the
risk is assessed on a per-flight basis and determined by combining real-time data with
algorithmic risk assessments.50

46 Interview with Tom Chamberlain Allianz Global Corporate and Specialty IUA Developing Technology
Monitoring Group, “On-demand and Conquer: Is the future of insurance a pay as you go one?”
“IUA Publishes on demand insurance report,” 16 October 2019,
www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_on-demand_insurance_report.aspx?WebsiteKey=84dca912-b4fb-4a0f-a6e5-47ad899350aa
(hereafter IUA Chamberlain 2019).
47 Ibid 5.
48 Flock, “The Future of Insurance for Connected Drone Fleets” (Flock White Paper, 2019)
https://landing.flockcover.com/enterprise-whitepaper (hereafter Flock).
49 IUA Chamberlain 2019 (n 46).
50 Flock (n 48).

Risk mitigation and management may be strong benefits deriving from this insurance
process. For example, Flock’s analysis showed that on average, “pay-as-you-fly” pilots
will compare 15 different risk-dependent quotes before purchasing a policy (such as by
changing the date and time of flight or altering the flight plan). By comparing flight risk
metrics, pilots could identify when and where it was safest to fly. This resulted in a 4.5-point
reduction of the flight risk metric per flight flown, which helped pilots lower their
final quote price by 15%.
Accordingly, a transition towards exposure-based insurance potentially offers a range
of benefits for large drone enterprises. In particular:

• Risk mitigation is enabled and rewarded. This data-driven approach allows large
drone operators to understand the level of risk they are exposed to and make
changes to reduce risk, and insurance costs as a result. This could be everything
from identifying high-risk equipment to avoiding dangerous weather conditions
or identifying areas where pilots need additional training; and
• Revenues and insurance costs are aligned.

With an exposure-based insurance policy, flying more frequently (and thereby undertaking
a greater degree of in-flight risk) can result in a higher premium price. In quieter
periods, however, enterprises are less exposed to in-flight risk, paying lower premiums as
a result. This reduces the complexity of financial planning and stabilises an organisation’s
cash flow. This is particularly important in industries such as agriculture and wind farm
surveying where work is incredibly seasonal.

Home and contents cover


In relation to recreational operators of drones, the Australian Senate Inquiry Committee51
noted that the vast majority of recreational RPAS operators are unlikely to be insured to
cover damage or injury caused by devices under their control. Some operators will purchase
a specialised public liability product for the use of their drone and some others may
have recourse to third-party liability cover under their home and contents insurance where
damage caused by a drone occurs on the insured property.
The Insurance Information Institute52 comments that:
If a drone is damaged in an accident it is most likely covered under a homeowners or renters
insurance policy (subject to a deductible). The liability portion of a homeowners or renters
policy may provide coverage against lawsuits for bodily injury or property damage that a policyholder
causes to other people with a drone. It may also cover privacy issues—for example if
a drone inadvertently takes pictures or videotapes a neighbour who then sues the policyholder.
It will not cover any intentional invasion of privacy. The policy will cover theft of a drone.

Whether a home and contents policy will provide third-party cover for such damage will,
of course, depend on the wording of the policy. For example, some commonly available
home and contents policies contain express exclusions for legal liability arising out of an
accident involving a drone and most home and contents policies exclude cover where the
liability relates to commercial endeavour: that is, being used for business purposes.53 A
simple transaction such as a neighbour paying another neighbour to take photos of his/her
house could be assessed as business use and could void any insurance.

51 “Regulatory requirements that impact on the safe use of Remotely Piloted Aircraft Systems, Unmanned
Aerial Systems and associated systems,” 31 July 2018, para 4.21.
52 “Facts and Statistics: Aviation and Drones,” www.iii.org/fact-statistic/facts-statistics-aviation-and-drones.

Other exclusions in home and content policies such as an “aviation” or “aircraft exclusion,”
with a definition of aircraft included in the policy, or not,54 and exclusion of injuries
to family members, require any insured seeking to rely upon the terms of a home and
contents policy to examine that policy very closely. In discussing the importance of third-party
liability insurance in relation to drones, the Netherlands government stated:
Not all types of third-party liability insurance cover damage caused by drones. If your drone
causes damage to property or physical harm, the injured party can hold you liable. This is
why it is important to make sure that your third-party liability insurance covers drone-related
damage. Paying for damage caused to other people can be expensive.55

Similar advice is provided by the Swedish Aviation Authority which recommends that
homeowners secure third-party liability insurance since regular home insurance usually
does not cover damages caused by drones.56
Other personal, non-commercial insurance may also respond in certain circumstances.
For example, private health insurance and no-fault medical coverage policies may provide
no-fault medical coverage if someone is accidentally injured by the insured’s drone.
Moreover, comprehensive motor vehicle insurance may, depending upon the policy terms,
cover damage caused to the insured motor vehicle if a policyholder’s drone crash-lands
into his or her car.57

53 See for example Philadelphia Indemnity Insurance Company v. Hollycal Production Inc No. 5:18-cv-00768-PA-SP
(C.D. Cal. Dec. 7, 2018).
54 Aims, “Drones key issues for Insurance,” White Paper, January 2016, 7.
55 Despite the risks identified by the Government of Netherlands, there is no requirement to have drone
insurance to fly drones recreationally. See Rules for the recreational use of drones,
www.government.nl/topics/drone/rules-pertaining-to-recreational-use-of-drones.
56 Transport Styrelsen, “Drone-Unmanned Aircraft,” Transport Styrelsen, September 2020,
www.transportstyrelsen.se/en/aviation/Aircraft/drones--unmanned-aircraft/, “This recommendation is for drones
weighing less than 20 kgs—such cover is not a requirement for drones weighing less than 20 kg that are used
only for shows and recreation.”
57 See, for example, “Facts and Statistics: Aviation and Drones,” Insurance Information Institute,
www.iii.org/fact-statistic/facts-statistics-aviation-and-drones.

Mutual insurance
With emerging risks come new opportunities and potential for innovation. Recent commentary
and research on the growing use of drones have highlighted a number of emerging
and established markets which could be targeted by not only drone users themselves but
by the insurers covering such use. There is potential to develop one or more drone mutual
insurance schemes and/or specialised insurance products targeting particular markets and/or
areas of activity. Such mutuals or specialised products could command an early market
advantage with large corporates or government entities in a given sector where drone
usage is sophisticated and yet traditional underwriting is slow to embrace the new risk.
Such traditional underwriting is currently hampered as a consequence of the regulatory
environment significantly lagging behind the development of the technology and usage and
the fact that there are no currently recognised safety and operating standards against which
traditional underwriters can assess risk in a given sector.
Three examples of markets that could be targeted would be:
(a) “Drones within the commodities/resources sector” covering soft commodities
(crop spraying, harvest timing/quality optimisation, crop quality monitoring);
hard commodities (stockpile monitoring, mine shaft/tunnel inspection and transfers,
remote mine mapping, industrial espionage regarding stockpiles and release
of product to market, remote and hazardous locations deliveries, terrain and substrata
mapping, remote sampling); livestock (live export animal monitoring on
vessel, livestock marking and movement); fisheries (remote offshore species detection
for trawler shots and long lines, inter-fleet transfers);
(b) “Drones, local authorities and councils” covering the varied and growing exposures
of such bodies in relation to subdivisions (planning, design, drainage,
construction monitoring and compliance); illegal dumping (assessment, remote
monitoring, case evidence); roads (planning, design, dilapidation/condition studies,
traffic monitoring, car park design); parks and sports fields (planning, bike
paths, parking, light poles, amenities roof inspections, stadium inspections, irrigation
design); roof inspection (condition of roof sheeting/gutters/facades, solar
panel design/inspection/audits); waterways (flood level and hydrology studies, pollution,
weeds and vegetation analysis, erosion); coastal (sea-level rise assessment/planning,
seawall assessment/design, coastal erosion, cliff stability studies); geotechnical
(landslips, slope stability assessment); thermal (roof insulation assessment,
heat maps of leakage/inefficiency); and town planning (whole township
digital capture, LGA digital transformation);
(c) “Drones in the maritime and offshore oil and gas industries” providing cover
in relation to vessels (vessel hold inspections, autonomous vessels—blue water,
brown water and ports, ship to shore transfers, classification surveys, hazardous
goods carriage inspections, sulphur emissions testing by drones, “eye in the sky”
navigation); ports (autonomous tugs, autonomous vehicle systems management,
drone’s pilotage, container yard operations); and offshore (commissioning/decommissioning
accommodation vessel to rig transfers, rig topside and maintenance
surveys, saturation diving support, riser and pipeline inspections and maintenance,
oil spill detection and monitoring).

Compulsory third-party liability insurance


General
As noted above, injury to persons and property damage are very real concerns arising out
of the use of drones. If a person who sustains injury or property damage is to have a real
opportunity to pursue a damages claim against a drone pilot or operator, it is essential that
the person at fault is able to be identified and that the person at fault has the capacity to
satisfy any damages award or settlement.
Registration and licensing initiatives will make it easier for “on board” identification of
drone owners, pilots, or operators but in the absence of compulsory third-party insurance
there is no certainty that damages awards will be satisfied. This problem is compounded
where the drone is unlicensed and/or unregistered and the responsible party cannot be
identified in so-called “fly and run” incidents.
As discussed above, the rapid growth in the use and deployment of drones creates significant
challenges to regulators and the community at large—both practical and regulatory.
The issue as to whether third-party liability insurance should be required, or not,
fits very solidly within this “challenge” basket. In the sections below, this chapter briefly
outlines the current approaches taken to this issue in several jurisdictions and examines
the arguments for and against, with particular reference to a recent policy paper issued in
Australia.58
In the ICAO UAS Toolkit,59 described by ICAO as a helpful tool to assist states in realising
effective UAS operational guidance and safe domestic operations, chapter 2.8 states:
The operator shall have adequate insurance in the event of an incident or accident. Some
States require a minimum third-party liability insurance to be in effect for all UAS operations.

In many jurisdictions, compulsory insurance requirements are already in place. For example,
in the European Union, a commercial drone operator was required to have public
liability insurance to protect against legal liability for third-party property damage or
injury while using a drone.60 Regulation (EC) No 785/2004 required all commercial drone
operations to carry third-party liability insurance with the minimum third-party insurance
requirement being based on the mass of the aircraft on take-off. Recreational drone
operators using a drone with a weight above 20kg were not excluded from the requirement
for compulsory insurance and several member states had mandated third-party insurance
in relation to lighter drones.61 New drone regulations 2019/947 and 2019/945, effective
31 December 2020, adopt a risk-based approach with an emphasis on the type of drone
and the purpose for which it is being operated, rather than on whether the application is
commercial or non-commercial.
Until the commencement of the new EU drone regulations in the United Kingdom on
31 December 2020,62 anyone who wanted to fly a drone for commercial work in the United
Kingdom needed a “Permission for Commercial Operation” (PfCO) from the CAA. It was
a condition of each PfCO that the applicant/operator had appropriate insurance coverage
that met the requirements of Regulation (EC) No. 785/2004. Pilots with permissions for
aerial work (under the PfCO) were only required to have a public liability cover of a minimum
of £1 m. Simon Ritterband63 explains:
(T)his was to ensure that air carriers and air operators had a minimum level of cover to protect
the public. This was defined post 9/11 and far before drones would be considered as a risk on

58 Emerging Aviation Technologies Paper (n 21).


59 ​w ww​.icao​.int​/safety​/ UA ​/ UASToolkit​/ Pages​/ Narrative​-Regulat​ion​.aspx.
60 Regulation (EC) No 785/2004 of the European Parliament and of the Council of 21 April 2004 on insur-
ance requirements for air carriers and aircraft operators. The adequacy of insurance requirements has been
considered in the UK, see for example, “Drones Take Flight: Key Issues for Insurance, Emerging Risk Report,
Innovation Series” Lloyds, 2015, www​.lloyds​.com​/news​-and​-insights​/risk​-reports​/ library​/drones​-take​-flight/.
61 ​w ww​.easa​.europa​.eu​/faq​/1​16469.
62 As of June 2020, the CAA has said that “as part of the Brexit Treaty, the UK is required by international
law to implement any elements of EU regulation that come into force and become applicable within the (Brexit)
transition period (to 31 December 2020). Therefore, the new drone laws will become applicable within the UK
on Thursday, December 31, 2020.”
63 Ritterband, Moonrock (n 26).


the level that they are now. However, as the exponential growth of drones continues, there
becomes new needs to ensure the public are fully protected.

The adoption of new European Union Safety Agency regulations64 will bring different
considerations to bear to take into account the risk-based approach embraced by EU
Regulations 2019/947 and 2019/945.65 These Regulations, which set the framework for
the safe operation of drones in European skies (EU and EASA Member States), do not
distinguish between leisure or commercial activities and take into account the weight and
specifications of the drone and the operation it is intended to undertake.
As EASA66 explain:
EU Regulation 2019/947, which will be fully applicable from December 30, 2020, caters for
most types of operation and their levels of risk. It defines three categories of operations: the
“open”, “specific” and “certified” categories.
The “open” category addresses operations in the lower risk bracket, where safety is
ensured provided the drone operator complies with the relevant requirements for its intended
operation. This category is subdivided into three further subcategories called A1, A2 and A3.
Operational risks in the “open” category are considered low, and therefore no authorisation is
required before starting a flight.
The “specific” category covers riskier operations, where safety is ensured by the drone
operator obtaining an operational authorisation from the national competent authority before
starting the operation. To obtain the authorisation, the drone operator is required to conduct
a safety risk assessment, which will determine the requirements necessary for safe operation
of the drone(s).
In the “certified” category, the safety risk is so high that certification of the drone operator
and the aircraft is required to ensure safety, as well as the licensing of the remote pilot(s).

The recent changes to EASA Regulations will make the determination of the appropriate
level of cover and premium payable more complicated. In terms of commercial use at the
inception of the new Regulations, the majority of operations would fall into the “open”
and “specific” categories—although there will no longer be a distinction between the
regulation for commercial and non-commercial pilots. Given that all of the operations
outlined within the “open” category would already be covered by insurers, it presents
very few issues to the insurer adjusting to the new regulations. The “specific” category,
however, will provide far more scope to drone operators. Without fully understanding the
parameters for this category from the CAA it is difficult for insurers to provide a simple
solution. It is not possible for insurers to provide blanket approval for cover of specified
operations. Some of the activities that fall into the specified category will be exactly the
same activities that insurers already cover. In these cases, again, cover can be provided
rather easily and only presents a challenge with ensuring that operators have the appropriate
authorisations to complete these activities. The “new” activities are where data needs
to be gathered before insurers can comfortably provide cover without further investigation.
As time elapses, underwriters will gain clarity as to what activities are acceptable,
and a list of acceptable uses can be created. With time and experience, they will be able

64 EU Regulations 2019/947 and 2019/945. See also Commission Delegated Regulation (EU) 2020/1058
of 27 April 2020 amending Delegated Regulation (EU) 2019/945 as regards the introduction of two new
unmanned aircraft systems classes, www.easa.europa.eu/document-library/regulations/commission-delegated-regulation-eu-20201058.
65 www.easa.europa.eu/domains/civil-drones-rpas.
66 Ibid.


to have a better understanding of the activities and produce lists of acceptable and unacceptable
activities/risks. In essence, the new regulations allow a new set of activities that
can be undertaken by drone operators. Insurers must decide whether they want to provide
cover for these or not, and at what price.
Compulsory insurance requirements are also in place in Norway,67 Iceland,68 Costa
Rica, Trinidad and Tobago, Brazil, Chile, Colombia, Guyana, Uruguay, Kenya, Nigeria,
Rwanda, South Africa, United Arab Emirates, China, Hong Kong, Philippines, Thailand,
and Liechtenstein.69 Some brief examples follow.
Consider, for example, Hong Kong where the operation of drones is regulated by Hong
Kong’s Civil Aviation Department with the overarching regulation a HK drone operator
must observe being Article 48 of the Air Navigation (Hong Kong) Order (Cap. 448C).
Under this Order, there are no operator licensing and certification requirements if a drone
weighing less than 7 kg is operated for recreational purposes only. However, if the drone
weighs more than 7 kg or if the drone is operated for non-recreational purposes, the operator
has to submit an application for non-recreational flight to the HK CAD, and also submit
proof of operator ability. Drone operators and owners in Hong Kong can be civilly
liable for loss or damage caused to persons or property by a drone on a strict liability basis
under the Civil Aviation Ordinance.70 This means that the plaintiff is not required to prove
any fault on the part of the owner or operator. Given the existence of that strict liability
regime, the Hong Kong Civil Aviation Department requires proof of insurance for all non-recreational
operation of drones and for recreational operations where the drone weighs
more than 7 kg.71 Moreover, the Department has proposed that owners of aerial vehicles
over 250 g must purchase insurance for third-party liability for injuries and death with the
minimum coverage for vehicles between 250 g and 7 kg to be HK $5 million, while those
over 7 kg would require cover of HK $10 million.72
In 2019, Kenya declared the use of unmanned aircraft illegal and published a public
notice warning the public not to use drones or risk facing penalties. Kenya has since lifted
these restrictions, and the use of drones is now (subject to compliance with the regulations)
permissible in Kenya. The regulations set out mandatory insurance requirements
in respect of third-party risks, for the operation of drones unless dispensed with by the
regulatory authority based on the category in which the drone belongs.73

67 See section 18, Insurance, “The operator is responsible for ensuring that it has insurance cover for third-party
liability”; cf. Section 11-2 of the Aviation Act, https://luftfartstilsynet.no/en/drones/commercial-use-of-drones/about-dronesrpas/regulations-of-drones/.
68 See Icelandic Transport Authority, www.icetra.is/aviation/drones/frequently-asked-questions-faq.
69 Therese Jones, “International Commercial Drone Regulation and Drone Delivery Services,” Rand
Corporation, 2017, www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1718z3/RAND_RR1718z3.pdf.
70 Section 8(2), Civil Aviation Ordinance.
71 In China, commercial drones weighing over 250 g can only be flown with a business licence—to obtain
the licence the operator must be covered by insurance against liability for third parties on the surface. See,
“The Law Reviews,” The Aviation Law Review, Edition 8, August 2020, https://thelawreviews.co.uk/edition/the-aviation-law-review-edition-8/1229750/china
and Hogan Lovells, “China launches first operational
rules for civil unmanned aircraft,” 21 January 2016, www.hoganlovells.com/en/blogs/internet-of-things/china-launches-first-operational-rules-for-civil-unmanned-aircraft.
72 See Civil Aviation Department, www.cad.gov.hk/english/faq.html#uas.
73 See The Civil Aviation (Unmanned Aircraft Systems) Regulations, 2020, Kenya Subsidiary Legislation,
Section 40, https://kcaa.or.ke/node/493.


The operation of drones in South Africa is governed and regulated by the South African
Civil Aviation Authority (SACAA) via Part 101 of the Civil Aviation Regulations 2011.
Drones are required to be registered with the SACAA register, and owners are issued with
a certificate of registration74 by the director of SACAA. There are various approvals that
an operator is required to obtain, depending on whether the drone is being operated for
purposes of commercial, corporate, non-profit or private operations. “Private operations”
are defined as the use of a drone for an individual’s personal and private purposes where
there is no commercial outcome, interest or gain. An RPAS Operators Certificate (ROC) is
required for all drone operations, except private operations, and a ROC holder is required
to be adequately insured for third-party liability, with a minimum cover of 500,000 rand
per drone.75 The insurance requirement is necessary as a result of section 8 of the South
African Civil Aviation Act 2009, which imposes a strict liability regime for material damage
or loss caused by a drone. Any resulting damages may be recovered from the registered
owner of the drone without proof of negligence or intention or other cause of action.
Another jurisdiction with compulsory insurance is Brazil, where the National Civil
Aviation Agency requires insurance coverage for damage to third parties if the RPA has a
maximum take-off weight of greater than 250 g.76
Where countries have regulated for compulsory insurance when operating a drone,
some are even expressing concerns that minimum levels of insurance such as third-party
liability cover may not be enough if an accident, such as a “hit and fly,” occurs.77
The Federal Aviation Administration (FAA), the Civil Aviation Safety Authority
(CASA) and the Civil Aviation Authority (CAA) NZ do not presently require operators of
drones in the United States,78 Australia and New Zealand, respectively, to take out third-party
liability insurance, but such cover is strongly recommended. For example, CASA
does advise all commercial and recreational drone operators in its “Advisory Circular on
Remotely piloted aircraft systems—licensing and operations” that:79
CASA strongly recommends that operators discuss with an insurer the potential liability for
any damage to third parties resulting from RPAS operation [that is, drone operation] and consider
taking out suitable insurance.

CASA recommends that commercial operators of drones take out two kinds of insurance:
1. Third-party public liability insurance; and
2. First-party property insurance or UAV insurance (being a specialised insurance
product for unmanned aerial vehicles).
In addition, CASA may impose a condition on a licensed commercial drone operator to
obtain insurance as part of that operator’s risk management procedures. For example, it

74 Part 101.02.4(1) Civil Aviation Regulations 2011 (South Africa).


75 Regulation 101.04.12, Civil Aviation Regulations 2011 (South Africa).
76 See ANAC, National Civil Aviation Agency—Brazil, www.anac.gov.br/en/faq/drones/operations.
77 See, for example, the Insurance Regulatory and Development Authority of India, “Report on the Working
Group for Insurance of Remotely Piloted Aircraft,” 18 September 2020, www.irdai.gov.in/ADMINCMS/cms/Search_Results.aspx.
78 Note that state legislatures have varying requirements. For example, the state of Minnesota requires
a drone operator to have liability insurance up to US $100,000 per person and US $300,000 per accident. See
Minnesota Department of Transportation, www.dot.state.mn.us/aero/drones/index.html.
79 July 2018, para 4.8.10.1.


is likely such a condition would be imposed where the pilot seeks permission to operate
the drone for commercial purposes at night. In addition, commercial RPAS operators are
typically expected to have public liability coverage as part of state and territory business
obligations.80
In the case of New Zealand, it should be noted that its no-fault accident compensation
scheme (ACC scheme) governed by the Accident Compensation Act 2001 provides
compensatory cover for those who suffer a personal injury in New Zealand, regardless
of whether the injured party is a New Zealand citizen. The scheme also covers nervous
shock or mental injuries that occur as a result of a physical injury. The ACC scheme
bars proceedings being brought for damages arising directly or indirectly out of any personal
injury covered by the ACC scheme, either by the injured party or by the Accident
Compensation Corporation after it has paid compensation to the injured person. The operation
of drones in New Zealand is governed by parts 101 and 102 of the Civil Aviation
Rules, and failure to comply with these rules will generally be an offence under the Civil
Aviation (Offences) Regulations 2006. However, liability for injuries or damage caused
by drones is not governed by these regulations and will instead be governed by ordinary
principles of negligence. The application of New Zealand’s ACC scheme means that liability
for injuries caused by drones in New Zealand will be limited to damage arising out of
a mental injury not covered by the ACC scheme and exemplary damages. Accordingly,
owners and operators of drones in New Zealand are strongly encouraged, but not required,
to hold third-party liability insurance because such cover is
already provided to a significant extent by the ACC scheme.
From this brief survey, it is clear that there is a difference in opinion or approach in relation
to compulsory third-party liability insurance. This is not surprising. Inevitably there
will be significant variations in drone regulations and insurance requirements from country
to country as regulatory authorities struggle to adapt current and prospective laws to
new technology and to resource the regulation of this exponentially growing sector, with
each country having their own particular imperatives, social, economic and political.81

Compulsory third-party drone insurance or not?


In a recent paper entitled the “Emerging Aviation Technologies Paper,”82 the Department
of Infrastructure, Transport, Regional Development and Communications in Australia
makes the following comments in relation to drone insurance:
Most commercial drone operators make the business decision to hold insurance to cover for
any damage or injury caused as part of managing the risk of their operations. Recreational
users that are members of some drone organizations carry insurance as part of their membership.
The requirement to hold insurance is often a condition of engagement by organisations
procuring drone-based services. There are a range of models in other sectors where
third-party insurance has been mandated, such as for vehicles. However, it remains to be
seen whether this would be an appropriate mechanism for drones, especially considering the

80 Department of Industry, Innovation and Science, “Arrange insurance for your business,” 10 May 2016,
www.business.gov.au/info/run/insurance-and-workers-compensation/arrange-insurance-for-your-business.
81 Therese Jones, “International Commercial Drone Regulation and Drone Delivery Services,” Rand
Corporation, August 2017, www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1718z3/RAND_RR1718z3.pdf.
See this Report for a summary of the then current status of the regulatory environment
for drone delivery services.
82 Emerging Aviation Technologies Paper (n 21).


disparate risk profiles of operations across the drone sector. Aviation traditionally has operated
free from mandated compulsory third-party insurance for damage to property or injury,
although many industry operators hold insurance policies to cover a range of scenarios as a
part of their risk management processes. Any decision to implement an insurance scheme for
drone operators will need to be informed by relevant drone accident data, be proportionate to
the risk profile of operations, be consistent with a holistic approach to regulation and complement
the suite of various approaches available to manage risks and impacts from the use of
drones. International approaches have included an insurance service as an optional industry
developed UTM service.83

This laissez-faire approach is in direct contrast to the approach adopted in Europe and
other jurisdictions described above, and it can be forcefully argued that any national regulatory
policy in relation to drones must consider and address the issue of compulsory
third-party liability insurance as a vital dimension in managing the risks and impacts
associated with their use and deployment. The following arguments arise:
There is mounting evidence that injury to persons and property damage are very real
concerns arising out of the use of RPAS and that incidents of actual harm are increasing
rapidly.84
The Policy Issues Paper takes a very “wait and see” approach to ground risks by stating:
There is no single data set for determining the number of incidents occurring domestically
or internationally from drones involving ground risks. In Australia, there were 47 reported
terrain collisions from drones between January 2016 and June 2017. It is expected that most
recreational drone collisions with terrain would go unreported as there is no requirement to
report such an incident in many circumstances, particularly as these collisions do not significantly
impact safety in most cases. There is limited documentation of injuries in Australia
with most documented cases minor in nature. There have been no fatalities in Australia as a
result of a drone colliding with a person. With the exception of military uses, there is limited
documentation of any international fatalities from drone collisions. Risks to people on the
ground can be from a drone flying into a person, or the drone or debris from a drone falling
onto a person. These may have different consequences and require different mitigations which
could vary considerably based on the size and design of the drone.85

This statement, with respect, misses the point from an insurance perspective—the key
role of insurance is to protect against future uncertainties and uncertain loss. While the
precise delineation and evaluation of risk may be a work in progress, there is already a
well-developed insurance market, described above, providing cover for liability arising
from the use of a drone. Insurers providing products for new and evolving risks do face
challenges in accessing sufficient relevant data around emerging risks to enable accurate
pricing. However, these products do exist, and if a person who sustains injury or property
damage is to have a real opportunity to pursue a damages claim against a drone pilot
or operator, it is essential that the person at fault is able to be identified or alternative
recourse be available. Furthermore, the person at fault should have the capacity to satisfy
any damages award or settlement. A requirement to hold appropriate third-party liability
insurance should not, in these authors’ opinion, have to wait upon an indeterminate number
of future fatalities.

83 Emerging Aviation Technologies Paper (n 21) 25.


84 See Julie-Anne Tarr, Maurice Thompson and Anthony Tarr, “Regulation, Risk and Insurance of Drones:
An Urgent Global Accountability Imperative” (2019) Journal of Business Law 559.
85 Emerging Aviation Technologies Paper (n 21) 24–25.


Given the increasing sophistication of these aircraft, the veritable explosion in their
usage, their capacity to carry payloads and their ability to travel vast distances, the
potential for injury or damage resulting from drone operations is ever-increasing.86
Notwithstanding the assertions in the Policy Issues Paper, numerous examples of personal
injury and damage to property are already emerging through drone accidents.
Moreover, as discussed above, the increasing use of drones also gives rise to very real
privacy concerns. These privacy concerns encompass issues such as the unauthorised
collection of data and industrial espionage. Other real drone risks of a non-safety nature
include potential damages arising from private law claims (for example, such as trespass,
nuisance, and invasion of privacy) and possible damage to a company’s goodwill or reputation.
These are further liability risks that need to be addressed by insurance.
Accordingly, in the opinion of the authors of this chapter, a national policy that omits
a considered and effective implementation of compulsory liability insurance is ignoring
a vital dimension in managing the risks and impacts associated with the use and deployment
of drones and other emerging aviation technologies.

Implementation options
Where a decision is made to require third-party liability insurance, a potential implementation
option would be to replicate the regime, with necessary modifications and adjustments,
that generally applies in Australia, the United States and the UK in respect of
motor vehicles.
In Australia, for example, all jurisdictions have a range of statutes that supplement
or supplant liability based on the general principles of negligence in the aftermath of
road accidents. Compulsory Third Party (CTP) insurance schemes for personal injury and
National Injury Insurance Schemes (NIIS) are in place in all Australian jurisdictions to
provide lifetime care for catastrophic motor vehicle accident personal injuries.87 As Mark
Brady, Tania Leiman and Kieran Tranter explain:88
This approach to motor vehicle accident personal injury contrasts with claims for motor vehicle
accident property damage and other loss, where it has generally been left to the general
law of negligence to determine driver liability for claims brought in negligence.

Vehicles are required to have CTP insurance. In the event of a motor vehicle accident, this
insurance covers any compensation claims that may arise and the motor vehicle accident
victims are awarded compensation by the CTP insurer of the offending vehicle. Where the
vehicle involved in an accident cannot be identified or is on the road illegally without CTP
insurance, legislation across most Australian jurisdictions provides recourse for these victims
through a Nominal Defendant.89

86 Jacinta Long and Sarah Yao, Clyde & Co, “Drone Damage: What happens if a drone hits you?” Insight,
12 December 2017.
87 See for example, Transport Accident Act 1986 (Vic.); Motor Accident Insurance Act 1994 (Qld); Motor
Accidents Compensation Act 1999 (NSW); Lifetime Care and Support (Catastrophic Injuries) Act 2014 (ACT);
Motor Accidents (Lifetime Care and Support) Act 2016 (NSW); National Injury Insurance Scheme (Qld) Act
2016; and Motor Vehicle (Catastrophic Injuries) Act 2016 (WA).
88 “Automated Vehicles and Australian Personal Injury Compensation Schemes” (2017) 24 Torts Law
Journal 32, 36.
89 In the UK, the Motor Insurer’s Bureau compensates the victims of road accidents caused by uninsured
and untraced motorists. Various arrangements apply in the United States including states that maintain


For example, in Queensland, the Nominal Defendant is a statutory body established
under the Motor Accident Insurance Act 1994 (Qld) for the purpose of compensating people
who are injured as a result of the negligent driving of unidentified and/or uninsured
(no CTP insurance) motor vehicles. The Nominal Defendant operation is funded by a levy
within the CTP insurance premium with the levy being set on the basis of an actuarial
assessment of claim trends. With regard to claims involving uninsured motor vehicles, the
Nominal Defendant has the right to recover as a debt, the amount paid in settlement of the
claim from the owner or driver (or both) of the uninsured motor vehicle.
The South Australian privatisation model is particularly useful as an example of a
framework that could be replicated in the drone context. The role of government is to
mandate the CTP insurance, approve the standardised policy coverage and approve the
insurers authorised to offer the insurance product. The authorised insurers under this
competition model then compete on service, price and other policyholder benefits.90
The position is similar in the United Kingdom and the United States.91 For example,
pursuant to the Road Traffic Act 1988 (UK) motorists must carry third-party insurance
against liability for injuries to others and for damage to other person’s property, resulting
from the use of a vehicle on a public road or in other public places; similarly, in the United
States, most states require the vehicle owner to carry some minimum level of liability
insurance, with few exceptions, such as allowing alternative arrangements such as posting
cash bonds (New Hampshire and Mississippi) or paying an uninsured motor vehicle fee
to the State (Virginia).
In the European Union, pursuant to a 2009 motor insurance directive, all motor vehicles
in the European Union are required to be covered by compulsory third-party liability
insurance.92 The directive prescribes minimum third-party liability insurance cover in EU
countries and introduces a mechanism to compensate local victims of accidents caused
by vehicles from another EU country. It imposes an obligation upon member states to
create guarantee funds for the compensation of victims of accidents caused by uninsured
or untraceable vehicles. The Directive also harmonises cross-border claims settlement
and compensation procedures under Articles 19–27, for example, national compensation
bodies, claims representatives in other member states, a time limit to make a “reasoned
offer” and rules for national information centres to assist claimants seeking compensation.
However, civil liability determinations and calculations of awards remain at the discretion
of EU member states.
There are, of course, beyond the approaches described above, a diversity of legislative
responses globally to the compensation of third parties arising out of the use of motor
vehicles. For example, in South Africa, the Road Accident Fund (RAF) is a juristic person

unsatisfied judgment funds to provide compensation to those who cannot collect damages from an uninsured
or under-insured driver.
90 See, for example, Premier of South Australia, “Car rego costs driven down with lower CTP insurance
premiums in full competition,” 22 May 2019, https://premier.sa.gov.au/news/car-rego-costs-driven-down-with-lower-ctp-insurance-premiums-in-full-competition.
91 See also the third-party liability compensation schemes in Canada, Hong Kong, Hungary, Indonesia,
India, Italy, Norway, Romania, Russian Federation, Spain and the United Arab Emirates. This is not an exclusive
list.
92 Motor insurance—Directive 2009/103/EC relating to insurance against civil liability in respect of the
use of motor vehicles, and the enforcement of the obligation to insure against such liability.


established by an Act of Parliament,93 responsible for providing appropriate cover to all
road users within the borders of South Africa and for rehabilitating and compensating
persons injured as a result of motor vehicles. Contributions to the RAF are made by way
of a levy on fuel used for road transportation. Moreover, compensation funds are found in
other areas, such as compensating consumers in the case of insolvency of tour operators94
and to protect victims of terrorism95 or natural catastrophes.96
In the particular case of drones, it is suggested that an adaptation, with appropriate
modifications, of the relevant compulsory third-party motor vehicle scheme with associated
Nominal Defendant arrangements or of other accident compensation arrangements
could provide a tried and extensively tested pathway to resolving problems flowing from
unregistered and/or uninsured drones.

Concluding comments
The challenges in insuring drone use are particularly novel, not only due to the evolving
nature of the technology but also because of the unique factors to be considered as part of
risk assessment.97
The rapid development of drone technology obviously creates challenges for organisations
whose businesses are affected, and also for insurers who need to analyse, plan for
change and to some extent predict, the future risk landscape.
Insurance underwriting models generally use historical data to predict the future risk
landscape. However, drone technology is arguably moving too fast for this to be the only
tool that insurance underwriters utilise. There is, however, one key characteristic of
drones that will assist with underwriting drone risks in the future, which is data: Drones
produce a vast amount of real-time data that can be used to analyse risks as they arise.
The data that drones capture should make the task of underwriting drone insurance more
accurate, and as drone technology improves and the implementation of drones expands,
the data available for underwriting will also increase.
Artificial intelligence (AI) is a significant tool in helping insurers understand the risks
in the drone industry. Dr Ernest Earon comments:98
There are millions of drones operating routinely around the world. We don’t have the ability to
look back over a hundred plus years, as they do for traditional aviation, to help us understand

93 Road Accident Fund Act, 1996 (Act No. 56 of 1996).


94 See, for example, in the UK, Atol’s air travel trust fund (ATTF) is a tourism industry-funded safety
net which provides compensation to customers when tour operators become insolvent. It is funded by a small
per-passenger payment from licensed tour operators who book air travel, www.caa.co.uk/ATOL-protection/Air-travel-trust/About-the-Air-Travel-Trust/.
95 See, for example, in the United States, certain US persons who were injured in acts of international
state-sponsored terrorism can apply for compensation to the “US Victims of State Sponsored Terrorism Fund,”
www.usvsst.com/.
96 See, for example “The Norwegian National Scheme for Natural Damage Assistance,” which provides
compensation for damage caused by natural perils, in cases where there is no insurance cover available,
www.naturskade.no/en/the-norwegian-natural-perils-pool/.
97 Tarr, Thompson and Tarr (n 7).
98 Miriam McNabb, “The Connection Between AI and Drone Insurance—Why the Big Players in
Insurance are Believers [Deep Dive],” Drone Life, 30 April 2019, https://dronelife.com/2019/04/30/the-connection-between-ai-and-drone-insurance-why-the-big-players-in-insurance-are-believers-deep-dive/.
Dr Earon, who is quoted in the article, is chair of the data division of the FAA’s Unmanned Aircraft Safety Team, former
CTO and co-founder of Precision Hawk.


where the risks are. What we do have, though, is tremendously rich data sets that detail all
aspects of a drone’s operation, including components like batteries.
The information is there if you can extract it. This presents significant opportunities for
insurers to utilise the increasing data on drone use to create bespoke and innovative insurance
products. The challenge is the sheer volume of data, and the subtleties of the signals in that
data, or in other words to interpret the data in a way that accurately conveys the risks to the
insurer underwriting the drone operations. AI helps us see through all the noise and clutter
and variation of the data to see the underlying patterns, behaviors and yes, risks. It would
simply not be possible to do this otherwise.
Risk management and mitigation tools are crucial in helping emerging industries scale
and set new standards. AI is a critical component but it’s not the only one. A combination of
expertise in hardware, software, underwriting and machine learning will be crucial—serving
as drivers of growth for any business and industry impacted by this rapidly accelerating
digital wave.

Risk assessments from the perspective of an insurer are also made more difficult by the
fact that not all risks are entirely understood—even using big data. This is inherent in any
area of technology which is still developing, though the unique challenge applicable to
insuring drones is that the infancy of the technology does not limit the associated risks (it
simply means they are yet to be discovered). Notwithstanding this, clear areas of risk, such
as third-party damage, are emerging as the major considerations for insurers, and, with time,
a greater understanding of drone technology will allow insurers to underwrite these risks
with an even higher level of precision.
Diverse approaches are needed to meet demand in relation to the commercial, quasi-commercial
and recreational proliferation of drones, and to meet demand in industries
which have expanded their business activities to include drone operations. While exposure-based
on-demand insurance potentially offers a range of benefits for drone owners
and operators, a large market segment prefers policies on an annual basis, providing cover
even when the drone is not flying for a specific time period. For example, Moonrock’s customer
research found that its market segment that operated drones preferred annual insurance,
whereby they purchase a policy, file the documents and do not have to think about
insurance until a claim is necessary or renewal comes around.99 It also allowed
finance directors to attribute a fixed cost and budget accordingly. Moonrock commented
further that:
Pilots that entered into the commercial drone industry 2015/16 were made up predominantly
of model flying enthusiasts moving into the drone industry, aviation enthusiasts, and small
single operator pilots working in a small market (television and film productions). This was
shortly followed by the advancement of camera and LIDAR100 equipment that allowed surveying
and monitoring companies to utilise drones for their requirements.

99 Ritterband, Moonrock (n 26).
100 Lidar (Light Detection and Ranging) is a method for measuring distances by illuminating the target
with laser light and measuring the reflection with a sensor. Differences in laser return times and wavelengths
can then be used to make digital 3D representations of the target. It has terrestrial, airborne and mobile
applications. See, for example, National Oceanic and Atmospheric Administration, “What is Lidar?,” 2020,
https://oceanservice.noaa.gov/facts/lidar.html.

Moonrock, more recently, has seen a shift in their business due to a consolidation of the
market, with far more enterprise businesses taking advantage of drones in-house, including
bespoke training for pilots specifically for their business needs (wind farm inspection,
agriculture and other commercial enterprises). This has allowed Moonrock’s underwriters
to create far more bespoke policies taking into account the levels of risk they may
face. The blanket one-policy-fits-all approach is becoming less and less a feature of today’s
insurers in the drone industry.101
In conclusion, it should be noted that in relation to autonomous vehicles, automated
vehicles or driverless cars, the Automated and Electric Vehicles Act 2018 (UK) extends
compulsory motor vehicle insurance to cover the use of automated vehicles in automated
mode. As such, any victim(s) (including the “driver”) of an accident caused by a fault
in the automated vehicle itself is covered by the compulsory insurance in place on the
vehicle. The insurer is initially liable to pay compensation to any victim, including to
the driver who legitimately handed over control of the vehicle. The insurer then has
the right to recover costs from the liable party under existing common law and product
liability law.102
When considering drones (that is, automated aerial vehicles) it is not, therefore, too
much of a stretch to contemplate that they should be treated similarly to the proposed
treatment of automated vehicles, especially when the drone is an aerial taxi or aerial deliv-
ery vehicle operating in a high-density population area. It is, therefore, not unreasonable
that the operator of such a drone should carry appropriate and adequate liability insurance
to ensure that members of the public have recourse to compensation for death, injury or
property damage.
The implementation of a compulsory CTP insurance regime in relation to commercial
drone operations would resonate with the broader community interest, especially where
personal safety is concerned.
It should also be noted that the benefits of public liability insurance cover extend far
beyond individual compensation. Coupled with a robust registration regime, operators
with insurance cover would become more visible, accountable and traceable in the case
of an accident or incident. According to one submission to the Australian Senate Inquiry
Committee,103 the possession of an operator’s certificate and the associated insurance policy
for a business regularly acts as a deterrent for unsafe flights. In contrast, amateur or
recreational operators who have “no skin in the game” may be more inclined to illegally
take on jobs or unsafe operations as “they will most likely lose nothing but the fee they
got for the job anyway.”104
Finally, in relation to drones, as is the case with motor vehicles, workplaces and a myriad
of other circumstances, a “prevention better than cure” approach to reduce and/or
mitigate accidents is essential. Using social media and newsletters to inform and educate
consumers to reduce risk and improve flying is gaining global traction; for example, in
relation to battery failures of particular drones105 and general safety tips and reminders
and updates regarding drone laws.106 Similarly, insurers, by sharing information with the
regulator as to particular types of claims emerging or particular geographical areas where
there are a higher number of accidents, will facilitate more targeted education and other
strategies to reduce risk and accidents.

101 Ritterband, Moonrock (n 26).
102 “Commentary on provisions of Bill/Act” (2018) www.legislation.gov.uk/ukpga/2018/18/notes/division/6/index.htm.
103 Mr Ashley Fairfield, “Submission 51,” p 2 in the Australian Senate Inquiry Committee, this submission
was referred to in the Parliament of Australia, Senate Standing Committee on Rural and Regional Affairs
and Transport, “Regulatory requirements that impact on the safe use of Remotely Piloted Aircraft Systems,
Unmanned Aerial Systems and associated systems,” 31 July 2018, para 4.22,
www.aph.gov.au/Parliamentary_Business/Committees/Senate/Rural_and_Regional_Affairs_and_Transport/Drones/Report.
104 Ibid.

105 “DJI and CAA Issue Battery Warning for Pilots Flying Matrice 200 and Inspire 2 Drones,” DroneLife,
https://dronelife.com/2018/11/01/dji-battery-warnings-matrice-200-inspire-2/;
“Battery lost power in mid flight” https://autelpilots.com/threads/battery-lost-power-in-mid-flight.10375/.
106 See Civil Aviation Authority, “News for remote pilots—latest updates on drone issues,” New Acceptable
Means of Compliance and Guidance Material (AMC/GM) to UK Reg (EU) 2019/947, 7 December 2022,
www.caa.co.uk/drones/updates-and-publications/news-for-drone-and-remote-pilot-operators/.

Chapter 10

The Rise of Fintech

Liability and Insurance

Karen Boto, Georgia Amos, John Moran, Jennifer Robbins and Jordan Welden-Iley1

CONTENTS
Introduction
Part 1
What is fintech?
Types of fintech companies
Fintech in the UK
Current landscape
Drivers for growth in the UK
The financial crisis
Funding
Open banking
Big Tech
Fintech Regulation and market initiatives in the UK
Regulation in the UK
Risk and compliance
Market initiatives
Fintech in Australia
Current landscape
Embedded finance/fintech
Open banking
Decentralised finance
Payments
Middle-and-back-office solutions
Buy-now-pay-later
Digital native banks
Regulatory environment
The future landscape for fintech
Part 2
Fintech exposures
Regulatory issues
Investor claims
Intellectual property (IP) infringement/employment disputes
Professional liability, breach of contract and technology failures
Automated decision-making and algorithmic discrimination
Cyber-attack/data/crime
Business interruption/reputational risks
Managerial liability/directors’ and officers’ claims
Insurance for fintechs

1 The authors acknowledge and express their appreciation for the contributions to this chapter by Sharaf
Al Hijazin and Kaya Wong.

DOI: 10.4324/9781003319054-10


Introduction
Over the past decade or so, the rise of financial technology, “fintech” for short, has had a
profound impact across the globe. This journey began with fintech start-ups disrupting the
traditional banking sector by creating innovative financial products and delivering them
digitally, almost instantaneously and for a fraction of the cost. Indeed, while fintech has
frequently been described as a struggle between incumbent financial institutions and new
start-ups, this is no longer the case, and the reality is more complicated.
In the wider context, fintech has driven significant and widespread innovation and may
be more appropriately viewed as a key step on the digital transformation journey of the
financial services industry more generally. Put another way:
Fintech is not a niche within financial services. Nor is it a sub-sector. It is a permanent, tech-
nological revolution, that is changing the way we do finance.2
In this way, it is apparent that fintech businesses are now part of the way that incumbent
financial institutions participate in the financial services sector but also how regulators
monitor the financial services industry, consumers engage with the sector and companies
compete in the global financial sector.
One of the main reasons the fintech sector has grown so rapidly, across multiple regions,
is due to its diversity and the opportunities it creates for financial inclusion. Fintechs
are now providing novel ways of doing business in every branch of finance imaginable,
often leveraging breakthrough technologies. This proliferation of new technologies has
re-shaped existing marketplaces, offering consumers and businesses new modes of under-
taking traditional financial activities, even creating new marketplaces in certain instances.
The first part of this chapter looks at the rise of fintech in more detail and the jurisdic-
tions making their mark as global fintech leaders. It also provides an overview of the ini-
tiatives that are being deployed to support industry innovation in these regions. However,
despite the fintech sector attracting billions in investment globally each year, some new
and existing businesses involved in the industry are still struggling to find comprehensive
insurance cover, particularly those operating in the cryptocurrency sphere. Therefore, this
chapter will briefly consider the cryptocurrency sphere.
The benefits that fintechs offer are matched with new and often complex risks. The
second part of this chapter considers these risks and the new opportunities they have cre-
ated in the insurance space. The unique set of risks faced by fintech businesses has led
to the development of purpose-built fintech policies and the emergence of a new class of
insurance. This chapter will provide an insight into the insurance solutions typically being
made available to fintechs and the underwriting challenges they pose.

2 Ron Kalifa, The Kalifa Review on the UK Fintech Sector, HM Treasury, 16 April 2021,
www.gov.uk/government/publications/the-kalifa-review-of-uk-fintech (hereafter Kalifa Review).
3 Deutsche Bundesbank, “Fintech—technology-enabled financial innovation,”
www.bundesbank.de/en/tasks/banking-supervision/individual-aspects/fintechs/fintech-technology-enabled-financial-innovation-622840#.

Part 1
What is fintech?
“Fintech” is a portmanteau of “financial technology.”3 It is the innovative use of technology
in the design and delivery of financial products and services. It is used to describe
the actual technologies and processes being deployed, to streamline, digitise and enhance
traditional financial services.
Alternatively, “fintech” can be used as a more general reference to the sector as a
whole or more specifically as a reference to the new companies, usually start-ups, that
are emerging within multiple branches of the financial industry. These start-ups typically
utilise some form of novel technology to create and provide innovative financial products
and services to their ever-growing consumer base.4
Broadly speaking there are two distinct types of fintech companies. Firstly, there are
those that are working with financial services firms, to provide innovative financial offer-
ings, which allow for greater efficiency and speed in their existing products or processes—
known as “enablers.” While the incumbent financial institutions initially operated at a
slower pace, when embracing technological advancement, often due to compatibility
issues with their legacy IT systems and infrastructure, they are now fully cognisant of the
need to incorporate new innovative technologies, or modify or enhance existing technolo-
gies with additional developments, to remain competitive.
Secondly, there are those companies that provide novel and more radical technology-
powered financial services offerings for certain activities—known as the “disruptors.”
These companies are seeking to change the capabilities, business operations and/or busi-
ness models of the incumbents. The disruptors are constantly seeking to change the way
consumers access and manage their finances by establishing new products and services.
They are even creating new marketplaces, often without reliance on any existing incum-
bents’ process or value chain.
The initial focus of many fintechs was to allow the 1.7 billion unbanked adults5 to par-
ticipate in financial services globally, without the need for a bank account, in a way that
facilitates development. Now, their focus is no longer just on this demographic. Fintechs
are attracting a much wider consumer base as societies are becoming more willing to
embrace digitalisation, which has been afforded by the growth in internet and mobile
device access globally, and more recently as a direct result of the COVID-19 pandemic.
Some key statistics indicating this trend are as follows:

• Worldwide account ownership increased by 50% in the 10 years spanning 2011 to
2021, to reach 76% of the global adult population;
• From 2017 to 2021, the average rate of account ownership in developing economies
increased by 8% from 63% to 71%;
• The key drivers of high-tech solutions and alternative payment methods are the
levels of internet access (approximately 57% of the global population—4.388
billion) and mobile device access (approximately 67% of the global population—5.112
billion);6 and
• In Africa alone, there are 444 million mobile users, which enables individuals to
use e-wallets; mobile money is therefore driving growth in account ownership,
particularly in Sub-Saharan Africa, where 33% of adults have a mobile money
account,7 which is linked to a user’s mobile phone account that they can top up
with cash and use to buy goods and services online.

4 “Financial Technology (Fintech): Its Uses and Impact on Our Lives,” Investopedia.com,
www.investopedia.com/terms/f/fintech.asp.
5 John McKenna, “Where adults lack access to a bank account,” World Economic Forum, 22 June 2018,
www.weforum.org/agenda/2018/06/chart-of-the-day-where-adults-lack-access-to-a-bank-account/.
6 Simon Kemp, “Digital in 2019: Global Internet Use Accelerates,” We Are Social, 31 January 2019,
https://wearesocial.com/uk/blog/2019/01/digital-in-2019-global-internet-use-accelerates/.

Taking the developments outlined above together, formal bank account ownership is only
one key measure for the progression of financial products and services and financial inclu-
sion. As foreshadowed by the e-wallet statistics for Africa above, in the course of 2021,
Worldpay reported that 75% of all e-commerce purchases would be paid for via local pay-
ment methods rather than traditional debit and credit-based payment methods (for which
the UK is one of the highest users).8 Local payment methods, including bank transfers,
e-wallets, cash-based payments and local cards have now shifted to be recognised as the
norm for most of the world rather than as alternative payment methods.
Indeed, the COVID-19 pandemic accelerated the two concurrent trends of digital finan-
cial services adoption and the global fall in the unbanked adult population. While these
trends have created new opportunities for the fintech sector during, and following, the
COVID-19 pandemic, this has also increased the prioritisation of fintech amongst global
financial regulators and policy makers alike.
In terms of new opportunities for the fintech sector, the COVID-19 pandemic high-
lighted the requirement for reducing coronavirus risks associated with exchanging phys-
ical bank notes and coins, helping micro, small and medium enterprises (MSMEs) to
engage in the economy digitally and supporting financial inclusion in developing markets.
According to the Global FinTech Regulatory Rapid Assessment Study, conducted by the
Cambridge Centre for Alternative Finance (CCAF) and the World Bank, digital payments
and remittances displayed a 50% increase in advanced economies and a 65% increase in
emerging markets and developing economies since the outbreak of the pandemic.9
In all, it is undeniable that the pandemic catalysed the proliferation of fintechs in certain
areas of the economy and has now equally presented challenges that regulators need to
address promptly, and in novel ways, to ensure the approach adopted to the fintech sector
in the long term is appropriate for all involved stakeholders.

7 “Global Findex Database 2021 survey headline findings on account ownership,” The World Bank, 15
June 2021, www.worldbank.org/en/publication/globalfindex/brief/the-global-findex-database-2021-chapter-1-ownership-of-accounts.
8 Ibid.
9 Philip Rowan et al, “2020 Global COVID-19 FinTech Regulatory Rapid Assessment Study,” CCAF
publications, World Bank Group and University of Cambridge Judge Business School,
www.jbs.cam.ac.uk/faculty-research/centres/alternative-finance/publications/2020-global-covid-19-fintech-regulatory-rapid-assessment-study/.
10 “Number of fintech startups worldwide from 2018 to 2021, by region,” Statista,
www.statista.com/statistics/893954/number-fintech-startups-by-region/.

Types of fintech companies

The volume of companies entering the global fintech sector remains high and interest in
the fintech industry continues to grow year on year across the world.
According to Statista,10 as of November 2021, there were 10,755 fintech start-ups in the
Americas, making it the region with the most fintech start-ups globally. In comparison,
there were 9,323 such start-ups in the EMEA region (Europe, the Middle East and Africa)
and 6,268 in the Asia-Pacific region. In total this means that as of late 2021, there were
over 25,000 fintechs across the world.
As a result of the depth and breadth of the fintech ecosystem, the companies entering these
spaces do vary widely. Broadly speaking, the ecosystem covers a wide range of financial
business lines, including payment processing, corporate and retail banking, insurance, capi-
tal markets, lending, and wealth management. It is an ecosystem that is rapidly evolving.
In October 2022, CB Insights Research published its annual list of the 250 “most prom-
ising private fintech companies” globally.11 The winners of 2022 were selected from a
pool of 12,500 private companies and were selected based on a mosaic of factors. The
top 250 of 2022 span multiple sub-sectors in the fintech ecosystem, with the greatest
concentration of winners in the following areas: Payments processing and networks, cryp-
tocurrency, insurance, core banking and infrastructure, and retail investing and wealth
management. The 2022 cohort also spans 33 different countries by headquarters locations,
with the highest concentrations in the United States (53%), the UK (12%), India (6%),
Brazil (4%) and Germany (3%).
Of the 2022 winners, CB Insights highlights that 64% are repeat winners and 36% are
new winners, representing the fewest new entrants since the Fintech 250 began. While
there are multiple reasons for this trend, a key factor is that fintechs are staying private
for longer, rather than exiting quickly via an initial public offering (IPO) or merger and
acquisition (M&A) (which would cost them their eligibility for the CB Insights list),
especially amid the market turmoil of 2022.
Given the diverse range of companies entering the fintech ecosystem, the propositions
on offer all naturally differ from company to company. These fintechs are, however, all
typically leveraging innovative technologies, such as drones, machine learning or artifi-
cial intelligence (AI), blockchain, robotics, cloud computing, big data, virtual reality and
biometrics (in addition to other technologies) to support their products and/or services.
These novel offerings are made available online or, more commonly, via a smart phone or
tablet. They can include digital banking, payment apps, financial planning tools, robo-advis-
ers, crowdfunding and lending platforms through to digital wallets and crypto assets (includ-
ing cryptocurrencies and other digital tokens) as well as associated custodians and exchanges.
For additional context, some key success stories from around the globe at the time of
writing this chapter include:

11 “The Fintech 250: The most promising fintech companies of 2022,” CB Insights Research, 4 October
2022, www.cbinsights.com/research/report/top-fintech-startups-2022/.
12 www.oaknorth.com/.

OakNorth12—A tech-led challenger bank, whose target market has been a customer
segment typically underserved by commercial banks. OakNorth’s services include
a white label platform as a service proposition used to deploy OakNorth’s credit
analysis and underwriting expertise with machine learning to enable credit papers
to be collated in days rather than weeks. The platform then enables proactive
monitoring of the financial and operational data of every borrower in the bank’s
portfolio, flagging up any potential issues to assist in reducing the likelihood of an
overdue payment or default in the future. As with a large number of new fintechs,
OakNorth has been focused on disruption for good, with the loans provided by
OakNorth having directly assisted with the creation of over 10,000 new homes, of
which 9,000 are affordable homes and social housing units, in addition to 11,000
new jobs in the UK.13
Klarna14—The Swedish fintech company was founded in 2005 and enables customers
to “buy now, pay later” by opting to split the price into four biweekly interest-free
payments, pay in 30 days, or choose a monthly payment plan with a term up to
36 months, carrying an APR of between 0% and 24.99%. The Klarna model works
in such a way that it may get paid twice: (i) firstly by the retailer that pays merchant
and interchange fees; and (ii) secondly by the consumer if they pay fees on
the loans. Klarna positions itself within the market as a safer credit option than traditional
credit cards, as a payment option for consumers that want to buy without
building an ever-larger pile of high-interest revolving debt.
Coinbase15—Coinbase is known as one of the largest crypto exchanges by trading volume
in the US and has seen prolific growth since it was founded in 2012. Coinbase’s success
was predominantly attributed to its ability to allow users to build their own cryptocurrency
wallets and use their bank accounts to buy and sell cryptocurrency, as well as
providing a range of merchant payment processing systems and tools.

It is clear from the current breadth of successful fintechs within the global market that
keeping up with the pace of innovation and ever-increasing customer expectations, while
meeting complex regulatory requirements, will require all financial services firms, includ-
ing fintechs, to remain agile and put in place strong corporate governance procedures. For
example, fintechs that launched to provide one solution to their chosen customer base are
swiftly diversifying to provide multiple services to customers to remain profitable and
relevant, and to successfully expand their operational footprint into multiple jurisdictions.

13 Lawrence Wintermeyer, “OakNorth Is Europe’s Most Valuable Fintech And In Profit: A Rare Breed
Of Fintech Unicorn,” Forbes, 4 April 2019, www.cbinsights.com/research/report/top-fintech-startups-2022/.
14 www.klarna.com/au/.
15 www.coinbase.com/.
16 “The UK FinTech landscape,” Deloitte UK,
www2.deloitte.com/uk/en/pages/financial-services/articles/uk-fintech-landscape.html (hereafter Deloitte).

Fintech in the UK
Current landscape
Over recent years, the UK has emerged as a leading global centre for financial innovation,
being recently ranked as the second highest fintech ecosystem globally.16
Indeed, during the last decade, the UK has undergone a fintech revolution, with the
fintech sector becoming one of the fastest-growing sectors, experiencing substantial
year-on-year growth. Prior to this revolution, it may have taken days/weeks to open a current
account, which would involve on-paper verification. Fast forward ten years, and it is now
possible to open a current account safely and securely entirely through the app of a
challenger bank within minutes.
This fintech revolution has also led to the proliferation of choice for small and medium-sized
enterprises (SMEs) and not just for individuals. For example, SMEs now have digital
access to a multitude of lenders that leverage machine learning and AI, enhanced data
analytics and other fintech tools to provide immediate loan and refinancing decisions
based on informed risk analysis.
Some key takeaways from the UK fintech market of 2021 are as follows:

• The fintech sector has observed an annualised growth rate of 16% versus the
annualised growth rate of 1.3% for SMEs over the past ten years;
• For the UK, while London has developed as a superhub of fintech activity, the
UK has also observed nine additional high-growth fintech clusters that are grow-
ing at increased rates;
• The UK continues to create global category-defining fintechs and has strengths
across the board, particularly in wealthtech and payments;
• There are approximately 2,500 fintechs in the UK, with key acceleration between
2011–2016 where the number of fintechs increased up to 21% year on year.
Although there have been signs of slowing since then, there has still been plenty
of activity;
• The UK fintech landscape has proliferated in 23 different specialisms, which
can be aggregated into eight broad categories—banking (13%), regtech (10%),
insurtech (6%), lending (13%), payments (19%), wealthtech (37%), quote aggre-
gators and accounting (4%), business banking (8%);
• The UK overall has clear strengths in wealthtech (including personal financial
management and cryptocurrencies) and payment technology, as this accounts for
more than 50% of all UK fintechs.17

Despite this burgeoning market, according to KPMG,18 investment in this sector has
slowed during 2022. Total investment in the UK fintech market dropped to £8.1 billion
in the first half of 2022, which was down almost threefold from £23.4 billion in the same
period in 2021. It is therefore apparent that the investment levels in the market are signifi-
cantly subdued when compared with the 217% year-on-year growth of the sector between
the first half of 2020 and the first half of 2021.19
However, market observers consider that 2021 was always going to be a difficult year to
follow for fintech, which saw several large deals and huge rounds of funding. Furthermore,
although 2022 started off positively, the level of investment decreased significantly due to
several unforeseen events, such as the Russia–Ukraine conflict, macroeconomic factors
and concerns about a potential global recession looming. The fintech sector is also cer-
tainly not alone; these factors have subdued investments across the board more generally.
Notwithstanding the notable reduction in year-on-year growth between 2021 and 2022,
the levels of investment in the UK fintech market remained higher than the levels in the
first half of 2020 and 2019. Accordingly, the investment decline between 2021 and 2022 is
not as significant when compared to these preceding years and when the outlier deals of
2021 are removed from the statistics.

17 Deloitte (n 16).
18 “UK fintech investment drops to £8.1 billion in H1 2022—down 65 percent in a year,” KPMG,
https://home.kpmg/uk/en/home/insights/2022/08/pulse-of-fintech.html (hereafter KPMG).
19 Veronica Glab, “2022 Summer Investment Report,” Innovate Finance, 2022,
www.innovatefinance.com/capital/2022-summer-investment-report/#:~:text=In%20the%20first%20half%20of%202022%20total%20capital,second%20globally%20in%20FinTech%20investment%2C%20behind%20the%20US.

Drivers for growth in the UK


The UK’s emergence as a global fintech leader is perhaps not particularly surprising. It is
indisputable that the UK has long been recognised for its world-leading reputation in the
financial services field, which is undoubtedly the foundation of the UK’s success in the
fintech sector. There are, however, several additional factors which have assisted the UK’s
fintech journey to date, which are considered briefly below.

The financial crisis


In the wake of the global financial crisis in 2008, the tightening of regulatory frameworks
worldwide stimulated the growth of the fintech sector. In a bid to improve the safety
and soundness of the global financial system, regulators imposed increased burdens on
incumbent financial institutions. While existing financial services firms therefore devoted
critical time and resources to ensuring that they were meeting the newly required risk and
compliance initiatives, innovation became less of a priority. In parallel, the UK regula-
tor, the Financial Conduct Authority (FCA), actively encouraged competition from non-
traditional financial players, in a further bid to enhance market integrity.
Consequently, the financial crisis provided disrupting fintechs with an obvious gap to
fill. Specifically, fintechs were afforded the opportunity to present alternative financial
support and services to the market at a time when a large proportion of consumers had lost
trust in the existing financial institutions and the broader global banking system.
The proliferation of new fintech entrants, following the financial crisis, led to an erosion
of the monopolisation that the traditional financial institutions had long held. Fintechs
provided consumers with choice and transparency when selecting from a market of competitive
services and product offerings, ultimately improving the consumer experience.

Funding
The long period of low interest rates that followed the global financial crisis resulted in a
protracted low-yield environment. This fuelled investment in alternative asset classes
such as venture capital. Combined with the regulatory factors mentioned above, this has meant
that fintechs have enjoyed overwhelmingly strong funding support. Indeed, over the past decade
or so, fintechs have continued to obtain steady funding from various sources, including
private equity firms, angels and large corporates.
There has also been unwavering support, typically for early-stage fintechs, from a growing
number of accelerators and incubators since 2008, consistently to 2021. For the more advanced
fintechs, significant funding has been generated by their exits through M&A deals.
Indeed, while funding from traditional financial institutions has been introduced to the
fintech sector at a slower pace, as discussed at the outset of this chapter, the incumbents
no longer typically view fintechs as a threat and they are not standing still. They are more
frequently recognising the need to partner up with, or acquire, fintechs so that they remain
relevant in the eyes of their consumers. The investment from financial institutions has
therefore also increased steadily year on year accordingly.


Between 2019 and 2021, a key concern for funding in the UK fintech space was the
potential impact of Brexit. However, at this stage, this does not appear to have had any
significant consequences. This is most likely due to the actions that the
government, regulators and policy makers have taken to stimulate and sustain the growth
of the UK fintech sector, which are explored further below.
For 2022, fintech funding across M&A, private equity and venture capital fell from
2021, which mirrors the decline in investment experienced in the broader technology
sector across the Americas and EMEA regions, referenced above. However, despite the
global decline in funding, the UK continues to be a centre for fintech innovation with
UK fintechs attracting more funding than those in France, Germany, China, Brazil and
Canada combined, despite the initial concerns regarding the Brexit impact.
An additional pattern for investment between 2018 and 2022 has been the use of special-purpose
acquisition company (SPAC) deal-making, for which fintechs are a clear focus. SPACs are
entities created with the purpose of securing M&A deals, whereby the SPAC raises capital
through an IPO for the purpose of acquiring an existing operating fintech (as a private
company). Subsequently, the fintech can merge with (or be acquired by) the publicly traded
SPAC and become a listed company in lieu of its own IPO.20 This essentially allows the
fintech to bypass the typically lengthy and complex traditional process of going public.

Open banking
The introduction of open banking in the UK in 2018 also created new opportunities for
fintechs. It enabled customers to utilise financial data to secure services from a wide range
of financial providers across a multitude of financial products.
Open banking has been a substantial initiative led by the UK Competition and Markets
Authority (CMA), which required the nine leading British banks to agree on a single common
standard to safely share their customer banking data (with the customer’s explicit
consent) with authorised third parties, via secure application programming interfaces
(APIs).21 The open banking ecosystem in the UK now extends beyond the CMA and currently
comprises more than 330 regulated firms, made up of over 230 third-party providers
of services and more than 90 payment account service providers, who together account
for over 95% of current accounts.
At this stage the CMA, working with the open banking implementation entity (OBIE),
continues to take steps to improve the corporate governance of the OBIE and to ensure
issues continue to be addressed with respect to sharing valuable data and ensuring
competition within the market.22
The real driving force behind open banking was the European Union legislation (the
Payment Services Directive23), known as PSD2, which was implemented across the UK

20 “How special purpose acquisition companies (SPACs) work,” PwC, www.pwc.com/us/en/services/consulting/deals/library/spac-merger.html.
21 Press Release, “UK’s Open Banking to launch on 13 January 2018,” Open Banking, 19 December 2017, www.openbanking.org.uk/news/uks-open-banking-launch-13-january-2018/.
22 Competition and Markets Authority, “Update on Open Banking,” UK Government, 1 October 2021, www.gov.uk/government/news/update-on-open-banking.
23 “PSD2—a game changing regulation,” PwC (UK), www.pwc.co.uk/industries/banking-capital-markets/insights/psd2-a-game-changing-regulation.html.


and Europe on 13 January 2018. PSD2 primarily aimed to make payments faster, more
transparent and more secure by demanding the use of strong customer authentication.
However, it also required all payment account providers (so not just the leading British
banks that are part of open banking) to give authorised third parties (TPPs) access to vital
banking data. These TPPs are known as payment initiation service providers (PISPs) (who can
initiate payments on behalf of customers, cutting out the middleman) and account information
service providers (AISPs) (essentially data aggregators).

Big Tech
In conjunction with the trends above, and the more general proliferation of technology
and digitisation transforming the customer experience, we have observed the large tech
giants becoming more active in this space, such as Google, Amazon, Facebook and Apple.
Although this is a global trend, it has an impact on the fintech sector in the UK because of
the wide-reaching consumer bases.
A notable example is Google, which, in 2018, unified its payment offering under its
Google Pay establishment and, in 2020, let customers open a bank account through the
GPay app.
The key Big Tech players have continued to mirror the Google model (e.g. Apple Pay
launching a credit card) to enter mainstream financial services. In addition, the Big Tech
players have acquired firms that provide support to the incumbent and fintech industries,
including digital payment and cross-border payment providers, virtual currency and
cryptocurrency platforms and mobile payment technology providers, amongst others.24 This
has enabled the Big Tech players to provide services at multiple points in the financial
services cycle. Another notable example is Facebook entering the market with a digital
currency called Diem (formerly known as Libra) and PayPal providing account holders
with the opportunity to trade in cryptocurrencies.
Notwithstanding the acquisitions and developments that Big Tech continues to make in
the financial services sector, the regulatory rules and standards continue to act as a
barrier to Big Tech acquiring the complete banking route. For example, although they may
own petabytes of consumer data, the Big Tech players are not authorised to possess the
credit history and essential components for complex decisions to evolve as mature
lending/financial services providers.

Fintech Regulation and market initiatives in the UK


Regulation in the UK
Although the above factors have all played a crucial role in the rise of the fintech sector in
the UK, one of the key stimulants for the rapid growth has been the favourable regulatory
environment in which fintechs are able to operate.

24 Tarun Anand, “What happens when Big Tech enter Fin Tech,” appICE, 22 July 2021, www.appice.io/what-happens-when-big-tech-enter-fintech/#:~:text=Big%20Tech%20enter%20FinTech%20with%20technology%20support.%20However%2C,decisions%20to%20evolve%20as%20a%20mature%20lending%20platform%20-


The UK regulators have strived to strike an appropriate balance between upholding
their operational objective of protecting consumers, while ensuring that innovation is not
stifled by esoteric or restrictive regulatory standards.
In this regard, currently, there is no specific regulatory framework for fintechs in the
UK. The financial regulator, the FCA, adopts a technology-neutral approach, meaning
that it neither mandates regulated firms to use a particular type of technology to facilitate
their services nor does it regulate that technology. However, fintechs do remain subject to
the existing body of UK financial regulation.
Unless an exemption applies, fintechs which carry on certain regulated activities, by
way of business in the UK, will fall within the regulatory perimeter. Like any other firm
undertaking regulated activity, fintechs will need to obtain the requisite authorisation
from the FCA, or the Prudential Regulation Authority (PRA) in some cases. Once authorised,
fintechs will then be subject to the extensive rulebooks, published by the regulators
and a range of primary legislation.
The full extent of the regulatory obligations and requirements will depend on the specific
financial service offering and activity being performed. Although it is not practical to
list them all in this chapter, by way of example:

• Alternative finance, such as crowdfunding and lending, is typically regulated by
the FCA and under the Financial Services and Markets Act (FSMA) 2000;
• Payments are regulated by the FCA under the Payment Services Regulations and
by the Payment Systems Regulator (PSR), with additional permissions required
for the issuance of e-money under the Electronic Money Regulations 2011;
• Wholesale securities markets and retail investment banks are regulated by the
FCA under the Markets in Financial Instruments Directive II (MiFID II);
• Robo-advisors require permission to give investment advice (as does any other
medium involved in investment activities and wealth management); and
• Digital banks are regulated in broadly the same way as regular banking activity.

In addition to the PSR mentioned above, other relevant UK regulators that may impact
fintechs might include HM Revenue and Customs (HMRC) and the Information
Commissioner’s Office (ICO). While some fintechs may currently fall outside the regulatory
perimeter, they may find themselves subject to specific financial regulation in future
as the regulatory net widens.
Indeed, a particular area of the fintech sector that has evidenced growth potential is
that of crypto assets. The questions of how and to what extent crypto assets can and should
be regulated remain perennial questions for UK regulators and policymakers to grapple
with and are discussed in the case study below.

Risk and compliance


Aside from the specific activity-based regulation which may apply to certain fintechs, most
fintechs will also be subject to broader regulatory requirements in data and privacy protection.
For example, the UK General Data Protection Regulation (UK GDPR) will apply to all
fintechs established in the UK that process personal data. Processing is broadly defined to
include the collection, storage or destruction of such data. The UK GDPR supplements the


Data Protection Act (2018). Fintechs will also need to consider whether the EU’s General
Data Protection Regulation (EU GDPR) applies to their business (or indeed equivalent
legislation in any other jurisdiction within which they operate).
According to the EU GDPR and UK GDPR rules, any company from any country may
be subject to either or both GDPR rules if it offers goods or services to EU and/or UK
citizens, amongst other extra-territorial applications of the EU GDPR and UK GDPR. This
means that if a fintech failed to plan for GDPR compliance and advertises to and attracts
a sizeable EU and/or UK user base, it will have to, in a brief period, comply with GDPR
rules or risk serious fines.25
In addition, most UK fintechs will need to comply with anti-money laundering (AML)
regimes.26 A wide range of legislation in the UK exists to govern financial crime, such as
the Proceeds of Crime Act (2000), which creates several basic offences that apply to all
individuals and businesses, and other secondary offences that may only apply to regulated firms.
Furthermore, fintechs operating in the regulated sector will also need to be aware of the Money
Laundering, Terrorist Financing and Transfer of Funds Regulations (MLRs) that they must
comply with.27 These regulations focus on customer due diligence, record keeping and reporting
obligations for suspicious transactions. Other key pieces of legislation, such as the Bribery
Act 2010, will generally apply to any firm undertaking business in the UK.
As the fintech landscape develops, consumer protection also remains high on the agenda
and will likely apply to most fintechs’ activities. At the time of writing this chapter, the
FCA’s new Consumer Duty is in the process of being implemented by regulated firms in
the UK.
Indeed, regulators remain focused on: (i) ensuring consumers are fully aware of the
nature and risks of the new products and services that are emerging; (ii) limiting, or even
prohibiting, the sale of certain products and services to retail customers; and (iii) amending
and modifying rulebooks to adapt to emerging fintech developments.

Market initiatives
A well-considered and competitive regulatory regime is likely to ensure that the UK
remains a favoured jurisdiction for fintech investment, which will engender the growth
of this nascent industry. It is apparent that UK policy makers and regulators are fully
cognisant of this reality.
To date, the FCA has been described as one of the most “fintech friendly” regulators in
the world,28 which is a reputation it is keen to uphold. Indeed, as discussed above, the UK’s

25 For example, see European Data Protection Board, “The Swedish Authority for Privacy Protection (IMY) issues an administrative fine against Klarna Bank AB after investigation,” 5 April 2022, https://edpb.europa.eu/news/national-news/2022/swedish-authority-privacy-protection-imy-issues-administrative-fine-against_en.
26 Transparency International UK has called for more proactive supervision of fintechs after finding more than a third of the UK-licensed electronic-money institutions show red flags, see Transparency, “Together in Electric Schemes, analysing money laundering risk in e-payments,” www.transparency.org.uk/together-in-electric-schemes-UK-e-payment-EMI-money-laundering-risk.
27 Steve Goodrich, “Together in Electric Schemes, analysing money laundering risk in e-payments,” Transparency International UK, March 2022, www.transparency.org.uk/together-in-electric-schemes-UK-e-payment-EMI-money-laundering-risk.
28 See, for example, Caroline Binham, “UK regulators are the most fintech friendly,” Financial Times, 12 September 2016, www.ft.com/content/ff5b0be4-7381-11e6-bf48-b372cdb1043a.


supportive and progressive approach has been the cornerstone of its success in this space
and many initiatives pioneered by the FCA have been emulated by regulators worldwide.
A leading example is the FCA’s active engagement with key stakeholders in the market,
via its Innovation Hub.29 Launched in 2014, the Innovation Hub has supported a diverse
range of fintechs (as well as other companies). The Innovation Hub comprises three main
initiatives: The Regulatory Sandbox, Innovation Pathways, and the Digital Sandbox
(which was run as two separate pilot schemes).
In particular, the Regulatory Sandbox allows firms from all sectors in the financial
services market “to test innovative propositions in the market with real consumers” in a
controlled environment, while obtaining support from the FCA in identifying consumer
protection safeguards that can be built into new products and services.30
In a drive to encourage participation amongst firms to gain access to regulatory expertise,
the scheme moved to an “always open” model in mid-2021, inviting authorised firms
and unauthorised firms that require authorisation, and even innovative technology businesses
looking to enter the UK financial services market, to submit applications to join the
Regulatory Sandbox throughout the year. The latest figures show that 850 firms have been
supported through the Innovation Hub, including 165 firms and products accepted for testing
in the Regulatory Sandbox. Entering the Regulatory Sandbox also provides firms with a pathway
towards obtaining regulatory authorisation; 92% of firms who have used the Regulatory
Sandbox have become successfully authorised, 80% of whom are still in operation.31
For firms looking for closer guidance and supervision in navigating regulatory risks, the
Innovation Hub offers successful applicants one-to-one discussions with a dedicated case
manager, informal steers to help understand grey areas of regulation and pre-authorisation
meetings to help clarify the regulator’s expectations, all in aid of making the authorisation
process less complex and burdensome. Dedicated supervisory support is also available to
those firms for the first year after obtaining authorisation.
Since 2016, the FCA has also hosted a series of “TechSprints”: typically week-long
events to develop technology-based ideas or proofs of concept that help to address
industry-specific problems and solutions.32 Participants have included those in and outside of
the financial services market, including regulated and unregulated firms, start-ups,
traditional financial institutions and universities. Themes are wide-ranging and have included
sustainability, global AML and financial crime, pensions and consumer access.
In addition, in 2019 the FCA, along with an international group of financial regulators
and related organisations, built on the FCA’s earlier proposals for a “global sandbox,” to
create the Global Financial Innovation Network (GFIN), which currently comprises more
than 70 organisations internationally.33 GFIN seeks to provide a more efficient way for
innovative firms to interact with regulators, helping them navigate between countries as

29 Financial Conduct Authority, “Innovation Hub: market insights,” 10 January 2023, www.fca.org.uk/data/innovation-market-insights.
30 Financial Conduct Authority, “Regulatory Sandbox,” 14 October 2022, www.fca.org.uk/firms/innovation/regulatory-sandbox.
31 London Stock Exchange, “The UK Fintech Ecosystem,” 8 August 2022, www.londonstockexchange.com/discover/news-and-insights/uk-fintech-ecosystem.
32 Financial Conduct Authority, “TechSprints,” 5 August 2022, www.fca.org.uk/firms/innovation/regtech/techsprints.
33 Financial Conduct Authority, “Global Financial Innovation Network,” 22 June 2022, www.fca.org.uk/firms/innovation/global-financial-innovation-network.


they look to scale new ideas, targeting firms wishing to test innovative products, services
or business models across more than one jurisdiction. GFIN also aims to create a new
framework for co-operation between financial services regulators on innovation-related
topics, sharing different experiences and approaches.
In October 2020, GFIN launched its first cross-border testing scheme, with 23 regulators
across eight regions participating in the initiative. The model adopted by the regulators
was one of “hub and spoke,” meaning that a lead regulator was appointed for each firm
participating in the testing to help coordinate and manage the engagement between the
various participating regulators and firms involved. The lead regulator acted as the main point
of contact and liaised with both parties to resolve issues or queries that arose throughout
the assessment phase. The scheme found that participants being given the opportunity to
collaborate directly with regulators and gain in-depth understanding helped them refine
their proposed products.34
It is apparent that a regulator’s efforts to partake in dialogue with those it regulates help
to ensure the delivery of good compliance outcomes and aid the development of innovative
technologies. Given the proven success of such engagement, it is likely that the FCA
will continue to adopt this proactive, “friendly” approach as the fintech sector matures.
In March 2021, the findings of the highly anticipated independent strategic review of
UK fintech, dubbed the Kalifa Review, were published and quickly endorsed by the UK
Chancellor. Set out across a five-point plan—policy and regulation, skills, investment,
international and national connectivity, the Kalifa Review provided recommendations for
delivering better outcomes for customers, both for consumers and enterprises (especially
SMEs).35 Of particular interest, in relation to regulation, the Kalifa Review proposed that
regulators should implement a “Scalebox” to support firms focusing on scaling innovative
technology, which would include enhancing the Regulatory Sandbox, making the Digital
Sandbox pilot permanent, and providing additional support for growing regulated firms.
In relation to regulation, the UK government has also welcomed the adoption of further
recommendations put forward in the Kalifa Review, including those that may have previously
seemed experimental or futuristic. By way of example, responding to the changing
patterns of consumer behaviour, the Bank of England has set up a taskforce with HM
Treasury to explore the development of a central bank digital currency (CBDC), or a
“digital sterling.” In its Discussion Paper published in June 2021, the principles stated to
underlie the creation of a CBDC, however, are familiar, being those that underlie the UK
government and the FCA’s broader approach towards fintech innovation: While financial
inclusion is a priority, alongside the creation of a competitive ecosystem to support diverse
innovative ideas, user privacy and “doing no harm” in delivering monetary and financial
stability are also parallel goals.36
The UK government intends to move towards greater legal recognition of stable coins
and to bring them within existing electronic payment regulations, to facilitate their wider
use as recognised forms of payment.

34 Global Financial Innovation Network, “The Global Financial Innovation Network Cross-Border Testing Initiative: Cohort 1.0,” May 2022, www.thegfin.com/crossborder-testing.
35 Kalifa Review (n 2).
36 “Responses to the Bank of England’s March 2020 Discussion Paper on CBDC,” 7 June 2021, Bank of England, www.bankofengland.co.uk/paper/2021/responses-to-the-bank-of-englands-march-2020-discussion-paper-on-cbdc.


In addition to focusing its efforts on creating an innovation-friendly regulatory
environment, the UK government is equally aware that steps need to be taken to educate
consumers about risks and opportunities presented by emerging technologies, such that
innovation remains “in the interest of consumers.”37 In this respect, the Kalifa Review
proposed that adults need to be retrained and upskilled to meet the needs of UK fintech
through access to short courses from high-quality education providers at low cost.
It is therefore apt that, in October 2021, the FCA launched a five-year, £11 million
“InvestSmart” campaign to provide education for inexperienced investors through
targeted online articles and social media, aimed at encouraging the making of better-informed
investment decisions.38 The InvestSmart campaign has been accompanied by
the FCA’s strengthening of financial promotion rules for high-risk investments, with rules
for crypto asset promotion to be finalised when legislation brings the asset class within
the remit of the FCA.39
Amongst the changes to be introduced are measures such as the prescription of risk
warning wording for firms to use, the banning of incentives to invest (such as “refer a
friend” bonuses) and further clarification on requirements for personalised risk warnings
to help clients categorise themselves correctly dependent on their knowledge/experience.
While evidence will in time emerge as to the success of these methods in safeguarding
consumer interests, such measures are likely to form an integral part of a regulator’s
toolkit against the backdrop of an evolving fintech space.
It is clear from the above examples (which do not cover the full range of initiatives and
only seek to draw on some of the most notable examples) that the UK government has
placed a priority on ensuring that the country retains its premier status in the financial
services sector. To do so, not only has it taken bold steps towards welcoming innovation,
but it has created a safe environment through versatile regulation for innovative ideas to
be tested and developed.
Indeed, as mentioned earlier in this chapter, the UK has emerged as one of the world’s
leading global fintech hubs with 2,500 fintech companies in Britain, with that number
forecasted to double by 2030.40
An emerging theme throughout the analysis of fintech is the increasing importance of
cryptoassets to investors, the fintech industry, insurers and to regulators. The following
case study describes the insurance considerations and challenges for this emerging digital
asset class.

37 Nikhil Rathi, “Levelling the playing field—innovation in the service of consumers and the market,” Speeches, Financial Conduct Authority, 20 April 2021, www.fca.org.uk/news/speeches/levelling-playing-field-innovation-service-consumers-and-market.
38 Financial Conduct Authority, “About the InvestSmart campaign,” www.fca.org.uk/investsmart/about-campaign.
39 Financial Conduct Authority, “PS22/10: Strengthening our financial promotion rules for high-risk investments and firms approving financial promotions,” 1 August 2022, www.fca.org.uk/publications/policy-statements/ps22-10-strengthening-our-financial-promotion-rules-high-risk-investments-firms-approving-financial-promotions.
40 The Global City, “The UK: innovation hub for fintech,” March 2022, www.theglobalcity.uk/PositiveWebsite/media/research-downloads/Col_Fintech_Final-with-updated-icon.pdf.


CRYPTOASSETS—INSURANCE CONSIDERATIONS AND CHALLENGES FOR AN EMERGING DIGITAL ASSET CLASS
The case study is written by Helen Bourne,41 Rose Amin42 and Chander Agnihotri.43

Although the cryptoasset market is prone to fluctuation and is currently in the midst of a
prolonged period of contraction (referred to as the “Crypto Winter”44), if one is to take a step
back, it is apparent that, on a macro level, this is an upwards trending sector, that is already
worth billions of pounds and is largely untapped by insurers. While this presents an obvious
commercial opportunity, there are a number of inherent challenges that have led to insurers
adopting a cautious approach when entering the market. These include rising levels of
cybercrime, difficulties in defining and determining the use of these evolving assets, and
challenges in establishing their true value. Nonetheless, there is an increased offering of
crypto-insurance products, and as a result, a rise in related litigation is expected in the coming years.

What are cryptoassets?


The term cryptoasset is often applied in a liberal manner, with the meaning dependent upon the
defining party’s perspective and interests. There is no global standard definition but a helpful
and balanced definition can be found in the UK government’s guidance for the Economic Crime
and Corporate Transparency Bill 202245 which states that a cryptoasset is a: “Cryptographically
secured digital representation of value or contractual rights that uses a form of distributed ledger
technology and can be transferred, stored, or traded electronically.”46 Distributed ledger
technology is described in Chapter 5, and the term is used interchangeably with “blockchain” herein.
In broad terms, there are two main types of cryptoasset, these being:

(i) Cryptocurrencies—which, adopting a binary approach, are either a medium of exchange
or store of value, held digitally on the blockchain which utilises cryptography, i.e.
encryption, techniques to control the creation of each unit and to accurately verify each and
every transfer. The cryptocurrency that is most often cited as serving as a store of value is
Bitcoin. This is largely on account of it being the first widely accepted cryptocurrency and
there being a finite amount that can be mined. “Ether” (frequently mistakenly referred to
as Ethereum, which is the underlying blockchain technology) represents one of the most
widely adopted cryptocurrencies as a medium of exchange.
(ii) Non-fungible tokens (“NFTs”)—this being a blockchain-based, non-interchangeable,
digital identifier that is used to confirm the ownership and the authenticity of a unique

41 Partner, Clyde & Co (London), www.clydeco.com/en/people/b/helen-bourne.
42 Partner, Clyde & Co (London), www.clydeco.com/en/people/a/rosehana-amin.
43 Legal Director, Clyde & Co (London), www.clydeco.com/en/people/a/chander-agnihotri.
44 The term “crypto winter” is used in OECD (2022), “Lessons from the crypto winter: DeFi versus CeFi,” OECD Business and Finance Policy Papers, No. 18, OECD Publishing, Paris, https://doi.org/10.1787/199edf4f-en. www.oecd-ilibrary.org/finance-and-investment/lessons-from-the-crypto-winter_199edf4f-en.
45 Economic Crime and Corporate Transparency Bill 2022, “Policy Paper: Factsheet: Cryptoassets—Key Terms and Definitions,” updated 8 November 2022, www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/factsheet-cryptoassets-key-terms-and-definitions#:~:text=Cryptoasset%3A%20A%20cryptographically%20secured%20digital,%2C%20stored%2C%20or%20traded%20electronically.
46 This is not dissimilar to the also helpful definition found within the EU’s Markets in Crypto-Assets (MiCA) Regulation, which provides that cryptoassets are “digital representation of a value or a right which may be transferred and stored electronically, using distributed ledger technology or similar technology” (Art. 3 (1) No. (2) MiCA).

digital asset. While the application of NFTs in respect of digital artworks has been highly
publicised, they are continuously being used in new and innovative ways; one interesting
example of which was by the rapper Nas, who in 2022 sold NFTs for two of his singles,
which provided purchasers with streaming royalty ownership.47

Crypto insurance remains at an embryonic stage. However, as the use of cryptoassets exponentially
expands, and the number of crypto-related coverage inquiries received by insurers increases
(both in respect of existing traditional policies and the possibility of “new” cover), it is expected
that the market will mature quickly. Insurers justifiably remain wary given the volatility and
current paucity of regulation in the crypto-space. It has therefore not been unusual to see insurers
implement blanket crypto-exclusions across their books. However, with demand increasing from
a range of “credible” sectors, in particular in the fintech industry, and both regulation and related
law developing at a frenetic pace, carriers are starting to offer cover or at least develop a better
understanding of how crypto might impact their traditional offering.

How are cryptoassets “held”?


Cryptoassets are secured in wallets that utilise a two-key system and offer encryption:

(i) Public key—which is a code that allows one party to transfer a cryptoasset into the wallet of
another person. In this way, a public key is akin to a bank account number and sort code;
(ii) Private key—this is an alphanumeric code that essentially serves as the password to a wallet.
A person who has details of a private key will have complete control over the contents
of the wallet. Private keys are analogous to online banking login details.

As a point of clarification, the digital assets themselves are held on the blockchain in a decentralised
fashion. It is therefore the private key, which provides access to the asset in question, that is
held in a wallet. There are two main types of wallets:

(i) Cold wallets—these are not connected to the internet and are often touted as being more
secure. They utilise “old technology” including hard drives, USB sticks and even paper
(sometimes laminated and kept in a secure location). While less prone to hacks, there have
been a number of high-profile losses arising from the use of cold wallets, including that
of James Howells, a Newport-based computer engineer, who reportedly threw away an
“old” hard drive that contained the private key for circa £150 m worth of Bitcoin (subject
to fluctuations in Bitcoin’s value).48
(ii) Hot wallets—which are held on devices that are connected to the internet. While they
provide greater accessibility, they are more prone to cyber-attacks. Such attacks are rapidly
on the rise, as reported by blockchain analysis company Chainalysis Inc, which stated
within its 2022 Crypto Crime Report that there were circa US $3.2 billion worth of cryptocurrency
hacks in 2021, this being almost six times the previous year.
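
The relationship described above between the ledger, the wallet and the private key can be shown in a small model. This is an added example, not taken from the book: the toy ledger and all names are constructed for illustration, and Lamport one-time signatures over SHA-256 are substituted for the ECDSA signatures that real chains such as Bitcoin use.

```python
import hashlib
import secrets

# Toy model (constructed for illustration): Lamport one-time signatures over
# SHA-256 stand in for the ECDSA signatures used by real chains such as Bitcoin.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def _message_bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(private, message: bytes):
    """Reveal one secret per message bit; safe only for a single message."""
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    bits = _message_bits(message)
    return len(signature) == 256 and all(
        _h(signature[i]) == public[i][bits[i]] for i in range(256)
    )

def address(public) -> str:
    """The 'account number' others pay into: a hash of the public key."""
    return _h(b"".join(a + b for a, b in public)).hex()

class Ledger:
    """Stands in for the blockchain: it stores balances, never private keys."""

    def __init__(self):
        self.balances = {}

    def credit(self, addr: str, amount: int) -> None:
        self.balances[addr] = self.balances.get(addr, 0) + amount

    def transfer_all(self, public, to_addr: str, signature) -> bool:
        """Move the whole balance if the signature over the destination verifies."""
        src = address(public)
        if self.balances.get(src, 0) <= 0:
            return False
        if not verify(public, to_addr.encode(), signature):
            return False
        self.credit(to_addr, self.balances.pop(src))
        return True

def run_scenarios():
    ledger = Ledger()
    custodian_priv, custodian_pub = generate_keypair()   # key held in a hot wallet
    discarded_priv, discarded_pub = generate_keypair()   # key held on a cold-wallet drive
    _, outsider_pub = generate_keypair()                 # a third party's receiving address
    outsider_addr = address(outsider_pub)
    ledger.credit(address(custodian_pub), 10)
    ledger.credit(address(discarded_pub), 5)

    # 1. Without the private key, a transfer request is rejected.
    forged = [secrets.token_bytes(32) for _ in range(256)]
    forged_accepted = ledger.transfer_all(custodian_pub, outsider_addr, forged)

    # 2. Custody risk: a copy of the key is as good as the original to the ledger.
    copied_key = list(custodian_priv)
    copy_accepted = ledger.transfer_all(
        custodian_pub, outsider_addr, sign(copied_key, outsider_addr.encode())
    )

    # 3. Cold-wallet loss: the drive is gone, the asset is still on the ledger,
    #    and nobody can produce a valid signature to move it.
    del discarded_priv
    stranded = ledger.balances[address(discarded_pub)]

    return {
        "forged_accepted": forged_accepted,
        "copy_accepted": copy_accepted,
        "outsider_balance": ledger.balances[outsider_addr],
        "custodian_balance": ledger.balances.get(address(custodian_pub), 0),
        "stranded_balance": stranded,
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The ledger never sees a private key, so it has no way to distinguish the owner from anyone holding a copy, and no way to release a balance whose key has been destroyed.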

47 See, “Nas is the next artist selling a share of his royalties as NFTs,” Music Ally, 7 January 2022,
https://musically.com/2022/01/07/nas-selling-share-of-royalties-as-nfts/.
48 See Nick Hartley, “Bitcoin: Missing hard drive could fund Newport crypto hub,” BBC News, 2 August
2022, James Howells is planning to spend millions digging up a landfill in a bid to find the hard drive,
www.bbc.com/news/uk-wales-62381682.


What are the typical types of losses and risk?


As the use and adoption of cryptoassets expands, so too will the types of risk that materialise and
the number of entities exposed to the same. The value of any cryptoasset is dependent upon preserving
continual, uninterrupted asset and transaction security, and a vulnerability or failure
in one or both of these can lead to catastrophic consequences. A primary and growing risk of loss
is the theft of the assets themselves. Chainalysis state in their 2022 report that the $3.2 billion
in stolen funds was substantially a result of phishing, key logging, code exploitation and other
criminal activities.49
These can be broadly grouped together as “crypto-custody risks,” which essentially involve
the compromise of a private key, affording bad actors access to, and control over, digital assets.
There are a number of ways that this compromise can occur, which range from the highly technical
to more “traditional” means of theft. As to the former, compromise can occur at the very
inception of the security process, i.e. the “private key ceremony,” which is when a private key is
generated. A sophisticated hacker that has gained access to a device can copy keys during this
generation process, allowing them to steal the assets the moment they are “secured.”
The transportation of private keys can also represent a point of vulnerability. This can arise in
physical form in respect of cold storage, which has led to widely reported instances of significant
losses both as a result of human error, including the simple throwing away of a hard drive holding
the key to millions of pounds in Bitcoin, and “real life” theft (with the thief sometimes simply
after the device itself). The digital transfer of private keys can also offer opportunities to online
hackers, as can the normal use of the wallets themselves (through the use of keylogging software
etc.). Social engineering fraudsters have also begun to target the owners of cryptoassets in recognition
of the large rewards that can be achieved from a successful fraud and often under the
guise of investment opportunities in this unregulated space. Further, the continued development
of crypto-architecture, including cross-chain bridges that facilitate liquidity between different
cryptocurrencies, has begun to be exploited giving rise to headline-catching hacks of hundreds
of millions of dollars.
Businesses that are exposed to this risk include:

• Cryptocurrency exchanges—which represent highly lucrative targets for hackers, leading
to a number of high-profile thefts, a recent example of which was the compromise of
Binance, the world’s largest crypto exchange, which suffered a reported loss of US $570
m in October 2022;50
• Cryptoasset custodians—these are responsible for the storage and safekeeping of the
crypto asset through secure key management. The “custody risk” results in respective
liabilities owed by the custodian to the owners. There has been a recent migration of
traditional financial institutions into this area, as seen towards the end of 2022, with BNY
Mellon announcing the launch of its digital asset custody programme (albeit for bitcoin
and ether only);

49 See, “Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value,
All-Time Low in Share of All Cryptocurrency Activity,” Chainalysis, 6 January 2022,
https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/.
50 “What Happened With The $570 Million Binance (BNB) Hack? And What Does It Really Mean For
Crypto Investors?” Forbes, 9 October 2022,
www.forbes.com/sites/qai/2022/10/09/what-happened-with-the-570-million-binance-bnb-hack-and-what-does-it-really-mean-for-crypto-investors/?sh=2e4df02e68a0.

• Entities that deal with NFTs—whether those that create them or traditional institutions
such as the auction house Christie’s, which now has a dedicated NFT arm and accepts
bids in ether;
• More generally, businesses that accept cryptocurrencies as payments. This is becoming
an increasingly broad group, with major companies such as Microsoft leading the charge.

The current lack of regulation (albeit this is quickly evolving) and volatility in this space, in itself,
also gives rise to a number of risks. The clearest example of this was the collapse of one of the
world’s leading crypto exchanges, FTX, which shook the entire crypto-market when it went from
being worth over US $30 billion to filing for bankruptcy in a matter of days. While the demise of
FTX is a complex matter, it has been reported that this was the result of high-risk loans (utilising
the company’s own token) and a complete breakdown in corporate governance,51 whereby funds
are said to have been illegitimately transferred between group companies and reserves were not
properly maintained. This resulted in huge losses, not only for its large customer base but also the
venture capitalists and big institutions such as the Ontario Teachers’ Pension Plan which viewed
FTX as a reputable and safe investment in crypto.

Insurance cover
There are a number of major insurers that now offer crypto-specific cover as part of their commercial
crime/cybercrime or specie offerings.

• Under a crime policy, the insurance typically provides cover for the loss, damage, destruction
or theft of property/digital assets in secure premises or in transit or transmission. As
noted by the Director in Commercial Risk Solutions at Aon, “[i]t also covers internal and
external fraud, including electronic theft, which would include hot wallet protection.”52
Cover has been taken by reputable crypto-businesses such as Coinbase, which states
on its website that it “carries crime insurance that protects a portion of digital assets held
across our storage systems against losses from theft, including cybersecurity breaches.”53
• Specie cover focuses on the theft or destruction of assets while stored in secured locations
(i.e. “cold storage”), which would cover theft by a staff member/employee or an employee
inadvertently destroying private key data. This type of insurance typically does not cover
cyber-attacks or where the assets are accessible or connected to the internet (e.g. in a hot
wallet).

However, the insurance industry is yet to fully embrace this sector presumably as a result of
factors such as the challenge of fully understanding the technical issues that underlie security
breaches, volatility and a lack of regulation. Insurance options remain limited, as even if it can be
demonstrated that security risks are managed and relevant guidelines or regulations are complied
with, the volatility in the value of the assets means that the level of exposure for the insurer can
vary significantly.

51 See, for example, Dan Byrne, “FTX collapse is a case study in bad governance,” Corporate Governance
Institute, 22 November 2022,
www.thecorporategovernanceinstitute.com/insights/news-analysis/governance-causes-ftx-collapse/.
52 www.aon.com/unitedkingdom/insights/keeping-cryptocurrency-secure.jsp.
53 https://help.coinbase.com/en/coinbase/other-topics/legal-policies/how-is-coinbase-insured.

Regulation
In the UK, as a fundamental regulatory requirement, businesses undertaking cryptoasset
exchange or custody wallet services must comply with the registration requirements of
the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer)
Regulations 2017 (MLR).
Additionally, UK authorities are investigating and taking enforcement action in relation to the
dealing of crypto assets. For example, warnings have been issued to crypto ATMs to shut down or
face enforcement action, and the FCA has taken action against scams perpetrated by crypto firms
that were unregistered.54 The UK government’s approach to regulating cryptoassets however is
not only geared towards protecting financial stability and market integrity but also encouraging
growth, innovation and competition in the UK.55
It is anticipated that the UK government will introduce new legislation that will:

• Give powers to the FCA to ensure that cryptoassets are promoted in a manner which is
clear, fair and not misleading;
• Regulate the issuance and custody activities of fiat-backed stable coins issued in the UK
as part of the Financial Services and Markets Bill 2022; and
• Regulate broader crypto asset activities such as the trading of and investment in
cryptoassets.56

Julian Knight, Chair of the DCMS Committee aptly describes the challenges and opportunities:

NFTs swept through the digital world so fast that we had no time to stop and consider. Now
that the market is veering wildly, and there are fears that the bubble may burst, we need to
understand the risks, benefits, and regulatory requirements of this groundbreaking technology.
Investors, especially vulnerable ones, are at risk of being swindled into buying NFTs whose
value may tank on the moment of purchase. Our inquiry will investigate whether greater regulation
is needed to protect these consumers and wider markets from volatile investments.
This inquiry will also help Parliament understand the opportunities presented by an exciting
new technology which could democratise how assets are bought and sold.57

There is also a general trend globally towards increased regulation, which becomes more pressing
given events such as the aforementioned collapse of FTX.58 The need for risk controls in the form
of developing regulation will be reinforced by a demand for crypto insurance in order to ensure
operational resilience in the cryptoasset market. If a sensible regulatory framework is established
within England and Wales (which legislators have indicated is their intention), the market continues
to expand and cybercrime increases, an increase in crypto-related insurance can be expected.

54 HM Treasury, “Future financial services regulatory regime for cryptoassets: Consultation and call for
evidence,” February 2023 at para 1.9.
55 Ibid at para 1.11.
56 Ibid at paras 1.15–1.16. See also Figure 3.A at para 3.16.
57 UK Parliament, “DCMS Committee to hold inquiry into the future of the NFT market,” 4 November 2022,
https://committees.parliament.uk/work/7038/nonfungible-tokens-nfts-and-the-blockchain/news/174174/dcms-committee-to-hold-inquiry-into-the-future-of-the-nft-market/.
58 See, for example, Todd Griffith and Danjue Clancey-Shang, “Cryptocurrency Regulation and Market
Quality,” Journal of International Financial Markets, Institutions and Money (2023) 101744, and Karisma

Alongside regulation, the UK courts have also scrutinised the activities and transactions relating to
crypto assets, establishing (by way of a very brief summary) that: (i) cryptoassets constitute property
and therefore can form the subject of proprietary injunctions; (ii) crypto exchanges whose accounts
have been used in a fraud can be said to hold stolen cryptoassets on constructive trust for the victim
(and therefore can be made subject to proprietary injunctions);59 and (iii) such exchanges can be made
subject to Bankers Trust, or other disclosure orders to assist with tracing efforts.60

Non-fungible tokens (NFTs)


As the use and popularity of NFTs continues to expand, insurers have begun to offer cover under
specie and fine art policies. While it is clear that NFTs can constitute unique high-value assets,
the accurate quantification of that value can be problematic.
This can be seen from the sale of the NFT for the artwork “Everydays—The First 5000 Days”
by the artist, Beeple (real name, Mike Winkelmann), for US $69.3 m, which is widely credited for
the rise to prominence of NFTs in 2021.61 The artist himself advised that prior to this sale he was
selling his works for a fraction of the value.62 Given this dramatic change in the value of his work,
the extent to which the piece has and/or will continue to retain its value is difficult to determine.
This issue was also exemplified by the sale of the NFT for the first tweet of Jack Dorsey, the
founder of Twitter, which was purchased for US $2.9 m in March 2021 and was subsequently put
up for auction in April 2022 for 14,969 ether (circa US $50 m at the time) but only received a top
bid of 0.09 ETH, circa $280.63 Accordingly, insurers are justifiably cautious about evaluating the
value of NFTs and presumably also have concerns regarding the possibility of a divergence in
views with an insured regarding the changing value of an NFT over time.
Another key issue in insuring NFTs is the potential for “fakes” arising from the application
of NFT technology to copyright-protected art by unauthorised persons. Where NFT creators
sometimes choose to remain anonymous or are relatively unknown, the ability to confirm that an
NFT relates to the original, authentic piece of digital art may be challenging, and if a mistake is
made, the asset is likely to be rendered worthless. In addition to fraud risks, the NFT market can
also be subject to market manipulation and money laundering.64

Karisma. “Comparative Review of the Regulatory Framework of Cryptocurrency in Selected Jurisdictions.”
Regulatory Aspects of Artificial Intelligence on Blockchain (2022) 82–111.
59 Jones v Persons Unknown [2022] EWHC 2543 (Comm).
60 LMN v Bitflyer Holdings Inc & Ors [2022] EWHC 2954 (Comm).
61 The “wallet address,” and “smart contract address,” are both displayed in the details section of the auction
page at Christie’s, see https://onlineonly.christies.com/s/beeple-first-5000-days/beeple-b-1981-1/112924,
interestingly the estimate of this NFT was categorised as “unknown.”
62 As stated during an interview on “The Tonight Show with Jimmy Fallon” in 2022.
63 See, Ben Davis, “A Crypto-Collector’s Attempt to Flip the NFT of Jack Dorsey’s First-Ever Tweet—for
Which He Paid $2.9 Million—Flops Big-Time,” Artnet, 15 April 2022,
https://news.artnet.com/market/attempt-to-flip-nft-first-tweet-flops-2099625.
64 For a discussion of the EU approach and legal uncertainty, see Umet Turkensen, Adam Abukari and
Dimitrios Kafteranis, “Money Laundering Via Non-Fungible Tokens,” Oxford Business Law Blog, 16 May 2022,
https://blogs.law.ox.ac.uk/business-law-blog/blog/2022/05/money-laundering-non-fungible-tokens.


Given this burgeoning area of NFTs, insurers are naturally seeking ways to enter this market.
However, the above issues give rise to obvious underwriting concerns. Nonetheless, if this
rise in the use of NFTs continues (as is anticipated), insurers will invariably delve further into
this market. As a result, intellectual property (IP) and ownership disputes are likely to arise and
also possible coverage concerns resulting from issues such as the accuracy of declarations made
regarding the provenance of an asset at the time of obtaining cover.

Concluding comments
The volatility, current paucity of regulation and complexities of the cryptoasset market have given
insurers justifiable pause. However, if one is to take a step back, there is a reasonable argument
that there is an overarching upwards trend in this already multi-billion pound market. Should
this continue, insurers are expected to expedite their movement into this space, developing more
sophisticated methods of evaluating risk and increasing their crypto-related offerings.
However, the issues identified within this case study are not easily resolved. While crypto-
specific insurance products may increase in number and diversity, cryptoassets are likely to
remain a target for cybercriminals, meaning that thefts and related losses will also continue on an
upwards trajectory. As this happens, and the courts become more sophisticated in tackling cryptoasset
fraud, a rise in recovery actions can be expected. Related litigation such as IP disputes
regarding NFTs may also proliferate alongside the popularity and use of NFTs.65 Further, the
anticipated introduction of increased regulation is expected to give rise to further litigation, possibly
aimed at the executives of crypto-businesses that fall short of investor/customer expectations
and/or struggle to keep pace with a rapidly evolving regulatory landscape.

Fintech in Australia
Current landscape
The Australian fintech ecosystem now ranks sixth in global fintech rankings (second in
the Asia-Pacific region),66 and despite a challenging and uncertain economic environment,
in recent years Australia’s fintech sector has continued to demonstrate steady
growth and increased maturity.
While early fintech businesses sought to disrupt traditional financial services businesses,
since about mid-2017, they have been increasingly collaborative with incumbent
businesses. As a result, the traditional financial services industry has significantly transformed
and now has digital innovation at the forefront of its strategic priorities. Continued
technological advancement has also seen agile and specialised Australian fintechs continue
to challenge incumbents competing on operational efficiency and cost reduction.

65 Andy Ramos makes the point:
“It is a certainty that NFTs and the metaverse, when it comes into being, will bring many challenges to owners
of IP rights. Most of these challenges cannot be anticipated at this stage. Consequently, we must analyze
NFTs, the emergent metaverse and any other new digital phenomena against existing regulations, which have
been enacted after thorough debate by multiple countries and cultures”;
see, “The metaverse, NFTs and IP rights: to regulate or not to regulate?” World Intellectual Property
Organization, June 2022, www.wipo.int/wipo_magazine/en/2022/02/article_0002.html.
66 Findexable, “The 2021 Global Fintech Rankings—powered by Mambu,”
https://findexable.com/2021-fintech-rankings/.

As of 2022, the four largest fintech sectors in Australia, by number and amounts
invested, were payments, lending, data & analytics, and insurance technology (insurtech).67
Other sectors rapidly growing include capital markets, blockchain, regulatory technology
(regtech), wealth technology (wealthtech), and middle and back office functions.
Australian fintech growth is evidenced by a rise in the creation of new companies, the
volume and value of investments, and the demand and interest in tech-integrated solutions.
With healthy levels of both local and international capital funding, digitally native
generations coming of age, the development of fast-growing sub-sectors and an evolving
regulatory environment, Australian fintech businesses are increasingly becoming an
attractive hub for fintech investment and talent.
Emerging business-to-consumer and business-to-business trends, including embedded
finance and open banking, are contributing to the development of new ecosystems and the
evolution of business models. Advancements in digital technologies are allowing fintechs to
provide services that focus on customer centricity through new and complementary offerings,
enhanced online interactions and highly efficient operational capabilities that enable a desirable
customer experience. Some of the core trends in the Australian fintech ecosystem include:

Embedded finance/fintech
Traditional financial services businesses are expected to continue to expand their scope
through embedded finance partnerships. This includes partnering with non-financial businesses
across a range of sectors, to leverage existing customer databases and complement
current offerings and provide a more holistic customer experience. Financial services
businesses are then applying embedded fintech to ensure their processes are highly efficient
and digitally-sound, allowing them to best serve non-financial businesses.

Open banking
Open banking is becoming a major source of innovation that is well-placed to reshape
the banking industry. In Australia, the Consumer Data Right (CDR) legislation is key to
allowing the sharing of accounts and data across financial institutions, fintechs and other
third parties.68 The CDR legislation reduces barriers to entry for smaller players, encourages
competition and allows fintechs to provide specialised data-rich services reliant on
secure application programming interfaces (APIs). For example, Australian neobank,
“Ubank,” was one of the first Australian fintechs to leverage open banking product data
to provide greater transparency in financial services. Open banking in Australia, while
promising, still has many issues to rectify. The regulator, the Australian Competition and
Consumer Commission (ACCC), is currently undertaking a consultation on “data
quality and compliance in the CDR.”69 A number of banks were delayed in implementing
their CDR solutions, reportedly due to “issues related to the pandemic and a shortage of
skilled IT resources.”70 In December 2022, the ACCC found that ING, which was required
to be in a position to share data for certain financial products by specific deadlines, did not
meet all of these obligations as required. Penalties were enforced.71

67 KPMG (n 18).
68 Office of the Australian Information Commissioner, “CDR Legislation,”
www.oaic.gov.au/consumer-data-right/cdr-legislation.
69 James Eyers, “The big issues plaguing Australia’s open banking push,” 27 January 2022, Australian
Financial Times, www.afr.com/companies/financial-services/the-big-issues-plaguing-australia-s-open

The refusal of CDR accreditation to iSignthis Australia Pty Ltd is a clear example of the
importance to regulators of insurance arrangements.72 The ACCC refused CDR accreditation
to iSignthis, as the ACCC was not satisfied iSignthis would be able to comply with the
obligations of an accredited data recipient under the CDR Rules.
ACCC Commissioner Peter Crone provided the following reasons:
We refused to accredit iSignthis because we were not satisfied on the material before us about
iSignthis’s data security protections, insurance and whether it is a fit and proper person to be
accredited.

In addition, iSignthis did not provide evidence of its current insurance policies, and, as
a result, the ACCC was not able to assess the adequacy of iSignthis’s insurance arrangements
to manage CDR data.

Decentralised finance
The Australian cryptocurrency space is evolving rapidly, with the disruptive potential of
decentralised finance (DeFi) on the agenda of fintech ecosystems across the globe. There are
numerous examples of protocols and projects providing peer-to-peer financial services powered
through blockchain technology. For example, Powerledger, a software solution headquartered
in Australia and operating globally, is utilising its distributed trading platform to allow
customers to transact energy, trade environmental commodities and invest in renewables to
create a more flexible and resilient power system.73 However, much of the development in
this space to date is considered high risk, and it is expected that sector regulation will eventuate,
particularly with respect to risk management frameworks, cybersecurity and operational
requirements. This, along with strong engagement between industry, regulatory bodies and
academia, will provide further credibility to ease the risk profile of this expanding sector.

Payments
The payments sector is one of the largest fintech sectors in Australia, with the risk of
COVID-19 transmission through cash payment and handling having accelerated the adoption
of electronic payment solutions. The New Payments Platform (NPP) scheme enabling
24/7 instantaneous funds transfers is seeing increased usage,74 and there has been growth
in the adoption of the PayID service which allows connection of payments through mobile
numbers.75

-banking-push-20230126-p5cfky; the news article explains, “No major banks are offering customers options
based on the consumer data right. ANZ Bank is not even accredited as a data recipient.”
70 ACCC, “Bank of Queensland pays penalty for alleged breach of Consumer Data Right Rules,” 13 July 2022,
www.accc.gov.au/media-release/bank-of-queensland-pays-penalty-for-alleged-breach-of-consumer-data-right-rules.
71 ACCC, “ING Bank pays penalties for alleged breaches of Consumer Data Right Rules,” 16 December 2022,
www.accc.gov.au/media-release/ing-bank-pays-penalties-for-alleged-breaches-of-consumer-data-right-rules.
72 ACCC, “iSignthis refused Consumer Data Right accreditation,” Media Release, 15 December 2022,
www.accc.gov.au/media-release/isignthis-refused-consumer-data-right-accreditation.
73 www.powerledger.io/.

Middle-and-back-office solutions
Businesses providing middle-and-back-office solutions are seeing increased demand from
banks and other financial services businesses looking to enhance their customer experience
through AI-backed smart processes.76 Customer-facing applications such as intelligent
chat interfaces and robo-advisors are being increasingly adopted; however, these
solutions are now maturing, and as such, businesses are focusing on ensuring the underlying
data is leveraged to optimise operational efficiency and customer experience.

Buy-now-pay-later
The buy-now-pay-later (BNPL) trend continues to proliferate in Australian markets, with
the generational transition between baby boomers and millennials driving the rapid rise
of e-commerce. For example, the current Australian leader in the BNPL space “Afterpay,”
is currently collaborating with Westpac, to leverage their banking-as-a-service (BaaS)
solution and provide transaction and savings accounts initially with short-term ambitions
involving personal finance management and mortgages.77
An innovative initiative from “Coverpay,” launched as a “get cover, pay later” scheme,
targets merchants in the insurance distribution chain, such as insurers, underwriting
agencies, brokers and authorised representatives, enabling them to offer Coverpay as a
payments option for customers who cannot or do not want to pay their full premium
up front.78 Once the customer pays the first instalment on a premium to Coverpay, the
insurer receives the full amount from Coverpay. With rising insurance premiums and an
economic downturn, this model of insurance could, according to the Managing Director
of Coverpay:
encourage more small business operators to take out insurance, saying under-insurance was
a significant problem in Australia, with many unable to take the one off hit of a premium
payment.79

74 Reserve Bank of Australia, “The New Payments Platform,”
www.rba.gov.au/payments-and-infrastructure/new-payments-platform/.
75 https://payid.com.au/.
76 For a discussion of the implication of AI-based robo-advisory, see, for example, Christian Dietzmann,
Timon Jaeggi, and Rainer Alt (2023), “Implications of AI-based robo-advisory for private banking investment
advisory,” Journal of Electronic Business & Digital Economics, (Vol. ahead-of-print No. ahead-of-print.)
https://doi.org/10.1108/JEBDE-09-2022-0037.
77 Westpac, Westpac and Afterpay announce partnership, 20 October 2020, Media Release Westpac,
www.westpac.com.au/about-westpac/media/media-releases/2020/20-october/.
78 Alexandra Cain, “Coverpay spearheads buy-now-pay-later insurance in Australia,” ANZIIF, 14 October 2021,
https://anziif.com/professional-development/articles/2021/10/coverpay-spearheads-buy-now-pay-later-insurance-in-australia.
79 Ibid, see also Paul Smith, “‘Get cover, pay later’ insurance player launches after funding round,” 27
September 2021, Australian Financial Review,
www.afr.com/technology/get-cover-pay-later-insurance-player-launches-after-funding-round-20210924-p58unx.


As with Open Finance, this area is undergoing increasing scrutiny from regulators with
options for regulatory intervention currently being considered by the Treasury following
a “Regulating Buy Now, Pay Later in Australia,” consultation.80 The growth of BNPL is
supported by the exemptions in place, but the exemptions were not designed with that
outcome in mind.81 This unintended regulatory gap creates the potential for consumer
harm due to the absence of key protections. The balance between access to fundamental
purchases, such as insurance, and key consumer protections may necessitate future regulatory
interventions, such as affordability assessments, responsible lending obligations or
conceivably more onerous requirements to conduct reasonable inquiries into a consumer’s
financial situation and take reasonable steps to verify this information82 before BNPL
is offered.

Digital native banks


A digitally native banking experience is rising in popularity, with the Australian Banking
Association reporting that more than 80% of Australians now prefer to transfer money,
pay bills or check account balances online.83 With most major banking interactions being
digital, there is a significant deterioration in the demand for, and utility of, brick-and-mortar
branches and ATMs. COVID-19 has accelerated the adoption of digital services and, going
forward, digital native banks are well-placed for strong growth. They hold competitive
advantages with respect to operational costs, analytical capabilities and advanced digital
user experiences.

Regulatory environment
There are several regulatory initiatives to support fintech in Australia:
1. Senate Select Committee. The Australian Senate established a Select
Committee on Financial Technology and Regulatory Technology on 11 September
2019. It prepared an Issues Paper for consultation and produced an interim report
on 2 September 2020 making a number of recommendations to the Australian
Government.84 The Issues Paper covered the:
• Size and scope of the opportunity for Australian business and consumers
arising from fintech and regtech;

80 See options paper, November 2022, https://treasury.gov.au/consultation/c2022-338372 (hereafter Options Paper). The viability of this industry is in question; see, for example, Ayesha Krester, “80 staff sacked as Openpay shuts,” 7 February 2022, Australian Financial Review, www.afr.com/companies/financial-services/80-staff-sacked-as-openpay-shuts-20230207-p5cil3, which describes the company as “using its own proprietary technology to assess credit, but … unable to contain operating costs as retail sales softened.”
81 Options Paper (n 80) 5.
82 Options Paper (n 80) 5.
83 “Banking Customers continue to shift to digital,” Australian Banking Association, 19 October 2021, www.ausbanking.org.au/banking-customers-continue-shift-to-digital/#:~:text=New%20analysis%20by%20the%20ABA%20has%20shown%20a,account%20balances%2C%20pay%20bills%2C%20or%20transfer%20money%20online.
84 Parliament of Australia, “Select Committee on Financial Technology and Regulatory Technology,” September 2020, ISBN: 978-1-76093-108-7, www.aph.gov.au/Parliamentary_Business/Committees/Senate/Financial_Technology_and_Regulatory_Technology/FinancialRegulatoryTech/Interim_report.


• Barriers with respect to the uptake of new technologies in the financial
ecosystem;
• Progress with fintech reform and benchmarking with other global
jurisdictions;
• Opportunities and practices within the regtech sector with respect to compli-
ance strengthening and cost reduction; and
• Effectiveness of current initiatives in promoting a positive environment for
fintech and regtech start-ups.
2. Crowdfunding. A special-purpose legislative framework for equity crowd funding
was introduced in 2017.85 The framework minimises regulatory requirements for
public fundraising while providing measures for investor protection;
3. Mandatory comprehensive credit reporting. A mandatory comprehensive credit
reporting regime was initiated by the Australian Government in 2017,86 which cul-
minated in the passing of the National Consumer Credit Amendment (Mandatory
Credit Reporting and Other Measures) Act 2021.87 It provides lenders with access
to a deeper, richer set of data enabling them to better assess a borrower’s true
credit position and their ability to pay a loan while introducing some further pro-
tections to consumers;88
4. Cryptocurrency exchanges. The Anti-Money Laundering and Counter-Terrorism
Financing Amendment Act 2017 (Cth) was passed on 7 December 2017, with the
Australian Transaction Reports and Analysis Centre (AUSTRAC) commencing
regulatory oversight on 3 April 2018.89 This extended the anti-money laundering
and counter-terrorism financing regime (AML/CTF) to include digital currency
exchanges within its scope, requiring them to operate with an anti-money laun-
dering risk management programme, comply with know-your-customer (KYC)
requirements, and keep records and report certain transactions.90 The intention
was to increase trust and confidence in these exchanges. As another example of the
government’s keen interest in this area, on 23 June 2021, the Senate referred the
adequacy and efficacy of Australia’s anti-money laundering and counter-terrorism
financing regime to the Legal and Constitutional Affairs References Committee
for inquiry and report;91

85 ASIC, “Crowd-sourced funding,” https://asic.gov.au/regulatory-resources/financial-services/crowd-sourced-funding/.
86 Australian Government, The Treasury, “Mandatory Comprehensive Credit Reporting,” https://treasury.gov.au/consultation/c2018-t256276 (hereafter Comprehensive Credit Reporting).
87 National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, www.legislation.gov.au/Details/C2021A00005.
88 Comprehensive Credit Reporting (n 86).
89 Anti‑Money Laundering and Counter‑Terrorism Financing Amendment Act 2017, www.legislation.gov.au/Details/C2017A00130.
90 Australian Government, “A guide to preparing and implementing an AML/CTF program for your digital currency exchange business,” AUSTRAC, 14 August 2020, www.austrac.gov.au/business/how-comply-guidance-and-resources/guidance-resources/guide-preparing-and-implementing-amlctf-program-your-digital-currency-exchange-business.
91 For the recommendations, see, Parliament of Australia, “The adequacy and efficacy of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regime,” March 2022, ISBN: 978-1-76093-387-6, www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/


5. Innovation Hub. The Australian Securities and Investments Commission (ASIC)
operates an Innovation Hub which provides practical support to fintech businesses
that are developing innovative financial products or services as they navigate
Australia’s financial regulatory system.92 Eligible fintechs receive informal
guidance from ASIC on their obligations under the financial services regulatory
framework, how ASIC administers the framework, and licensing processes and
key regulatory issues that should be considered as they establish their business.93
ASIC also strategically promotes regtech adoption and fosters several internal
working groups;
6. Enhanced regulatory sandbox. The Australian Government introduced the
enhanced regulatory sandbox (ERS) to facilitate financial innovation in Australia
from September 2020.94 Similar to previous regulatory sandboxes, the ERS allows
businesses to access the ERS and test certain innovative financial services or credit
activities without first obtaining an Australian Credit licence. The ERS allows for
the testing of a broader range of financial services and credit activities and for a
longer duration (now up to two years) than previous regulatory sandboxes admin-
istered by ASIC.

The future landscape for fintech


The application of technology, and more broadly innovation, has clearly made an indel-
ible impact on the delivery of financial services across the world. The global fintech sector
continues to grow at a prolific rate, branching out in multiple new directions.
As will be apparent from this chapter, it has now been broadly accepted by incumbent
financial institutions, governments, regulators, investors and consumers worldwide that
fintechs will continue to challenge and change the traditional business models of financial
services firms. As digital transformation has become both pervasive and imperative, we
expect the landscape for fintechs will continue to evolve significantly.
Indeed, as innovative technologies mature, it is predicted that the number of new fin-
techs entering this global sector is likely to decline and the supply of venture capital will
continue to slow. This is not unusual in a growing market, especially in circumstances
where the exponential growth experienced by this sector, year on year, is unlikely to be
sustainable in the long term. Indeed, some sub-sectors of the fintech market are already
experiencing saturation, and contraction, such as in the payments space.
On that basis, the focus is now expected to shift to the adoption of these emerging tech-
nologies in the mainstream. This will allow the most successful start-ups to continue to
scale, leading to a period of further consolidation, with more fintechs partnering up with
incumbents and others surviving to offer niche services. Accordingly, this also means that
the fintech market will potentially be harder to compete in and some fintechs, who are

AUSTRAC/Report, see Fintech Submission, 21, www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/AUSTRAC/Submissions.
92 ASIC, “Innovation Hub,” https://asic.gov.au/for-business/innovation-hub/.
93 ASIC, “Innovation Hub,” https://asic.gov.au/for-business/innovation-hub/.
94 ASIC, “Enhanced Regulatory Sandbox,” https://asic.gov.au/for-business/innovation-hub/enhanced-regulatory-sandbox/.


unable to sustain their activities, will regrettably fail. It is important however that fintechs
fail in an organised manner and consumers are protected properly.
This evolving fintech landscape inevitably brings various risks with it. Some of these
are new risks, while others are manifestations of existing risks in the financial services
sector. The unique set of risks faced by fintech businesses is set out in the next part of this
chapter.

Part 2
Fintech exposures
Fintechs clearly offer many benefits to societies and businesses, including employment
and investment opportunities, faster and more efficient processing, personalised services,
financial stability and financial inclusion. However, despite the undoubted success that
fintechs have achieved—and continue to achieve—across the globe, transforming tradi-
tional financial services is no easy feat. The benefits that fintechs offer are matched with
new and often complex risks.
Indeed, being on the cutting edge of technology exposes fintechs to a multitude of
serious risks, which are likely to be heightened at different points in time for this type of
company. The pace at which the risks can materialise, and their impact, will differ signifi-
cantly from the risks faced by traditional financial services firms.
Given the broad spectrum of fintech companies, operating within the numerous sub-sec-
tors, the risks will vary extensively from one fintech company to the next. Naturally, they will
also be different for a start-up, a scale-up, and a unicorn. While it is not practical to discuss all
the risks that fintechs face in this chapter, we highlight some categories of risk below, which
fintechs may encounter as they mature. These categories include the following:
1. Regulatory issues;
2. Investor claims;
3. Intellectual property infringement/employment disputes;
4. Professional liability, breach of contract and technology failures;
5. Automated decision-making and algorithmic discrimination;
6. Crime, cyber and data breaches;
7. Business interruption/reputational risks; and
8. Managerial liability/directors’ and officers’ claims.

Regulatory issues
Despite several regulators around the globe being supportive of fintechs, one of the biggest
hurdles that fintechs still face is trying to adapt their innovative products and services to
work within the relevant “regulatory perimeters,” where they apply. This can be particu-
larly challenging where they differ from one jurisdiction to the next. Indeed, a plethora
of regulatory issues can arise when a fintech business is seeking to expand its operational
footprint internationally. Furthermore, the lack of commonly applied standards in relation
to unregulated business activities or products contributes to this risk.
While fintechs, in several jurisdictions, are currently subject to “lighter” regula-
tory requirements than the incumbent financial institutions, many are still subject to


ever-evolving regulatory regimes in the areas of consumer protection, AML/CTF and
operational resilience (particularly data protection and cyber).
Regulators will not typically excuse firms who are apathetic towards their compliance
obligations and failure to comply with regulations can have severe consequences. At an
early stage, fintechs need to assess how regulation might impact their businesses (espe-
cially as and when regulatory perimeters are re-drawn) and build this into their strategic
planning. However, from a young fintech’s point of view, compliance can be especially
challenging because of the sheer number of vulnerabilities a fintech will have to cover.
More than time, costs are one of the biggest deterrents to compliance. According to
research by LexisNexis Risk Solutions,95 UK financial institutions spend as much as £28.7
billion annually on AML compliance. As regulatory authorities continue to bring in more
regulations to protect end users, fintechs may struggle with rising compliance costs which
need to be passed on to the clients and thereby potentially affect business eventually.
Examples below serve to illustrate some regulatory and compliance challenges:

1. In 2022, Wise Bank’s Abu Dhabi subsidiary received a $360,000 fine after the
regulator deemed Wise failed to “establish and maintain adequate AML systems
and controls to ensure full compliance with its AML obligations.”96 Wise in its
defence said it quickly resolved the issue and “no instances of money laundering
or other financial crime were identified”;
2. In 2021, TransferGo was fined £50,000 by the Office of Financial Sanctions
Implementation (OFSI) in the UK for breaching financial sanctions regulations.
The investigation and fine related to the facilitation of a series of 16 payments to
accounts held at the Russian National Commercial Bank (RNCB), which at the time
was subject to EU sanctions imposed in relation to Russia’s annexation of Crimea;97
3. In 2022, the Australian unit of the world’s largest cryptocurrency exchange,
Binance, was fined AUD 2 million by the Australian Communications and Media
Authority for sending millions of emails that violated spam laws;98
4. In May 2020, MyBudget (an Australian company that provides personal budget-
ing services) was hit by a ransomware attack, causing a system outage that left
13,000 clients unable to access their online accounts. Subsequently, ASIC (the
conduct regulator) commenced an investigation to determine whether MyBudget
was operating a financial services business without the appropriate licence. ASIC
concluded that the company required a financial services licence to continue trad-
ing, noting that licence holders are subject to specific obligations designed to safe-
guard the interests of consumers.99

95 Karthik Subramanian, “Cost of Compliance for AML Regulation in UK Hits the Roof,” Finance Feeds, 21 June 2021, https://financefeeds.com/cost-compliance-aml-regulations-uk-hits-roof/.
96 Charlie Conchie, “Bumper numbers help paper over the woes of Wise,” 30 November 2022, MSN, www.msn.com/en-us/money/companies/bumper-numbers-help-paper-over-the-woes-of-wise/ar-AA14HfeR.
97 Office of Financial Sanctions Implementation, HM Treasury, Report of Penalty for Breach of Financial Sanctions Regulations (section 149(2) PACA 2017 report). “Imposition of Monetary Penalty—TransferGo Limited,” https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1008859/050821_-_TransferGo_Penalty_Report.pdf.
98 Cat Fredenburgh, “Binance Australia fined $2M for Spam Act violations,” Lawyerly, 14 December 2022, www.lawyerly.com.au/binance-australia-fined-2m-for-spam-act-violations/.
99 ASIC, “21-174MR MyBudget applies for AFS licence following ASIC investigation,” 19 July 2021, https://asic.gov.au/about-asic/news-centre/find-a-media-release/2021-releases/21-174mr-mybudget-applies-for-afs-licence-following-asic-investigation/.

Investor claims
The prospects for fintechs as an investment asset class differ from other businesses. The
lack of specific regulatory regimes for fintechs undoubtedly provides them with an ele-
ment of freedom, but this factor also makes them potentially riskier to invest in than more
traditional financial services firms. Claims from investors, against fintechs, could arise on
multiple grounds.
For start-ups, the lack of historical financial data or inaccurate or overly ambitious
projections and forecasts could all result in unwanted liability. At any stage of the fund-
ing lifecycle (seed funding, Series A, Series B etc) claims relating to misrepresentations
made in private placement memorandums/prospectuses or other investment materials
could emerge, particularly where the financial performance of the company has not been
as positive as was expected.
The failure rate for fintechs is also typically high. Many of them fail, often suddenly
and without warning. The most cited reasons for failure are underfunding, inappropriate
or inadequate pricing of the credit risk and/or under capitalisation. These can all lead to a
lack of liquidity should investors want to exit their investments. This could lead to insol-
vency and creditor claims.
For example, as noted above, at one time FTX was one of the largest crypto exchanges
in the world, being referred to as an industry stalwart. However, in November 2022, FTX
filed for Chapter 11 bankruptcy in the United States, with 130 additional affiliated compa-
nies commencing the bankruptcy process at the time of writing this chapter (for example,
FTX US and Alameda Research). Binance, the world’s largest crypto exchange, initially
signed a letter of intent to acquire FTX to support FTX’s customers and to provide liquid-
ity, but due to corporate due diligence findings and the alleged US agency investigations,
decided to withdraw from the process. In addition, it is reported that approximately US
$1 billion in customer funds is missing from FTX. It is now expected that a wave of
lawsuits will follow the bankruptcy, in spite of US securities legal hurdles, due to the
losses incurred on the cryptocurrency exchange by amateur and seasoned investors. The
interesting legal hurdles in the United States are, amongst others, that: (i) not all courts
have ruled that certain cryptocurrencies fit the legal definition of securities; and (ii) it is an
unsettled issue as to whether US securities laws apply to interest-bearing crypto accounts
like those offered by FTX.100
More advanced fintechs looking to raise funds publicly could also face liability depending
on the exit route they choose to adopt. Raising finance through an IPO has proved to be
a popular avenue for certain fintechs over recent years. However, while their popularity in
the United States has not been mirrored in other jurisdictions, SPACs have also emerged
as an alternative means for a private fintech company to go public. In summary, the result
of the SPAC process is a single public entity consisting of the business of the private target
company (usually the fintech) and the public capital of the SPAC. In this scenario, the fin-
tech (as the target company) could be exposed to claims relating to valuation and forward
projections, if they prove to be unrealistic or overly ambitious, particularly if the newly
merged public company does not perform as well as expected. Furthermore, claims could
arise if the (surviving) fintech company is not yet quite ready for life as a public entity.

100 Jody Godoy, “Wave of lawsuits over FTX expected, but investors will face legal hurdles,” Reuters, 18 November 2022, www.reuters.com/legal/wave-lawsuits-over-ftx-expected-investors-will-face-legal-hurdles-2022-11-17/.

More traditional M&A claims may also arise in situations where a fintech business is
acquired by an incumbent, Big Tech or other corporate.

Intellectual property (IP) infringement/employment disputes


In this fast-moving technological environment, being the first to the market is often
key for many fintechs. It is imperative, therefore, that fintechs have a clearly defined IP
strategy to protect their product and services, especially where competitive technology
is involved. As the industry matures several “copycatters” might emerge which could
lead to IP-related disputes.101 In Australia, much to the relief of Nintendo fans, the gam-
ing company was recently successful in applying for an interlocutory injunction under
Australian Consumer Law s232 stopping Pokemon Pty Ltd and its sole director Xiaoyan
Liu from releasing its digital tokens, a Pokeworld NFT game. Nintendo alleged that the
respondents were wrongly using its trademarked and copyrighted content in a manner
that was potentially misleading or deceptive under consumer law rather than bringing an
action in IP infringement.102
The deployment of a robust IP strategy may not only combat these prevalent risks; it
may also assist fintechs when seeking funding from investors, or in an M&A scenario,
who will require comfort that the necessary protections are in place.
It is not unfathomable that other IP-related disputes could also arise concerning the
theft of trade secrets or ideas. This may occur upon key individuals moving firms, which
could expose fintechs to liability.
Indeed, the fintech sector is emerging as a fertile industry for employment-related
issues. To obtain a competitive edge, fintechs need to attract and retain the right individu-
als with specialised skill sets. As there is currently a relatively small talent pool, at least
on the tech side, disputes may well arise.103 They may conceivably range from claims con-
nected to poaching the small pool of skilled workers to failure to hire/promote, discrimi-
nation claims, wrongful termination and many more. Loss of a key member of staff, with
a vital skill set, could also be detrimental to a fintech—it may not only delay development,
but it is also likely to have an adverse impact on its financial performance.
In addition, as more financial service firms begin to partner up with fintechs, issues may
arise due to different cultures and values that exist between fintech companies and tradi-
tional incumbents, which will need to be harmonised to foster a successful collaboration.

Professional liability, breach of contract and technology failures


One of the biggest liability threats to a fintech, particularly as it begins to scale, will be
the potential claims that it might face because of inadequate professional services being

101 See, for example in the US, Alice Corporation Pty. Ltd. v CLS Bank Intern., 573 U.S. 208, 134 S. Ct.
2347, 189 L. Ed. 2d 296 (2014), which led to the invalidation of several software and business method patents
in the fintech sector when the court ruled that implementing the abstract idea on a computer does not make it
patentable.
102 The Pokémon Company International, Inc v Pokemon Pty Ltd [2022] FCA 1561.
103 A shortage of skilled IT resources is cited by the ACCC as causing delays in meeting regulatory deadlines, see ACCC, “Bank of Queensland pays penalty for alleged breach of Consumer Data Right Rules,” 13 July 2022, www.accc.gov.au/media-release/bank-of-queensland-pays-penalty-for-alleged-breach-of-consumer-data-right-rules.


provided to clients, or where products fail. The fact that fintechs typically offer professional
services via an online tech platform undoubtedly causes additional complexities.
For example, the rise of automated services using AI, such as robo advisors, could
lead to widespread professional liability issues.104 This will often not be synonymous
with a human adviser making a single mistake. Errors in AI solutions clearly have
the propensity to scale much more quickly and be systemic.105
Furthermore, if the root cause of the problem is an issue with the technology, such as a
flaw in the software, this may lead to an error and omission claim against the fintech. This
could give rise to complex liability issues where multiple firms may be involved in bring-
ing the product to the market, such as developers, coders and programmers. This will
not eliminate the fintech’s responsibility to its end customer, but it may lead to litigation
behind the scenes, and there may well be issues regarding indemnities provided across
these firms which will need to be carefully navigated.
For example, in January 2021, Tyro (one of Australia’s largest EFTPOS providers)
experienced terminal outages lasting several weeks and affecting over 10,000 businesses,
around a third of its customer base.
The outages, which prevented companies from accepting credit card payments, were
due to a bug in code written by the device manufacturer. Tyro has undertaken a remedia-
tion programme to compensate its customers, which was estimated to cost around $15 mil-
lion.106 The terminal problems also triggered a short selling attack on Tyro shares, which
fell nearly 12% before a trading halt was put in place. Subsequently, a class action was
commenced against Tyro on behalf of customers who were affected by the system outage.107

Automated decision-making and algorithmic discrimination108


The infiltration of automated decision-making via algorithms into the fintech space will
not be without a range of wider problems. Any fintech proposition based on these pro-
cesses may exhibit bias that discriminates against certain classes of individuals, causing
financial exclusion, rather than financial inclusion, which, as discussed above, is one of
the key objectives of fintechs.
Fintechs will face considerable exposure if they are met with claims of programming bias,
which, again, could be much more considerable than claims relating to human bias. The underlying
data set that these processes work with will need to be carefully managed.

104 The Aite Group estimates that assets on digital investment management platforms were around US $257 billion at the end of 2018, and that client assets under management on roboadvice platforms will reach US $1.26 trillion by 2023, see Alois Pirker, US Digital Investment Management Market Monitor, Q2 2019, Report Summary, Aite Group, 22 May 2019, www.aitegroup.com/report/us-digital-investment-management-market-monitor-q2-2019.
105 For a general discussion of liability issues, see Sophia Duffy and Steve Parrish, “You Say Fiduciary, I
Say Binary: A Review and Recommendation of Robo-Advisors and the Fiduciary and Best Interest Standards.”
Hastings Bus. LJ 17 (2021) 3.
106 James Eyres, “Tyro CEO ‘will need to rebuild trust’ after outage,” Australian Financial Review, 22 February 2021, www.afr.com/companies/financial-services/tyro-ceo-will-need-to-rebuild-trust-after-outage-20210222-p574km.
107 Court House Capital, “Tyro Class Action,” https://courthousecapital.com.au/tyro-class-action/#:~:text=Claim%20Overview,from%205%20January%202021%20onwards.
108 See discussion in Chapter 2.


For example, Wonga was once the UK’s biggest payday lender. Wonga relied on deci-
sion technology and risk modelling to automate its lending activities. Unfortunately, the
company’s AI ended up lending money to customers that could never afford to repay the
loans. As a result, the company ended up writing off loans for 330,000 clients. The com-
pany also waived fees and interest payments for another 45,000 clients. After a scandal
involving sending fake letters of demand to customers in arrears, the FCA demanded
Wonga pay £2.6 million in compensation. Wonga fell into administration in 2018.109

Cyber-attack/data/crime110
When dealing with consumers via online platforms, all fintechs (whatever technology
they choose to deploy) will be collecting, dealing with and relying heavily on personal
and financial data. In this regard, as discussed earlier in this chapter, fintechs must ensure
compliance with existing data protection requirements and legislation. They must also
implement appropriate cybersecurity practices.
This may not always be the case in practice. In the race to market, fintechs may be more
focused on technology and rapid innovation and may overlook crucial security concepts.
For these reasons, fintechs, and their customers, may be prime targets for cybercriminals.
For example, fintechs, like any other digital company, may be exposed to ransomware
or malware attacks, distributed denial-of-service attacks, phishing, digital identity theft,
deep fakes and many more. Cybercriminals carry out the attacks for a variety of reasons,
ranging from financial gain to espionage, terrorism and politics, all of which can create
large exposures for fintechs.
Indeed, at the time of writing this chapter, there are numerous examples of cyber crimi-
nals using increasingly sophisticated techniques to perpetrate financial crimes, leveraging
the innovative technologies that underpin new payment platforms and cryptocurrencies
to conduct complex transactions that are difficult to detect, trace and/or reverse. Fintechs
offering crypto-related services may also be more susceptible to money laundering.
As noted in the case study above, one of the major obstacles to the mainstream adoption of
cryptocurrencies stems from the catastrophic losses that have occurred in connection with
several high-profile hacks over the years. The first major crypto hack occurred in 2011 when
crypto exchange Mt. Gox lost 25,000 bitcoins worth approximately $400,000. Mt. Gox was
attacked again in 2014 with 750,000 bitcoins being stolen, allegedly from the company’s hot
wallet. 2022 could, however, end up being the largest year for crypto crime ever.111
Notable attacks in 2022 include the largest-ever hack which occurred on the Ronin
Network in March 2022. The Ronin Network supports the popular Axie Infinity block-
chain gaming platform. Hackers were able to steal approximately $625 million of ether
(ETH) and USDC stablecoin. The cybercriminal in this instance used hacked private keys
to forge fake withdrawals, draining the funds from the Ronin bridge in just two transac-
tions. The Ronin bridge served as a bridge for users to transfer their assets from other
ecosystems into Ronin and vice versa.

109 “Wonga collapses into administration,” The Guardian, 31 August 2018, www.theguardian.com/business/2018/aug/30/wonga-collapses-into-administration.
110 See discussion in Chapter 11.
111 Kevin George, “The Largest Cryptocurrency Hacks so far,” Investopedia, 17 November 2022, www.investopedia.com/news/largest-cryptocurrency-hacks-so-far-year/.


It is also important to note that thefts from fintechs do not always only involve third
parties; like any other financial services firm, they are also vulnerable to employee dishonesty.
For example, in September 2022, a defendant admitted guilt for the first time in a
case involving cryptocurrency markets and insider trading. Nikhil Wahi, the brother of a
former product manager at Coinbase Global, Inc. (Coinbase), pleaded guilty to one count
of conspiracy to commit wire fraud in connection with a scheme to engage in insider
trading in cryptocurrency assets by employing confidential information held by Coinbase
about which cryptocurrencies were planned to be listed on Coinbase’s exchanges.112

Business interruption/reputational risks


When an online platform is compromised (whether it be by virtue of a cyber-attack or
technological failure) the ramifications can be widespread. This will often result in first-
party risk, regulatory action, third-party liability and business interruption.
Any disruption is also likely to cause severe reputational damage to the fintech in question.
This will be a particular sensitivity for fintechs who rely heavily on their brand and
reputation to gain consumer trust, to allow them to scale to compete with established
incumbents and/or become a more attractive partnering proposition.

Managerial liability/directors’ and officers’ claims


The executives responsible for making key decisions relating to corporate governance,
technological advancement and investment strategies through to a fintech’s cyber security
measures and other compliance and risk strategies may face personal liability if their deci-
sions transpire to be unsound.
Organisational failure, on any level, often leads to questions about managerial effec-
tiveness. For example, if there is regulatory noncompliance the senior executives may be
held personally accountable. Also, in this scenario (depending on the jurisdiction), the
same senior executives may face claims from a disgruntled shareholder or creditor, an
employee, the company itself or its insolvency practitioners for a wide range of alleged
wrongful acts, including but by no means limited to breach of duty, neglect, errors, omis-
sions, employment practice violations and/or misstatements.
The exposure to directors and managers of fintech companies can be complex and vast.
The less mature fintechs entering the market, without necessarily having the right back-
ground and expertise in finance, with their expertise being more focused on the technol-
ogy, may well underestimate the scale of exposures that they face.113
For example, the Wirecard scandal114 involved a series of corrupt business practices
and fraudulent financial reporting (to artificially inflate profit) that led to the insolvency

112 United States Department of Justice, “Tippee Pleads Guilty In First Ever Cryptocurrency Insider
Trading Case,” US Attorney’s Office, 12 September 2022,
www.justice.gov/usao-sdny/pr/tippee-pleads-guilty-first-ever-cryptocurrency-insider-trading-case.
113 See, for example, Tim Sandle, “Human error remains the key challenge in Fintech security,” Digital
Journal, 15 July 2022,
www.digitaljournal.com/business/human-error-remains-the-key-challenge-in-fintech-security/article#ixzz7t482mrNA.
114 Jonas Heese, Charles C.Y. Wang and Tonia Labruyere, “Wirecard: The Downfall of a German Fintech
Star” Harvard Business School Case Collection, March 2021,
www.hbs.edu/faculty/Pages/item.aspx?num=59971.


of the German fintech company. The company was part of the DAX index and offered
electronic payment and risk management services. The subsidiary, Wirecard Bank AG,
held a banking licence. Allegations of accounting malpractices peaked in 2019 after the
Financial Times published a series of investigations, complaints and internal documents.
On 25 June 2020, Wirecard filed for insolvency, after revealing that €1.9 billion was
“missing.” This was followed by the resignation and arrest of its CEO, Markus Braun.
Questions have been raised about potential failures on the part of the German financial
regulator and Wirecard’s long-time auditor.115
In particular, the former CEO is, at the time of writing, standing trial in Munich,
Germany to answer charges of “commercial gang fraud,” embezzlement and market
manipulation for his role in Wirecard’s collapse, with the Munich court scheduling
100 court days for the trial.116 Notwithstanding the ongoing trial against the former CEO,
Germany’s audit watchdog (Apas) is also set to release its ruling on potential misconduct
by Ernst & Young during its work for Wirecard. This serves to highlight the far-reaching
consequences of the collapse from a legal and regulatory perspective.

Insurance for fintechs


As the fintech industry continues to evolve, one of the key priorities for all global regula-
tors is likely to concern the risk mitigation strategies that are being deployed by fintechs.117
As far as possible, the risks discussed above, as well as numerous others, will need to be
mitigated. Additional unidentified risks are also likely to emerge as the sector matures.
This creates opportunities for insurers that are active in this space, potentially allowing
them to play a crucial role in helping the global fintech industry reach its full potential.
However, these opportunities are also not without their own challenges.
Underwriters need to consider fintech risks with considerable caution. In circumstances
where fintechs are often new companies, the historical data that underwriters usually rely
upon to price and assess risks, and form decisions over the scope of coverage to be made
available, is not typically available. In addition, underwriters will not have the benefit of
key underwriting data, such as industry claims trends.
It is obvious that the underwriting process for fintechs will naturally differ from other
sectors. It will also need to be bespoke for the fintech in question given the range of risks
they will individually face. While underwriting experience from both the tech and finan-
cial services sectors will certainly provide a good basis to evaluate the more traditional
risks, unique risks will almost undoubtedly run in parallel depending on the business
model the fintech is adopting and the novel technology it is utilising.
It is perhaps not therefore surprising that the fintech insurance market has taken time
to develop, with some fintechs still struggling to obtain a comprehensive insurance solu-
tion, covering all risks. At present, important insurance covers appear to be being made

115 Jenny Hill and Paul Kirby, “Wirecard trial of executives opens in German fraud scandal,” BBC News,
8 December 2022, www.bbc.com/news/world-europe-63893933.
116 Ibid.
117 See, for example, International Monetary Fund, “IMF Policy Paper: The Bali Fintech
Agenda,” 2018, www.imf.org/en/Publications/Policy-Papers/Issues/2018/10/11/pp101118-bali-fintech-agenda;
in the Executive Summary, page 8, the IMF recognises “National authorities are keen to foster
fintech’s potential benefits and to mitigate its possible risks.”


available in a variety of forms. These are often offered by different underwriting divisions
and sometimes by different insurers. While it is, of course, encouraging that distinct insur-
ance solutions are obtainable, this can lead to unwelcome gaps in cover, or disputes between
insurers, if there are limitations, or duplication, in the insurance coverages being provided.
Despite this, the insurance market is starting to engage strongly with the rapidly grow-
ing fintech sector. Several comprehensive stand-alone fintech policies are emerging.
These are being developed by brokers and insurers to adequately meet these varied risks,
and typically provide the following covers: directors’ and officers’ (D&O), crime, civil
liability, cyber, employment practice liability (EPL) and tech errors and omissions (E&O).
These policies have needed to be carefully reconciled to cater for specific risks in this
sector; for example, a tech E&O insurance policy might usually contain a specific
professional services exclusion, which will not be suitable for fintechs. In some cases,
companies that are found to have inadequate professional indemnity (PI) insurance will also be
in breach of their capital requirements.118 Clients and prospective partners might even
insist on comprehensive liability coverage before any contractual agreements are made.
In a technological environment, risks can scale up quickly and regulators may respond with
knee-jerk reactions and restrictions. Fintech companies need to be aware of regulatory expo-
sures and the different regulations in the jurisdictions in which they operate to avoid regulatory
noncompliance. As Ashley Kovas explains in “Understanding the Risks of Fintech”:

The structure and scope of the regulatory regime has arisen for historical reasons unconnected
with fintech. At the moment, some areas of fintech activity are regulated while others are not. The
lack of commonly applied standards in the unregulated business may contribute to risk.119

While this comprises the typical combined offering, as discussed above, any fintech insur-
ance policy will still need to be tailored further for the specific insured. A “one size fits
all” approach will not work in the fintech sector, which will require a more bespoke under-
writing process.
Indeed, underwriters will need to heavily scrutinise the prospective individual insured’s
financials, valuations and forecasts, risk and compliance functions, the intended customer base
and data security procedures through to the integrity of the people involved in the business.
The specific risk landscape will also need to be reviewed constantly as the fintech grows and
seeks to expand its operational footprint. For example, a policy offered at the outset when a
proposition is still being developed by a young fintech company may not be fit for purpose a
year or two down the line as the fintech begins to take part in more complex financial activities
and begins to scale up. To mitigate this risk, it is suggested underwriters ask detailed questions
specific to the business and avoid relying on a “checklist” approach to price the risk accurately.
It is essential fintechs have robust governance processes in place and internal checking mecha-
nisms to allow the business to identify any potential changes in risk profile.120 Regular reviews
of policies and adjustments where necessary can help to avoid the risk of underinsurance.

118 “Why do Fintechs need bespoke insurance?” CFC Underwriting, 18 February 2022,
www.cfcunderwriting.com/en-au/resources/articles/2022/02/why-do-fintechs-need-bespoke-insurance/.
119 Thomson Reuters Regulatory Intelligence,
https://legal.thomsonreuters.com/en/insights/articles/understanding-the-risks-of-fintech.
120 For an overview of corporate governance issues of fintech firms, see, Khakan Najaf, Alice Chin and
Rabia Najaf. “Conceptualising the corporate governance issues of fintech firms.” The fourth industrial
revolution: implementation of artificial intelligence for growing business success (2021) 187–197.


Underwriters will also need to consider the impact of wider industry issues and the
evolving regulatory landscape, and have a clear understanding of the underlying technolo-
gies being used, as well as the products/services on offer, to accurately define and address
the specific risks to the fintech in question.
In practice, understanding the rapidly evolving technologies, and the unique risks they
pose in themselves, is one of the biggest challenges for underwriters in the fintech sector,
regardless of whether cover is being provided separately or comprehensively. Underwriters
are certainly not alone here; as discussed earlier in this chapter, this is also proving to very
much be the case for policymakers and regulators around the globe.
As a result, some fintechs may find it easier than others to obtain suitable levels of cover.
This is probably most noticeable when it comes to the insurability of fintechs undertaking
specific crypto-related activities, for example crypto custodians and crypto exchanges.
There is still a large degree of hesitancy when it comes to crypto assets and those emerg-
ing businesses involved with them.121
As noted in the case study, much of the hesitancy connected with crypto assets, includ-
ing cryptocurrencies and newer digital assets such as NFTs, arises from the sheer number
of hacks that have resulted in catastrophic losses over the past few years.122
Marsh Commercial123 describes three main reasons why NFT insurance is not yet fully
developed:
1. Unclear value—There is uncertainty around the valuation of NFTs: Unlike a home
   or a car, whose value will be relatively well known, an NFT’s value is much harder
   to determine, especially as the market is still immature. That means it is difficult
   for insurers to understand the level of financial risk involved in covering NFTs—in
   turn that makes it hard to price NFT risks in any standardised way and therefore
   develop off-the-shelf NFT insurance policies.
2. Disparate or intangible assets—An NFT is essentially two assets: The artwork or
   other item the NFT links to and the NFT token itself. In fact, in many cases the NFT
   and the artwork are intangible—meaning they don’t physically exist. They exist
   digitally but can be held in very different locations, which may face different risks. This
   again complicates the process of designing standardised NFT insurance.
3. Uncertain future—The risks affecting NFTs are not well understood and the
   technology is evolving fast, which again creates a significant barrier to developing
   insurance products since most insurers will want to know precisely which risks
   they are taking on, and that those risks are relatively stable.124
The points noted above are equally relevant to the regulators attempting to understand
and, where relevant, mitigate the risks.

121 It is yet unclear how DeFi will be regulated and if protection coverages in the DeFi space, such as dollar
peg stability for stablecoins and exchange and custodial wallet hacks or halted withdrawals, will be defined
as “insurance” products, adding another layer of complexity for fintechs. See International Association of
Insurance Supervisors, “IAIS Report on FinTech developments in the insurance sector,” December 2022, 14
(hereafter IAIS 2022).
122 See, for example, Eyup Sagban, “An Overview of the Cyber Insurance in Specific to NFTs.” Digital
L. Rev. 3 (2021) 430.
123 “Is it possible to insurance an NFT?” Marsh Commercial, 20 June 2022,
www.marshcommercial.co.uk/articles/can-you-insure-an-nft.
124 Ibid.


As noted in the IAIS report:


The lack of interoperable standards and data privacy risks were again noted to be amongst the
strongest barriers to accessing data for TPPs, while the difficulty of partnering with incum-
bents was an additional barrier cited. Examples of good practice include TPPs and insurers
reciprocally auditing each other’s data, which could overcome partnering difficulties and lead
to speedier integrations.125

The cyber insurance market and marine insurance industry have developed to provide
insureds with an end-to-end solution. This involves a readiness to boost resilience and
preparedness, a practised response plan in the event of an insurance-related event such as
a cyber breach and advice on regulatory matters. Fintech businesses are particularly vul-
nerable to potential high dependency on external platforms and IT suppliers, which can
expand governance challenges. This is an area where due diligence from both the fintech
and the insurer as a team can help to mitigate risk by having recovery plans in place to
address and manage potential risks, including enhanced information and communications
technology (IT) and cyber resilience.126 Similarly, there could be risks related to maintain-
ing efficient internal controls, risk management and compliance functions.127
In due course, greater global regulation of the fintech sector, with a particular focus
on the crypto sphere, may help insurers to get more comfortable with not only broader
fintech risks but also crypto-specific risks. At that stage, there may be more tailored insur-
ance products emerging in the market to satisfy the sector’s needs. This may be crucial as
more incumbents partner up with or acquire fintechs. Most traditional financial services
insurance policies were not written with crypto-related firms, or indeed, broader fintechs,
in mind. This means that the likely underwriting intention was not for existing policies,
underwritten specifically for incumbents, to respond to the unique losses and risks that
these companies pose. At the time of writing this chapter, this has already led to several
insurers adding crypto-related exclusions to their existing wordings to ensure that they
are not inadvertently exposed to risks that have not been priced into the initial insurance
solutions that they provided to their existing insureds.
Looking forward, the industry is experimenting with the use of machine learning, spe-
cifically for fintech underwriting in terms of services.128 Cover Genius’ Geniebot can cat-
egorise transactions for fintechs and turn them into insurance transactions.129 Machine
learning has the capability to advance the knowledge gained from data available from
previous claims but, as outlined in Chapter 2, brings with it a multitude of other risks
associated with bias, inaccuracy and error.
In conclusion, exactly how the global fintech and crypto landscapes will look from
a regulatory perspective over the coming months, or years, is not yet clear. However,
it seems apparent that greater regulatory clarity in this sector is only likely to serve to
increase consumer trust and confidence, which may, in turn, also increase the appetite
from underwriters to be more readily involved in mitigating these developing risks.

125 TPP is a Third Party Provider, IAIS 2022 (n 121) 9.
126 IAIS 2022 (n 121) 12.
127 Ibid.
128 Mariia Bogdanova, “Fintech Underwriting using machine learning,” Thesis commissioned by WeBuust
Oy, Autumn 2019, Oulu University of Applied Sciences.
129 See https://covergenius.com/geniebot/.

Chapter 11

Cyber Risk and Insurance


Reece Corbett-Wilkins, Chris McLaughlin, Adam Taylor,
Stuart Lloyd, Caitlyn Bellis, Ruth Yeend, and Kirsty Paynter

CONTENTS
Introduction
Opening remarks on cyber risk
Cyber risk landscape and statistics
Introduction to cyber security risk management
Common cyber risk framework
Establishing incident response resilience
Cyber insurance fundamentals
Cyber insurance industry—future insights
Opening remarks on cyber risk
Cyber risk landscape and statistics
What does cyber risk mean in practice?
Cyber security incident/claims landscape
Risk to individuals and businesses from cyber security events
Introduction to cyber security risk management
Goals of cyber security and “getting the balance right”
Establishing cyber resilience
Patch management
Comprehensive asset registers
An application/asset tiering system
Anti-virus/anti-malware (and end-point monitoring)
Perimeter defences
Secure mobile devices
Encryption and backup
Change management
Incident response planning
Training and awareness
Quantitative versus qualitative risk
Common cyber risk frameworks
Frameworks that organisations can use to benchmark cyber maturity
NIST—open source—government—control framework
COBIT—open source—private—management framework
ESSENTIAL 8/TOP 35—open source—Australian government—system hardening framework
ISO 27001/27002—paid—private—certification framework
SOC audit (formally SAS70)—private—audit framework
MITRE—open source—private—threat framework
Concluding remarks on effective cyber risk management
Establishing incident response resilience
Regulatory landscape update
Incident response planning—establishing incident response resilience
Late notification to insurers
Board engagement
Communication strategy
Supply chain risk management
Delayed investigations and notifications
Concluding Remarks on effective incident response preparation
Cyber insurance fundamentals
High-level overview of cyber insurance
Insurance clauses and how they operate in practice
High-level evolution of cyber insurance
Current insurance claims trends
Ransom payments
Does cyber insurance pay?
Examples where insurance has not paid
Responses from the industry and regulators to meet the challenges ahead
Conclusion on cyber insurance fundamentals
Cyber insurance industry—future insights
Changes in the uptake and availability of cyber insurance
Challenges and emerging trends
Concluding remarks

DOI: 10.4324/9781003319054-11


Introduction
This chapter is broken down into the following sections:

Opening remarks on cyber risk


This section introduces several macro factors which contribute to the challenge of
tackling cyber risk(s). While this area constantly evolves, there are also fundamental
elements of crisis management that organisations have developed during their COVID
response that could be replicated or adapted to enhance an organisation’s cyber risk
management.

Cyber risk landscape and statistics


This section analyses key concepts including claims statistics and event types to contex-
tualise and further define the concept of “cyber risk.” The aim is to let readers “under the
hood” and provide useful examples to bring the risk to life.

Introduction to cyber security risk management


This section describes key “controls” that insurers and cyber security consultants com-
monly identify when addressing this risk from a technical (and non-technical) perspective
as part of good cyber hygiene practices.

Common cyber risk framework


This section discusses various standards that organisations may follow to benchmark
themselves against and achieve a certain level of “maturity” or “competency” against a
particular framework. Achieving optimum levels of resilience is a crucial challenge, given
the speed of change in this area.

Establishing incident response resilience


This section acknowledges that, despite best efforts, something will inevitably go
wrong. Businesses need to anticipate incidents and develop resilient methods of
responding to such incidents so that they can maintain trust with their stakeholders
while managing a crisis and avoiding common pitfalls. Key steps are outlined that
organisations can take to manage a cyber incident well.

Cyber insurance fundamentals


This section addresses the benefits of cyber insurance for organisations and demystifies
some of the inflated headlines that emerge about the “diminishing” value of cyber insur-
ance; in particular, the idea that “cyber insurance doesn’t pay.” The emerging challenges
for regulators, insurers and policyholders are addressed.


Cyber insurance industry—future insights


The section provides insights into the challenges, opportunities and issues arising in rela-
tion to the cyber insurance market. The insights are written with contributions from spe-
ciality cyber insurance brokers.1

Opening remarks on cyber risk


Notwithstanding the theme of this book, arguably cyber security risk isn’t a new phenom-
enon or an emerging risk. For as long as computer technology has been around, there have
been individuals willing to break the rules to better understand the way technology works,
make a political statement or obtain something in return.
Take Steve Jobs and Steve Wozniak, who before starting Apple created “blue boxes”
which could emulate audible tones at a certain frequency to trick telephone networks
into making long-distance calls for free.2 It is reported that these early hacking ventures
inspired the pair to create Apple. Without their innate curiosity for tinkering with technol-
ogy, that company may never have existed.
Another example is Joseph Popp, who in 1989 distributed the first form of ransomware via
floppy disk at the World Health Organisation’s AIDS conference.3 The “attack” resulted in
file encryption and for US $189 the victim could send a cheque to a dedicated mailing address
to receive the decrypter. The attack had good intentions—the money was intended to raise
funds for AIDS research, but the same playbook is now adopted by organised criminals on a
daily basis.
If this risk has been present for so long, why is it then that cyber risks continue to pre-
sent as “new,” “elusive” or “emerging”? There are several reasons.
First, cyber risk, like any field of specialisation, takes time to learn. And with so many
risks to manage, learning the “ins” and “outs” of this niche is not something that most
business leaders have the time to master. However, for most of those leaders, mastery
should not be the end goal but rather a level of familiarity with the subject matter sufficient
to allow them to ask the right questions and seek the support necessary from those that can
assist, as well as drive top-down engagement.
Second, and one of the most engaging aspects of working in this field, is that the risk
landscape is constantly changing. As new technology is developed to bring convenience
and value to consumers and organisations, new vulnerabilities are discovered which offer
sufficiently motivated individuals the opportunity to exploit them.
COVID-19 was a great example of how the world shifted at lightning speed to allow
team members to work from their kitchens, but with a rapid shift in technology systems
came several risks which arguably led to, or significantly contributed to, a ransomware
pandemic that continues today.
Third, the world has become increasingly digitally connected and will continue to
become further connected—particularly with advancements in, and growth of, “internet

1 The authors thank the brokers whose contributions are recorded, and acknowledged, later in this chapter.
2 Dag Spicer, “Steve Jobs: From garage to world’s most valuable company,” Computer History Museum,
https://computerhistory.org/blog/steve-jobs/.
3 Cary Kostka, “The first ransomware attack: lessons learned from history,” ransomware.org, 17 March
2022, https://ransomware.org/blog/the-first-ransomware-attack-lessons-learned-from-history/.


of things” technology going forward in areas such as driverless transport, automated prod-
uct ordering and manufacturing. In other words, the playground for cyber criminals and
nation-states only gets bigger every day. For as long as computer systems are connected
to the internet, there will always be doors and windows for criminals to enter through to
access digital environments.
Fourth, there is no “one expert” that can advise definitively on cyber risk, nor is there
a universally consistent position on what is considered best practice. Network security
(or traditional IT security) consultants responsible for building and protecting networks
will have a different view from DFIR (digital forensics and incident response) firms that
respond to and investigate suspected or actual cyber security events.
Similarly, privacy lawyers and regulators will often have a different lens on high-risk
areas and where investment should be deployed. Insurers will have their own breach pre-
vention and claims data informing those areas that need to be focused on. Government
agencies and law enforcement bodies will have their own classified information about
active threats and an agenda on how businesses should approach certain decisions (for
example, whether to pay a ransom). Communications strategists will have different ways
of communicating incidents and the relevant risks associated with each. Knowing who to
ask for help and advice on certain topics is key.
Fifth, although it is an oft-stated cliché, cyber risk is not just the responsibility of
the information technology (IT) team and requires whole of business engagement. The
“golden triangle” framework of tackling cyber risk across three key domains (people,
processes and technology) to drive action is a good example of how this risk should be
addressed and responsibilities assigned across various business functions. For example,
the law firm Clyde & Co has developed Clyde & Co’s ONE team, a global, locally tailored,
cyber incident solution focused on three phases: Readiness (boosting resilience and pre-
paredness); response (decisive action following a cyber incident); and recovery (getting
back to business as quickly as possible). The operational disruption, financial exposure
and reputational damage from a cyber incident are significant. Clyde & Co ONE is an end-
to-end cyber risk solution, supporting policyholders and their insurers every step of the
way. The team is made up of lawyers, communications specialists and cyber professionals.
Engagement with stakeholders across IT, risk, legal, communications, human resources
(HR), finance, operations, insurance, people and culture, and the board is paramount. After
all, human error often (and arguably in every case) remains a leading cause of cyber events.4
Overlay all of this with the following macro factors, and you end up with an environ-
ment where it is a constant challenge to “stay on top” of it all:

• Constantly evolving law reform and regulatory investigations changing the
approach to expectations around data handling, ransomware payments, security
practices and breach reporting obligations. This includes the introduction
of sector-specific requirements for critical infrastructure and essential service
providers;

4 “Notifiable data breaches report January to June 2022,” Office of the Australian Information Commissioner,
10 November 2022,
www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2022.


• Geo-political issues creating friction between governments (and state-owned
corporations) and risk of spill-over to affiliated and innocent businesses (the
“NotPetya” ransomware attack is a good example of this);5
• Deteriorating financial economies driving legitimately trained computer scien-
tists and technologists into cybercrime, balanced against law enforcement efforts
to disrupt criminal supply chains;
• The conflict in Ukraine leading to a splintering and rebranding of criminal
groups, using each other’s toolkits to conduct attacks and presenting challenges
from an active defence perspective (and sanctions-related attribution require-
ments where ransom payments are made);
• Changing government appetite to intervene and drive certain practices, includ-
ing whether it is legal to fight back against organised cyber-criminal gangs, and
intervening on issues such as ID replacement post-breach and who should bear
the cost of such activity;6
• Insurance industry dynamism and an evolving approach to identifying and solv-
ing problems affecting policyholder clients and developing offerings for pre-
breach and post-breach support services. Further changes include improvements
to underwriting standards and adaptations in policy wordings to meet market
conditions as the market corrects to high severity claims;
• Changing expectations from consumers and employees about how their personal
information is managed, with many consumers and employees now demanding a
lot more from companies to protect their data (or not collect it at all);
• An active plaintiff bar (and litigation funders) ready to test the limits of the law
in privacy breach class actions, influencing behaviour through the threat of
litigation;
• Labour market challenges in key industry sectors such as IT, legal and insurance
(partly due to the pandemic and restrictive skilled migration policies of certain
governments) leading to expertise gaps, resource constraints and in some cases
“burnout” for various sectors; and
• Global interest rate rises, inflation and economic uncertainty creating financial
pressures and potential underinvestment in IT security spending by government
and industry.

Notwithstanding these challenges, business leaders are generally becoming much better
at relating their real-world individual experience of cyber risk issues (typically through
being the recipient of a breach notice from an entity that has had a cyber incident) or in
replicating their expertise in managing crises more generally (such as COVID or other
emerging risk crises) to the topic of cyber risk. As an example, the authors of this chapter
have noticed that organisations’ ability to operationally respond to cyber incidents post-
COVID is markedly improved from their ability to do so pre-COVID.

5 “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, 22 August 2018,
www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ (essential reading for
anyone wanting to understand the world of breach response).
6 “Australia tells SingTel-owned Optus to pay cost of replacing hacked ID documents,” Reuters, 29
September 2022, www.reuters.com/technology/australia-tells-singtel-owned-optus-pay-cost-replacing-hacked-id-documents-2022-09-29/.

Cyber Risk and Insurance

It is also apparent that there are significant improvements in the way in which organisa-
tions work together and boards are engaged. These are all positive legacies of organisa-
tions having to manage what will potentially be the largest crisis they will ever have to
manage in their professional careers (a global pandemic). Despite potentially never expe-
riencing a cyber event before, readers are encouraged to continue to bring their already
accumulated professional background and experience to the topic of managing cyber risk
and recognise that significant value can be added despite a lack of technical expertise.

Cyber risk landscape and statistics


What does cyber risk mean in practice?
The financial impact of cybercrime worldwide is considerable. Some reports have esti-
mated cybercrime loss at around 1% of global GDP.7 Others have estimated that the cost
of the average data breach has increased to a record US $4.35 m per breach in 20228 (how-
ever these numbers are heavily influenced by North American and Middle East regions’
statistics).
Most incidents will not cost nearly as much as this—and equally, some will cost sig-
nificantly more depending on the size and profile of the target entity, type of incident
experienced and types of losses sustained.
In Australia, the Australian Cyber Security Centre (ACSC) received over 76,000 cyber-
crime reports in the 2021–2022 financial year, an increase of nearly 13% from the previous
financial year.9 In the same report, the ACSC noted:

• An increase in financial losses due to business email compromise (BEC) events
(mailbox breaches with associated funds misdirection) to over AUD $98 million,
with an average loss of $64,000 per report;
• A rise in the average costs per cybercrime report to over $39,000 for small busi-
nesses, $88,000 for medium businesses and over $62,000 for large businesses—
an average increase of 14% from previous years; and
• A 25% increase in the number of publicly reported software vulnerabilities.

In practice, Clyde & Co estimates that only one in five cybercrime events in Australia
are reported to the ACSC, meaning that there is a significant level of underreporting, and
many more losses are occurring.
The UK’s equivalent, the National Cyber Security Centre (NCSC), releases a similar
annual report.10 Amongst other things, the NCSC specifically calls out specific state actors
and their activities responsible for conducting various actions, including attempting to
steal COVID vaccine research; targeting technology, service and supply chains; exploiting
Microsoft Exchange and Fortinet vulnerabilities; and engaging in cybercrime to mitigate
the poor status of the country’s economy.

7 James Andrew Lewis, “Economic Impact of Cybercrime,” Centre for Strategic and International Studies,
21 February 2018, www.csis.org/analysis/economic-impact-cybercrime; “McAfee report says cybercrime to
cost world economy over $1 trillion,” Business Standard, 7 December 2020,
www.business-standard.com/article/technology/mcafee-report-says-cybercrime-to-cost-world-economy-over-1-trillion-120120700249_1.html.
8 “Cost of a Data Breach Report,” IBM Security, July 2022, www.ibm.com/downloads/cas/3R8N1DZJ.
9 This equates to one report every seven minutes, compared to every eight minutes in the previous financial
year; see Australian Signals Directorate, “Annual Cyber Threat Report, July 2021–June 2022,” Australian
Cyber Security Centre, 11, www.cyber.gov.au/sites/default/files/2022-11/ACSC-Annual-Cyber-Threat-Report-2022.pdf;
figures in Australian dollars.
10 “NCSC Annual Review 2022,” National Cyber Security Centre, 1 November 2022,
www.ncsc.gov.uk/collection/annual-review-2022.

In another recent report issued by Coalition11 (a relatively new entrant to the cyber
insurance market), claims data from its cyber losses in 2021–2022 (in relation to small
businesses with under AUD $25 m in revenue) reveal:

• Small businesses were particularly vulnerable in 2021. The report notes an 85%
increase in the average claim cost in the second half of 2021 from the first half of
2021, increasing from $88,000 to $163,000;
• However, in 2022, the severity of claim costs had decreased by 15% down to
$139,000 which while positive, was still 58% higher than 2021 levels; and
• Small businesses appear to be especially vulnerable to threat actors as they often
lack the resources to respond quickly to an attack.

In its previous claims report,12 in relation to middle market businesses with AUD $100 m
in revenue or more, Coalition noted:

• Claims severity increased 54% from $233,000 to $358,000 from the first half of
2021 to the second half of 2021; and
• While claims frequency fluctuated for this segment, it remained consistently two
to three times higher than the claims frequency for small businesses (with rev-
enues < $25 m).13

Several cyber insurers produce their own claims data, and readers are encouraged to
review alternative resources to obtain access to real-time claims data experienced across
the industry to gain a better picture of the risk to their jurisdiction or specific industry
type, including for small and medium-sized enterprises.14 More information about inci-
dent types and industries impacted can be found in the Verizon Data Breach Investigation
Report.15

11 “2022 Cyber Claim Claims Report, Mid-year Update,” Coalition, 2022,
https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2022-09-Claims-Report-Mid-Year-Update.pdf, 5.
12 “2022 Cyber Claim Claims Report,” Coalition, 2022,
https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2022-03-Coalition-Claims-Report-2022.pdf, 3.
13 Ibid.
14 Several cyber insurers produce their own claims data and readers are encouraged to review alternative
resources to obtain access to real-time claims data experienced across the industry to gain a better picture
of the risk to their jurisdiction or specific industry type, including for small and medium-sized enterprises.
For example, the “Chubb Cyber Index” catalogues two decades of cyber claims data with key metrics including
trigger, source and scope,
www.chubb.com/au-en/business/cyber-claims-data.html#:~:text=Chubb%20has%20handled%20cyber%20claims%20for%20over%20two,the%20number%20of%20impacted%20records%2C%20and%20much%20more;
CFC has also produced a series of claims examples and case studies which sets out incident types, and costs
and losses incurred. See www.cfcunderwriting.com/en-au/resources/articles/2021/09/cyber-claims-case-study-round-up/.
15 “Verizon Data Breach Investigation Report,” 2022,
www.verizon.com/business/resources/T21d/reports/dbir/2022-data-breach-investigations-report-dbir.pdf.

Cyber security incident/claims landscape


The global law firm, Clyde & Co, collates its own statistics to help understand the cyber
claims landscape in Australia at any given point, to demonstrate the types of events that
often occur and to track trends across the country. These statistics regularly demonstrate
that the three most common incident types are:

• Business email compromise (mailbox breach)—this is where a threat actor gains
access to a mailbox with the intention to access personal information present in
the mailbox for secondary misuse and extortion against victim businesses and
individuals; intercept funds through falsified invoice/email instructions (often
called funds misdirection, funds transfer fraud or social engineering fraud); or
propagate phishing emails (and in some cases malware loaded emails) to gain
access to further mailboxes of third parties who receive the email and “click on
the link” and surrender credentials or download attachments;
• Ransomware—this is where cyber criminals will gain access to a computer sys-
tem and execute malware to encrypt data and interfere with the operation of the
system. Often users first experience this event when they see encrypted files on
their network, or a ransom demand present (some threat actors print thousands of
ransom demands off in the print room until the paper runs out).
Over the last few years, the sophistication and activities of threat actors have
evolved from just encryption events to “double extortion” events whereby threat
actors will also take data from the system before leaving to extort victims into
paying a ransom demand to suppress the publication of data. More recently, threat
actors have engaged in particularly hostile activities to increase their leverage,
including deleting data, contacting key staff members and threatening them, and
contacting third parties whose data they hold (individuals and businesses) to sec-
ondarily extort them, as well as publishing data and disseminating it through
email to victims to increase leverage or simply act in a destructive manner;
• Third-party system breaches—this is where a third-party system is attacked,
and data is compromised; that is, subject to unauthorised access or theft. Attacks
such as this often impact IT providers (managed service providers, MSPs), cloud
services providers (SAAS providers) or data hosting companies (e-discovery
providers). Their clients are the end victim, as they are responsible for assessing
the risk to data and notifying individuals and regulators, despite their systems
not being compromised. This is because while the end user client outsourced
the task of hosting and protecting data, it cannot outsource the responsibility in
circumstances where the information is jointly held. Often these incidents impact
entire industries at a time as multiple clients of the service provider are impacted
downstream from the “patient zero” target entity.

Other incidents include cybercrime, payment misdirection fraud, funds tracing and funds
recovery, system outage and data loss events, social engineering scams, e-safety, image-
based abuse and cyber bullying, employee IP and funds theft, inadvertent disclosure of
information, physical loss of devices or records, network outage events, website breaches
and account takeover events and email and social media account takeovers.


A quarter-on-quarter comparison of common incident types recorded between May
and July and August and October 2022 highlighted the following:

• 8% increase in third-party system incidents, up from 12%;
• 8% decrease in business email compromise incidents, down from 24%;
• 1% decrease in data loss incidents, down from 7%;
• 2% increase in inadvertent disclosure incidents, up from 4%;
• 2% decrease in network outage/interruption incidents, down from 5%;
• 1% increase in physical loss incidents, up from 2%; and
• 4% decrease in ransomware incidents, down from 31%.

The key industries impacted by an increase in cyber security incidents include:

• Healthcare (8% increase, up from 19%);
• Financial services/institutions (3% increase, up from 15%);
• Construction (4% increase, up from 10%);
• Entertainment/recreation/media (5% increase, up from 9%);
• Real estate (3% increase, up from 6%); and
• Utilities (3% increase, up from 4%).

Other sectors experiencing a decrease in cyber security incidents include:

• Professional services (4% decrease, down from 10%);
• Retail/hospitality (2% decrease, down from 8%);
• Technology (4% decrease, down from 5%);
• Education (2% decrease, down from 4%);
• Transportation/logistics (2% decrease, down from 4%);
• Manufacturing (1% decrease, down from 3%);
• Public entity (4% decrease, down from 2%);
• Charity (2% decrease, down from 1%); and
• Non-profit (5% decrease, down from 1%).

No industry is immune from cyber risk although some industries are more commonly
impacted than others, owing largely to the type of data they hold, the impact on their
business if hit by ransomware or their regulatory obligations (with some industries being
more highly regulated than others).16 These all impact the threat actor’s perception of the
ability of a victim to pay a ransom, or whether they hold funds or sensitive data which can
be monetised and weaponised.
Over 2021–2022, Clyde & Co tracked the number of ransomware events against the
monthly baseline average. Over the two years, there were periods of activity and inactivity
with threat actor groups, with “spike” and “quiet” periods. There was also a relationship
between the conflict in Ukraine and the frequency of events initially in 2022,
as well as other geo-political events. For example, in 2021, the number of ransomware
events declined on four separate occasions, one of which occurred in January/February
2021 after the takedown of the Netwalker leak site and Emotet. In 2022, ransomware
declined considerably in late February–April, after Russia invaded Ukraine.
Generally, although ransomware numbers were down in 2022 (compared to 2021), there
still remained a constant threat of ransomware which persisted into late 2022 (and will
likely continue for the coming years).

16 Healthcare, financial services/institutions, professional services and construction make up over half of
the breaches identified in the Clyde & Co statistics.

Risk to individuals and businesses from cyber security events


With attacks increasing, threat actors are exploiting the cost-benefit balance in cyber-
crime. How individuals and businesses respond to this threat is vastly different.
Individuals largely inherit the security of the devices and software that they use. There
is best practice such as using unique passwords (and password managers to securely record
difficult and unique passwords), enabling access verification to online services via email
or SMS to log in (multi-factor authentication) and keeping device security up to date.
However, security for most personal users is mainly a passive exercise, and they rely on
the inherent “protection” offered by the level of security designs and activities of organisa-
tions whose products and services they use, as well as their own data protection practices
(such as not inadvertently giving away personal information to strangers or saving sensi-
tive documents in “freemium” products such as emails and cloud services with minimal
protections beyond requiring a username and password to gain access).
There are very few businesses that would not be vulnerable to poor cyber security prac-
tices. Almost every business now operates with some level of technical infrastructure.
It would be difficult to be competitive in business without the convenience and level of
service IT can provide.
For example, even a local coffee shop might have an electronic POS (point of sale/
register) system; EFTPOS gateway for online or in store payments; computer-based
records/accounting software for payroll and accounts receivable/payable; computer-based
inventory ordering; QR codes for ordering or check in (during COVID); CCTV security
cameras; free Wi-Fi as well as internal Wi-Fi to connect the business to the internet; near-
field communication technology (NFC or tap and pay); digitally controlled or connected
HVAC (heating, ventilation and air conditioning climate systems); internet connected alarms
or security; loyalty apps for discounted repeat business; mailing lists for marketing pur-
poses; VoIP or other data-based telephony;17 internet connected industrial technology for
maintenance; TVs displaying streamed content/ads/menu; a public facing website and/or
social media accounts; iPad/tablet/smart phone ordering; personal devices carried by staff
(BYOD device); and external providers interfacing with the business holding their data
or with access to systems (such as food delivery services, IT providers, SAAS providers).
All of the above items represent potential technology entry points (or technology
vulnerabilities) that could affect business or customer experience if exploited, or if made
unavailable due to misconfiguration, system fault or service provider downtime. Some
of these services will be critical (coffee machine, payment gateway) while others might
cause a minor impact (free Wi-Fi or CCTV). Many of these services will be dependent on
access to a centralised network which, if not segregated, is likely the biggest SPOF (single
point of failure).

17 Voice over Internet Protocol (VoIP) is a type of phone system that uses an internet connection to make
and receive calls.

In a small business, basic redundancy and security measures are typically implemented
by a third-party provider (such as an MSP) and commonly without any internal IT capa-
bility within the business. This leads to complete dependency on third-party expertise for
support.
The situation evolves as companies increase in size, and as their environment becomes
more complex. The above coffee shop example would not be close to covering the technol-
ogy in place before a consumer even enters a local bank branch. Technology stack aside,
enterprise companies running multimillion-dollar cyber security and risk teams will have
multiple full-time employees, multiple security vendors and compliance teams dedicated
to cyber security risk management.
This hybrid risk management scenario, while introducing expertise into the organisation,
requires very robust role and responsibility division and accountability requirements
to ensure that cyber risk is appropriately assessed and managed across several vendors,
each of whom could be a potential attack vector to the organisation’s network.
As cyber risks increase and threaten almost every business, the following section
focuses on cyber security practices and controls to give insight into steps organisations
can take to protect their environment.

Introduction to cyber security risk management


Goals of cyber security and “getting the balance right”
Cyber security is the practice of protecting computer networks and devices against threats.
The threats are vast, and motivations include financial gain, collection of private data,
using the victim as a gateway to access third parties, using the victim’s network to mask
illegal activity and even exploiting the processing power of another computer network to
mine crypto currency.18
Data can be stolen for the sole purpose of being on-sold for financial gain, which can
end up being used for criminal ransoms, data leaks, or even to leak private images or vid-
eos for notoriety (such as the celebrity “iCloud” leak). Corporate espionage or intelligence
gathering by overseas governments and nation-state actors is also a risk, particularly
for certain industries aligned with government or to achieve political aims—for exam-
ple, in 2021 when the Australian government announced that it had identified activity
from China, not long after the COVID outbreak occurred and trade relations with China
deteriorated.19
Depending on the industry, some companies will have multi-layered legal and financial
obligations to employees, customers and the public. Not every company will have the
same obligations as the next, and depending on their size they can be wholly exempt from
certain requirements. For example, organisations in Australia with annual revenues less
than AUD $3 million generally aren’t subject to the Privacy Act 1988 (Cth) unless they
hold certain types of data (although this is set to change in 2023–2024 should proposed
law reform come into place).

18 See Chapter 10 for examples of cyber breaches related to crypto currency.
19 Daniel Hurst, “Australia joins allies in accusing China of ‘malicious cyber activities,’” The Guardian,
20 July 2021, www.theguardian.com/world/2021/jul/19/australia-joins-allies-in-accusing-china-of-malicious-cyber-activities.

Further, certain industries are subject to their own specific requirements (for exam-
ple healthcare, banking and financial services, government agencies and critical
service providers), which often overlap with more general obligations that apply to
companies through privacy, financial services, healthcare, corporations and consumer
laws.
As such, organisations have to make several important decisions around cyber security
controls that are proportionate to their size, scope, industry, available resources and threat
level to critical supply chains and the protection of their data. Not all security controls
will be relevant to their environment, and if implemented without a clear strategy will be
cost-prohibitive or unnecessarily slow down business processes.
Therefore, careful consideration is required of the “reasonableness” or “adequacy”
(both legal terms to describe the relevant standard of care) of risk management strategies
that need to be employed to help strike a balance. This balance can be reflected in a risk
appetite statement or cyber security strategy. The goal of cyber security is not to eliminate
all threats, but to have a realistic appreciation for the threats and potential losses and set
the security programme accordingly. Increasingly, regulators (and B2B customers) are
asking for copies of these strategies to identify weaknesses in governance surrounding
cyber risk management and to protect their own supply chain.
It should also be noted that inherited controls (security) from software and hardware
providers, even at the enterprise-grade, are often not enough to stop sophisticated attacks,
particularly as the risk landscape changes over time and vulnerabilities are discovered,
and as digital assets become unsupported by the vendor (that is, legacy systems where
patches are not issued). This is a hot topic with legacy systems being seen as key weak-
nesses in organisations’ environments.
It should also be recognised that many of the decisions to implement greater security
controls will have an impact on business, people and processes. To manage this, a risk
management programme and governance structure should be implemented. During this
process, a dedicated responsible person (chief information security officer or chief infor-
mation officer) is often hired to assist, particularly to be able to bring together risk com-
mittees, boards and CEOs around the key issues.

Establishing cyber resilience


Set out below are several key controls that organisations can implement to improve their
cyber security position. A number of these controls will be a pre-requisite before risks are
placed with underwriters (or highly influential in underwriting decisions), and so brokers
and insureds (and prospective insureds) will likely be aware of these control requirements.
The below describes the key controls, what they mean, and their overall importance to
cyber risk management. This is not an exhaustive list of controls that entities can have in
place, and controls will need to be reviewed regularly.
For example, Marsh has produced a report of 12 security controls that are tied to
insurability and enhancing cyber resilience, and this is informed by years of working with
underwriters globally and regionally to understand their expectations of what being
“insurance fit” looks like.20 AJG has a similar checklist which is based on its experience
placing cyber risks and assisting organisations with uplifting their cyber controls.21
Regulators in countries such as Australia have also published various reports on what
they expect organisations will have in place to demonstrate compliance with cyber
security best practice.22 In other jurisdictions, there is legislation such as the Singapore
Cybersecurity Act23 which requires certain organisations to take measures to prevent,
manage and respond to cybersecurity threats and incidents. The United Kingdom has
developed a government-backed framework that sets out basic security controls and
encourages businesses to obtain certification.24 The “Cyber Essentials Readiness” toolkit
uses responses to the questions in the toolkit to create a personal action plan and includes
links to specific guidance on how to meet the Cyber Essentials requirements. Most juris-
dictions have similar advisory systems in place, but this largely generic advice is only a
starting point for organisations.25

Patch management
Patch management is the governance around when and how “patches” (or “hotfixes”) are
rolled out to an asset. Patches can be security patches which prevent the asset from being
vulnerable to misuse, or to fix bugs/implement programme improvements such as errors
in code which inhibit optimum functionality.
When it comes to security patching, not all vulnerabilities are deemed “critical,” so organi-
sations will typically develop a patch management process to identify the urgency associated
with patching based on severity and other factors. This could be hours, days or longer depend-
ing on the assessment criteria.
With patching comes potential downtime and the chance of system disruption. For this
reason, robust change management processes need to be in place. Change management
is concerned with identifying what change needs to occur, why it needs to occur, the
criticality of the change, what users will be affected, the pilot group (test user base) and
post-change reporting.
There are several frameworks and tools offered commercially that deal with patch
management.26 As above, for patching to be effective, an organisation needs to ensure that it
has a robust change management process in place, as well as a process for identifying
critical vulnerabilities urgently. A key root cause of incidents is often poor or
missed patch management. Often patch alerts are issued but organisations miss them or
do not adequately respond in time.
Details of critical vulnerabilities that need urgent attention derive from various sources.
Data sources publish lists of security vulnerabilities,27 as do security vendors, application
owners (who identify vulnerabilities and release patches), and government advisory agencies
that provide details of critical vulnerabilities that need urgent attention; for example,
the ACSC publishes a running feed of critical vulnerabilities on its website.28

20 See www.marsh.com/us/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html.
21 www.ajg.com/us/cyber-security-controls-checklist/.
22 See Office of the Australian Information Commissioner’s report on “Security of personal information,”
www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information,
and “Guide to securing personal information,”
www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information; see Australian Securities
and Investments Commission’s “Regulatory Guide 259—Risk management systems of fund operators,”
https://download.asic.gov.au/media/kglhqlvk/rg259-published-06-october-2022.pdf; and “Cyber resilience good
practices,” https://asic.gov.au/regulatory-resources/corporate-governance/cyber-resilience/cyber-resilience-good-practices/;
see “Prudential Practice Guide—CPG 234 Information Security,” Australian Prudential Regulation Authority,
www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_1.pdf.
23 Cybersecurity Act 2018 (No. 9 of 2018) https://sso.agc.gov.sg/Acts-Supp/9-2018/.
24 www.ncsc.gov.uk/cyberessentials/overview.
25 See Chapter 8, “Autonomous Ships: Liability and Insurance,” for details of the International Maritime
Organisations’ guidelines on maritime risk management.
26 See Crowdstrike’s offering available, www.crowdstrike.com/cybersecurity-101/patch-management/.

Comprehensive asset registers


An asset register is critical for several reasons. When patching, for example, an organisa-
tion needs to know what assets they have and what versions of software they are running
at any given point in time. This enables the business to track patch compliance and ensure
the most critical assets have been patched.
From a breach response perspective, knowing what assets are in place across the busi-
ness, what data is held on each asset, who has access to the asset and what level of access
is granted to personnel are all key questions. This is particularly relevant when developing
a containment and systems restoration plan (particularly after a ransomware attack), as
well as determining data risk in the absence of clear forensic findings where immediate
risk assessments are conducted and potential breach notices need to be issued.
Organisations without this register will find it very difficult to prioritise containment
and response efforts post-breach. This increases the costs associated with the response as
well as business interruption losses through extended outage periods. Separately, regulators
often call for copies of these documents in investigations to assess the level of governance
maturity of the organisation, the topography of a network and the relevant access
restrictions (if any) in place prior to the event to prevent lateral movement of threat actors
once inside a network (which is often a severity factor that affects the overall ability
of a threat actor to conduct nefarious activity).

An application/asset tiering system


Vulnerabilities are rarely critical in isolation. What makes a vulnerability a threat is gen-
erally where the asset sits on the network, what kind of information is kept on the asset
and, finally, if it is internet-facing. By categorising assets in a tiered system, an organisa-
tion can prioritise what applications and assets need to be patched as a priority and what
systems require care when patching.
It may be time-consuming and complex to get accuracy in these databases if the com-
pany has a lot of undocumented infrastructure. However, if the foundations are correct,
patch management will be far more effective. The same comments above about the need
for asset registers equally apply here.
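
The following is an added worked example, not taken from the book: it ties an asset register to a tiering system and a patch queue, placing each asset in a tier from the three factors named above (network position, data held, internet exposure) and deriving a patch deadline from the tier and the advisory severity. The scoring weights, the patch windows in days, and every asset name, product and advisory id are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values (not from the chapter): scoring weights and patch windows.
ZONE_SCORE = {"dmz": 2, "internal": 1, "isolated": 0}        # where the asset sits
DATA_SCORE = {"personal": 2, "financial": 2, "internal": 1, "public": 0}  # data held
BASE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}  # window for tier 1
TIER_FACTOR = {1: 1, 2: 2, 3: 4}                             # lower tiers get longer


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    data: str
    internet_facing: bool
    software: dict  # product name -> installed version


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    fixed_in: str   # first version that contains the fix
    severity: str
    published: date


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def tier(asset):
    """Tier 1 is most critical. Combines network position, data held and exposure."""
    score = ZONE_SCORE[asset.zone] + DATA_SCORE[asset.data]
    score += 2 if asset.internet_facing else 0
    return 1 if score >= 5 else 2 if score >= 3 else 3


def outstanding(asset, advisories):
    """Advisories whose fix is newer than the version the register says is installed."""
    return [adv for adv in advisories
            if adv.product in asset.software
            and parse_version(asset.software[adv.product]) < parse_version(adv.fixed_in)]


def patch_queue(register, advisories, today):
    """One work item per (asset, advisory), earliest deadline first."""
    queue = []
    for asset in register:
        level = tier(asset)
        for adv in outstanding(asset, advisories):
            window = BASE_DAYS[adv.severity] * TIER_FACTOR[level]
            due = adv.published + timedelta(days=window)
            queue.append({"asset": asset.name, "tier": level, "advisory": adv.ident,
                          "due": due, "overdue": today > due})
    return sorted(queue, key=lambda item: (item["due"], item["tier"]))


def compliance_by_tier(register, advisories):
    """tier -> (fully patched assets, total assets), for tracking patch compliance."""
    result = {}
    for asset in register:
        patched, total = result.get(tier(asset), (0, 0))
        clean = not outstanding(asset, advisories)
        result[tier(asset)] = (patched + int(clean), total + 1)
    return result


# Constructed sample data: asset names, products and advisory ids are placeholders.
REGISTER = [
    Asset("web-portal", "dmz", "personal", True, {"webserver": "2.4.1"}),
    Asset("vpn-gateway", "dmz", "internal", True, {"vpn": "7.0.4"}),
    Asset("payroll-db", "internal", "financial", False, {"database": "12.3"}),
    Asset("intranet-wiki", "internal", "internal", False, {"webserver": "2.4.1"}),
    Asset("print-server", "internal", "public", False, {"webserver": "2.4.10"}),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "webserver", "2.4.3", "critical", date(2022, 10, 3)),
    Advisory("ADV-EXAMPLE-002", "database", "12.5", "high", date(2022, 10, 1)),
    Advisory("ADV-EXAMPLE-003", "vpn", "7.0.4", "critical", date(2022, 10, 4)),
]
TODAY = date(2022, 10, 6)

if __name__ == "__main__":
    for item in patch_queue(REGISTER, ADVISORIES, TODAY):
        flag = "OVERDUE" if item["overdue"] else "open"
        print(f'{item["due"]}  tier {item["tier"]}  {item["asset"]:<14}'
              f'{item["advisory"]}  {flag}')
    print(compliance_by_tier(REGISTER, ADVISORIES))
```

The same critical advisory produces a two-day deadline on the internet-facing portal and an eight-day deadline on the internal wiki, which is the prioritisation effect the tiering system is meant to deliver; an asset missing from the register never enters the queue at all.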

27 See, for example, “CVE Details,” www.cvedetails.com/vulnerability-list/year-2022/vulnerabilities.html;
and “CVE List Downloads,” www.cve.org/Downloads and Information Technology Laboratory; and
“National Vulnerability Database,” NIST, https://nvd.nist.gov/.
28 www.cyber.gov.au/acsc/view-all-content/alerts.

Anti-virus/anti-malware (and end-point monitoring)


Traditional anti-virus software works by detecting and removing viruses by known
“signatures.” Today the term incorporates a whole suite of security capabilities that are
designed to detect malware and block malicious activity.
Most antiviruses now have “heuristic scanning,” where the AV tooling will look for
virus “behaviour” or patterns and block them based on suspicious activity, even in the
absence of a signature. The term AV can also encompass technology to detect trojans,
browser hijackings, mining software, adware etc.
Companies generally will have enterprise-level solutions, and it is becoming increas-
ingly common for some of the functionality of an AV to be embedded into operating sys-
tems. All users including home and small businesses should have up-to-date functioning
anti-virus software and at least a basic firewall to prevent most common attacks from tak-
ing place.
Questions that come up in incident response are whether end-point monitoring is neces-
sary, and whether the associated costs are reasonable. Much depends on the incident type
and whether the environment in question is hosted locally or cloud-based. However, gen-
erally speaking, end-point monitoring is recommended where there is an open question
about whether the environment is secure (that is, are the threat actors still in the environ-
ment) and whether there are any persistence mechanisms (or “back doors”) installed that
would allow the threat actor to re-enter the environment.
Additionally, depending on the end-point solution adopted, the tooling can also provide
“active threat hunting” capabilities that can shortcut forensic investigations into questions
about the root cause, the extent of network intrusion, and the attribution of threat actors
(that is, whether they are a cyber-criminal group or nation-state), as well as whether or
what data access, copying or theft (at a folder or file level) occurred.
Most organisations will implement end-point monitoring for a short period of time
while the investigation is completed and containment can be confirmed. At this point,
organisations typically de-commission the monitoring (or continue to have it in place for
added protection). Not all monitoring is the same, and some DFIR vendors will typically
prefer particular tooling. Although relevant to the incident response stage, these are all
questions which organisations ought to consider at the point of implementing monitoring
pre-incident to ensure that they understand what they are implementing and what they can
expect as a result.

Perimeter defences
The primary perimeter defence is a firewall—which is essentially an electric fence or bar-
rier that sits around a network. Perimeter defence technology is designed to stop unwanted
external connections being made to the network and to stop malicious software that has
made it onto the network establishing a connection out.
Firewalls can be hardware or software-based. Hardware firewalls have their own inbuilt
operating system and are less likely to be compromised if a computer on the network is
compromised. A software firewall is reliant on the operating system on the host computer.
A good option is to run both, although advice needs to be sought about firewall configura-
tion options to best protect networks (particularly complex networks).


At its most basic, the objective of a firewall (software or hardware) is to monitor net-
work traffic and only allow approved connections based on pre-determined rules. A fire-
wall is one of the first lines of defence for internet-facing assets and is therefore critical
to good security.
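An added example (not from the book) of the rule model described above: a first-match rule list evaluated once with outbound traffic allowed by default and once with default deny in both directions. The rule format, the addresses (private and documentation ranges) and the sample connections are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (external -> internal) or "out" (internal -> external)
    action: str      # "allow" or "deny"
    internal: str    # CIDR of the protected host(s)
    external: str    # CIDR of the outside peer
    port: int        # destination port; 0 matches any port
    note: str = ""


class Firewall:
    def __init__(self, rules, default_in="deny", default_out="deny"):
        for rule in rules:
            if rule.direction not in ("in", "out") or rule.action not in ("allow", "deny"):
                raise ValueError(f"bad rule: {rule}")
        self.rules = list(rules)
        self.defaults = {"in": default_in, "out": default_out}

    def decide(self, direction, internal_ip, external_ip, port):
        """First matching rule wins; unmatched traffic gets the default."""
        if direction not in self.defaults:
            raise ValueError(f"bad direction: {direction}")
        inside = ipaddress.ip_address(internal_ip)
        outside = ipaddress.ip_address(external_ip)
        for rule in self.rules:
            if rule.direction != direction or rule.port not in (0, port):
                continue
            if (inside in ipaddress.ip_network(rule.internal)
                    and outside in ipaddress.ip_network(rule.external)):
                return rule.action, rule.note
        return self.defaults[direction], "default"


# Constructed rule set: one published service, one proxy, one DNS resolver.
RULES = [
    Rule("in", "allow", "10.0.1.10/32", "0.0.0.0/0", 443, "public web server"),
    Rule("out", "allow", "10.0.5.5/32", "0.0.0.0/0", 443, "web proxy egress"),
    Rule("out", "allow", "10.0.0.0/8", "198.51.100.53/32", 53, "approved DNS resolver"),
]

WEAK = Firewall(RULES, default_in="deny", default_out="allow")  # egress unfiltered
HARDENED = Firewall(RULES)                                      # default deny both ways

# Constructed sample connections: (direction, internal, external, port).
CONNECTIONS = [
    ("in", "10.0.1.10", "203.0.113.9", 443),     # visitor to the web server
    ("in", "10.0.1.10", "203.0.113.9", 3389),    # unsolicited remote-desktop attempt
    ("out", "10.0.2.20", "203.0.113.77", 8443),  # workstation calling out directly
    ("out", "10.0.5.5", "203.0.113.77", 443),    # same destination via the proxy
    ("out", "10.0.2.20", "198.51.100.53", 53),   # DNS to the approved resolver
]


def compare(connections):
    """Return (connection, weak verdict, hardened verdict) for each sample."""
    return [(c, WEAK.decide(*c)[0], HARDENED.decide(*c)[0]) for c in connections]


if __name__ == "__main__":
    for conn, weak, hardened in compare(CONNECTIONS):
        print(conn, "weak:", weak, "hardened:", hardened)
```

Only the third connection differs between the two policies: with egress left open, software already on a workstation can establish its own connection out, which is the case the perimeter is meant to stop.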

Secure mobile devices


An emerging risk is the increase in companies allowing the use of BYOD or “bring your
own device” to access company resources (that is, personal laptops or phones).
When a person accesses company resources from a personal device, it can pose a threat
in two distinct ways. Firstly, company data can be lost intentionally or inadvertently (data
leak or breach). Secondly, infected personal devices can infect networks if the appropriate
segregations are not put in place.
The most effective tool that companies use to mitigate these threats is an MDM (mobile
device management) solution. This software will enable a company to control the
following: the patch level of the device, blocking it from the company network if patch
versions are behind; lock, secure or delete the device; enforce a strong passcode on the
device; have visibility over emails and files in the company “container” or partition the
device; have a register of assets that have access to the company’s network or resources;
and “IAM” and “PAM” (identity access management and privileged access management).
Using an MDM is essential for good cyber hygiene; if a company allows the use of
personal devices with no MDM controls, they are putting their data at significant risk.
A fundamental area of hardening a network is having in place robust IAM and PAM
governance. Every user on a network has an “identity” or several “identities” where they
have different accounts or administrator accounts. Users will typically be given these
identities when they start employment and need modifications when they transfer roles
(role-based access) and timely removal from the system upon termination or resignation.
Together this will form a company’s “STL” (starters, transfers, leavers) governance
framework. Appropriate provisioning of accounts and the timely revoking of privileges
on the network is the goal of robust STL governance.29
Generally, companies should employ the principles of “least privilege”—that is, only
giving someone the level of access required to do their job. Audits and reconciliations
around the number and type of active accounts cross-checked against active employees
are a good way to routinely ensure that the controls around identity are working correctly.
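An added example (not from the book) of the reconciliation audit described above: enabled accounts are cross-checked against the HR roster to surface leavers whose access was never revoked, accounts with no owner on the roster, privileged access that the owner's current role does not justify, and dormant accounts. The record fields, the role-to-privilege mapping, the 90-day dormancy threshold and the sample data are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90                       # assumed dormancy threshold
PRIVILEGED_ROLES = {"sysadmin", "dba"}  # assumed roles that justify admin rights


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str               # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # None when no owner is recorded
    enabled: bool
    privileged: bool
    last_login: Optional[date]


def reconcile(employees, accounts, today):
    """Return sorted (username, finding) pairs for enabled accounts."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already revoked, nothing to flag
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.username, "ORPHANED"))
            continue
        if owner.status != "active":
            findings.append((acct.username, "LEAVER_ACTIVE"))
            continue
        # Transfers: admin rights kept after moving to a role that no longer needs them.
        if acct.privileged and owner.role not in PRIVILEGED_ROLES:
            findings.append((acct.username, "EXCESS_PRIVILEGE"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.username, "DORMANT"))
    return sorted(findings)


def summary(findings):
    """Count findings by type for the audit report."""
    return dict(Counter(kind for _, kind in findings))


# Constructed sample data.
EMPLOYEES = [
    Employee("E001", "sysadmin", "active"),
    Employee("E002", "analyst", "active"),
    Employee("E003", "dba", "terminated"),
    Employee("E004", "analyst", "active"),   # transferred out of a sysadmin role
]
ACCOUNTS = [
    Account("alice", "E001", True, False, date(2024, 5, 28)),
    Account("alice-adm", "E001", True, True, date(2024, 5, 30)),
    Account("bob", "E002", True, False, date(2024, 1, 10)),
    Account("carol", "E003", True, True, date(2024, 3, 2)),
    Account("dave-adm", "E004", True, True, date(2024, 5, 31)),
    Account("svc-backup", None, True, True, None),
    Account("erin", "E009", False, False, date(2023, 11, 5)),
]
AUDIT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    result = reconcile(EMPLOYEES, ACCOUNTS, AUDIT_DATE)
    for username, kind in result:
        print(f"{kind:18} {username}")
    print(summary(result))
```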
Consumer connectable products are required to meet certain safety standards, but most
jurisdictions have no mandatory security requirements. The costs of a breach are not
borne by the manufacturers of software, and they therefore have less incentive to pri-
oritise security in development. There is growing concern about the risks to consumers
associated with some of these products through breaches in safety and privacy and their
potential for use in wider cyber attacks.
This risk is magnified when employees use their personal devices for work. Governments
have tried to tackle this vulnerability with education and voluntary codes of practice.

29 Software providers must also implement robust measures to ensure contact details are updated on
request of the relevant employees who are responsible for updating security fixes. See, for example, the matters
discussed in the settled case of Ace American Insurance Co. v Accellion Inc. 4:2021cv09615.


The European Telecommunications Standards Institute (ETSI) created a globally
applicable standard EN 303 645—Cyber Security for Consumer Internet of Things: Baseline
Requirements. This was the first globally applicable technical standard for the cyber
security of consumer connectable products.30
In the UK, the government published a voluntary Code of Practice for Consumer IoT
Security, in 2018.31 It provided manufacturers and others with guidance (13 principles)
on good practice to ensure connectable products were secure. In response to poor uptake
of the Code of Practice and continued risks to consumers, the UK government, follow-
ing extensive consultation, introduced mandatory security requirements for connect-
able products in December 2022 with The Product Security and Telecommunications
Infrastructure Act 2022.
The Act introduces the top three guidelines from the Code of Practice:

• A ban on default passwords;
• A requirement for products to have a vulnerability disclosure policy whereby any
security weakness in a product is identified and notified; and
• A requirement for transparency about the time period for which a manufacturer
will provide security updates for the product.

It will also place duties on manufacturers, importers and distributors of these products to
ensure compliance with the statutory requirements and to take action where a compliance
failure has occurred.
The Act sets out a number of enforcement measures that could be taken when there is a
breach of compliance. For serious issues of non-compliance, the maximum penalty is £10
million or 4% of the company’s worldwide revenue.32
The EU looks likely to follow the UK with the proposal of a regulation on cyber secu-
rity requirements for products with digital elements known as the Cyber Resilience Act to
ensure that manufacturers improve the security of products with digital elements from the
design and development phase and throughout the whole life cycle.33

Encryption and backup


Encryption and backup of data is one of the key protections against ransomware. The
regular encryption of backups that are not affected by an attack expedites the recovery of
files and minimises disruption. It is evident that implementing a proper backup strategy
helps to mitigate the rising threat of ransomware and can be seen as an effective
strategy.34 Often one of the first steps in ransomware breach response where encryption
hasn’t occurred (failed ransomware or pre-ransomware systems attacks) is to back up
sensitive data. Pre-2020, companies were getting better at backing up their data, and this
is a factor that led to double extortion occurring (because cyber criminals lost their edge
in encrypting data as the only method of extortion leverage).
In practice, this can be difficult, and backups are complex. Regular offsite backups that
are segregated from the main network should be part of an organisation’s DRP (disaster
recovery plan). Encryption in transit and at rest should be enabled on devices and services
that allow it.

30 ETSI has over 900 members from 65 countries.
31 www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security.
32 Further details on the background to these changes can be found in the House of Commons Library,
https://commonslibrary.parliament.uk/research-briefings/cbp-9430/.
33 Various member states are starting to take national measures requiring vendors of digital products to
enhance their cybersecurity; for example, in 2019, Finland created a labelling scheme for IoT devices, such as
smart TVs, smartphones and toys based on the ETSI standards. Germany has recently introduced a consumer
security label for broadband routers, smart TVs, cameras, speakers and toys, as well as cleaning and
gardening robots. See comments in the Proposal for a Regulation of the European Parliament and of the Council
on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU)
2019/1020.

Change management
Changes to systems can be because of security, performance or new capabilities. There
can be hardware and software changes. Change management becomes more important
as the size and complexity of an organisation increase so that the organisation can have a
real-time sense of its operating environment.
As mentioned above, when changes to the systems are made, there is always a risk of
system disruption. A robust change management policy will generally allow for a test user
group, deploy changes after business hours and have a plan to “roll back” or reverse the
change if required. Changes should also be approved by the appropriate impacted busi-
ness areas and fall under a risk management framework.
A basic change management cycle might look like the following: Request a change;
impact analysis; approve or deny change; implement change; and review/report on out-
come and impact.
It is also important that these steps can be taken quickly if there is a security patch or
other critical change required. It can also help to have an “emergency change” policy or
plan in place for when there are time-sensitive reasons and the full change management
process cannot be followed.

Incident response planning


Incident response planning is essential in managing cyber risk. When an actual or suspected
incident occurs, it is important for key response members to know where and how to perform
critical tasks, such as isolating parts of the networks, preserving and restoring backups, col-
lecting potential evidence, investigating root causes, assessing data risk, communicating to
regulators and affected individuals, and managing the crisis holistically to maintain trust.
Incident response teams (including external support) need to know their own and each
other’s roles and responsibilities and be able to rapidly mobilise and perform tasks in a
short period of time without having to learn as they go. Often a lot of work needs to be
done in a short period, and key decisions need to be made with imperfect and cascading
levels of information.

34 As per the survey results for the majority of Singapore organisations, Singapore tended not to accede
to ransom requests and managed their recovery through backup files instead. See Neil Campbell and Berin
Lautenbach, “Telstra Cyber Security Report 2017; Managing Risk in a digital world,” 2017.


Key steps often missed initially include contacting insurers as soon as possible, engag-
ing multiple functions across the business and external consultants, and reporting to the
relevant crisis management team and board. If this is not well documented pre-breach, it
can delay recovery and restoration, and critical steps will be taken that may significantly
impact the overall response including reputationally.
Incident response planning can be done as part of a BCP framework (business continu-
ity plan). The BCP will outline how the business remains in continuous operation with the
loss of one or more systems, assets or critical staff members. However, there should also be
separate documents outside the operational response process such as “event-specific play-
books,” “data breach response plans” and “ransomware decision-making frameworks.”
Critically, incident response plans should be tested annually, at a minimum, or as often
as the core crisis management team changes. These exercises are called “tabletop exer-
cises” and can be technical, non-technical or board-specific. Often exercises run for a
four-hour period (although can extend across multiple days) and are intended to famil-
iarise participants with the process of breach response, workstreams required and key
decisions that need to be made.
The goal is to identify blind spots and develop muscle memory amongst internal and
external team members. Where cyber insurance is in place, it is highly advised to meet
the team that will be available to assist during an incident before an incident occurs. This
can be done through a “meet the breach coach” session, and brokers/insurers arrange this
for policyholders post-placement.

Training and awareness


A large percentage of network infiltration is the result of social engineering. Users are tar-
geted as part of phishing or social engineering campaigns to trick them into giving away
credentials, clicking on a link or plugging something malicious into the network. The
more privileges the target user has, the easier it will then be for the threat actor to carry
out their goals once network access has been granted.
User education training and awareness are critically important at all levels of an
organisation. The goal of training is for users to recognise the hallmarks of an attack and
report it through the correct channels to a dedicated assessment team. It is not about
reducing the “click-through” rate to zero or forcing every employee to become a security
expert but to lessen the attack surface.
For example, popular cyber security training providers claim that prior to undertaking
training, there is a 30% or higher willingness for staff to click on malware links that can
compromise a system. This can be reduced to less than 5% with the correct education.35

Quantitative versus qualitative risk


When undertaking any kind of risk management, there are two ways to think about risk.
Quantitative data is measured statistically with numbers and metrics. Qualitative data is
data that cannot be easily measured or counted.

35 Lance Spitzner, “Why a Phishing Click Rate of 0% is Bad,” SANS, 14 November 2017,
www.sans.org/blog/why-a-phishing-click-rate-of-0-is-bad/.


There is some debate over what has traditionally not been measured quantitatively and
if this type of measurement is possible. A lot of traditional risk management focuses on
subjective opinions on what the impact and likelihood of certain outcomes might be. This
means a large part of the risk assessment is based on the subjective experience of the risk
manager.
There is a growing trend to incorporate as many metrics and data points as possible
into risk assessments to give a data-driven probability. Unfortunately, to be accurate, good
data and the expertise of someone to collate and interpret the results are essential. Simply
using a “Monte Carlo” simulation or other maths-intensive probability calculation can
lead to sometimes unrealistic outcomes in practice.
Against this background, the next section discusses various cyber security risk frame-
works that organisations can refer to when benchmarking their own maturity level. Some
frameworks are more specific to certain industries (such as PCI DSS which applies spe-
cifically to companies that store, process and/or transmit credit card data).36

Common cyber risk frameworks


Frameworks that organisations can use to benchmark cyber maturity
The below represents a selection of commonly used frameworks in cyber security.
Included is a spread of frameworks that all have vastly different purposes. In the examples
listed, there are control, management, hardening, audit and threat frameworks.
Purposes range from giving guidance and structure to a cyber security programme;
demonstrating required steps for certification or accreditation; providing assurance to
third-party vendors or clients; general tips for system hardening; and a framework that
demonstrates how threat actors go about breaching systems.
There is a mixture of government-funded and maintained as well as private companies
that issue frameworks or run accreditation programmes as part of their business model.
Many are publicly available or “open source” to allow all organisations to access the cur-
rent and most revised standards and recommendations.
Certain organisations such as the International Standards Organisation (which gov-
erns accreditation and compliance to standards in many fields like medical, chemical, IT,
safety etc.) sell their standards as a product.
Organisations can also be assessed against some frameworks to determine a “maturity
level,” that being to what level of maturity (usually a reflection of redundancy, automation,
repeatability and governance) the security controls are operating at.

36 See, “Merchant Resources,” PCI Security Standards Council, www.pcisecuritystandards.org/merchants/#resources.

NIST—open source—government—control framework

In 2014, the United States Institute of Standards and Technology (NIST) worked with
government and private sector to create an IT control framework called the Cybersecurity
Framework.37 The framework was designed to help organisations understand cyber security
risks and incorporate control measures that are to be used to minimise these risks.38
Under the following taxonomy, organisations are required to describe their current
cyber security posture; describe their target state for cyber security; identify and prioritise
opportunities for improvement within the context of a continuous and repeatable process;
assess progress toward the target state; and communicate with internal and external stake-
holders about cyber security risk.
The framework is centred around the following five concepts:

• Identify: Identify assets, risks, vulnerabilities and strategies to overcome threats;
• Protect: Implement security controls, processes and procedures to protect assets;
• Detect: Monitor and detect security incidents and anomalies;
• Respond: Plan for responding to security events and mitigating damage; and
• Recover: Restore systems and plan improvements to prevent future incidents.

NIST also has maturity benchmarks. It will give an indication of what the maturity levels
are and what kinds of controls should be expected to be operating at various maturity
levels. This can be helpful in both a benchmarking sense and to give an indication of how
far an organisation is from “best practice” and what the next steps would be in achieving
best practice.

COBIT—open source—private—management framework


COBIT (Control Objectives for Information and Related Technologies) is a framework
created by ISACA (Information Systems Audit and Control Association) for information
technology management and IT governance.39
It differs from other frameworks, as it is designed to bridge the gap between business
units and IT/risk management rather than working siloed within IT. It is also designed to
complement other frameworks and provide a management and governance scaffold rather
than be one that is adopted in isolation.
It is divided between the governance objectives (evaluate, direct and monitor) and the
management objectives: Align, plan and organise; build, acquire and implement; deliver,
service and support; and monitor, evaluate and assess.
The objective is to implement a tailored governance process and have a performance
management and continual improvement system in place. COBIT also quantifies the
“capability level,” which is another analogue for maturity levels and, like NIST, uses a
1–5 scale.

37 www.nist.gov/cyberframework.
38 A version 2.0 of the framework is due for release shortly,
https://blog.6clicks.com/what-do-we-know-about-nist-csf-2.0.
39 www.isaca.org/resources/cobit.


ESSENTIAL 8/TOP 35—open source—Australian government—system hardening framework
The Australian Government’s Australian Signals Directorate (ASD) is the head agency in
Australia for signals intelligence. Under this department, they set up the ACSC. One of
the ACSC’s goals is to publish and maintain a set of best-practice guidelines for Australian
businesses and government agencies, being the “Essential Eight” framework.40
The “Essential Eight” requirements also use a maturity model (1–3) that outlines
approximate resilience that can be achieved. For example:

• Maturity level one: To become resilient against adversaries that leverage
commodity tradecraft who are using publicly available exploits for internet-facing
services. These are likely opportunistic attacks based on known vulnerabilities;
• Maturity level two: Adversaries at this level are willing to invest more time and
use targeted attacks such as phishing campaigns or social engineering. They will
invest more effort but will still be conservative with the time and money spent
on the attack; and
• Maturity level three: Level three is generally focused on adaptive adversaries
who are less reliant on public tools and techniques. They may be focused on a
particular target and are willing to invest time and effort including bypassing
multi-factor authentication and identity verification protections.

The framework also lists the controls expected to achieve resilience against each of these
maturity levels.
The ACSC also maintains the Information Security Manual (ISM). The ISM outlines
the required controls for information systems that deal with classified material and out-
lines a general cyber security framework that organisations can apply, using their risk
management framework, to protect their systems and data from cyber threats.41

ISO 27001/27002—paid—private—certification framework


The International Standards Organisation (ISO) maintains a list of controls that forms
the ISO 27001 compliance regime. The core objectives are for establishing, implement-
ing, maintaining and continually improving an information security management system
(ISMS). Its best-practice approach helps organisations manage their information security
by addressing people, processes and technology. The Standard offers a set of 114 best-
practice security controls that can be applied based on the risks faced.
The framework is comprehensive in that it goes into detailed requirements of what
controls an organisation must have in place to become ISO-compliant or certified.
Organisations can then be assessed independently to become certified. An organisation
can also use the standards as best practice to help guide a cyber security programme with-
out formal certification.

40 www.cyber.gov.au/acsc/view-all-content/essential-eight.
41 www.cyber.gov.au/acsc/view-all-content/ism.


ISO 27001 uses the “CIA triad” as the building blocks for its requirements. CIA refer-
ences confidentiality, integrity and availability. These are considered the three objectives
of developing an ISMS.

• Confidentiality: Only authorised persons have the right to access information;
• Integrity: Only authorised persons can change the information; and
• Availability: The information must be accessible to authorised persons whenever
it is needed.

The ISMS should form a policy set for running the information systems in a company
in accordance with these objectives. ISO 27001 itself lists all the control objectives that
should be included.
As 27001 is widely adopted, there are several examples or template policies developed
by third parties that meet the control objective in the standard. To become certified, the
organisation must demonstrate not only the existence of policies and risk management but
its effective operation to an independent assessor.

SOC audit (formerly SAS70)—private—audit framework


The American Institute of Certified Public Accountants (AICPA) SOC (Systems and
Organisational Controls) is designed to allow organisations to issue validated reports of
independent controls.42
SOC2 is cyber focused, being the information security, availability, process integrity,
confidentiality and privacy controls. The five categories are designed to look at:

• Security: Protection against unauthorised access, disclosure or system damage
that could compromise information or system availability, integrity,
confidentiality and privacy;
• Availability: Information and systems are available for operation and use
according to the company’s objectives;
• Processing integrity: Complete, valid, accurate, timely and authorised system
processing;
• Confidentiality: Appropriate protection over data designated as “confidential”;
and
• Privacy: Collection, use, retention, disclosure and disposal of personal
information should meet company objectives.

SOC2 reports are the opinion of the auditor and not compliance with a framework. The
SOC2, as an audit, tests controls for design and operating effectiveness, not just for the
presence of the control.

42 www.aicpa.org/resources/landing/system-and-organization-controls-soc-suite-of-services.


MITRE—open source—private—threat framework


MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-
world observations. It is used by security analysts, threat hunters and anyone interested in
a detailed look at the tools and techniques that form a cyber-attack “kill chain.”43
MITRE breaks down the general stages of a cyber attack as reconnaissance (10
techniques); resource development (8 techniques); initial access (9 techniques); execution
(13 techniques); persistence (19 techniques); privilege escalation (13 techniques); defence
evasion (42 techniques); credential access (17 techniques); discovery (30 techniques);
lateral movement (9 techniques); collection (17 techniques); command and control (16
techniques); exfiltration (9 techniques); and impact (13 techniques).
Under these categories, the framework outlines all the tools and techniques by name
that would allow such an attack to occur along with information such as examples, operat-
ing systems affected, mitigations and where this technique or tool has been seen.
Many DFIR firms use the MITRE ATT&CK framework to report on the activities of
threat actors in forensic reports, and it is a useful guide to understand how threat actors
do what they do from end to end in an attack lifecycle (and where they can be stopped at
various points with appropriate defence capabilities).

Concluding remarks on effective cyber risk management


There is no best practice or “one size fits all” framework or standard, and it is generally
up to the information security manager or those performing this function to decide what
is appropriate for the size and function of the organisation and use one or many together
to achieve their goals.
There is overlap in many frameworks, and compliance with one often means cross-com-
pliance with equivalent frameworks. However, if an organisation requires accreditation or
certification, it will likely have to follow the framework as a strict checklist in preparation
for the auditor or assessor who will do the same. Compliance with a well-respected and
industry-suitable framework will assist in demonstrating to third-party stakeholders that
the fundamentals of cyber security risk management are in place.

Establishing incident response resilience


Regulatory landscape update
There have been significant recent developments in the cyber regulatory landscape as
governments work strenuously and proactively in their endeavours to manage, and
preferably set, the cyber agenda.
Various regulators have flexed their muscles in relation to implementing breach report-
ing regimes, tightening expectations around timeframes to report, and increasing fines
and penalties for privacy violations (not just the occurrence of incidents, but broader data-
handling issues such as the collection and retention of data including biometric data and
sensitive ID documents and health information).

43 https://attack.mitre.org/.


The primary privacy regulator in Australia, the Office of the Australian Information
Commissioner (OAIC), has obtained an increased budget to allocate towards regulatory
enforcement actions, with six investigations being launched in 2022. These investiga-
tions follow some notable mega-breaches of sensitive information (relating to a telco and
health insurer in the latter months of 2022) and are designed to identify systemic issues
relating to the storage of information and security controls in place to prevent incidents
from occurring. The industry is keeping a close eye on these investigations and out-
comes to determine the regulatory focus of the OAIC in 2023.44
Additionally, in December 2022, new laws were enacted with the goal of strengthen-
ing privacy protections for Australians.45 Most significantly, the laws include a quantum
leap in the maximum fine available for serious or repeated invasions of an individual’s
privacy. Previously, the maximum penalty for serious or repeated privacy breaches was
AUD $2.22 m.
The new maximum penalty for serious or repeated privacy breaches will increase to
whatever is the greater of AUD $50 million; three times the value of any benefit obtained
through the misuse of information; or 30% of “adjusted turnover” (essentially revenue)
during the “breach turnover period.”
The OAIC is also provided with greater powers to resolve privacy breaches and quickly
share information about data breaches to help protect customers. Although in practice
the information-sharing powers with agencies may not be necessary if entities manage
the response well, this is an area to be closely watched. These amendments are the first
step of the Attorney-General’s ongoing review of the Privacy Act, published in 2023, which
highlights the “vulnerability of people’s information in the digital age.”46 The Report
proposes new principles, such as the fair and reasonable test, as well as more detailed rules to
provide greater certainty where needed.
Separately, the corporate regulator, the Australian Securities and Investments
Commission (ASIC), has established an enforcement team to look specifically at risk
management practices with a cyber lens. Following the recent RI Group decision,47 it
is anticipated that further action in this space will dominate discussions over the next
12 months, as ASIC establish their role in ensuring that regulated entities place cyber risk
management at the top of the agenda.
The Australian Competition and Consumer Commission (ACCC) was successful in an
action against Google with a $60 m penalty being handed down in the Federal Court over
the collection of “location data.”48 The Court’s decision sends a clear signal that organisa-
tions (in particular “big tech” entities) need to ensure that they are clear and transparent
about what data they collect from individuals so as not to engage in misleading and decep-
tive conduct. The case is also a reminder that regulating data-handling practices doesn’t

44 www.oaic.gov.au/.
45 Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
46 More information about the previous law reform process, the terms of reference for the current review
and key submissions made is available online; see www.ag.gov.au/integrity/consultations/review-privacy-act-1988.
The Privacy Act Review Report 2022, published in February 2023, is available at
https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report.
47 https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/.
48 Australian Competition and Consumer Commission v Google LLC (No 4) [2022] FCA 942;
www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.


just sit with the Privacy Commissioner, and multiple regulators are now prioritising this
within their remit.
Elsewhere in the world, data protection and privacy legislation are developing at a simi-
lar pace:

• All 50 states in the United States have passed breach notification laws that
require notifying state residents of a security breach involving more sensitive
categories of information, such as social security numbers and other government
identifiers.49 Federal laws require notification in the case of breaches of health-
care information, breaches of information from financial institutions, breaches
of telecom usage information held by telecommunication providers and breaches
of government agency information;
• The EU GDPR enforces data protection with heavy penalties with a maximum
fine of €20 million or 4% of annual global turnover, whichever is greater, for
infringements, and the UK GDPR sets a similar maximum fine;50
• In the Middle East, new data protection legislation has been passed since 2020 in
countries including the United Arab Emirates, Saudi Arabia, Bahrain, Oman
and Egypt. In most cases, there are breach notification obligations, and some of
these laws also provide for criminal sanctions in respect of violations. National
security requirements are a key feature of the laws in this region.

The topic of protecting critical infrastructure assets against cyber risk continues to domi-
nate headlines when it comes to protecting the economy, especially as we recover from the
economic impacts of recent years. With mandatory reporting now in place for significant
cyber security events, critical infrastructure asset owners need to ensure that their inci-
dent reporting playbooks are updated.51

Incident response planning—establishing incident response resilience


While there are many factors that contribute to the overall outcome of a breach investi-
gation and response strategy, one common factor that contributes to the severity of an
incident (i.e. cost, time and regulatory compliance) is whether an entity has a robust and
tested incident response plan in place.
This is because incident response planning decreases the likelihood of delays and poor
decision-making by ensuring all key members of the team are well-briefed and engaged

49 Following the 2017 data breach, Equifax were ordered to pay US $175 million in penalties to the states,
including more than US $18.7 million to California, to support continued oversight and enforcement of con-
sumer protection laws; see press release, “Attorney General Becerra Announces Settlement Against Equifax
Providing $600 Million in Consumer Restitution and State Penalties,” State of California, 22 July 2022,
https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-settlement-against-equifax-providing-600.
50 British Airways was fined £20 million when it was found that the airline was processing a significant
amount of personal data without adequate security measures in place. This failure broke data protection law,
and, subsequently, BA was the subject of a cyber attack during 2018, which it did not detect for more than two
months. This was followed two weeks later by an £18.4 m fine for Marriott International Inc. See “Information
Commissioner’s Annual Report and Financial Statements 2020–21,” July 2021, HC354.
51 Security of Critical Infrastructure Act 2018 (SOCI Act).


in the process. For example, some common issues entities may encounter when dealing
with a breach are set out below.

Late notification to insurers


Very rarely do incident response plans contemplate notifying insurers early in the incident
response process. This is typically because the incident response plans are developed by
the IT function, with a focus on containment, and without a meaningful understanding of
the need to notify insurers under the policy and the insurer’s role in helping provide sup-
port to policyholders throughout an incident beyond initial containment steps.
Further, there is typically a lack of understanding by policyholders that they can gain
access to the incident response panel that sits behind the insurance policy and that is
available 24/7 to assist with the investigation and response. Policyholders often explain
that they are not aware of this service being available to them until part-way through, or
after an event.
While policyholders generally are free to use their own vendors in response to an inci-
dent (subject to reasonableness of costs), some insurers will have requirements to use spe-
cific panel vendors who provide expert services at reduced insurance rates, and it clearly
is a matter that should be checked with insurers when purchasing a policy. There is also
sometimes confusion about the role of the panel incident response team, who they act for
and the benefits of using their special skills, expertise and surge capacity.
These issues can be addressed through early engagement with insurers post-placement.
Typically, these “meet the breach coach” calls will allow the policyholder to ask questions
about the process, ensure their incident response plan is tailored to accommodate the sup-
port available through the hotline, map out vendors who will be responsible for leading
various workstreams during an incident (internal and external) and distinguish between
simply accessing services through the hotline and lodging a formal notification of circum-
stances, or indeed lodging a formal claim for indemnity with insurers.

Board engagement
Ensuring that the board is engaged with the incident response enables a clear path for
decision-making, particularly around material decisions that need to be made such as
engaging with a threat actor, paying a ransom, reporting to regulators and reporting to the
market for publicly listed companies.
Detailing these processes in advance and delegating authority to the core response team
significantly reduces the time and cost of an incident—which may mean the difference
between a threat actor dumping personal information on the dark web without warning or
having in place a clear communications strategy for managing stakeholder concerns on a
proactive basis.52
Further, regulators are now asking questions about board engagement leading up to and
during all stages of an incident response.53 Every entity will have its own pre-determined

52 The dark web is part of the internet which is intentionally hidden and requires a specific browser to
access. Stolen credit card numbers and stolen subscription credentials etc. are often offered for sale via the
dark web.
53 See Chapter 12 “Professional Indemnity and Insurance.”


approach for when and if the board needs to exercise its decision-making function or just
be informed about the incident at various stages to provide oversight.

Communication strategy
How an entity communicates both with internal and external stakeholders has an immense
impact on the incident response outcome. As a priority, it is important for an organisation
to have clearly identified its key stakeholder groups by mapping out the ecosystem of those
who interact with the organisation and need to be notified under contract or generally as
part of the business relationship. Often simple tasks such as identifying key contacts in the
heat of the incident make this process difficult.
Trying to settle on a communications strategy can be a hard balancing act between
proactiveness, transparency, accuracy and frequency of updates. Silence is a killer, but
worse than silence is putting out information too early which turns out to be incorrect.
Often, if organisations need to correct a prior statement they have made, they immediately
lose credibility and trust. Organisations are frequently judged on their response and third
parties might attribute perceived risk (which may not exist) to the way in which a com-
munications strategy is managed.
Technology journalists are key stakeholders to work with as are government agencies
responsible for applying protective measures to and replacing government-issued IDs
caught up in an incident (such as healthcare cards, driver’s licences and tax file numbers).
These agencies provide a statutory function in relation to the protection of this data but
also report to government ministers responsible for managing the agency as part of their
portfolio.
If the issuing agencies are not managed well, this creates a risk that the government
will intervene in the event, as was seen recently in the Australian telco and health insurer
breaches. Costs of ID replacement (and the overhead costs of the agencies responding to
the incident) can spike and potentially present liability risk to entities if costs are claimed
back from them post-remediation by the issuing agencies.54

Supply chain risk management


In preparing for an incident, it is important for an organisation to understand where its
risk lies outside the organisation. For example, if a third-party supplier has a breach and
jointly held personal information is impacted, downstream entities will be responsible
for assessing data risk and potentially notifying affected individuals despite not having a
breach on their systems.
Planning for this event is therefore key to an effective incident response involving
third-party breaches. Typically, contracts with third-party providers will not contemplate
the various trigger points, hurdles and questions that an entity may be faced with when

54 See for example, “Optus notifies customers of cyberattack compromising customer information,”
Optus, 22 September 2022, www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack.


experiencing a multi-party data breach. Knowing who critical supply chain vendors are
and the data that they hold, as well as key contact points for escalation, are all key steps to
mitigate risk associated with vendor breaches.

Delayed investigations and notifications


One major focus of the regulators in 2023 (particularly the OAIC) is expected to be
delayed investigations and notifications to affected individuals. Putting aside that affected
individuals expect that they are notified instantaneously of a breach (which is unrealistic),
the regulators are focusing on the contributing factors which lead to extended investiga-
tion timeframes and late notification.
Often the factors that lead to this occurring are not the lack of responsiveness of the
organisation or willingness to investigate (though this does occur sometimes), but rather
underlying residual factors that complicate or impede expeditious investigations and data
risk assessments from taking place. These issues include late escalation of incidents from
the IT team to the broader response team, an incomplete understanding of what data is
held by the organisation in various systems at any given point and large complex unstruc-
tured datasets that take time to reconstitute and review.
These factors are why the regulators are now focusing on severity factors including
data collection/retention/deletion, incident response preparedness and board engagement.

Concluding Remarks on effective incident response preparation


There are many things that organisations can do to better prepare for an incident occur-
ring and engage in “proactive incident response” as a strategy. Key steps include devel-
oping incident response plans, engaging with insurers pre-incident at the time of policy
placement, meeting the breach response team and assigning roles and responsibilities, and
testing the incident response plan through a tabletop exercise. Developing a communica-
tions strategy and board engagement materials in advance also provides significant value
in times of crisis.

Cyber insurance fundamentals


High-level overview of cyber insurance
The constantly evolving nature of the cyber threat landscape means that even organisa-
tions with best-in-class cyber security face a residual risk from cyber incidents and attacks.
Organisations, therefore, look to insurers to seek protection against that residual risk.
Some traditional commercial insurance products—property, liability or financial
lines—offer minimal protection from cyber risks, whether on an affirmative (where cyber
incidents or attacks are expressly affirmed or excluded from cover) or non-affirmative
or “silent cyber” basis (where the language of traditional insuring clauses may be wide
enough to, potentially unintentionally, provide cover for losses caused by cyber incidents
and attacks). However, relying on traditional insurance business lines alone risks leaving
an organisation with significant gaps in cover. Standalone cyber insurance was developed
to bridge those gaps.


Standalone cyber insurance, or simply cyber insurance, is an insurance product which
is intended to cover the costs, losses and liability exposure of named policyholders, arising
out of a range of “cyber incident” types (which will typically be defined) and applies to
actual or suspected incidents thereby allowing suspected activity to be investigated even
if the findings are ultimately that a breach did not occur.
Like any contract of insurance, the scope of cover is always dependent on the terms of
the insurance policy itself. The comments below are not intended to interpret the applica-
tion of any one policy, which must be read on its own terms. Businesses looking for cyber
insurance coverage need to have a good understanding of the scope of cover available and
any applicable extensions of cover, conditions or exclusions, as well as retention periods
or amounts, and sub-limits and aggregate limits available.
Specific advice is essential when seeking excess layers of insurance to ensure that
insurance programmes respond as intended to primary layer insurance cover.55

Insurance clauses and how they operate in practice


Although each policy will differ on its terms, cyber insurance policies typically feature
two main heads of cover, each of which may have several different insuring clauses:

• First-party cover
This cover is designed to help an organisation respond to, investigate and
recover from cyber incidents and attacks. These can be described as the “miti-
gation,” “containment,” “remediation,” “investigation” and “regulatory compli-
ance” costs reasonably and necessarily incurred by a policyholder in responding
to an incident.
These will typically include external vendors’ fees for providing services to
assist the impacted entity, depending on the incident type and assistance required
(for example, legal, digital forensics, IT security, PR, notification expenses etc.),
as well as “business interruption” losses (that is, out of pocket expenses and lost
revenue as a result of the incident). Ransom payments are also typically covered,
but these will be subject to sanctions, regulation, exclusions and potentially also
co-insurance provisions.
• Cyber liability cover
These are the costs and losses associated with defending a third-party claim
or regulatory investigation, arising out of a cyber incident including the defence
costs, awards of compensation (that is, judgments or determinations), settle-
ments, and fines and penalties (to the extent insurable by law). The language used
is often similar to other legal liability insurance classes and policies are designed
to operate in the same manner and in accordance with the same legal principles.

55 A great resource recently published by CFC and BIBA is at
www.cfcunderwriting.com/en-au/resources/guides/cyber-insurance-guide-in-collaboration-with-biba/.
The Actuaries Institute of Australia published a
green paper which discusses cyber risk and the role of insurance; see Win-Li Toh and Ross Simmonds (both
of Taylor Fry) and Michael Neary (DXC Technology), “Cyber Risk and the Role of Insurance,” Green Paper,
Actuaries Institute, September 2022,
www.actuaries.asn.au/public-policy-and-media/thought-leadership/green-papers/cyber-risk-and-the-role-of-insurance.


In some cases, cyber insurance may also provide limited “first-party” or “third-party liabil-
ity” cover for reimbursing misdirected funds arising out of a BEC social engineering fraud
event (that is, invoice fraud, either paid by the policyholder or a third-party). However,
cover for social engineering fraud is not typically offered as a standard section of cover
and is usually endorsed as an “add-on” extension and subject to sub-limits of liability.
Typically crime, management liability and, in some cases, professional indemnity policies
will more readily pick up this loss or liability (for claims made against the policyholder).
Cyber insurance policies are “composite policies”—they are a mixture of two types of
policies grafted together to cover the insured entity’s losses and liability. Importantly, the
two types of policies are triggered in different ways, as follows:

• “Occurrence-based” sections of cover—whereby cover (typically under the “first-party
cover” sections of the policy) is triggered on the occurrence (or the policyholder’s
discovery of that occurrence) of the incident or costs being incurred in
response to the incident, during the policy period. For example, the policyholder
first identifies suspicious activity on its network, and it needs to incur investigation
costs to confirm if the activity is unauthorised, and remediation costs to
contain the threat and prevent ongoing systems access from continuing; and
• “Claims made” sections of cover—whereby cover (usually under the cyber liability
cover sections of the policy) is triggered on a “claim” first being made against
the policyholder during the policy period. The meaning of “claim” is typically
defined in the policy but will usually encompass a demand for compensation,
commencement of proceedings or regulatory investigation. For example, an indi-
vidual files a privacy complaint with the OAIC against an entity in relation to
an alleged breach of privacy, and the insured entity needs to incur defence costs
to respond to the complaint and potentially also pay compensation to settle the
claim. As with traditional lines of liability insurance, careful attention will need
to be given to the triggers to cover, for example where cover is on a “claims
made” or “claims made and notified” basis.

The distinction between the operation of the two policy types highlights the different ways
a cyber insurance policy might respond to risk. This is important, as often there is confu-
sion from policyholders about when they should formally notify their insurers depending
on the risk being faced (that is, a live incident or a dispute arising out of a historical inci-
dent) and how the insurance policy might respond in each scenario, including in relation
to incidents notified to an insurer which later turn into a “claim.” The policies may also
often contain a series of conditions about what a policyholder should do when an incident
occurs. Depending on the nature of the terms in question, failure to comply with those
conditions may impact whether cover is available under the policy.
Generally speaking, policyholders should notify insurers of an incident occurring, or suspi-
cion of an incident, as soon as possible to cover any later claims made under the same policy.

High-level evolution of cyber insurance


While traditional lines of insurance, marine, property and casualty, have developed over
centuries, cyber insurance as a product (and breach response service) has only been


around for 20 years or so. Its relative immaturity as a line of insurance business means
that cyber insurance has significantly evolved over this period and particularly over the
past five to ten years as it has become a mainstream product for more than just “tech” and
“.com” businesses and financial institutions where its origins lie.
As technology, the nature and anatomy of cyber attacks and the materialisation of loss
have evolved, so too have policy terms. The result is that modern cyber insurance policy
terms encompass a more expansive risk.
Although this is a very high-level overview, to demonstrate:

• Mainstream insurance policies entering the Australian market five years ago typ-
ically defined different types of “cyber incidents” as being a precursor for cover.
In other words, the policy would only respond to certain types of events (called
covered “causes of loss”). If the defined event did not arise, then the policy would
not trigger; and
• Often, when an incident arose and insurers were reviewing the policy to deter-
mine whether cover was available, questions would arise about whether the pol-
icy would respond, particularly where the event was unique or novel. Usually,
cover was only available for malicious events caused by third parties, meaning
that losses arising from trusted insiders (such as an employee or contractor) act-
ing inadvertently (that is, human error) were not covered.

This is just one example where the practical reality of the constantly evolving nature
of cyber events (including root cause) and resulting losses did not always match up with
the policy wording or underwriting intent.
As a result, insurance wordings have broadened the scope of event types over time and
focused more on the types of losses and exposures insured entities will experience, rather
than the underlying types of cyber events, as a precursor to obtaining cover.
That said, insurance policies continue to develop wordings around specific event types.
For example, some cyber insurance policies provide specific cover for “phreaking” (misuse
of telecommunications infrastructure) and “bricking” (destruction of hardware devices
following an incident). These are just two recent examples of types of cover offered to
the market in response to recent novel event types. It is expected this bespoke, scenario-
specific cover will continue in addition to broad loss-focused covers.
Additionally, some historical limitations on wording have been removed. For example,
earlier cyber insurance policies typically imposed “retroactive exclusions” whereby the
policy would not respond to events occurring or losses being incurred during the policy
period arising out of activities occurring prior to the policy period (even if the insured
entity was not aware of the prior malicious activities).
However, recent policies have removed this exclusion, recognising that often malicious
activities will go unnoticed for months or years before an entity will first identify a com-
promise. Industry statistics suggest that often threat actors will have gained access to
environments for over 200 days before their activities are noticed.56

56 See, for example, Phil Muncaster, “Hackers Spend 200+ Days Inside Systems Before Discovery,”
Infosecurity Magazine, 25 February 2015, www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside.


Additionally, wordings have evolved to meet the risks of doing business in a digital
world. For example, recognising the rise of data hosting and sharing between entities over
the last ten years (that is, between SaaS providers, MSPs and cloud-based storage providers)
and the continued interconnected nature of supply chains relying upon each other
and sometimes even sharing common systems to do business, wordings have evolved to
provide “contingent cover” for losses arising out of impacted third-party systems.
As a practical example of how this works, there have been a number of instances where
cyber insurance policies will respond to policyholders’ costs and losses incurred as a
result of a multi-party data breach impacting an independent third-party entity that held
and processed data on their behalf. This is significant, as practically speaking, the policy
technically responds to incidents that do not occur on policyholders’ systems but rather
the systems of a third party, which are beyond the physical control (and risk management
influence) of policyholders other than through contracts with providers.
However, insurers recognise that this is how organisations do business and that,
despite outsourcing possession over the handling of data, policyholders do not out-
source residual legal responsibility over that data. In other words, they still retain a
residual risk in relation to the handling of the data under contract and various privacy
laws, and it is this risk that is insurable, in addition to the policyholders’ own systems
being breached.
This is just one example of how cyber insurance has evolved over time to keep up
with modern technological and regulatory/legal developments. There are other examples
whereby insurance terms have evolved to acknowledge the changing nature of the risk
itself.
The surge in cyber incidents and attacks in recent years, particularly ransomware and
hybrid extortion incidents where attackers will both encrypt and steal data to increase the
pressure on the victim to pay the extortion demand, have seen insurers’ loss ratios (the
proportion of loss incurred to premium received) increase rapidly.
The cyber insurance market has responded: a number of insurers have left the market,
and those that have remained have increased rates and tightened the terms of cover—carefully
defining perils in insuring clauses and exclusions. Underwriting scrutiny has also
significantly increased, with underwriters imposing stringent minimum security stand-
ards and refusing cover, or declining claims, when those standards are not met.

Current insurance claims trends


As a general observation, the “first-party costs” section of cyber insurance policies
is more often called upon by policyholders. This is likely a by-product of insured
entities maximising the value of accessing specialist service providers through cyber
insurance panels to help them respond to incidents, and a lack of third-party consumer
claims or regulatory investigations being brought against businesses who have expe-
rienced a cyber event. Note this is not the typical experience in North America where
this risk is elevated.
That said, in Australia, there is an uptick in third-party claims activity between entities
who have experienced a multi-party data breach, in circumstances where parties affected
want to push on their costs and liability exposure to the breached entity, or where entities
wish to sheet liability for an incident to their IT service provider or MSP. There is also


evidence of an uptick in regulatory investigations, consumer claims and privacy class
actions, although not to the extent seen outside of Australia.57
In terms of the high frequency of first-party costs claims, SME entities generally call
upon assistance from insurer panels. This is likely because they do not have the internal
capabilities to manage incidents with existing resources. This is also aided by the fact that
they typically have lower deductibles (often around $1,000 to $25,000), and therefore the
insurer typically funds the costs of these providers’ services much sooner.
On the flip side, despite having larger retentions in place, large organisations with
incident response capability gaps will often still call upon insurers’ vendor panels for
assistance to access surge capacity and capability, or to ensure that there is a level of
independence and specialism brought to the response (particularly where their incumbent
provider may be responsible for causing or contributing to the event occurring).
This is even in circumstances where the larger organisations have deductibles of
between $25,000 and $500,000 and are therefore responsible for the payment of the insurers’
panel vendor’s costs initially, with the insurer to pick up any costs that exceed this
amount up to the limit of liability.
In future, it is expected that the third-party liability component of cyber insurance
policies will start to become more active and respond as a result of an increase in the
regulatory investigation and claims landscape. This will likely be a result of the increased
regulatory environment (including a number of active investigations and litigation by var-
ious regulators including the OAIC, ASIC and ACCC); fines and penalties being handed
down by overseas regulators (such as the ICO and other EU DPAs); and growing con-
sumer awareness and expectations around how data should be handled and privacy rights
more generally.

Ransom payments
As noted in the section below, there is an overfocus with respect to insurance policies fund-
ing and facilitating the payment of ransoms. Cyber insurance provides vital financial pro-
tection, education and operational support in the event of an attack. However, the topic of
ransom payments, especially those made by the insurer and the legality of such payments,
is gaining much interest across the globe with calls for regulatory change to ban ransom
payments recently prompted by high-profile cyber attacks.58 This political momentum is
starting to diffuse across jurisdictions.59 This section will discuss the impact of ransom
payments by insurers and the changes regulators are currently discussing.

57 Recent settlements in the United States include Capital One Finance Corp who agreed to pay US $190
million to settle a class-action lawsuit that customers filed against the firm after a hacker broke into its
cloud-computing systems and stole their personal information; the order and judgment granting final approval of
class-action settlement was granted on 13 September 2022. See re. Capital One Consumer Data Security
Breach Litigation, MDL No. 1:19-md-2915 (AJT/JFA).
58 Australia’s Home Affairs Minister Clare O’Neil said the government would consider making illegal
the paying of ransoms to cyber hackers, following cyber attacks affecting millions of Australians. See Sam
Mckeith, “Australia to consider banning paying of ransoms to cyber criminals,” Reuters, 15 November 2022,
www.reuters.com/technology/australia-consider-banning-paying-ransoms-cyber-criminals-2022-11-12/.
59 In New York, Senate Bill S6806A has passed the Assembly and Senate. The Bill prohibits governmental
entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a
cyber ransom or ransomware attack. North Carolina, § 143-800(b), and Florida, CS/HB7055, have explicitly
banned state and local government agencies from paying hackers.

Cyber Risk and Insurance

AM Best reports that ransomware accounted for up to 75% of all cyber insurance claims
in 2020.60 Ransom demands are the costs of paying a threat actor to provide decryption
keys to decrypt data, return data or prevent the public release of data or sale of data.
General costs can include the costs of specialists to negotiate with the threat actor,
investigation of the threat and payment of the ransom request.
In most jurisdictions, it is not illegal to pay hacker ransoms, although law enforcement
agencies and cyber security agencies discourage payment of ransoms, stating, correctly,
that payments incentivise hackers to carry out further attacks. Where ransomware payments
are legal, the insurance industry must decide a) whether to provide cover for ransom
payments and b) what level of cover to include in the policy and how to price the risk. For
insurers who have agreed to include a ransom payment clause in their policy, their exposure
is maximised when the hackers identify the insurance policy itself, the circumstances
that will trigger payment and the policy’s payment ceiling. The ransom request is then
tailored to the policy, with the ransom demand being the maximum coverage identified under
the policy.61 This increases the likelihood of payment to the threat actor. Some insurers
are responding and mitigating this threat by introducing policy encryption to provide an
additional layer of security, and brokers are given the policy decryption key via email
when the policy is bound.62
Businesses are paying, many stating they “had no choice but to pay the ransom”63 and
that making the payment is a very “painful” but necessary decision.64 Between 27% and
58% of businesses subjected to a ransomware attack have paid the hackers to get back
their data.65 In the UK the average is even higher, estimated at 82%. JBS Foods paid an
$11 million ransom,66 and Colonial Pipeline,67 a carrier of gasoline and jet fuel, paid $4.4
million. These are startling figures, but the “average” is impossible to fully know, as most
victims of ransomware attacks do not willingly disclose that they have suffered a ransomware
attack, making an accurate picture difficult.

60 “Best’s Market Segment Report: Ransomware and Aggregation Issues Call for New Approaches to
Cyber Risk,” AM Best Report, 2 June 2021, https://news.ambest.com/presscontent.aspx?refnum=30762&altsrc=9.
61 Ransomware Action Plan Australian Government 2021. This issue was also identified by a former FBI
agent; see Rachel Lerman and Gerrit De Vynck, “Ransomware claims are roiling an entire segment of the
insurance industry,” 17 June 2021, The Washington Post,
www.washingtonpost.com/technology/2021/06/17/ransomware-axa-insurance-attacks/.
62 See, for example, CFC Underwriting, which commenced encryption of cyber policies from 1 March
2023, www.cfcunderwriting.com/en-au/resources/news/2023/02/cfc-introduces-policy-encryption-for-cyber-insurance-in-another-market-first/.
63 A majority of respondents (62%) to CNBC’s Global CFO Council survey for Q2 2021 said that Colonial
had “no choice but to pay the ransom”; see www.cnbc.com/global-cfo-council/.
64 See comments from the CEO of JBS foods, the world’s largest meat supplier, who paid $4.5 million in
ransom, Jacob Bunge, “JBS Paid $11 Million to Resolve Ransomware Attack,” 9 June 2011,
www.wsj.com/articles/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781.
65 Michael Sentonas, “2020 Global Security Attitude Survey: How Organizations Fear Cyberattacks
Will Impact Their Digital Transformation and Future Growth,” CrowdStrike Blog, 17 November 2020.
www.crowdstrike.com/blog/globalsecurity-attitude-survey-takeaways-2020, cited in Ransomware Task Force,
“Combatting Ransomware,” Institute for Technology and Security,
https://securityandtechnology.org/ransomwaretaskforce/report/.
66 https://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-june-9.
67 “Colonial Pipeline Confirms It Paid $4.4m Ransom to Hacker Gang after Attack,” The Guardian, 20
May 2021, www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom.


The insurance industry has come under considerable criticism for reimbursing ransom
payments, with calls for insurers to take the initiative and suspend or stop providing ransom
insurance to businesses, an action reportedly taken by AXA in France.68 It is difficult
to see how insurers removing coverage for ransom payments in policy offerings would
stop payments from being made.
Banning ransom payments or their reimbursement by insurers may be an ineffective
tool, as it is more likely to encourage secret payments from hacked businesses which are
then deprived of access to specialist support to negotiate with the threat actor, often paid
for and arranged by the insurer. An outright ban on ransom payments could cause further
issues as a ban may encourage threat actors to engage in more malicious extortion, such as
blackmailing entities who make ransomware payments in violation of a ban.
Where transactions are made in secret, authorities forfeit the ability to record and analyse
incidents and prosecute criminals. As this chapter has demonstrated, one societal
benefit of cyber insurance lies in the education and encouragement provided by the insurer
to the policyholder to improve security measures before a cyber-attack. Banning ransom
payments might discourage smaller firms from taking out cyber insurance,69 which in turn
can increase vulnerability to a cyber attack and financial exposure. Indeed, regulators
have acknowledged that “paying up” can sometimes be the only way an afflicted business
deems it can avoid insolvency.70
If ransom payments are made illegal and the board making the payment is identified,
the defence of duress may be possible where the board can demonstrate that they believed
the threat actor’s threat would be carried out unless the ransom was paid; there was no
reasonable way the threat could have been rendered ineffective; and the payment of the
ransom was a reasonable response to the threat. If a defence is possible, then the “solution”
of making a payment illegal is rendered even less effective.
When trying to decide whether to pay a ransom, stakeholders have a difficult decision
and must weigh the government’s position to refuse to pay a ransom against avoiding
insolvency and/or irreparable reputational damage.71 Against this background, companies
and insurers also need to navigate the risks and criminal offences in most jurisdictions
relating to the instruments of crime and financing terrorism.72
With regard to law firms paying a cyber ransom, a solicitor’s duty of loyalty to a
client requires a solicitor to take all lawful steps to protect such interests, subject to
broader duties to uphold the administration of justice. The clear obligation to protect

68 Frank Bajak, “Insurer AXA halts ransomware crime reimbursement in France,” AP News, 7 May 2021,
https://apnews.com/article/europe-france-technology-business-caabb132033ef2aaee9f58902f3e8fba.
69 Some reports indicate that more than a third of SMEs had no cyber insurance cover, see SME Pulse
survey conducted by YouGov, on behalf of Aviva, in which 512 British SMEs were questioned between 5 and
12 October 2022, https://connect.avivab2b.co.uk/broker/articles/news/smes-fall-victim-to-online-crime---yet-many-have-no-cyber-insura/.
70 See comments from the White House, “A comprehensive framework for Action, ransomware task
force,” https://securityandtechnology.org/ransomwaretaskforce/report/.
71 Similar conversations have taken place over the last few decades with regards to ransom payments made
by shipowners and/or their insurers to pirates. The general conclusion being that “There are only elements of
conflicting public interests, which push and pull in different directions, and have yet to be resolved in any legal
enactments or international consensus as to a solution”; see comments from Rix, LJ in Masefield AG v Amlin
Corporate Member Ltd [2011] EWCA Civ 24.
72 In Australia, Division 400 of the Criminal Code Act 1995 (Cth), which deals with money laundering,
makes it an offence to deal with money or property when there’s a risk that it will become an instrument of
crime, and you are reckless or negligent as to whether it will be used as an instrument of crime.


client interests tends to outweigh the general public policy objection to paying criminals.
Payment of the ransom may therefore be an option available to the firm once all
of the competing alternatives have been considered;73 however, in the UK, the Law
Society does not advise members to pay ransoms, nor does it suggest that this is what
members advise their clients.74
As Australia and other countries examine whether new laws are needed to stop ransom
payments and tackle the ethical dilemma75 and potential mitigation strategies, any
imposed ban will need to be closely monitored for its effectiveness. In addition to encouraging
insurers to remove ransom insurance from cyber cover, other options suggested
include the removal of tax relief associated with ransom payments. In some jurisdictions
in the United States, for instance, companies may currently be able to write off ransomware
payments as “ordinary, necessary and reasonable” expenses on their profit and loss
statements. Stronger penalties for making payments to criminals or higher liability
costs for harm caused to third parties may encourage victims to refuse to pay, in turn
discouraging ransomware threat actors.76 Mandatory reporting of ransom payments across
jurisdictions may also prove essential; currently, there are only open-source initiatives to
gather data on the extent of the problem.77
Irrespective of whether there is a ban or not on ransom payments, it is clear that the
most effective strategy is prevention and implementing a proper backup strategy to mitigate
the rising threat of ransomware.78

Does cyber insurance pay?


Often there is scepticism from the industry that cyber insurers “do not pay.” Debunking
this myth and understanding when and why an insurer does not pay is one of the critical
challenges that must be focused on to improve the growth of the cyber insurance
industry.
There is evidence of insurers paying out for a range of expenses that have been incurred
by entities during various types of incidents including network interruption (denial of
service, ransomware, system unavailability), data breach (inadvertent disclosure, malicious
third-party systems access, loss of physical documents) and cybercrime (fraud,
misdirected funds, extortion) incidents. This is shown by the ever-increasing loss ratios
sustained by insurers in recent years.

73 See further discussion of the ethics for a law firm to pay a ransom in QLS ethics centre in David Bowles
“Is it Ethical (or legal) for law firms to pay cyber-ransom?,” 8 December 2017.
74 “How we can help you in the fight against ransomware,” Law Society UK, 11 August 2022,
www.lawsociety.org.uk/topics/cybersecurity/how-we-can-help-you-in-the-fight-against-ransomware.
75 See, for example, the discussion in Aleksandra Pawlicka et al., “A $10 million question and other
cybersecurity-related ethical dilemmas amid the COVID-19 pandemic.” Business Horizons vol 64, 6 (2021)
729–734, doi:10.1016/j.bushor.2021.07.010.
76 See report by Darren Pain and Dennis Noordhoek, “Ransomware: An insurance market perspective,”
The Geneva Association, 19 July 2022, 17,
www.genevaassociation.org/publication/cyber/ransomware-insurance-market-perspective.
77 See, for example, https://ransomwhe.re/index.html, an open, crowdsourced ransomware payment
tracker.
78 As noted at n 34, according to the survey results, the majority of Singapore organisations
tended not to accede to ransom requests and managed their recovery through backup files instead. See Neil
Campbell and Berin Lautenbach, “Telstra Cyber Security Report 2017, Managing Risk in a digital world,”
Telstra.


These include the following costs/losses:

• Incident response management—costs of an incident response manager or
“breach coach” coordinating the response to an incident and ensuring that the
impacted entity takes the right steps to respond to an incident in a timely fashion;
• IT security—costs of engaging an IT security provider to provide services to
remediate the root cause of an incident and contain the threat. Often this role is
played by the policyholder’s previously engaged MSP although often independent
speciality services are required/desirable;
• Digital forensics costs—costs of investigating the incident to identify the root
cause of incidents, scope of unauthorised activity and information at risk. This
often requires a different skill set from IT security providers;
• Dark web monitoring/threat intelligence—costs to investigate if data has been
posted online on the surface or dark web, and identify the profile, intent and
capabilities of threat actors responsible. This is often required to assess the
response to actual incidents, validate suspected incidents and assess the privacy
implications of an incident;
• Ransom demands—costs of paying a threat actor to provide decryption keys
to decrypt data, including the costs of specialists to negotiate with the threat
actor and pay where required. Often insurers (rightly) require that a due diligence
process be undertaken before the payment of any ransom demand, which
policyholders also must undertake to ensure that they are not paying a sanctioned
entity;
• Data recovery—costs of restoring and reinstating data from available sources
including backup copies and encrypted data sources, as well as manually recreating
data where data remains encrypted or otherwise unavailable;
• E-discovery/data cataloguing—costs of reviewing and extracting personal information
from datasets for the purpose of assessing privacy implications and notifying
affected individuals and regulators, where required;
• Legal costs—costs of coordinating the forensic investigation into an incident
(to maintain privilege), advising the policyholder on legal/regulatory obligations,
preparing notifications to regulators and affected individuals (if required) and
defending third-party claims and regulatory interactions;
• Public relations—costs of monitoring social media and traditional media channels
to assess responses to public notification of incidents to assist in mitigating
the public scrutiny that sometimes arises from incidents (in particular, large or
complex incidents);
• Communications/call centre—costs to execute notification campaign and manage
inbound and outbound communications. Positively, in Australia there is flexibility
with this approach (i.e., unlike the United States, notifications in Australia
do not need to be sent by letter, which is extremely costly); however, these costs
can still be significant;
• Credit monitoring and ID protection—costs to provide identity protection and
counselling services to individuals whose information has or may have been
compromised and to manage risks around data misuse. This also includes ID
replacement where required;


• Business interruption losses—reimbursing the policyholder for the loss of profit
sustained while its business operations were impacted by the cyber incident and
for the extra expense it incurs mitigating the impact of the incident; and
• Loss adjusting—costs of a specialist loss adjuster to determine the business
interruption costs or losses incurred by a policyholder in responding to an incident
(although typically insurers may pay this out of their own pocket and not
under the policy limit).

As demonstrated above, there is a wide range of additional costs and losses that can arise
from a cyber incident and are typically covered by insurance. The above are just examples;
depending on the incident and the required response, as well as the impact on
the affected business, other loss types might arise.
For example, there are cases where some insurers have covered the security improvement
costs incurred to prevent re-occurrence of a particular type of incident, and replacement of
hardware costs in certain circumstances where hardware is rendered inoperable or where to
continue to reuse existing hardware would be more expensive or present a risk of re-occurrence.
However, this type of cover is often not available and is often excluded under “betterment”
exclusion clauses. These clauses generally exclude cover for improvements to
policyholders’ systems or processes, on the basis that to reimburse a policyholder for such
losses risks running contrary to the purpose of insurance policies—to put policyholders
in the position they would have otherwise been in but for the incident occurring. This
situation can be managed as part of the incident response process where prior consent is
obtained from insurers.
It is vital that the benefits and role that the insurance industry plays in absorbing the
perils of cyber risk are strongly promoted by government, industry, media and service
providers (particularly the IT security industry and media, which are most sceptical).
In addition to assisting entities to respond appropriately to cyber incidents, insurers
are continuing to work with their policyholder clients to mitigate the likelihood or severity
of incidents occurring and providing financial incentives to undertake risk mitigation
activities in advance of an incident occurring, or indeed offering complimentary services
directly at no cost to the policyholder.
These “pre-breach” services, and the increased barrier to entry represented by enhanced
underwriting scrutiny and insurers’ evolving minimum security standards, mean that
insurance is driving increased resilience against and reduction of the overall risk. The
beneficial impact of the insurance industry is also felt during the incident response phase.
Given that insurers sit across several industry and jurisdictional risks, insurers can see
trends emerge often before any other industry sector or government agency and are therefore
able to provide a very important function by disseminating information to a broad
audience in real time.

Examples where insurance has not paid


There are examples of where insurance has not paid, with some parties turning to the
courts after an unfavourable decision. Following litigation outcomes, insurers are continuing
to improve the clarity of policies and encourage policyholders to fully understand
their policies, policy limits and exclusions.


The examples of where insurance has not paid are relatively rare. Disputes will generally
occur where the parties disagree about what is and what isn’t covered under the specific
language of the policy in question. For example:

• An incident occurring in a different year to the policy’s operation (for which the
insurer is on risk);
• A non-business related computer system being impacted (say a personal online
social media account or personal bank account was impacted) as opposed to the
named policyholder’s business which is insured;
• Cover for the loss was expressly excluded (i.e. social engineering loss not covered)
or non-cyber policies (say property/ISR policies) having cyber exclusion
clauses in place that were never intended to respond;
• The policyholder fails to acquire and/or maintain minimum risk controls that are
a condition of their coverage;79
• The initial incident compromises a business partner and not the policyholder;80
and
• Cover for loss resulting from the damage or destruction of data is limited to the
cost of the data, and the policy does not extend to providing cover for the broader
range of consequential losses by the policyholder.81

Against the above examples, perceived gaps in cover most often occur as a result of:

• A misunderstanding or confusion about whether a non-cyber policy ought to
respond to a “cyber event”—there needs to be a greater emphasis on clarity of
coverage and exclusions for all stakeholders;82
• Geo-political and state-sponsored cyber events that may invoke war and terrorism
exclusion clauses in policies;83 and
• New and novel forms of cyber events—this is where activity occurs that is not
anticipated or contemplated at the time that the policy was underwritten and
simply does not match the wording.

79 See, for example, Columbia Casualty Co. v Cottage Health System 2:15-cv-03432 (C.D. Cal. 7 May
2015) where the insurer demonstrated Cottage Health “stored medical records on a system that was fully
accessible to the internet but failed to install encryption or take other security measures to protect patient
information from becoming available to anyone who ‘surfed’ the internet.” See also the case of Travelers Property
Casualty Co. of America v International Control Services Inc., No. 22-cv-2145 where Travelers argued for a
policy to be rescinded with International Control Services because the insured allegedly misrepresented its use
of multi-factor authentication (MFA) which was a condition to get cyber coverage.
80 See, for example, BitPay v Massachusetts Bay Insurance Company where the policy did not afford
coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
81 See, for example, the Australian Federal Court decision in Inchcape Australia Ltd v Chubb Insurance
Australia Ltd [2022] FCA 88.
82 See, for example, the Australian Federal Court decision in Inchcape Australia Ltd v Chubb Insurance
Australia Ltd [2022] FCA 88, where the claims attempted by Inchcape were done so under Chubb’s electronic
and computer crime policy, rather than its cyber insurance policy.
83 See the Lloyd’s of London Market Bulletin, 16 August 2022, Y5381 discussed below.


Responses from the industry and regulators to meet the challenges ahead
Cyber risk can severely disrupt lives and, as discussed above, spiralling cyber losses in
recent years have prompted emergency measures by the sector’s underwriters to limit
their exposure. The insurance industry is still building knowledge of evolving cyber risk,
and some insurers have responded by increasing prices and revising policies so clients
retain more loss.
Along with increasing loss ratios from individual incidents, one of the threats the cyber
insurance industry faces is that of systemic losses, that is, a particular incident or event
affecting multiple insureds or even an entire book of business. Often quoted examples are
a failure of the internet itself, supply chain attacks that affect many thousands of organisations
or the use of cyber operations by nation-states for espionage or outright warfare. If
these risks are not managed properly, they pose threats not just to the profitability of a
particular book of business but to the solvency of the insurance company itself.
Lloyd’s of London will require state-backed cyber-attack exclusions in policies beginning
in March 2023. The bulletin sent out by Lloyd’s stated that in addition to any existing
war exclusion, any new or renewed cyber policies should exclude losses from a war—
whether or not the policies already have a separate “war exclusion.” Identifying those
behind the attacks and their affiliations will be difficult.
Options for the worst accumulated scenarios should be explored. There have been calls
for governments to “set up private-public schemes to handle systemic cyber risks that
can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or
terror attacks.”84 It may be that some of the larger scenarios are too big to be borne by the
private industry alone, and government-backed solutions may allow insurers to pay claims
sustainably and innovate.85 The US government called for views on whether a federal
insurance response to cyber was warranted, which could be part of or outside of its current
public-private insurance programme for acts of terrorism.
A recent report highlighted some insurers still had work to do, particularly in the silent
cyber area, to ensure they fully understood their potential aggregate exposures.86 As
with any emerging areas of risk, insurers need to ensure there is no mismatch between
insurers’ policy wordings and the reinsurance contracts covering risk. Any misalignment
exposes insurers to the potential reinsurance failing to respond, leaving them vulnerable.
As identified in the opening remarks, the cybersecurity skills gap is also a major challenge
facing organisations, with a shortage of qualified cybersecurity professionals with
the necessary skills and training.87 Universities and colleges are responding by bringing
qualifications and curriculums up to date,88 and businesses are retraining and upskilling

84 Comments from Mario Greco, Ian Smith “Cyber attacks set to become ‘uninsurable’, says Zurich chief,”
26 December 2022, Financial Times, www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d.
85 Susan Muldowney, “Strengthening Cyber reinsurance,” ANZIIF, 26 May 2022 (vol 45 issue 1, March
2022).
86 “Letter to all General Insurer’s Insurance Risk Self-assessment thematic review,” APRA, 26 October
2022, www.apra.gov.au/insurance-risk-self-assessment-thematic-review.
87 Max Mason, “Cyber skills shortage ‘to hit 30,000 in four years,’” Australian Financial Review, 13
September 2022.
88 Ibid.


staff.89 For directors, cyber resilience and discussion of cyber insurance need to be a
board-level priority.

Conclusion on cyber insurance fundamentals


Continuing education about cyber risk and understanding evolving insurance policy coverage
terms is a must to avoid surprises. There is an opportunity for specialist cyber
insurance brokers and insurers, supported by government endorsement, to take the lead in
filling this gap in knowledge and awareness. Insurers will need to demonstrate their ability
to operate within impact tolerances under a range of severe but plausible cyber-attack
scenarios.
Further conversations around debunking cyber insurance myths to encourage insurance
purchasing, maximising insurance support available during incidents, wordings,
limit adequacy and pre-incident engagement with policyholders are all key focus areas.

Cyber insurance industry—future insights


The following insights were written with contributions from speciality cyber insurance
brokers. They provide perspective on the challenges, opportunities, the uptake of insurance
and ways the industry can encourage more entities to take out insurance.90
The brokers collaborating in this section were asked to provide future observations
about where the market is heading and areas for future engagement with the cyber insurance
market.

Changes in the uptake and availability of cyber insurance


Cyber insurance was historically considered a discretionary purchase. While organisations’
intangible asset base has significantly evolved over the last 20 years, and in many
instances now exceeds the tangible asset base of organisations, the risk protections an
organisation can deploy, including cyber insurance, have not moved in tandem.
Insurance demand surged globally during 2020–202291 due to remote working amid
COVID-19, the media spotlight on cyber attacks,92 previous claims or “close calls,” and
global regulatory changes and scrutiny, especially around data breaches and increases in
89 The 2022 UK report found 85% of the individuals fulfilling cyber roles in the cyber sector have
transitioned into the position from non-cyber roles. See Gabriele Zatterin, Grace Atkins, Alex Bollen, Jayesh Navin
Shah, and Ipsos Sam Donaldson “Cyber security skills in the UK labour market 2022: Findings Report,”
Perspective Economics, Department for Digital Culture, Media & Sport.
90 The authors wish to thank the following contributors for their industry insights, opinions and
support. The contributors, job title and affiliation in alphabetical order are, Henry Clark, Head of Professional
and Executive Risks, Honan; Kristine Salgado, Head of Corporate, Marsh Specialty; Mark Luckin, Manager,
Cyber & Technology, Lockton; Michael Joseph, Director, Austbrokers Cyber Pro; Michael Parrant, Client
Director & Cyber Insurance Practice Leader, AON; and Robyn Adcock, Cyber/Technology Practice Leader,
AJG (Gallagher).
91 See, for example, “Market Research Report,” October 2021, Fortune Business Insights,
www.fortunebusinessinsights.com/cyber-insurance-market-106287.
92 Particularly the Colonial Ransomware Pipeline attack in the United States, the far-reaching Microsoft
Exchange breach that prompted the European Banking Authority to pull its entire email system offline and the
Optus and Medibank matters in Australia.


fines. Customers are now typically required to maintain cyber coverage contractually,
and the accessibility of comprehensive data and analytics (such as the Australian Cyber
Security Centre annual reports) has also driven purchasing. Furthermore, the global insurance
market’s position and clarity with respect to “silent cyber” has also driven awareness
around effective risk transfer across insureds’ entire insurance programmes.
Challenging cyber insurance market conditions with increasing loss ratios have dominated
the last few years, with insurers being swift and unwavering in the corrections
implemented to re-establish sustainability in an environment experiencing heavy claims
losses.93 Paying claims is a driver in confidence, where insureds can transfer their risk
and exposure to the insurance market, impacting uptake. However, this is simultaneously
driving premium increases and scrutiny, which can be counterproductive to uptake.
Reduced capacity and therefore limited availability, increasing retentions and significant
premium uplift led to clients reviewing the value of cyber insurance and the limits
purchased.94 The lack of availability, increased pricing and restricted cover developed a
sense of urgency, focused priorities and elevated the conversation with clients to a much
higher level within businesses.
With the improvement in underwriting, businesses are no longer able to push all of their
cyber risk over to an insurance policy. Insurers are driving businesses to improve and invest
in increased security measures by introducing minimum cyber security standards,95 educating
customers about their risk and providing risk reviews and gap analyses. Improving
cyber security, with insurance used primarily as a preventative approach, is starting to
reduce claims activity. Moving away from a binary approach, insurers are using a cyber
questionnaire, detailed ransomware addendums and supplementary information, which is
now often required to obtain a quotation. The process itself, of completing the documentation,
can be used by clients as a health check on the quality of their network security
controls, cyber governance policies and the effectiveness of the business continuity (BCP)
and disaster recovery plans (DRP) in place. These pre-binding reports provide clients with
critical insights about their security preparedness and maturity.
If minimum standards are not met by the business, insurers are not quoting on a new
business basis; refusing to renew programmes; or imposing significant coverage restric-
tions on programmes they are renewing.96
Insurers can help to improve the policyholder’s cyber incident response process in the
event of a data breach, which needs to be thoroughly understood and integrated into the
insured’s BCP and DRP.
Cyber insurance policies are proving to be of critical importance when insureds have
experienced a cyber attack. The level of support the policy provides is unlike any other
insurance policy. Involvement of the breach response team from an early position can be
the differentiator in the total cost of the claim and in the time taken to return a
business to business as usual.

93 See, for example, the Memorandum, National Association of Insurance Commissioners, 18 October
2022, discussing changes in the US cyber market; see also N Jones, “6 reasons cyber insurance prices are
on the rise,” Egnyte, 18 March 2022, www.egnyte.com/blog/post/why-are-cyberinsurance-costs-on-the-rise.
94 2021 brought about another decrease in available cyber insurance limits. These limits were often
reduced to $1 million–$3 million, even at renewal; see, for example, Report, “US Cyber Market Outlook,”
Risk Placement Services, 2021, www.rpsins.com/learn/2021/oct/us-cyber-market-outlook/.
95 One of the standard requirements to qualify for coverage is the requirement for MFA to be deployed on
any remote access into an insured’s network, including cloud-based emails, such as O365.
96 Memorandum, “Report on the Cyber Insurance Market,” National Association of Insurance
Commissioners, 18 October 2022, 5.

Cyber risk has often not been considered an enterprise risk that requires the same organ-
isational focus as other risks, and therefore the investment in the risk could be lacking or
could be on a longer time scale for improvement. Insurance brokers are now regularly
engaged by boards to understand the extent of coverage under their policy and discuss the
appropriateness of the limits purchased. This discussion and understanding of cyber risks
specific to the business can help directors understand the underwriting requirements of
cyber insurers and justify the costs of a cyber insurance policy. A key facet of the govern-
ance component of ESG is risk management. Companies that manage risks, whether from
natural disasters or financial uncertainties, are more likely to remain profitable in the long
term.97 Cybersecurity breaches are a particular governance risk to the long-term sustain-
ability and solvency of a company and the safety of its employees and customers.98 While
cyber risk management is always the priority, insurance is a form of protection if cyber
risk controls fail.

Challenges and emerging trends


As noted above, cyber insurance is generally not available to businesses that are not prop-
erly addressing this risk. If the insurance market remains firm on requiring controls to
be the driver of access to insurance, the uplift across businesses should continue. The
evidence suggests underwriters are raising both premiums and standards.99 A
properly implemented policy can be one of the most financially significant items that an
insured might hold. Especially in this transitioning market, cost and premium increases
have taken centre stage in conversations about the value of insurance, rather than the quality
of cover. Up front, the main tangible driver of the perception of value, especially in a
hard market, has been cost. The number of recent data breaches in Australia
has reignited interest in purchasing cyber insurance but also resurfaced past prejudices
about this class of insurance not responding to the types of cyber events that have domi-
nated news headlines.
The main hurdle is finding measurable indicators that can help demonstrate the value of
the programme at the point of purchase and before losses are triggered. The performance
of insurance can only be evidenced retrospectively after a claim has occurred and been
covered.
Clients need to understand their policies. Insurers need to go even further to remove
any ambiguity.100 Instances have arisen during an incident response where a client does
not feel they have the correct support, and they essentially go out and incur costs on their
own in a desperate attempt to get their networks back up and running. This then leads to
a large bill at the end, with the insurer and the client usually arguing about what is
reasonable, and the process for the insured to be paid stretching from months into years.
Understandably, clients then take the view that the insurer is trying to avoid paying, which
increases prejudices even further around cyber insurance. Clarity around coverage by all
stakeholders is key to reducing assumptions and/or misconceptions with respect to how cyber
insurance will or will not respond in the event of a claim. If clients have purchased insurance
without understanding the fundamental operation of how the services of the policy can work in
collaboration with their business, they may fail to engage the processes that are core to the
successful outcome of a cyber breach in the early stages of the attack.

97 See comments describing how ESG accelerates the need for increased cybersecurity. Report, Thematic
Intelligence: Insurance, “Global Data Thematic Research: Cybersecurity in Insurance (2022),” 29 June 2022,
29, www.globaldata.com/reports/thematic-research-cybersecurity-in-insurance-2022/.
98 Ibid.
99 There are indications a “race to the bottom” is slowing and the insurance market is hardening. See,
for example, the comments on p 26, Report, Jamie MacColl, Jason R C Nurse and James Sullivan, “Cyber
Insurance and the Cyber Security Challenge,” RUSI Occasional Paper, June 2021.
100 See recommendations set out in the report, OECD (2020), “Encouraging Clarity in Cyber Insurance
Coverage: The Role of Public Policy and Regulation,”
www.oecd.org/finance/insurance/Encouraging-Clarity-in-Cyber-Insurance-Coverage.pdf.
See also EIOPA Consultation paper, “Supervisory Statement on exclusions
in insurance products related to risks arising from systemic events,” 10 May 2022,
www.eiopa.europa.eu/document-library/consultation/consultation-supervisory-statement-exclusions-insurance-products_en;

With increased scrutiny has come a very high level of questioning required for cli-
ents to access cyber insurance. The process to obtain insurance is now much longer and
involves additional stakeholders. Collecting the right comprehensive information at the
front end is key to accessing reasonable turnaround times and terms from the insurance
market. The market has been constantly changing, reactive to breaches and new risks, and
policy wordings have been rewritten on a regular basis to address these risks and known
vulnerabilities.
Security and technology have become a new language for insurance brokers—without
an understanding of this industry jargon it is very challenging for insurance brokers to
have the right conversation with their clients and therefore achieve the right outcome for
their clients. The type of information is in constant flux, as there is an expectation and
requirement that each business is investing in the continuous improvement of their cyber
security controls based on their knowledge of their specific risk.
When incident response is done correctly and all parties are working together seam-
lessly, the outcomes are extremely good and clients see a real value in the policy, not just
from the fact that the costs incurred are paid for by the insurance policy but that they have
been assisted in their time of need through a raft of expert vendors who have guided them
through the situation, worked closely with their business and ensured they are back up and
running as soon as possible.
There was a lack of understanding as to the criticality of the need for investing in bet-
ter cyber security tools, which is reducing but still exists, particularly with small busi-
nesses.101 Improving small businesses’ understanding of coverages and protections is an
important step toward closing the gap.102

see also a 2019 EIOPA survey, which found that there is still significant work to be done by companies in
the European Union to accomplish full clarity, “Cyber Risk for Insurers—Challenges and Opportunities,
European Insurance and Occupational Pensions Authority,” EIOPA, 2019.
https://eiopa.europa.eu/Publications/Reports/EIOPA_Cyber%20risk%20for%20insurers_Sept2019.pdf.
101 H Forouzan, A Hosseinian-Far, D Sarwar, “Are Small Medium Enterprises Cyber Aware?” in:
H Jahankhani (eds) Cybersecurity in the Age of Smart Societies. Advanced Sciences and Technologies for
Security Applications (Springer, 2023), https://doi.org/10.1007/978-3-031-20160-8_20.
102 Sean Kevelighan, “Smaller doesn’t mean safer,” Insurance Information Institute, October 2019.

Concluding remarks
As this chapter and the insights shared have demonstrated, there are several elements of
cyber risk management, incident response preparedness and cyber insurance that form
part of the difficult decisions that businesses, insurers and regulators must make to reduce
and mitigate risk. The availability of the global capacity and sustainability of cyber insurance
in the future will be determined by the diligence and profitability of the underwriting
practices of these insurers and the uptake of businesses facing cyber risks.
Regulators are responding with education, technical support and new laws to focus on
security. The insurance industry is responding firstly in a preventative role by requiring
businesses to implement and maintain security controls before insurance is offered and,
secondly, by constantly reviewing and revising policy wordings to improve clarity and
cover to address the risks and known vulnerabilities. This is encouraging businesses and,
in particular, boards of corporations to invest in cyber security and overall cyber risk
management.
As dependence on technology grows across all industries, technology, law and insur-
ance must continue to come together to tackle this risk in a holistic and sustainable way.

Chapter 12

Professional Indemnity Insurance


Darryl Smith, Kirsty Paynter and Steven Donley1

CONTENTS
Introduction
Brief background to the PI insurance market
A combination of challenges
Supervision and staffing
Increased regulatory oversight
Environmental, social and governance challenges
Economic headwinds
Social inflation
Cyber risks
Risk trends in key areas
Legislative changes during and after COVID-19
Risk trends in construction PI
Building regulatory reform
Complexity and emerging risks
Risk trends in medical malpractice
Telemedicine
Robotic surgeries
Electronic health records
Risk trends in other professions
Financial advisers
Accountants and auditors
Alternative risk transfer structures
Captives
Mutuals
Other risk transfer mechanisms
The impact of technology
The rapidity of change
Technology in underwriting
Technology in claims
Conclusions

1 The authors wish to acknowledge and thank Ross Donaldson, Special Counsel at Clyde & Co, Melbourne,
and Alfred Thornton, Partner, Clyde & Co, Abu Dhabi for assistance in preparing this chapter. The authors
also thank the contributors to Clyde & Co’s “London Market Professional Indemnity Report July 2021” and

DOI: 10.4324/9781003319054-12



Introduction
The challenges currently facing participants in the global professional indemnity (PI)
insurance market are markedly different to the challenges faced prior to the COVID-19
pandemic. Much has changed in just a few short years. And, as set out in this chapter,
many of those challenges will continue to evolve rapidly over the coming years.
Early on and in the midst of the pandemic, many professions were affected by lock-
downs and a shift to remote working. At that stage carriers and insurance buyers were
concerned about the consequences this shift might bring in terms of volume and sever-
ity of PI claims. Those concerns were well-founded given the almost unprecedented
circumstances. The risks were significant: staffing oversight challenges, staff absences,
illness and resignations, the potential for cyber incidents, data breaches and ransomware
attacks, and the prospect of breaches of duty and missed timelines and timeframes
in the absence of proper supervision, to name just a few.
The way in which professionals handled these challenges and adapted to them has,
perhaps, exceeded expectations. Technology has enabled market participants to do busi-
ness more efficiently and with greater accuracy, and in some cases, those technologies
have been fast-tracked and have rapidly improved due to the circumstances created by the
pandemic.
The claims that were expected to arise from the pandemic have, in large part, not yet
materialised on the scale that may have been expected. But that is not to say that they will
not materialise. One factor that could be in play is the lead time between an event and a
claim—PI insurance is generally written on a “claims made” basis,2 and therefore the trig-
ger for a claim will often be when the loss is sustained by the professional’s client, rather
than the date when the professional service was performed, or the advice was provided.3
The PI insurance market’s concerns have shifted as the world adapts to the new normal.
Some challenges have continued or have become more pronounced; for example, insurance
buyers remain keenly aware of the impact of the pandemic on their risk exposure, in
particular with regard to the shift to remote or hybrid working, with the added complexity
of staff attrition. Privacy, cyber and ransomware exposures remain constant and expanding
risks.
Other new challenges have emerged, including increased regulatory oversight, recessionary
pressures and economic headwinds, caused in part by the crisis in Ukraine, which
have contributed and will continue to contribute to a rise in insolvencies. For carriers, the
severity of claims has also increased, with inflation being particularly prevalent in claims
brought against construction professionals.

“London Market Professional Indemnity Report July 2022.” These reports were prepared by the Clyde & Co
Global Professional Liability team. In preparing those reports, Clyde & Co “surveyed a targeted range of
insurance professionals across underwriting, broking and claims for their take on developments in the PI market.”
The authors also thank those who participated in the surveys. This chapter is based on the content and the
findings contained in those reports and expands upon the insights contained within them.
2 Alison Padfield, “Specific types of insurance,” in Insurance Claims, 431–454. London: Bloomsbury
Professional (hereafter Padfield).
3 To illustrate the point, an architect in the United States designed a bridge in 1929 and it fell down in the
middle of the 1980s. See, “Professional Indemnity Insurance Factsheet,” CPA Australia, p 8,
www.cpaaustralia.com.au/public-practice/your-public-practice-firm/professional-indemnity-insurance.
Limitation of actions legislation restricts the time within which a plaintiff can commence proceedings, with
limitations from 1 year to 12 years in some jurisdictions. See, for example,
https://uk.practicallaw.thomsonreuters.com/1-518-8770?transitionType=Default&contextData=(sc.Default)&firstPage=true

This chapter examines the fallout from the pandemic and the key challenges and oppor-
tunities that are likely to be at the forefront of the minds of PI insurance market partici-
pants in the future, from both the carrier and insurance buyer perspective.
We also examine in some detail the risk trends emerging within specific industries,
including construction, medicine and financial professionals, and how professionals
within those industries (and by extension, insurance carriers) are likely to be affected. As
set out in this chapter, some of the impacts anticipated will result in the use of more alter-
native risk transfer models and more captive insurers, mutuals and government-backed
programmes. This chapter examines some of these types of structures and how they will
continue to emerge as certain risks become more difficult to place or become commer-
cially uninsurable.
Finally, we consider developments in how PI insurance is transacted and how claims are
processed, and how we see technologies and solutions being used in the future to deliver
products to market and process claims. We also examine some fundamental shifts in the
way in which professions operate, including the automation of tasks and the rapid devel-
opment of artificial intelligence, and some of the unique challenges that the PI market has
when it comes to adopting new technologies.
This chapter contains the following sections:

1. Brief background to the PI market;
2. A combination of challenges;
3. Risk trends in key areas;
4. Alternative risk transfer structures;
5. The impact of technology;
6. Conclusions.

Brief background to the PI insurance market


To properly understand the direction in which PI insurance may be headed, it is first nec-
essary to briefly consider the background, the “professional” and the duties owed, and the
factors that have shaped the development of the PI market.
Historically, PI insurance is regarded as having been introduced by Lloyd’s in the
1920s.4 Before that time, the established professions such as accountants, solicitors and
architects traded with “unlimited liability” as a guarantee of the quality of their work.
The definition of a “professional” is generally regarded to mean a person who professes
special skills and in doing so, attracts the associated duty to practise the skill in a proper
manner. Professional negligence claims based on tortious liability are long established
within the medical industry. Claims based on negligent misstatement/advice followed on
from the House of Lords decision in Hedley Byrne v Heller5 in 1964, with some tempering
in certain jurisdictions constraining recovery for pure economic loss in a negligence
claim.6 The standard of care in professional negligence claims is that of “reasonable skill
and care” as formulated in Bolam v Friern;7 professionals have a duty to bring attention
to risk,8 and inexperience is irrelevant.9 Most jurisdictions apply a similar duty to exercise
reasonable skill or reasonable diligence. As claims increased10 and professionals started to
pay compensation from their own pockets, the clear and definable risk of being sued by a
client or third party was identified. Even more concerning to a professional is the length
of time in which the professional remains vulnerable to the risk of a claim. If a mistake is
not immediately apparent, a justified claim may follow years after the advice was given
or work carried out, in some instances after the professional has sold their business and/
or retired.

4 Thomas Sheehan, “The History of Lawyers’ Professional Liability Insurance.” The Forum (Section of
Insurance, Negligence and Compensation Law, American Bar Association) 13, no. 3 (1978), 808–841.
www.jstor.org/stable/25761394.

From the 1960s, PI insurance began to provide assurance across industries. The
purpose and benefits of PI insurance have far-reaching consequences. Obviously,
the primary purpose is to provide financial protection against the risks and personal
losses that professionals are heavily exposed to and to fairly compensate those who
suffer loss as a result of errors made by the professional. In most instances, the policy
provides cover for claims made against the insured and notified to the insurer during
the live policy period of insurance only. No claim is available against a PI policy
that has already expired. As earlier insurance crises have demonstrated, it is the avail-
ability and accessibility of this insurance which can support an industry to grow or, in
the absence of PI insurance, can cause an industry or activity to shrink or disappear.
Lack of insurance can deter or even prevent architects from taking on innovative pro-
jects, move accountants away from working in high-risk areas such as tax, and force
doctors to leave the medical profession11 altogether. For an economy to function well,
PI insurance is essential.
Established professions do not always remain so, and new professions have sprung up
over the course of the past few decades (particularly in the information technology space),
while very established and old professions may start to fall away under societal influences
or diminish due to technological advances. PI insurance has a role not only in underwrit-
ing the risks of existing professions, but it also contributes to the development of new
ones—it is a fundamental component in developing and maintaining the public’s faith in
an emerging profession.
The present application of PI insurance can be described as:

5 Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465.
6 Murphy v Brentwood DC [1991] 1 AC 398. Compare, for example, Ontario Inc. v Maple Leaf Foods Inc.
2020 SCC 35 (Supreme Court Canada), The Council of the Shire of Sutherland v Heyman (1985) 157 CLR 424
(High Court of Australia).
7 [1957] 1 W.L.R. 583, 587.
8 Chappel v Hart (1998) 195 CLR 232.
9 Jones v Manchester Corporation [1952] 2 QB 852.
10 Boyd v Ackley (1962), 32 D.L.R. (2d) 77 at 80 (B.C. S.C.), Accountants Held Liable for Breach of Duty
to Previous Shareholders of Company.
11 “The future of medical indemnity,” Australian Medical Association, New South Wales, 12 May 2017,
www.amansw.com.au/the-future-of-medical-indemnity/.


Members of established professions who provide advice to their clients typically hold profes-
sional indemnity insurance (“PI insurance”), either because it is mandatory or because they
choose to do so (including to protect their assets against potential claims or to take advan-
tage of statutory schemes for the limitation of liability). PI insurance indemnifies the adviser
against certain liabilities arising out of the practice of his or her profession, including liability
to compensate clients for professional failures. The development of PI insurance has mirrored
the expansion, over the last 60 years, of legal liability for pure economic loss arising from
defective advice.12

PI insurance products generally provide insurance cover to professionals for claims
made against them in their capacity as a professional.13 Most of the insurance is written
within established categories of professional activity or established professions.
A body of law has accompanied the development of the market, including judicial
decisions14 and codification,15 with key principles developing and providing more cer-
tainty to both carriers and insurance buyers, and to some extent, those requesting
professional services.
The scope of PI insurance cover has also changed over time. Broadly speaking, the
cover can be viewed as protecting both professionals, who are indemnified for a breach
of professional duty, and protecting the professionals’ clients, who will not be left pursu-
ing someone with no assets. The traditional form of third-party liability policy (that is, to
indemnify the insured for its liability to third parties), now also generally contains a form
of legal defence costs cover, which is first-party in nature, and enables a professional to
defend themselves against claims.
Another very significant factor impacting the PI insurance market is the effect of
professional services firms becoming far more global than they were, say, 15 years
ago.16 In many instances this throws up complications such as (a) the need for a “local”
policy to “front” for a global PI policy on the basis that many jurisdictions have
admitted insurance regimes17 (“fronting” of course may result in various unintended
consequences18); (b) English wordings that underwriters may be familiar with and that
have been developed on the basis of well-established legal principles in, say, a common
law jurisdiction that may be interpreted very differently if, say, translated into
Arabic and sought to be applied in a civil law jurisdiction where the insureds may be
conducting business; and (c) rapidly changing liability regimes and legal systems in
developing economies. For example, notwithstanding Saudi Arabia planning multiple
“giga” projects, it was only in the last five years that there was any law that could be
relied on/referred to for purposes of bringing a “negligence” type claim against a
construction professional,19 which did not rely on the express terms of the professional’s
engagement or did not involve a government project.

12 John Morgan and Pamela Hanrahan, “Professional indemnity insurance: Protecting clients and regulating
professionals,” University of New South Wales Law Journal, 40, no. 1 (2017), 353–384, at 353 (hereafter
Morgan), wherein the authors note the development in Australia of the authorities following the UK case of
Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465, and Australian legislative enactments
prohibiting misleading and deceptive conduct.
13 Padfield (n 2) 449.
14 For example, the recent cases of MBS v Grant Thornton [2021] 3 WLR 81; Khan v Meadows [2021] 3
WLR 147 clarified the approach to causation, loss and damage in the context of negligence.
15 See, for example, Insurance Contracts Act 1984 (Cth) (Australia).
16 Alfred Thornton, Partner, Clyde & Co, Abu Dhabi, email to General Editors, dated 16 February 2023.
17 Andrew Blomenthal, “Admitted Insurance Defined,” Investopedia, 4 January 2021,
www.investopedia.com/terms/a/admitted-insurance.asp.
18 See, for example, David Isherwood, “Local and Fronting policies: What they are and why you might
need one,” Lockton Construction, 25 June 2019,
www.locktonconstructionpii.co.uk/news/local-and-fronting-policies-what-they-are-and-why-you-might-need-one.html.

The most significant developments in the PI insurance market tend to occur during
periods of economic uncertainty. PI insurance made the headlines during the 1980s when
the medical malpractice “crisis” of escalating judgments and legal costs spread to most
other professions and businesses that needed liability insurance. At the time, 1984 was the
worst year for the P&C insurance business.20 Then, more than a decade ago, the 2007–2008
Global Financial Crisis contributed to an economic environment that affected financial
advisers and financial planners. As past experience has demonstrated, when liquidity starts
to dry up, or inflation soars, and/or interest rates rise, there is more emphasis on profit
margins, which creates a more litigious environment21 and this chain of events then leads
to more PI insurance claims.
Other significant developments in the PI insurance market also tend to occur when
particular professions are, from time to time, impacted by an issue or an event that
has broad-ranging impact. A specific example is the impact on building certifiers
and building surveyors caused by the use of combustible cladding in construction.
The difficulty with these kinds of risks is that they are rarely priced in, and it leaves
insurers with a large exposure for which little or no premium has been written. These
types of events often necessitate triaging of PI insurance arrangements, where it may
be necessary for particular professions—or even governments—to look to alternative
structures or arrangements to manage or underwrite risks (statutory insurers, captives
or mutuals, for example) to enable the profession to survive. A more general example
of a broad-ranging event is the pandemic, but much of the potential fallout from that
is yet to play out.
History tells us that periods of economic uncertainty (which we are presently in) along-
side issues or events with broad-ranging impact (such as the pandemic) are likely to result
in significant developments in the PI insurance market. In the sections that follow, we will
examine what some of those developments are likely to be.

A combination of challenges
The insurance market is cyclical and it fluctuates, moving into a hard market where
premiums increase and capacity for many types of insurance decreases. High inflation in the
economy and “risky” professions which are difficult to insure are part of this
cycle, but the present combination of challenges is undoubtedly unique and will require a
combination of agile responses from insurance carriers, regulators and professional bodies
to address and meet these challenges. This is not a typical hard market, and stakeholders
need to demonstrate resilience and innovation to avoid a crisis similar to that of the 1980s.

19 See, for example, Chibli Mallat, “Civil Law II Torts,” in The Normalization of Saudi Law, Oxford
University Press, 2022, DOI: 10.1093/oso/9780190092757.003.0005.
20 Michael Abramowitz, “Liability Insurance Skyrockets,” The Washington Post, 4 August 1985,
www.washingtonpost.com/archive/business/1985/08/04/liability-insurance-skyrockets/e8c58152-a63d-4879-9db2-bdc3f18a22eb/;
“2022 P&C Underwriting Results Expected to be Worst Year since 2011: Geopolitical
Risk Highest in Decades and Threat to Overall Growth, New Triple-I/Milliman Report Shows,” Insurance
Information Institute, 3 November 2022,
www.iii.org/press-release/2022-pc-underwriting-results-expected-to-be-worst-year-since-2011-geopolitical-risk-highest-in-decades-and-threat-to-overall-growth-new-triple-i-milliman-report-shows-110322.
21 Richard W. Painter, “Pro Se Litigation in Times of Financial Hardship-A Legal Crisis and Its Solutions,”
45 FAM. L.Q. 45, 45 (2011).

An interesting starting point for this section is to compare how the perceptions of PI
insurance market stakeholders changed during the course of the pandemic.
The shift to remote or hybrid working was a significant concern
during 2020 and 2021,22 with the added complexity of staff attrition.23 By the middle of
2021, a survey forming part of the “London Market Professional Indemnity Report July
2021”24 revealed:
Looking ahead, our research shows that the insurance industry and buyers are united
in the view that the fallout from the pandemic will dominate the market over next five
years. COVID-19 appears to have brought something of a trinity of challenges for the PI
market—recession, increased cyber threat from remote working and a continued uptick
in regulatory oversight.
From an insurance industry perspective, the fallout from COVID-19 in terms of economic
and recessionary pressures and insolvencies is the biggest factor that will shape the PI market
over the next five years, cited by 77%. In contrast, for buyers it ranks only fourth of the risks
keeping them up at night, behind regulatory oversight, cyber and fraud & crime.

The results of the survey suggest that carriers were more concerned with the broad-ranging
impacts of the pandemic while insurance buyers were more concerned with the challenges
that were on the immediate horizon. From an insurance buyer perspective, some of
the key concerns were around the impacts of the pandemic and whether their PI insurance
coverage would be adequate for whatever that impact might be.25
In the same report in 2021, it was predicted that:
Where economies stumble, an increase in claims will follow against residential conveyancers,
surveyors, property valuers, investment advisers, and accountants and law firms which risk
being caught on the wrong side of a variety of deal types and investments driven by “frothy”
valuations and “buyer remorse”. The profile will vary by jurisdiction, but the broad pattern of
volatility will have similar if not identical impacts internationally.26

This prediction in 2021 was a good one. Monetary policy around the globe was generally,
at this stage, easing, and financial markets were booming. But unease remained, and economic
stumbles in the wake of the pandemic were anticipated. Also, importantly, events
were yet to fully unfold in Ukraine.
In 2021, both carriers and insurance buyers were also concerned about an increase in
claims, although “there [was] no real consensus on what the trigger will be and how the
impact will be felt across books of business.”27 The report showed that 95% of surveyed PI
insurers expected more claims in the following two years, and 67% expected those claims
to be more severe.28

22 “London Market Professional Indemnity Report,” July 2021, Clyde & Co, 6,
www.clydeco.com/en/reports/2021/07/london-pi-market-remains-confident-in-the-face-of (hereafter London Market 2021).
23 Aaron De Smet, Bonnie Dowling, Marino Mugayar-Baldocchi and Bill Schaning, “Great Attrition or
Great Attraction? The choice is yours,” McKinsey Quarterly, September 2021,
www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/great-attrition-or-great-attraction-the-choice-is-yours
(hereafter McKinsey 2021).
24 London Market 2021 (n 22) 7.
25 London Market 2021 (n 22) 10.
26 London Market 2021 (n 22) 9.
27 London Market 2021 (n 22) 3.

Moving on to 2022, the outlook was more optimistic, although economic concerns
were increasing.29 In part these economic concerns appear to have been due to the pandemic,
and in part due to other factors such as the conflict in Ukraine.30
A few specific risk trends have emerged out of the pandemic. Social inflation, which
has been present for some time, has intensified.31 This is discussed later in this chapter.
Cyber risk32 remains present and is increasing in complexity, and the potential for
climate change liability33 is now also affecting the PI insurance market, particularly
construction PI. These two issues are covered in more detail in other chapters within
this book.
To some extent, the risks that emerged through the pandemic and other events in the
immediately preceding years—supervision, increased regulatory oversight, ESG matters,
economic headwinds, cyber risks and the impact of social inflation, in particular—have
continued, and have become more complex as time passes. It is worth delving into those
risks in more detail, particularly as we expect that these risks will continue to present
challenges to the market moving forward.

Supervision and staffing


Before the pandemic, “work from home”34 and hybrid working arrangements were gradually
becoming more common as organisations and employees alike slowly moved towards
finding a balance that worked. There were, undoubtedly, pockets of resistance to hybrid
working arrangements in some professions, particularly traditional professions. The
pandemic, however, changed this, with many large businesses being compelled to make
urgent arrangements for their employees to work safely from home.35
Coming out of the pandemic, businesses found that there were benefits to keeping their
staff working remotely,36 for example, a reduction in real estate costs and an increase in
staff satisfaction when they have the flexibility to choose whether to work in the office or
at home, or a combination of the two. Employers found that many employees were more
productive working on hybrid arrangements, and in any event, the pandemic has prompted
many white-collar workers to make a permanent shift to flexible and remote working.37
Many regulators are reviewing current rights for employees and employers; for example,
in the UK, new legislation will give employees the right to request flexible working from
“day one of their employment.”38

28 London Market 2021 (n 22) Introduction.
29 “London Market Professional Indemnity Report,” Clyde & Co, July 2022, Contents,
www.clydeco.com/en/reports/2022/07/london-market-professional-indemnity-report-ju-1 (hereafter London Market 2022).
30 London Market 2022 (n 29) 9.
31 Jim Lynch and Dave Moore, “Social Inflation and Loss Development,” Casualty Actuarial Society and
Insurance Information Institute, 2022 (hereafter Lynch).
32 See Chapter 11.
33 See Chapters 14 and 15.
34 Also referred to as “remote work” or “telework.” Before COVID-19, 17% of US employees worked from
home. This figure increased to 44% during the pandemic, see Statista, “Change in remote work trends due to
COVID-19 in the United States in 2020,” 16 February 2022,
www.statista.com/statistics/1122987/change-in-remote-work-trends-after-covid-in-usa/. Similar figures were
reported in the UK and elsewhere; see Tony Dobbins, “Report 9391, House of Commons Library Research
Briefing, Flexible Working: Remote and hybrid work,” House of Commons, 30 November 2021.
35 Tony Dobbins, “Report 9391, House of Commons Library Research Briefing, Flexible Working: Remote
and hybrid work,” 30 November 2021, 27.
36 Sarah Forbes, Holly Birkett, Lori Evans, Heejung Chung and Julie Whiteman. “Managing employees
during the COVID-19 pandemic: Flexible working and the future of work.” Centre for Responsible Business
(2020), retrieved from Equal Parenting Project, United Kingdom,
www.birmingham.ac.uk/schools/business/research/research-projects/equal-parenting/research.aspx.

Remote working, however, encompasses some potential risks. For many professions,
working outside of the office has brought with it the risk that staff:
[w]orking outside the usual management and quality control parameters of a face-to-face
working environment can bring with it an increased exposure to errors. The ongoing issue of
staff absences due to COVID-19 may also contribute to communication issues or a perceived
downturn in service levels. If a mistake is made and a client decides to make a negligence
claim … it could prove extremely costly without adequate professional indemnity cover in
place (regardless of whether a claim is valid or not).39

The perceived breakdown in knowledge and specialisations where the mentoring aspect
is virtual, rather than office-based, also appears to be a concern as a potential longer-term
driver of PI claims. A survey forming part of the “London Market Professional Indemnity
Report July 2022” showed that 80% of respondents identified the “increased threat associated
with weaker supervision” as a new working practice that will change the risk profile
of professional firms.40
Some professions, finance for example, have been hit harder than others. As one commentator
states:
A study by McKinsey finds that 65% of those who resigned from a job in insurance or finance
between April 2020 and April 2022, left the industry entirely. That percentage is exceeded
only by the 76% in consumer/retail, which has always had a problem retaining people, and the
72% in government/social sector. And the departures from insurance come as the industry is
starting to experience a long-anticipated sort of Great Retirement as an awful lot of talent is
ageing out of the workforce.41

37 Office for National Statistics, “Business and individual attitudes towards the future of homeworking,”
14 June 2021,
www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/articles/businessandindividualattitudestowardsthefutureofhomeworkinguk/apriltomay2021#main-points;
see also “COVID-19: Post-pandemic flexible working,” Market Insight, Clyde & Co, 21 May 2021,
www.clydeco.com/en/insights/2021/05/covid-19-post-pandemic-flexible-working.
38 Previously, employees could make a flexible working request after 26 weeks in a job; see
Department for Business, Energy & Industrial Strategy and Kevin Hollinrake MP,
“Millions of Britons to be able to request flexible working on day one of employment,” 5 December 2022,
which the Minister for Small Business describes as a “no-brainer,”
www.gov.uk/government/news/millions-of-britons-to-be-able-to-request-flexible-working-on-day-one-of-employment#:~:text=If%20an%20employer%20cannot%20accommodate,change%20for%20certain%20days%20instead.
In Australia, a Queensland
tribunal upheld an employer’s decision to refuse a work from home request where face-to-face contact was
deemed a necessary part of the employee’s role—see Hair v State of Queensland (Queensland Health) [2021]
QIRC 422—but since then the federal government introduced draft legislation to strengthen workers’ right to
flexible work arrangements; see Fair Work Legislation Amendment (Secure Jobs, Better Pay) Bill 2022 Part 11.
39 “Hybrid working—how it could affect your business insurance,” RIBA Architecture,
www.architecture.com/riba-business/insurance/business-insurance/how-the-change-in-office-working-may-affect-your-insurance-policy.
40 London Market 2022 (n 29) 11.
41 P Carroll, “The Staffing Crisis In Insurance,” Insurance Thought Leadership, 2022,
www.insurancethoughtleadership.com/six-things-commentary/staffing-crisis-insurance, citing McKinsey 2021 (n 23).

The challenges and concerns coming out of the pandemic are twofold: Firstly, there is a
continuing focus on cyber security with hybrid working arrangements;42 and secondly,
there is more focus on staffing challenges as the professional labour pool has dried up.
At the start of the pandemic, organisations were laying people off in anticipation of a
recession or a downturn. As a consequence, “nearly 21 million jobs were lost in the U.S.
as the coronavirus pandemic took an immediate and devastating blow to the domestic and
global economy.”43 The challenges now are different, and “[d]espite improvements over
the past two years, business owners all over the U.S. are struggling to fill job vacancies.”44
The same challenges are arising in other countries. It appears that many employees
reassessed their priorities as we have come out of the pandemic. Retirement plans have
been brought forward. Work/life balance has become more important. This has led to
the “Great Resignation” or the “Great Reshuffle,”45 whereby the way in which employees
think about their work and life balance has changed.46
In the United States, this:
self-reflection has been dubbed “COVID clarity,” where Americans are prioritising work-life
balance—with the life portion taking precedent. Amid the phenomenon known as the Great
Resignation, workers continue to leave their jobs, which is also partly in response to increased
mobility in the labor market as job openings strongly outnumber those looking for work.
For many business owners, the current labor market is creating various professional liability
insurance exposures.47

For those who remain in their role, both the professional manager and insurance carriers
need to mitigate the broader range of “resilience” risks, including well-being and mental
health.48
Despite remote supervision and staffing issues, however, the standard to which professionals
are held remains the same49 or indeed has become higher. In many jurisdictions
regulation of professionals—particularly certain categories of professionals—has experienced
a notable increase.50 As set out further below, the trend toward increased regulation
of professionals is one which is expected to continue.

42 These challenges are set out in more detail in Chapter 11.
43 Olivia Overman, “The Great Resignation, Remote Work Creates Professional Liability Mayhem,” Big
Independent Agent, 1 August 2020,
www.iamagazine.com/markets/the-great-resignation-remote-work-creates-professional-liability-mayhem (hereafter Overman).
44 Overman (n 43).
45 “AON Professional Indemnity Market Insights,” AON Q2 2022,
https://aoninsights.com.au/wp-content/uploads/Professional_Indemnity_Insurance_Market_Insights_Q2_2022-V3.pdf.
46 Overman (n 43).
47 Overman (n 43).
48 Fenton Green, “Manage mental health to avoid professional indemnity claims,” In the Black, CPA
Australia, 7 December 2021,
https://intheblack.cpaaustralia.com.au/sponsored-content/manage-mental-health-to-avoid-professional-indemnity-claims.
49 Professionals owe a standard of care both in common law and in statute in most jurisdictions, see Bolam
v Friern [1957] 1 W.L.R. 583, 587; the standard of care is a matter of medical judgment, bringing the attention
of risk, see Chappel v Hart (1998) 195 CLR 232; inexperience is irrelevant Jones v Manchester Corporation
[1952] 2 QB 852.
50 “January 2023 Market Update—Professional Indemnity,” Bellrock, 17 January 2023,
www.bellrock.com.au/jan-2023-market-update-professional-indemnity/.

Increased regulatory oversight


PI insurance has always been sensitive to regulatory changes as it needs to rapidly adapt.
There is, of course, potential exposure to professionals if there is non-compliance with
regulations as they develop. Insurance carriers, in particular, are exposed to increased
regulations. For example, in the Netherlands, concerns are revolving around the levels of
nitrogen that are allowed on construction sites following the introduction of strict rules
which are now being enforced against professionals51 increasing the potential exposure to
PI insurers.
An increase in regulation is, however, according to a survey of the London PI market,
not a bad thing for insurance carriers in the longer term. A survey in 202252 found that:
While insureds dread the impact of increased regulation, underwriters’ caution is more tem-
pered. While in the short term increasing regulation and enforcement will create significant
difficulties for professionals that will drive claims and costs, their impact should be positive
in the longer term—for example changes to ESW1 cladding regulations will improve fire risk
in buildings in the future.

In short, increases in regulation may in fact prevent a profession from being impacted by
an issue or an event that would otherwise have had a broad-ranging impact.
Although increased regulation creates some certainty for underwriters in the longer
term, the short-term impact on the market remains, from both a carrier and an insurance
buyer perspective. And the increase in the regulation of professionals appears to
have been gaining pace over the past decade. In part, this is due to events that have had
a significant impact, such as the use of combustible cladding in construction. In other
cases, it may be due to cultural issues within a particular profession. In Australia, a Royal
Commission53 identified shortcomings in the finance and insurance industries and made
recommendations for greater oversight—through legislation and through industry bodies
and their codes of conduct.54 Many finance-oriented professions, including financial
advisers and accountants, are now subject to more stringent regulation following the
Royal Commission.
When a profession becomes too heavily regulated, it becomes difficult for commercial
insurers to provide cover. Presently, for example, there is less of an appetite to provide
insurance for a number of professions that have been impacted by regulation, including
financial advisers, planners and surveyors.55 Later in this chapter, we examine the impact
that this may have on the level of cover available to particular professions, including limits
of liability and exclusions, and we also examine other risk transfer arrangements that have
sprung up in a PI context where cover is not available on the open market.

51 See “Recovery Amidst Recession? Design and Construction Professional Liability Sentinel,” AON,
Issue 20: Q4 2022, 22.
52 London Market 2021 (n 22) 7.
53 The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services
Industry was a royal commission established on 14 December 2017 under the Royal Commissions Act 1902
(Cth) (hereafter Hayne Report).
54 Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial
Services Industry, 4 February 2019, https://treasury.gov.au/publication/p2019-fsrc-final-report.
55 London Market July 2022 (n 29) 15.

One theme that emerges, and that is expected to continue to develop, is the shift
towards more intra-profession regulation.56 To that end, we expect that PI insurance
itself may continue to operate, with more force, as a form of regulation on certain professions.57
Compliance with that form of regulation will be necessary in order to obtain
insurance cover, which in turn will be essential to operate within a particular profession.
Some commentators identified this development prior to the pandemic, in the following
terms:
One of the key ways in which PI insurance is said to operate as a form of regulation is through
insurers adjusting the terms on which they offer cover in order to reduce their risk. This can
be done in a number of ways for example the insurer may decline to provide cover in particular
situations (such as the decision by US insurers not to provide cover to lawyers providing
advice in situations of conflict, …) or by adjusting the premium to reward steps taken by
insureds to reduce their risk.
Requirements imposed by statute or by professional associations to hold PI insurance as
a condition of practising a particular profession are clearly regulatory in character, because
a person who is refused cover is thereby precluded from practising that profession or joining
the professional body.58

As insurers influence the actions of professions to mitigate their risk, the increasing cost
of obtaining PI in some areas is seeing professional standards councils seeking to boost
insurer recognition of such schemes that encourage and improve risk management.59

Environmental, social and governance challenges


In recent years, there have also been more regulatory crackdowns and litigation regarding
ESG commitments. Although the potential exposure is largely at board level, and a D&O
risk at this stage, there are potential exposures on the PI side too. AGCS60 comment in
their 2022 global claims review as follows:
Activity around environmental, social and governance (ESG) and sustainability issues is
increasing as governments and citizens exert pressure on businesses to change their ways for
the greater good. Climate change is already a top boardroom issue, as companies face an array
of physical and liability-related risks from a more extreme climate and from the transition to a
low- or no-carbon economy. However, social issues are also a growing area of exposure, from
diversity and inclusion through to an organization’s impact on local communities and supply
chains. Climate change-related litigation is likely to become a significant source of liability
exposure for companies and their directors in coming years. The D&O insurance market has
already seen claims related to climate change, such as in the aftermath of the California wildfires
in 2018, and companies increasingly face the prospect of litigation from activist shareholders
seeking to influence company policy or compensation for alleged damage related to
past pollution. Almost 2,000 climate change-related lawsuits have been launched to date—
half of them in the past seven years.

56 See, for example, the recommendations contained in the Hayne Report relating to developing enforceable
industry codes of conduct, Recommendation 1.15.
57 Morgan (n 12) 354, in which the authors also refer to the views of Tom Baker and Kyle D Logue in
Insurance Law and Policy: Cases, Materials and Problems (Wolters Kluwer Law Business, 3rd ed, 2013).
58 Ibid.
59 “Professions seek PI recognition for risk-reducing schemes,” Insurance News, 24 October 2022,
www.insurancenews.com.au/the-professional/professions-seek-pi-recognition-for-risk-reducing-schemes.
60 “Global claims review 2022—Trends and developments in corporate insurance losses,” Allianz Global
Corporate & Specialty,
www.agcs.allianz.com/news-and-insights/news/claims-review-2022.html#:~:text=Global%20Claims%20Review%202022%3A%20Allianz,key%20for%20companies%20and%20insurers.

Another potential exposure comes from claims of “greenwashing,” where a company is
sued for unsubstantiated or misleading ESG claims, or its failure to match commitments
with action. With growing reporting requirements, companies and their directors will
face growing liability from climate-related disclosure and breach of fiduciary duty.61 For
example, on 7 February 2023, ClientEarth filed a derivative action lawsuit at the High
Court in England against the board of directors of Shell plc in what is described as a global
first, seeking to hold 11 of Shell’s directors liable for alleged inaction on climate change.
While in many jurisdictions shareholder claims against directors (whether on behalf of
a company or otherwise) are commonplace, this action appears to be the first of its kind
to base such a claim solely on the alleged mismanagement of climate risk by a board of
directors.62
Insurers are also facing increasing risks from “social washing.” Jacques Jacobs63 comments
that:
Until now, the “s” part of environmental, social and governance (ESG) factors has taken
a back seat to the “e” part and the issue of greenwashing. We’re very familiar with greenwashing
and many clients and regulators have been dealing with it for the past few years so
it’s now a concept that’s fairly well defined. But we’re seeing consumers and also investors
increasingly focusing on the “S” part of ESG and that’s where social washing can come in.
Reputational damage, liability and directors and officers (D&O) risks are some of the threats.
It’s really similar to greenwashing. It looks at the extent to which a company’s social commit-
ments match what they’re actually doing.
The implementation of ESG reporting requirements in Europe and the US will make it
easier to hold directors to account for the impact of their organizations on the environment
and society, as well as adding a further level of reporting and disclosure.64

Edward Kirk, a New York-based partner with Clyde & Co, predicts that, in 2023, there
will be a significant increase in regulatory and shareholder actions against companies
and their directors and officers (D&Os) relating to ESG risks as new regulations come
into force and political debate around ESG intensifies. He comments that the Securities
and Exchange Commission (SEC) is focusing on improving climate change disclosures.
On 21 March 2022, it proposed comprehensive rules for all registered companies, which
will require “consistent, clear, intelligible, comparable and accurate disclosure of
climate-related financial risk.” He observes that:

The SEC has already targeted companies’ ESG disclosures. For example, an April 2022 SEC
enforcement action alleged that Brazilian mining company Vale, S.A. misled investors in
ESG disclosures. In May 2022, the SEC fined Bank of New York $1.5 million for misleading
clients about ESG investments. In November 2022, the SEC fined Goldman Sachs $4 million
for failing to implement ESG investment procedures. There will be more ESG-related regulatory
actions in 2023, particularly after implementation of the new ESG rules.
Shareholder lawsuits arising from ESG disclosures will also increase. In recent years,
activist shareholders have closely scrutinized whether boards sufficiently addressed ESG
issues and brought cases regarding board diversity and positions on racial inequality. A recent
action alleges that Pfizer is discriminating against white and Asian-American applicants for
fellowships, and the Supreme Court is expected to rule in 2023 on the use of race and ethnicity
in college admissions.
Even companies that actively engage on ESG face increasing litigation and regulatory
risk. There has been a political backlash against ESG, and some states have taken “anti-ESG”
measures, including divestment policies and “anti-boycott laws” limiting business with
companies that prioritize ESG. A recent securities class action complaint alleges that wood
products company Enviva is the “latest ESG farce” and engages in “textbook greenwashing”
by misrepresenting the environmental sustainability of its wood pallets.
As a result, there will be a significant increase in D&O insurance claims for regulatory and
shareholder actions against companies and D&Os relating to ESG issues.65

61 Idem.
62 See, Jane O’Reilly et al., “Global first: Shell’s board of directors sued for climate risk mismanagement,”
Clyde & Co, 17 February 2023,
https://connectedworld.clydeco.com/post/102i815/global-first-shells-board-of-directors-sued-for-climate-risk-mismanagement.
63 Partner, Clyde & Co, Sydney, Australia, 23 July 2022; see,
www.insurancebusinessmag.com/au/news/breaking-news/global-law-firm-warns-insurers-against-social-washing-414194.aspx.
64 For example, the European Commission’s Sustainable Finance Disclosures Regulation (SFDR) for asset
managers came into effect on 10 March 2021.

Similarly, in Europe, on 10 November 2022, the EU Parliament formally adopted the
Corporate Sustainability Reporting Directive (CSRD) in a move to make businesses
within the European Union and those that operate within the EU disclose information
on their ESG credentials. This goes further than earlier legislation deemed insufficient
to meet the global impacts of climate and social change. The new piece of legislation
(CSRD) will use independent auditing to ensure companies are complying with EU Law.
In an effort to develop a comprehensive strategy in line with the European Green Deal,66
it is a move by the EU to implement more detailed reporting requirements on businesses’
impacts on the environment, human rights and social norms.67
Sarah Crowther and Pavan Trivedi68 comment that:
Undeniably ESG presents vast opportunities to companies and their directors—strong ESG
credentials attract stakeholders, from investors to talent, and can play an integral part in the
success of a company. On the other hand, with ESG becoming subject to increasing scrutiny,
any false step could leave directors vulnerable to claims. Directors making statements about
ESG credentials should take care to ensure the accuracy of that information—drawing a clear
distinction drawn between aspiration and attainment. With regulation around ESG reporting
on the rise, it is possible that official guidance will emerge as to the form and content of ESG
disclosures. Until such time, modesty is likely to be the best policy.

As set out earlier, claims relating to failures in ESG commitments or representations
(i.e. against a company making unfounded claims that a product is environmentally
friendly, sustainable or ethical, including financial products), however, have tended
to be captured by D&O policies, rather than PI policies. That said, the PI insurance
market has some potential exposure to claims against financial professionals, such as
financial advisers who recommend financial products where ESG claims are not properly
founded. Other professionals, for example an architect who designs a
building and claims to have integrated sustainability-related factors when undertaking
their professional role, may face future liability claims where this claim of integration
is not proven.

65 “ESG claims under D&O policies will increase significantly in 2023,” Clyde & Co, 4 January 2023,
www.clydeco.com/en/insights/2023/01/esg-claims-under-d-o-policies-will-increase.
66 https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/european-green-deal_en.
67 See “EU Parliament expands ESG requirements for SMEs and large companies,” 11 November 2022,
www.lexology.com/library/detail.aspx?g=0a1949b9-4854-4786-9ccf-8e6191675eac#:~:text=EU%20Parliament%20expands%20ESG%20requirements%20for%20SMEs%20and%20large%20companies,-Prospect%20Law&text=On%2010th%20November%202022%2C%20the,information%20on%20their%20ESG%20credentials.
68 “ESG claims against Directors: will it all come out in the wash?,” DAC Beachcroft, 14 October 2022,
www.lexology.com/library/detail.aspx?g=93cd9b83-72fb-4ad8-a6eb-44616d712bcb.

Insurance brokers themselves are also facing these emerging risks and may face claims
in the future if the broker presents an insurance product as “green” when, in fact, it is not,
thereby leaving the insured potentially exposed to a criticism of not adhering to the sustainable
principles it claims to support. This could lead to a possible claim for breach of
duty against the broker.69 Diego Assef, Allianz Global Corporate & Specialty, describes
the PI risks for a broker relating to ESG risks as follows:

• Not fully advising the insured as to what they need to disclose in relation to ESG;
• Not asking the insured clear and specific questions about information relevant to
the cover required in terms of ESG—generic or standardised questions may not
be sufficient to discharge this duty;
• Not giving suitable advice due to insufficient knowledge of the insured’s business
and/or insufficient knowledge of ESG;
• Not recommending cover that fits with the insured’s needs and demands for ESG
cover;
• Failing to explain accurately/fully any limitations on cover in relation to ESG; or
• Failing to provide appropriate information about a policy in good time and in a
comprehensible form so the insured can make informed decisions about the proposed
arrangements—in England and Wales, this is known as the “appropriate
information rule.”70

ESG is a major challenge for insurance, and insurance carriers are already integrating the
societal expectation that ESG matters will be taken into consideration.71 Insurers need to
understand how to help professionals manage related risks and determine the many ways
ESG affects them.72 It is an area which will continue to grow and challenge, with particular
attention needed to policy wording, exclusions and maintaining knowledge of changing
expectations.

Economic headwinds
According to the 2022 London Market survey:
The broader macroeconomic trends are impossible to ignore, however. The unfolding crisis
in Ukraine, the inflationary environment, supply-chain issues, and Britain’s exit from the
European Union, among other factors, are giving underwriters and brokers in this marketplace
pause. …
While most experts believe the direct impact on the PI market is likely to be less severe and
widespread than in the wake of the Global Financial Crisis of 2008, they stress that underwriters
should be pricing in the effect of inflation, in particular, as we move forwards although
some expressed doubt that this was yet fully part of the underwriting decision.73

69 See, Diego Assef, “ESG: Brokers' exposure to professional indemnity claims,” ALM Property Casualty
360, 6 October 2022,
www.propertycasualty360.com/2022/10/06/esg-brokers-exposure-to-professional-indemnity-claims/.
70 “ESG: brokers’ exposure to professional indemnity claims,” Allianz Global Corporate & Specialty, 10
October 2022, https://afahpublishing.com/esg-brokers-exposure-to-professional-indemnity-claims/.
71 See, “ESG: A growing sense of urgency,” PWC 2022,
www.pwc.com/us/en/industries/financial-services/library/next-in-insurance-top-issues/esg-insurance-industry.html.
72 Ibid.

A cost-of-living crisis, high inflation, supply chain disruptions, an unpredictable
financial and housing market together with the fatigue of COVID-19 are all factors pointing
towards a global economic downturn.
The words of John Kenneth Galbraith after the Great Crash of 1929 continue to ring
true during each market recession or downturn:
In good times people are relaxed, trusting, and money is plentiful. But even though money is
plentiful, there are always many people who need more … In depression all this is reversed.
Money is watched with a narrow, suspicious eye. The man who handles it is assumed to be
dishonest until he proves himself otherwise. Audits are penetrating and meticulous.74

Negligence claims against professionals in the finance and legal industry are likely to rise
as those in financial difficulty review advice and previous transactions and pursue claims
where (perceived) poor advice was provided during preceding years. As set out in the
previous section, during a boom, economies often deregulate,75 but as markets tighten, so
do regulators, by raising standards for professionals and actively enforcing these
standards.76 While PI premium costs have been rising since late 2001, attributable to
increasing regulation and (as discussed below) active litigation, premiums have risen
far more quickly since 2019. In Australia, the average premium for PI insurance increased
by 76% between March 2019 and March 2022.77
Some professions have been affected not only by the spectre of a recession but also by
the constriction in supply chains caused by the pandemic and, later, the crisis in Ukraine.
A leading broker suggests that insurance buyers who are reliant on supply chains should,
in their underwriting submissions, “look to provide information about how they are
addressing supply chain challenges. This may include contractual considerations to
increase fees, to take into account increased costs.”78

73 London Market 2022 (n 29) 10.


74 John Kenneth Galbraith, “The Great Crash, 1929,” 1955.
75 Jihad Dagher, “Regulatory cycles: revisiting the political economy of financial crises,” International
Monetary Fund, 2018.
76 See, for example, in the UK Corporate Report, HM Revenue and Customs, “Raising standards in the
tax advice market—HMRC’s review of powers to uphold its Standard for Agents,” 10 March 2022,
www.gov.uk/government/publications/raising-standards-in-the-tax-advice-market-hmrcs-review-of-powers-to-uphold-its-standard-for-agents/raising-standards-in-the-tax-advice-market-hmrcs-review-of-powers-to-uphold-its-standard-for-agents.
The European Union is currently reviewing capital market rules through its MiFID II/MiFIR
proposal; see, “Report on the current framework for qualification of financial advisors in the EU and
assessment of possible ways forward,” Brussels, 30 June 2022 SWD (2022) 184 final. In the financial advice
markets, regulatory changes aimed at improving financial advice were commenced before 2020 but the effects
and implementation of some of the changes are only being experienced in 2023; see for example, Australia,
Professional standards for financial advisers Financial Sector Reform (Hayne Royal Commission Response—
Better Advice) Act 2021 (Better Advice Act).
77 “Quarterly general insurance statistics,” APRA, 24 November 2022,
www.apra.gov.au/quarterly-general-insurance-statistics.
78 “AON Professional Indemnity Market Insights Q2 2022,” AON,
https://aoninsights.com.au/wp-content/uploads/Professional_Indemnity_Insurance_Market_Insights_Q2_2022-V3.pdf.


Sectors facing significant industry reform, such as aged care and the cryptocurrency
industry, also continue to be at situation-specific insolvency risk, and operators who are
unable to meet new obligations may be at an increased risk of negligence.

Social inflation
The phenomenon of social inflation has gained a great deal of attention from the insurance
industry and regulators, with increased scrutiny as this becomes a significant issue for the
PI insurance market moving forward.
“Social inflation” has many definitions, but broadly it refers to the impact of rising
litigation costs on insurers’ claim pay-outs, loss ratios and, ultimately, how much
insurance buyers pay for coverage.79 Reports suggest social inflation increased commercial
auto liability claims by more than US $20 billion between 2010 and 2019, and
there is evidence of a similar trend in PI insurance, particularly medical
malpractice claims made.80 More broadly, social inflation was listed as a growing
concern among the participants in the PI market, with a large proportion of respondents
putting social inflation as one of the top three claims influencers in the next five
years.81
Insurers need to accurately model the risks they underwrite and price them accordingly,
and the unexpected claim payments that are increasingly being awarded by juries
can seriously damage an insurer’s balance sheets and challenge their capacity to provide
risk transfer mechanisms.82
Keeping on top of social inflation is increasingly difficult due to the longer tail for
claims, being the intervening period between the provision of the professional service and
when the claim is ultimately made by the client (i.e. after a loss is alleged to have been
sustained).83 Some of the drivers of social inflation include:

• A large increase in class action suits and settlements;84
• Growing awards from sympathetic juries (“nuclear verdicts” discussed below);
• “Litigation funding”—in which investors finance lawsuits against large companies
in return for a share in the settlement;
• Rollbacks of tort reforms that were intended to control costs;
• Cultural attitudes, intensified after COVID-19; and
• Court closures due to COVID-19 lockdowns result in delays in the legal system
and, with current inflationary pressure, delays could mean a significant increase
in resulting court awards.85

79 “Social Inflation: What it is and why it matters,” Insurance Information Institute Trends and Insights,
February 2022. The term social inflation is not new; Warren Buffett used it in the 1970s to describe “a
broadening definition by society and juries of what is covered by insurance policies,” Warren Buffett, “Chairman’s
Letter—1977,” 14 March 1978, www.berkshirehathaway.com/letters/1977.html; see generally, William
Swallow and Alistair Kinley, “Nuclear verdicts on the rise in the US, while UK legal delays could see inflation
driving up costs,” Market Insight, Clyde & Co, 10 January 2023,
www.clydeco.com/en/insights/2023/01/social-inflation-continues-to-dog-casualty-market (hereafter Kinley).
80 Lynch (n 31).
81 London Market 2022 (n 29).
82 Darren Pain, “Social Inflation: Navigating the evolving claims environment,” The Geneva Association,
2020, Foreword (hereafter Geneva Association 2020).
83 Padfield (n 2) 450.
84 2022 had the most billion-dollar class action settlements in the history of the American court system,
with 15 class actions that resolved cases for US $1 billion or more in settlements; see Report, Duane Morris
Class Action Review, 2023, www.duanemorrisclassactionreview.com/.

Countries such as the United States and the UK, which operate a common law legal system, are
more affected by social inflation than those that operate a civil law system.86 One of the most
controversial remedies in private law is that of punitive (or exemplary) damages. Damages are
more limited in the UK than in the United States, particularly punitive, exemplary and
statutory damages. In the UK, awards are made by judges, not juries, and courts have been
historically averse to punitive damages.87 In the United States, plaintiffs generally have the
right to a jury trial.88 US-based insurers are far more vulnerable to large claims including class
actions which have a much more well-established history than in the UK and Australia.89
Nuclear verdicts, defined as jury verdicts of US $10 million or more, are increasing in
both amount and frequency.90 In the United States nationwide, nuclear verdicts in personal
injury and wrongful death cases were most frequent in product liability (23.6%), auto
accident (22.8%) and medical liability (20.6%) cases.91 These jury awards are “nuclear” in
the sense that such a verdict can have devastating impacts on businesses, entire industries
and society at large. These verdicts can drive up the costs of goods and services, adversely
affect the cost and availability of insurance, and undermine fundamental fairness and
predictability in the rule of law.92
An article in Bloomberg suggests “nuclear punitives” are becoming more common in
California, which, unlike many other states, has no limit on punitive awards.93
Nuclear verdicts also contribute to the underlying attitudes and opinions associated
with social inflation by normalising litigiousness and entitlement to compensation and
thus encouraging even more claiming activity and litigation.94 Another reason some
plaintiffs’ lawyers aggressively pursue ever-higher damage awards is that they are increasingly
splitting recoveries with third parties.95 According to a Swiss Re Institute study, an
estimated US $17 billion was invested in litigation funding globally in 2021, with more than
half that amount directed at litigation in the United States.96 Third-party litigation funder
investments also increased 16% between 2020 and 2021 alone and are projected to balloon
to US $31 billion annually by 2028.97
Many insurers see social inflation as a long-term issue and, as expected, have been
factoring the trend into their pricing and underwriting for several years;98 however, the recent
and unprecedented increases are causing immense pressure throughout the industry.
The Medical Professional Liability Association, for instance, found that the number of
multi-million dollar awards in medical malpractice cases has been increasing and that the
average verdict increased by 50% between 2016 and 2019.99
In the UK, the costs of clinical negligence are also rising at an unsustainable rate,
eating into resources for patient care. Annual cash payments have quadrupled in the
last 15 years to £2.2 billion in 2020–21. That figure is equivalent to 1.5% of the NHS
budget, and these costs are forecast to continue rising. This is despite substantial safety
programmes.100 NHS Resolution also has to account for claims likely to be received in
the future. Now standing at £83.4 billion [2018–19], the amount “set aside” for such
claims is among the most substantial public sector financial liabilities faced by the UK
government, second only to nuclear decommissioning (£131bn).101 In March 2021, the
government referenced the 2017 report by the National Audit Office (NAO) which the
government said “confirmed that developments in the legal market are amongst the
biggest factors influencing the changing costs of medical litigation, rather than any
detectable decline in patient safety.”102
The outcome of a set of Supreme Court cases in the UK may see an extension of
clinical negligence liability.103 The three
cases all concerned claims where the defendant was alleged to have failed to diagnose the
primary victim’s life-threatening condition, and their subsequent traumatic death was said
to have caused psychiatric injury to their close relatives.

85 Kinley (n 79).
86 Robert Mazzuoli, “Coronavirus Pandemic Will Have Severe Impact on Social Inflation: Fitch’s
Mazzuoli,” Insurance Journal, 15 September 2020,
www.insurancejournal.com/news/international/2020/09/15/582627.htm#:~:text=Countries%20such%20as%20the%20U.S.,liability%20(D%26O)%20in%20particular.
87 The clear policy of the law, as Lord Bingham observed in Watkins v Secretary of State for the Home
Department [2006] UKHL 17, [2006] 2 AC 395 at [26] “is not in general to encourage” judges to exercise it. For
full discussion see James Goudkamp and Eleni Katsampouka, “Punitive damages and the place of punishment
in private law.” The Modern Law Review 84, no. 6 (2021), 1257–1293.
88 The general standard for PI cover would be to cover anywhere in the world, excluding the United States
and Canada (due to the high costs of litigation in those jurisdictions).
89 Class actions in the United States go back 200 years. See West v Randall, 29 F. Cas. 718 (R.I. 1820).
90 In the United States, the number of malpractice verdicts greater than US $25 million grew from 4 in
2014 to 17 in 2018; see Richard E Anderson, “Behind the Rise in Large Outlier Medical Malpractice Verdicts,”
Physicians Practice, 21 February 2020,
www.physicianspractice.com/article/behind-rise-large-outlier-medical-malpractice-verdicts.
91 “Nuclear Verdicts, Trends, Causes and Solutions,” US Chamber of Commerce Institute for Legal
Reform, September 2022, 36,
https://instituteforlegalreform.com/blog/how-state-legislators-can-rein-in-third-party-litigation-funding/
(hereafter US Chamber of Commerce).
92 US Chamber of Commerce (n 91) 2.
93 California Civil Code § 3294; California has no cap on either punitive or compensatory damages, subject
to some limited exceptions. It should be noted that there is a 2021 case that demonstrates the courts’
requirement for specific evidence showing corporate defendants authorised or ratified wrongdoing; see Morgan v
J-M Manufacturing Company, Inc. 0 Cal. App. 5th 1078 (2021) where the court vacated a $15 million punitive
damages award because there was insufficient evidence to support the award.

94 “Social Inflation: Evidence and Impact on Property-Casualty Insurance,” The Institutes Risks and
Insurance Knowledge Group,
www.insuranceresearch.org/sites/default/files/news_releases/IRCSocialInflation2020.pdf
(hereafter The Institutes Risks and Insurance Knowledge Group).
95 US Chamber of Commerce (n 91) 31.
96 “U.S. Litigation Funding and Social Inflation,” Swiss Re Institute, December 2021, 8,
www.claimsjournal.com/app/uploads/2021/12/swissre.litigation.funding2021.pdf.pdf (hereafter Swiss Re).
97 Ibid.
98 “Travelers sounds alarm as P&C insurers seek to constrain social inflation,” S&P Global Market
Intelligence, 4 March 2020.
99 Amy Buttell, “Nuclear Verdicts Escalate,” Inside Medical Liability, First Quarter 2021, cited in US
Chamber of Commerce (n 91).
100 https://hansard.parliament.uk/Lords/2021-11-10/debates/65F0CC78-DE6D-4AE6-986D-239586D83958/ClinicalNegligenceClaims.
101 www.bmj.com/content/368/bmj.m552.
102 10 March 2021,
https://questions-statements.parliament.uk/written-questions/detail/2021-03-10/HL14117.
103 See, for example, discussion and details in, Sam Tobin, “Landmark ‘secondary victims’ cases
heading for Supreme Court,” The Law Society Gazette, 14 January 2022,
www.lawgazette.co.uk/news/landmark-secondary-victims-cases-heading-for-supreme-court/5111148.article.


Rollbacks of the tort reforms that were originally intended to control costs may also
be contributing to social inflation. In the past, insurance carriers often took the view
that the best way to approach tort reforms is to let the effect of highly subjective reforms
be reflected in the loss experience.104 Damages caps, particularly in medical malpractice,
reduce insurance losses and foster insurer profitability, consistent with the objective
of caps; the impacts of caps are greatest for insurance carriers that otherwise would
have experienced the greatest losses.105 Although loss history is now available, insurers
are once again facing uncertainty with a rollback of some of these reforms. The Geneva
Association report explains that in the United States, of the 32 states that have reformed
punitive damages, four had reforms struck down as unconstitutional and have not enacted
additional reforms.106 Likewise, since 2010, the supreme courts of at least five states with
caps on non-economic damages have overturned the reforms.107 The Florida Supreme
Court held that the limit on non-economic damages is unconstitutional in all medical
liability cases.108 By removing any limits on potential damage awards, an additional
incentive is created for further actions to be filed and for claimants and plaintiffs to seek higher
settlements from defendants and their insurers.
Cultural attitudes are another driver of social inflation, where a greater recognition of
income inequality may encourage juries and judges to increase awards as a way (in their
opinion) to address such inequalities.109 Beliefs about entitlement to compensation and
anti-corporation attitudes are also driving up claims, particularly D&O.110 Higher
settlement costs, for example, nuclear verdicts, also contribute to the underlying attitudes and
opinions associated with social inflation by normalising litigiousness and entitlement to
compensation and thus encouraging even more claiming activity and litigation.111
There is no quick fix to the problems caused by social inflation, nor can the industry
accurately predict how the market will or will not recover after the fallout and recovery
from COVID-19. However, there are ways to increase and build resilience for the future.
As the McKinsey report suggests, one way is for insurance carriers to focus on creating
maximum insight into product profitability, developing rate indications frequently
and with the most granularity possible to enable quick action.112 Leading carriers should
maintain visibility into data indicators that provide early warning113 and continue to take
an active role in any law reform discussions.

104 Allan Kerin, “The Analysis of the Effect of Tort Reform Legislation on Expected Liability Insurance
Losses.” Cited in “Including the Ratemaking Call Papers,” Casualty Actuarial Society Forum Winter 1998, 153.
105 W Viscusi, “Medical malpractice reform: what works and what doesn’t,” Denver Law Review (2019)
96, 775–792; Leonard J. Nelson III, Michael A. Morrisey and Meredith L. Kilgore, “Damages Caps in Medical
Malpractice Cases,” The Milbank Quarterly, 2007, vol 85(2), 259–286.
106 Geneva Association 2020 (n 82) 15.
107 Geneva Association 2020 (n 82) 16.
108 North Broward Hospital District v Kalitan, No. 8C14-1858. FL. 8 June 2017.
109 Geneva Association 2020 (n 81) 22; see also, The Institutes Risks and Insurance Knowledge Group (n 95).
110 “The impact of social inflation on US commercial liability claims,” Munich Re, 21 April 2022,
www.munichre.com/topics-online/en/economy/the-impact-of-social-inflation-on-us-commercial-liability-claims.html.
111 The Institutes Risks and Insurance Knowledge Group (n 94).
112 Kia Javanmardian, Sebastian Kohls, Gavin McPhail and Fritz Nauck, “Countering inflation: How US
P&C insurers can build resilience,” McKinsey, 25 August 2022,
www.mckinsey.com/industries/financial-services/our-insights/countering-inflation-how-us-p-and-c-insurers-can-build-resilience.
113 Ibid.


Cyber risks
As set out in detail in Chapter 11, the financial impact of cybercrime worldwide is
considerable. Some reports have estimated cybercrime loss at around 1% of global GDP.114 The
constantly evolving nature of the cyber threat landscape means that even organisations
with heightened cyber security face a residual risk from cyber incidents and attacks.
Most traditional PI insurance policies offer minimal protection from cyber risks whether
on an affirmative (where cyber incidents or attacks are expressly affirmed or excluded
from cover) or non-affirmative or “silent cyber” basis (where the language of traditional
insuring clauses may be wide enough to, potentially unintentionally, provide cover for
losses caused by cyber incidents and attacks).
If the PI insurance policy does not provide cover for first-party losses, it is unlikely
to cover the losses associated with a cyber breach, which can include ransom payments,
breach response costs and reputational harm. Insurers need to manage their cyber
exposure, and some have, for example, added a clause to PI policies which specifically excludes
regulatory investigations arising from a “cyber act / cyber incident.”115 Both coverage and
exclusions need to be clearly explained to the insured, and the active role insurers are
currently taking in driving risk prevention and mitigation will continue to provide tangible
benefits going forward.

Risk trends in key areas


As noted above, the impact of the COVID-19 era is not yet being fully felt by insurance
carriers.116 In part, this may be due to the fact that professional indemnity insurance is
generally written on a “claims made” basis, but it is also likely that part of the impact has
been postponed—but not extinguished—by the regulatory amendments during and after
COVID-19. This section examines some of those regulatory amendments and explores the
risk trends in particular professions that have been most affected by the events of the past
three to four years.

Legislative changes during and after COVID-19


Professionals have a duty to adhere to current legislation and codes of conduct when
carrying out their roles. Under normal situations, this requirement should not be particularly
onerous because usually legislative changes are incremental and organic with extensive
stakeholder engagement and consultations undertaken. COVID-19, however, was not a
normal situation and the usual processes, understandably, did not occur during the
pandemic. To put the speed and size of the legislative changes into perspective:
The UK Government laid 582 Coronavirus-related Statutory Instruments (SIs)
before the UK Parliament between the start of 2020 and 3 March 2022. The first two
Coronavirus-related SIs were laid on 28 January and 10 February 2020, respectively. The
rest were laid from 6 March 2020, at an average rate between then and 3 March 2022 of six
per complete week. Of the 104 complete weeks in this period, there were four in which no
Coronavirus-related SI was laid.
Between the start of the week commencing 27 January 2020 (when the first
Coronavirus-related SI was laid) and 3 March 2022, the government laid a total of 1,946 SIs
covering all subjects.
Coronavirus-related SIs thus accounted for 30% of all the SIs laid before Parliament in
this period.117

114 James Andrew Lewis, “Economic Impact of Cybercrime,” Center for Strategic & International Studies,
21 February 2018, www.csis.org/analysis/economic-impact-cybercrime,
www.business-standard.com/article/technology/mcafee-report-says-cybercrime-to-cost-world-economy-over-1-trillion-120120700249_1.html.
115 Hollie Mortlock, “Cyber v Professional Indemnity,” WTW, 7 May 2021,
www.wtwco.com/en-GB/Insights/2021/05/cyber-v-professional-indemnity-pi.
116 London Market 2022 (n 29).

Other jurisdictions reacted in a similar manner118 with economic response packages119 and
wholesale changes across areas such as tax,120 insolvency,121 company reporting
requirements122 and changes to limitation periods for commencement and filing.123 Temporary
changes were modified, extended,124 revoked or made into permanent measures.125 Claims
related to professional services undertaken during COVID-19 are not yet fully realised
and extensions to limitation periods during this period will further extend the time for
claims.126 It is likely insurers are contemplating an increase in claims due to breaches of
(new) laws and potentially incorrect advice and errors made during this period. Advice
and decisions were provided under stressful, isolated and often unsupervised conditions, with,
perhaps, limited access to office files and other necessary documentation. Add this to an
increase in insolvencies and economic downturn, and it provides the ingredients for an
expected increase in negligence-related PI claims. Regulators need to keep a close eye
on claim trends and legislative corrections, as a societal consensus may be required if
jurisdictions or professions begin to see “an indeterminate number of claims by an
indeterminate number of parties in indeterminate amounts of money for an indeterminate
amount of time.”127
Against this background of change and the combination of challenges identified above,
insurance carriers and those insured need to review existing policies, identify problematic
or imminent payments and consider the adequacy of their policies.

117 See www.hansardsociety.org.uk/publications/data/coronavirus-statutory-instruments-dashboard#how-many-coronavirus-related-statutory-instruments-did-t.
118 In Australia, 727 legislative instruments were made in response to COVID-19 during the period 18
March 2020 to 17 April 2022; see
www.aph.gov.au/Parliamentary_Business/Committees/Senate/Scrutiny_of_Delegated_Legislation/Scrutiny_of_COVID-19_instruments.
119 Coronavirus Economic Response Package Omnibus Act 2020 (Cth).
120 Tax reform in the United States, H.R.5376 Inflation Reduction Act 2022.
121 Eighteen SIs were laid out under the Corporate Insolvency and Governance Act 2020, see
www.legislation.gov.uk/ukpga/2020/12/contents?utm_source=www.hansardsociety.org.uk.
122 See, for example, in New Zealand, the Business Debt Hibernation Regime,
www.business.govt.nz/covid-19/business-debt-hibernation/.
123 For example in Ontario, Canada, Regulation 200073 and in New York, Executive Order No. 202.8,
limitations periods were temporarily suspended during COVID-19.
124 For example, 588GAAA into the Corporations Act 2001 granting temporary relief for financially
distressed businesses was extended three times.
125 In Australia, the Corporations Amendment (Meetings and Documents) Bill 2021.
126 See n 123; in British Columbia the limitation period was suspended from 26 March 2020 to 25 March
2021, providing an even longer “tail” for claims and exposure for insurers. See Attorney General, BC Gov
News, “Suspension of limitation periods to end March 2021,” 21 December 2020,
https://news.gov.bc.ca/releases/2020AG0079-002121.
127 See comments from Cardozo, CJ in Ultramares Corporation v Touche, 174 N.E. 441 (1932), on
“floodgates” in relation to negligent misstatement of an auditor.


Risk trends in construction PI


The construction industry is dynamic and has a good track record of responding to
disruption and change. By and large, the industry was able to respond quickly to the challenges
of the COVID-19 pandemic such as remote working, disrupted supply chains, restricted
workforce numbers allowed on-site and illness.128
The global construction market is set for a sustained period of strong growth, with
the global industry forecast to grow 42% to US $15 trillion by 2030.129 The growth is
expected to be driven by a growing world population, urbanisation, an expected surge in
government spending on infrastructure, carbon-neutrality targets and the push towards
sustainability. The transition to a low-carbon economy will require significant investment
in alternative forms of energy, such as wind, solar and hydrogen, as well as power storage,
transmission and supporting services.130
According to a recent KPMG global survey, the pandemic has seen a move to more
collaboration between owners and contractors and a rebalancing of contract risk, describing
the emerging trend as follows:
For many years now the sector has been looking at ways to break the cycle of at-risk,
lump-sum contracts. These “bet the farm” projects carry a significant risk imbalance weighted
heavily in favor of owners, placing existential pressure on contractors. All it takes is for one
contractor to accept such a burden, and others follow suit in a vicious cycle. Recently,
however, for complex, multi-year, megaprojects, contractors have been shifting to hybrid or
cost-plus arrangements with lower liability for cost and schedule overruns.
Consequently, project owners, faced with a shared responsibility for risks, are now taking
greater interest in controls over scoping, budgeting, and planning, and investing in risk
management to support their capital investment decisions.
The pandemic accelerated the risk transfer away from contractors and also saw an
unusually high level of cooperation, to cope with the increased impacts on cost and schedule.131

Despite an optimistic forecast, the industry is still faced with challenges in overcoming
the shortage of key equipment and materials, a spike in procurement costs, longer
lead times, schedule and cost overruns, compromised supply chains, skilled labour
shortages and increased competition for limited work.132 Most jurisdictions have also seen an
increase in regulation, in response to shifting societal expectations about building quality,
safety, usability and energy efficiency. The switch to sustainable energy and the adoption
of modern building methods is also transforming the risk landscape, with radical
changes in design, materials and construction processes.133 New materials and construction
methods are being introduced across the market in short periods of time, and with this
comes increased risks of defects and the potential for unexpected safety, environmental
and health consequences.134

128 “No Turning Back: An industry ready to transcend,” KPMG, 2021 Global Construction Survey, 2021
(hereafter KPMG 2021).
129 Oxford Economics, “Future of Construction: A Global Forecast for Construction to 2030,” Marsh &
Guy Carpenter (2021).
130 Ibid.
131 KPMG 2021 (n 126).
132 Ibid.
133 “Managing the new age of construction risk—10 trends to watch as the sector builds back better,”
Allianz Global Corporate and Specialty SE, November 2021,
www.agcs.allianz.com/news-and-insights/reports/10-trends-construction-risks.html (hereafter Allianz).
134 Ibid.


Coming out of the pandemic, the construction industry is experiencing worker
shortages, which exacerbate risks of design and technical errors, and project delays are being
experienced through the loss of institutional knowledge caused by the “Great Resignation.”
Further, in the current economic climate, the way in which contracts are negotiated is
changing: Law firms and project owners will increasingly try to insert onerous contractual
language to transfer as much risk as possible to design firms.135 Increases in insurance
premiums and onerous policy exclusions have a detrimental effect on the industry which
will see over-design and anti-innovation bias increasing the costs of services.
The industry will continue to look to PI insurance to assist with managing these
emerging risks.

Building regulatory reform


The construction industry regulatory landscape in most jurisdictions has changed dramatically since the shocking UK Grenfell Tower fire in mid-2017 and other high-profile residential building failures, including the cladding fire at the Lacrosse Apartments in Melbourne, Australia, and the structural collapse of the Champlain Towers South in Miami, United States, brought into sharp focus concerns that the privatised building approval and regulatory systems of the past 30 years have prioritised cost-effective construction and have not kept pace with building complexity and society’s expectations about quality and safety. Governments in many jurisdictions were quick to respond by conducting reviews into building regulation. Common themes that have emerged from these reviews are a need to upgrade the building control and professional licensing statutes to more clearly assign risk and responsibility to the various construction professionals; to change and simplify building codes and standards to focus on the required outcomes rather than providing prescriptive guidance; and more aggressive enforcement to impose cultural change.136 Many jurisdictions have also imposed tighter regulations on the marketing and sale of building products, which are directed at more consistent and accurate assessment and verification of material performance.137
These regulatory changes are potentially both beneficial and detrimental to PI
insurers.
On the benefit side of the ledger, clearer building codes and standards are likely to
increase the quality of design and construction, thereby reducing the prevalence of defects
and associated claims. Clearer accountability and division of responsibility between
the professional disciplines involved in the project (owners, project managers, builders,
designers and certifiers) is also likely to decrease the incidence of building defects and
reduce the complexity of disputes.
The various building professions are adapting by seeking to more clearly define the roles, responsibilities and competencies of the profession concerned. They have also focused on professional development, codes of conduct and risk management systems. A good example of this is the fire safety engineering profession. It is expected that over time the roles of the consulting professions will evolve in such a way as to reduce the concentration of risk that their members take on for design defects. Many of the major insurers are betting on this trend, turning their focus to the small-to-medium enterprise (SME) consultant market with “light touch” underwriting.

135 Ames & Gough Survey, “PLI Market 2022: A/E Firms Face Headwinds Due to Adverse Economic Factors,” cited in “Architects, engineers face economic headwinds in 2022; steeper hikes in professional liability insurance rates,” Civil and Structural Engineer media, 28 February 2022, https://csengineermag.com/architects-engineers-face-economic-headwinds-in-2022-steeper-hikes-in-professional-liability-insurance-rates/.
136 See for example the UK’s report, Judith Hackitt, “Building a Safer Future Independent Review of Building Regulations and Fire Safety: Final Report,” Cm 9607, 2018.
137 See for example the EU’s COM (2022) 144, Proposal for a Regulation laying down harmonised conditions for the marketing of construction products, amending Regulation (EU) 2019/1020 and repealing Regulation (EU) 305/2011.

There has also been a rapid “professionalisation” of the project management discipline,
as current practice sees most major builders do very little “hands-on” construction, and
their role on-site is mostly to schedule, control cost, ensure quality and coordinate the
consultants and subcontractors. Design and construction PI insurance has become popu-
lar as a result. Insurers are also recognising project management as a professional service
covered under PI insurance, rather than characterising the role as building work which is
typically excluded from cover under such policies.
On the detriment side of the ledger, many jurisdictions have enacted legislation to
increase protections for building owners and make it easier for them to obtain compen-
sation for building defects. Common features of this legislation include the imposition
of statutory duties of care on all parties involved in the development process (including
developers) in favour of subsequent owners; prohibitions and restrictions on the use of
certain building materials; imposing liability on directors and parent companies; stricter
liability for certifications; and the extension of limitation periods on building defect
claims.138 While the societal benefit of such measures is clear, there is a clear policy intent
to place the burden of defect remediation on PI insurers.

Complexity and emerging risks


Construction projects are becoming larger and more complex, and this has the potential to
increase PI insurance losses. To quote AGCS, a leading construction PI insurer:

More innovative designs, new materials and methods of construction are creating fertile
ground for large liability claims against architects, engineers, developers and construction
companies. Large complex construction projects increasingly rely on input from external
professionals that are highly specialized in providing technical expertise in their fields, such
as water resources and environmental engineers, geologists, metallurgists or design archi-
tects. However, errors in data, statistical process control, detailed design and performance
assessment or simply poor advice are leading to problems that are difficult and expensive to
rectify …
Complex projects—where new technology, materials and innovative building designs are
pushing boundaries—are where we see the biggest and most complex claims against profes-
sionals and construction companies for design work and supervision of works. In particular,
we have seen claims relating to third party specialists, such as geologists used in designing
highways, or specialist engineers for designing cladding, ventilation, heating and air-condi-
tioning systems for hospitals and residential buildings.139

The volume and complexity of project documentation is increasing in proportion to the size and complexity of construction projects. Project databases are commonly used to manage document control, communications, approvals and scheduling. On large projects, it is usual for communications and documents to be issued, often automatically, to all project consultants, even if the document’s subject matter bears little or no relevance to a particular consultant’s scope of work. For consultants, the ability to administer and integrate vast amounts of incoming data is important to reduce professional liability risk.

138 See, for example, the UK Building Safety Act 2022, www.legislation.gov.uk/ukpga/2022/30/enacted.
139 “Complex construction projects generate large PI claims,” AGCS, 2022.

The use of “Building Information Modeling” (BIM) is becoming increasingly popu-
lar. BIM involves a collaborative process that allows the owner, builder and designers to
plan and design a building within one computer model. Information about the building’s
requirements, design and specifications is accessed and edited by all parties through an
online platform. If any element is changed, BIM software updates the model to reflect that
change, with the aim of allowing the model to remain consistent and coordinated. The
traditional method of manually checking the design of a building is no longer efficient,
and BIM and similar automated processes for quality and safety checking are emerging as
the alternative. While these processes have the potential to reduce errors in human quality
control oversight, the collaborative nature has the potential to cut across the roles desig-
nated by statute and contract, and there is also the potential for liability to be imposed
on those involved in the establishment, operation and verification of the BIM system and
modelling.
There is also an increasing use of technology on-site. Robots will increasingly be
deployed for specialist tasks such as welding and bricklaying, and automated excava-
tors will become more common. Connected equipment and tools, virtual reality, sensors,
wearable devices and cloud-based platforms are also being introduced to manage supply
chains to improve safety and project management.140 It will be interesting to see how
trial courts approach the attribution of liability for defects that arise from the use of such
technology. Presumably, the designers and operators of the automated technology will be
exposed to professional liability claims, together with the project managers and design
consultants who facilitate the integration of the technology into the project and verify the
accuracy of the work.
Another emerging trend of interest to PI insurers is the increased use of off-site prefabrication and “modular” construction. The global modular construction market is projected to grow from $82 billion in 2020 to $109 billion by 2025, with the healthcare industry projected to be the fastest-growing end user.141 Off-site fabrication has the potential for better design verification and quality control. However, there are also different risk profiles for off-site fabrication. Many design codes and standards do not have adequate guidance for modular construction, and there is the potential for incorrect installation and repetitive loss scenarios.

Risk trends in medical malpractice


Medical malpractice insurance (or medical negligence insurance) covers the legal liabilities of the insured to third parties for bodily injury arising from the insured’s negligent activities as a practitioner in medicine or a related profession.142 More than one in three physicians, 34%, have had a medical liability claim filed against them at some point in their careers.143 According to data from the US National Association of Insurance Commissioners, total (incurred) indemnity losses in 2020 were US $5.6 billion—an increase of over US $1 billion from 2018, and defence costs were an additional US $2.9 billion.144

140 Allianz (n 133).
141 Allianz (n 133).
142 “Casualty,” Lloyd’s, www.lloyds.com/conducting-business/regulatory-tools/risk-location-guidance/class-of-business/casualty#chapter5.

Some of the risks in the immediate aftermath of the pandemic are apparent. Many places are experiencing critical shortages of medical staff. Under-staffing will generally contribute to a reduced quality of care and create errors, and therefore claims. Cosmetic surgery claims are also becoming more prevalent, particularly those involving errors or mishaps with minor procedures, such as burns resulting from laser treatments. The prevalence of smaller claims is an area of regulatory focus. In the UK, the current system of clinical negligence claims may be reformed with a proposal for fixed recoverable costs in lower value clinical negligence claims “to reduce these costs and delays throughout the claims process through a structural reform that ensures all parties are motivated to process claims efficiently and cost-effectively, so that all parties can benefit from early resolution.”145
Traditional malpractice risks and claims continue to exist, and malpractice insurers,
relying on their experience and historical data, can usually accurately quantify and price
those risks. In emerging areas of practice, where historical claims data is low or non-
existent and liability unclear, quantifying and mitigating those risks are more challenging.
This section identifies and discusses some of the key emerging areas of risk for clinicians
which can lead to medical malpractice claims, including telemedicine, robotic surgeries
and electronic health records.

Telemedicine
Described as “10 years of reform in only 10 days,”146 telehealth usage surged as consumers and providers sought ways to safely access and deliver healthcare during the pandemic.147 In April 2020, overall telehealth utilisation in the United States for office visits and outpatient care was 78 times higher than in February 2020.148 Even after the pandemic surge, telehealth use remains 38 times higher than its pre-pandemic baseline.149 Many of the emergency regulatory changes that facilitated expanded use of telehealth have been made permanent,150 and governments are investing funding into telehealth as it becomes a permanent feature of primary healthcare.151

143 Kevin O’Reilly, “1 in 3 physicians has been sued; by age 55, 1 in 2 hit with suit,” AMA, 26 January 2018, www.ama-assn.org/practice-management/sustainability/1-3-physicians-has-been-sued-age-55-1-2-hit-suit.
144 “Report on Profitability by Line by State in 2020,” National Association of Insurance Commissioners, NAIC, 2021, https://content.naic.org/sites/default/files/publication-pbl-pb-profitability-line-state.pdf.
145 “Fixed recoverable costs in lower value clinical negligence claims: A consultation,” Department of Health & Social Care, January 2022.
146 “Expansion of Telehealth Services,” Australian National Audit Office, 19 January 2023, www.anao.gov.au/work/performance-audit/expansion-telehealth-services.
147 Telehealth involves a patient consulting a healthcare provider remotely when they have determined a physical examination isn’t needed and you can’t see them in person. Services can include diagnosis, treatment and prevention; see generally, www.health.gov.au/topics/health-technologies-and-digital-health/about/telehealth.
148 Oleg Bestsennyy, Greg Gilbert, Alex Harris and Jennifer Rost, “Telehealth: A quarter-trillion-dollar post-COVID-19 reality?” McKinsey, 9 July 2021, www.mckinsey.com/industries/healthcare/our-insights/telehealth-a-quarter-trillion-dollar-post-covid-19-reality (hereafter McKinsey Telehealth). In the UK there was a similar increase from 25% to 71%; see Peter Walker, “All GP Consultations Should Be Remote by Default, Says Matt Hancock,” The Guardian, 30 July 2020, sec. Society, www.theguardian.com/society/2020/jul/30/all-gp-consultations-should-be-remote-by-default-says-matt-hancock-nhs.
149 McKinsey Telehealth (n 148).


Telehealth has allowed more vulnerable areas of the community and those living in
rural and remote areas to have improved access to timely services and is projected to
reach a value of AUD 285.7 billion by 2027.152 The rising demand to expand healthcare
access, the growing incidence and prevalence of chronic diseases, the shortage of physi-
cians and healthcare workforce, developments associated with telecommunications and
cost-benefits of telehealth solutions are just some of the key factors attributed towards the
growth of telehealth and the telemedicine market.153
Against the benefits of increased access to telehealth, and with the potential for a delay in claims, it is possible that the rapid expansion of telehealth during the pandemic and amended regulations and guidelines have created an increased potential for liability and legal issues.154 A probable lack of a long-standing provider-patient relationship and a risk of failure to diagnose a serious disease could lead to increased liability losses.155 Going forward, the increasing use of telehealth is likely to lead to more potential malpractice exposures and subsequent losses for insurers.
Professional liability policies may not include telehealth in the scope of coverage, and simply applying existing principles of malpractice liability to telehealth is not straightforward, especially when it is unclear what an appropriate “standard of care” is.156 Special attention should be given to preventing errors and omissions, negligent credentialing, breaches of privacy and interruptions of service during equipment or technology failures.157
The US Department of Health and Human Services relaxed guidelines on using certain platforms for telemedicine during the COVID-19 pandemic158 as long as the visit is in “good faith” when telehealth is used for any treatment or diagnostic purpose.159 In addition, the guidance states that software supporting video platforms, including Zoom, is allowed for use, but those with social media capabilities (Facebook Live, Twitch) may not be used.160 While specific guidelines, for example, about which software provider may or may not be used, are useful, it will be interesting to see how the use of a “non-compliant” technology may form part of a claim. In Australia, the minimum standard provided is for hardware and software to be of “a high enough quality to provide seamless function to fulfil its healthcare task.”161 How this technology-neutral approach relates to claims is yet to be seen. Information gathered in a telemedicine visit needs to be maintained in the medical record in order to meet the standard of care162 and in an online environment, it will be important for the physician to document any poor connectivity issues or outages.163

150 For example in the United States, The Centers for Medicare & Medicaid Services’ expansion of reimbursable telehealth codes for the 2021 physician fee schedule, in Australia 211 telehealth items were retained permanently (n 143).
151 In Australia the government pledged AUD 106 million over four years to support permanent telehealth services; see www.health.gov.au/ministers/the-hon-greg-hunt-mp/media/permanent-telehealth-to-strengthen-universal-medicare.
152 “Telehealth Market worth $285.7 billion by 2027,” Markets and Markets, 10 March 2022, www.marketsandmarkets.com/PressReleases/telehealth.asp.
153 Ibid.
154 M Balestra, “Telehealth and legal implications for nurse practitioners,” J Nurse Pract., 2018, 14(1), 33–39. doi: 10.1016/j.nurpra.2017.10.003 (hereafter Balestra). See generally, Shilpa Gajarawala and Jessica N. Pelkowski. “Telehealth benefits and barriers.” The Journal for Nurse Practitioners 17, no. 2 (2021), 218–221.
155 “Medical Professional Liability Risks of Telemedicine,” News & Insights, Gallagher, www.ajg.com/us/news-and-insights/2020/may/healthcare-medical-professional-liability-risks-of-telemedicine/.
156 Y T Yang and K B Kozhimannil, “Medication abortion through telemedicine: implications of a ruling by the Iowa Supreme Court,” Obstet Gynecol. 2016, 127(2), 313–316. doi: 10.1097/AOG.0000000000001251.
157 Balestra (n 154).
158 The Administration’s plan is to end the COVID-19 public health emergency (PHE) on 11 May 2023, see “HIPAA flexibility for telehealth technology,” Telehealth, Health and Human Services (HHS), https://telehealth.hhs.gov/providers/policy-changes-during-the-covid-19-public-health-emergency/hipaa-flexibility-for-telehealth-technology/.
159 “OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency,” Department of Health and Human Services, https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html.

Medical professionals providing virtual consultations must work harder to reduce liabil-
ity exposures. In an expanding area with many unknowns, insurance carriers are taking
a role in risk prevention. Norcal, for example, provides a page of advice to reduce liabil-
ity and compliance risks.164 TDC Group set out a range of videos, “Telehealth, Lessons
Learned,” which feature patient safety leaders and risk management experts who provide
guidance and practice management and cover legal and technical issues.165
It is difficult for insurers to predict the type of healthcare services that will be provided
by telehealth in the coming years and the severity of claims. However, given that the larg-
est percentage of claims are caused by misdiagnosis, failure to treat and prescription drug
errors, there is a high probability that these errors will be carried out as part of telehealth
consultations.166
The rapidity with which telehealth has taken off has meant that medical malpractice insurance policies have been playing “catch-up.” Due to the potential risks, many insurance policies have an exclusion for telehealth if there is no pre-existing clinical relationship with the patient. Yet changes in rules during COVID-19 have not only allowed167 but also encouraged clinicians to provide telehealth consultations with new patients but have not, it seems, provided any immunity from liability, in contrast to the forms of indemnities and immunities from liability provided to administer COVID-19 vaccines.168

160 For the technology considerations, see, “HIPAA flexibility for telehealth technology,” Telehealth, Health and Human Services (HHS), https://telehealth.hhs.gov/providers/policy-changes-during-the-covid-19-public-health-emergency/hipaa-flexibility-for-telehealth-technology/.
161 “AMA Guidelines, 10 Minimum Standards for Telemedicine,” AMA, 31 March 2021, www.ama.com.au/articles/10-minimum-standards-telemedicine.
162 H K Bruhn, “Telemedicine: dos and don’ts to mitigate liability risk,” J AAPOS, August 2020, 24(4), 195–196. doi: 10.1016/j.jaapos.2020.07.002. Epub 2020 July 23. PMID: 32712159; PMCID: PMC7376347.
163 “Telehealth Offers Advantages for Practices, But Liability Risks Remain,” Norcal Group, 24 August 2022, www.norcal-group.com/library/telehealth-offers-advantages-for-practices-but-liability-risks-remain.
164 Ibid.
165 “What Not to Do: Telehealth Lessons Learned—a Video Series,” TDC Group and Candello, www.tdcg.com/insights/what-not-to-do-telehealth-lessons-learned/.
166 Graham Neale et al., “Misdiagnosis: analysis based on case record review with proposals aimed to improve diagnostic processes.” Clinical medicine (London, England) vol 11, 4 (2011), 317–321. doi:10.7861/clinmedicine.11-4-317.
167 See www.fsmb.org/ for an overview of how US states modified their telehealth rules and which States continued to provide relaxed requirements.
168 For an international overview of the COVID-19 vaccination immunity schemes and injury compensation programmes, see Flavia Beccia et al., “COVID-19 Vaccination and Medical Liability: An International Perspective in 18 Countries.” Vaccines vol 10, 8, 1275, 7 August 2022, doi:10.3390/vaccines10081275.


It may be that the delay in claims, after the wide adoption of telehealth, is simply because
lawyers do not know (yet) how to value these claims.169
From an underwriting perspective, there are also challenges in pricing the risk. At this
stage, there are few claims, and the methods to capture data about telemedicine claims are
not consistent. Brokers and industry groups have stressed the importance of aligning the
approach to enable a useful data set to be produced, upon which more accurate underwrit-
ing can then be based.170

Robotic surgeries
As with construction discussed above, the use of robots is becoming more prevalent. More than a third of general surgeons performed robotic surgery in 2021, up from 8.7% in 2018, and this number is growing across other surgical specialities.171 According to Intuitive Surgical, the manufacturer of the da Vinci Surgical System, a surgeon needs a minimum of only 20 completed cases to qualify to serve as a proctor,172 yet malfunctions in robotic devices have been blamed for many patient injuries. In most cases, injured patients sue the hospital, healthcare providers and the company that manufactured the robot. A failure to disclose training levels to patients may raise concerns in terms of informed consent should an action be filed.173
The courts examine the circumstances to determine whether faulty programming or a mechanical breakdown caused the injury or whether the surgeon’s improper use of or reliance on the device caused the injury, for example, where a doctor fails to install the most recent software update. Searcy asks the following questions:
If a robotic device injures a patient in surgery, for instance, is the making of the device liable,
or is the doctor who elected to use it? Should liability be based on a negligence standard or
will accountable parties be held to a strict liability standard? Will it matter if a patient was
given a choice about the use of robotic technology in treatment?174

Litigation associated with robotic surgery is extremely complex due to the intermingled relationship between the manufacturer’s duty and the surgeon’s duty. Legal frameworks need to be further developed as surgical robotic systems become increasingly autonomous, and risks that are unique but not rare, and concerning, such as cyber security risks, need to be mitigated.

169 See the discussion in Arnold Mackles, “Stay vigilant about malpractice risks with telemedicine,” Relias Media, 1 February 2022, www.reliasmedia.com/articles/149012-stay-vigilant-about-malpractice-risks-with-telemedicine.
170 See, for example, Bethan Moorcraft, “‘Jury is out’ for how telemedicine will impact medical professional liability,” Insurance Business America, 13 January 2021, www.insurancebusinessmag.com/us/news/healthcare/jury-is-out-for-how-telemedicine-will-impact-medical-professional-liability-243420.aspx.
171 W J Gordon, N Ikoma, H Lyu et al., “Protecting procedural care—cybersecurity considerations for robotic surgery,” npj Digit. Med. 5, 148 (2022). https://doi.org/10.1038/s41746-022-00693-8.
172 Z C Zorn, G Gautam, A L Shalhav et al., “Training, credentialing, proctoring and medicolegal risks of robotic urological surgery: Recommendations of the Society of Urological Robotic Surgeons,” J Urol 2009, 182(3), 1126–1132.
173 Y L Lee, G S Kilic, J Y Phelps, “Medicolegal review of liability risks for gynecologists stemming from lack of training in robot assisted surgery,” Minim Invasive Gyneco 2011, 18(4), 512–515.
174 “When Robot Doctors Injure, Who is to Blame?” Searcy Law, 23 December 2023, www.searcylaw.com/when-robot-doctors-injure-who-is-to-blame/.


Electronic health records


Digitalisation has allowed for the use of electronic health records (EHRs), a digital version of a patient’s paper chart which contains personal information such as medical history, diagnoses, medications and test results. The records are held “securely,” are real-time and make information instantly available to “authorised” users.175 The records and the systems in which they are held can be shared with laboratories and allow access to evidence-based tools that providers can use to make decisions about a patient’s care.
There is a huge push towards electronic health records, with, for example, the UK’s National Health Service (NHS) stating it is committed to implementing electronic health records for all hospitals and community practices by 2025, backed by £2 billion in funding.176 “My Health Record” in Australia is another example.177 The use of EHRs has led to a rise in malpractice claims alleging that EHR use contributed to patient injuries and may give rise to new and unforeseen liability risks for healthcare providers.
Time-saving IT options such as drop-down boxes, auto-population of fields and the
requirement or choice to “copy and paste” information can all contribute to significant
negative patient outcomes and claims for malpractice. Greater access to existing diagnos-
tic data and economic pressures to avoid duplicating tests could, in turn, lead to errors
from inappropriate reliance on outdated or inadequate prior testing, and clinicians may be
faulted for ignoring critical prompts and alerts from decision support features.178
Some examples from a 2019 research paper are described below:

• System and software design: Drug order altered by a decimal point; patient died.
• System malfunction: Multiple reports of system being “down,” staff unable to
access information; in one case, medication reconciliation could not be com-
pleted, resulting in an injurious medication error.
• Routing of electronic data: Order for blood delayed reaching lab; patient expired
before blood arrived.
• Integration problems and incompatible systems: OB patient requested tubal liga-
tion at the time of her fourth planned Caesarean section. Noted on office record
but not integrated with the delivery room system. Covering MD delivered the
baby but did not know/see the request for tubal ligation; patient became pregnant
six months later.179

175 Any electronic records are subject to a data breach and/or cyber attack.
176 “UK govt promises to sink billions into electronic health records for England,” The Register, 30 June 2022, www.theregister.com/2022/06/30/uk_electronic_health_records/. In the United States, Oracle is planning to build a national database of individuals’ health records for the whole of the United States following its $28.3 billion acquisition of electronic health records specialist Cerner; see Sai Balasubramanian, “Larry Ellison’s Latest Ambition: Create A National Healthcare Database,” Forbes, 26 June 2022, www.forbes.com/sites/saibala/2022/06/26/larry-ellisons-latest-ambition-create-a-national-healthcare-database/?sh=59c840015114.
177 www.health.gov.au/contacts/my-health-record.
178 Sharona Hoffman and Andy Podgurski. “E-Health hazards: provider liability and electronic health record systems.” Berkeley Tech. LJ 24 (2009), 1523.
179 M L Graber, D Siegal, H Riah, D Johnston, K Kenyon, “Electronic Health Record-Related Events in Medical Malpractice Claims,” J Patient Saf. June 2019, 15(2), 77–85. doi: 10.1097/PTS.0000000000000240. PMID: 26558652; PMCID: PMC6553982.


As with telehealth-related liabilities, the figures are currently low,180 with electronic health records typically being contributing factors rather than the primary cause of claims, but claims are steadily increasing. As jurisdictions move towards complete adoption, the use of EHRs and reliance on more IT systems will continue to pose the type of risks identified above.

Risk trends in other professions


As set out earlier in this chapter, increased regulation and economic uncertainty are
impacting all professions; however, it is perhaps most prominent in finance professions.
Objectives and aims of clients change quickly during turbulent times and changing mar-
kets. New contracts may not have been drawn up reflecting changes in instructions, addi-
tional tasks and responsibilities. It may be difficult for professionals to demonstrate why
they chose a particular course of action with less comprehensive record-keeping during
stay-at-home orders. And when investment returns or accounting/tax strategies begin to
be stress-tested, the spotlight will often turn back on the professional that provided the
initial advice.

Financial advisers
As with any economic shock, a downturn can create anxiety, fear and trepidation amongst
consumers and prompt them to take a closer look at their investment advisers181 and
re-evaluate not only the provider themselves but also the advice provided.182
In Australia, new compliance and regulatory guidelines have challenged financial advisers
navigating not only COVID-19 requirements but also the need to adapt to new compliance
and regulatory guidelines with heightened education requirements. Furthermore,
increasing PI insurance costs have prompted many to leave the industry altogether.183 As
more experienced advisers leave the industry, they are replaced by less experienced advisers
who have less access to supervision and mentoring.184 Inexperienced advisors who
entered the profession during the pandemic for short-term gain may also contribute to an
increase in the number of PI claims. At the time of writing financial advisors in Australia
are responding to draft legislation designed to recognise the experience of advisers to

180 Figures are 1.1% of all claims closed since 2010. See Darrell Ranum, “Electronic Health Records
Continue to Lead to Medical Malpractice Suits,” The Doctors Group,
www.thedoctors.com/articles/electronic-health-records-continue-to-lead-to-medical-malpractice-suits/; see generally, Mark Graber et al., “Electronic
Health Record-Related Events in Medical Malpractice Claims.” Journal of patient safety vol 15, 2 (2019),
77–85. doi:10.1097/PTS.0000000000000240, www.ncbi.nlm.nih.gov/pmc/articles/PMC6553982/.
181 Lukas R Dean “Examining Asset Flows and Type of Adviser Compensation After an Economic
Downturn,” Journal of Financial Planning Association (United States), March 2019,
www.financialplanningassociation.org/article/journal/MAR19-examining-asset-flows-and-type-adviser-compensation-after-economic-downturn.
182 Ibid.
183 In Australia, regulations introduced to address misconduct before and since the Hayne Royal
Commission are said to have prompted a 40% reduction in the number of licensed financial advisors; see, for
example, Aleks Vivkovich, “Wealth adviser exodus opens door to fraudsters,” AFR, 10 March 2022,
www.afr.com/companies/financial-services/wealth-adviser-exodus-opens-door-to-fraudsters-20220310-p5a3fj. The
Final Report was published in 2019. The United States and the UK are also seeing declining numbers but at a
much slower rate.
184 “One Big Change Could Halt The Mass Adviser Exodus,” Adviser Ratings, 9 March 2022,
www.adviserratings.com.au/news/one-big-change-could-halt-the-mass-adviser-exodus/, which suggests the older,
more experienced advisers who would have remained working part-time have left the industry early after they
were required to pass additional exams. This departure is at the time that experience is needed the most.


arrest the brain drain from the sector, recognising the recent education requirements have
had a negative and unintended effect on the industry by further prompting exodus.
When the UK introduces the new Consumer Duty, the Financial Conduct Authority
will be able to take quicker action when it sees practices that do not deliver the right
outcomes for consumers.185 The reforms will require insurers to deepen their understanding
of the requirements and risks as consumers become aware of, and begin to enforce, their
enhanced rights. The reforms will increase the exposure of financial planners to regulatory
investigations and consumer complaints. This exposure will have an impact on PI
cover, and insurance carriers will need to carefully review and clarify both language and
the likely effect of any exclusions.
Legislative prohibitions on conduct in the financial services industry186 have, in many
jurisdictions, been tightened or are being enforced187 or prosecuted by plaintiff law firms
with greater skill, and with more funds to back them,188 and all the while there is a
continuing focus on adviser’s fees.189 The cost of financial advice has risen 40% over three
years to December 2021.190
PI exposures will also arise from the delivery of financial advice through non-traditional
channels, primarily social media platforms. Although much of that advice would,
most likely, be inadvertent, the tightening of regulations with respect to what comprises
“financial advice” and a growing trend towards a client-oriented approach to the suitability
of a financial product (rather than a more objective approach)191 means that this risk is
likely to increase in the years to come.
In a tightening economic climate, cutting costs and resorting to free advertising using
social media platforms to generate leads192 may also increase liability exposures, as the
line between advice and marketing is blurred. The use of social media platforms, which
expanded rapidly through the pandemic, has given rise to a category of “financial influencers,”
who may unintentionally provide financial advice or find themselves in breach
of local regulations; this has drawn headlines193 and, perhaps, has the ability to erode
the public’s confidence in the broader financial advice profession moving forward. Using

185 PS22/9, www.fca.org.uk/publications/policy-statements/ps22-9-new-consumer-duty.


186 For example, in Australia, see section 12DA of the Australian Securities and Investments Commission
Act 2001 (ASIC Act) and section 1041H of the Corporations Act 2001 (Cth), which both prohibit misleading
conduct in relation to financial services.
187 “The AFCA Approach to misleading conduct,” AFCA, June 2021.
188 Swiss Re (n 92) 8.
189 Michael Taffe, “Most Clients Don’t Know How Much Their Advisor Costs,” Financial Advisor IQ,
23 January 2023, www.financialadvisoriq.com/c/3902134/503124/most_clients_know_much_their_advisor_costs?referrer_module=mostPopularRead&module_order=4.
190 Aleks Vivkovich, “100,000 quit financial advice as fees jump another 8pc,” AFR, 18 April 2022,
www.afr.com/companies/financial-services/100-000-quit-financial-advice-as-fees-jump-another-8pc-20220418-p5ae5t.
191 See, for example, “Giving financial product advice,” ASIC,
https://asic.gov.au/regulatory-resources/financial-services/giving-financial-product-advice/.
192 “4th annual trends report, Financial Advisor Marketing Playbook,” Broadridge, 2023; the research
consists of a quantitative survey of 401 financial advisors conducted in September 2022.
193 Sarah Danckert, “‘Finfluencer’ follower wins nearly $500,000 in court over failed investment,” The
Sydney Morning Herald, 15 October 2021,
www.smh.com.au/business/markets/finfluencer-follower-wins-nearly-500-000-in-court-over-failed-investment-20211015-p59094.html.


messaging platforms also involves risk, particularly with respect to confidential client
information.194
These challenges, combined with the increase in regulation discussed above, could continue
to cause PI capacity to exit the financial adviser market, adding to the “sharp falls
in appetite”195 seen in 2022. To reverse this trend, swift action is required by regulators to
ensure that the regulatory requirements within the financial advice profession are fit for
purpose and achieve a balance between protecting the interests of the person receiving
advice while allowing the financial industry to continue in such a way that liability can be
adequately insured.

Accountants and auditors


Going forward, accountants and auditors will face increased vulnerability to cyber-attacks
and GDPR claims given the large amount of data they hold. Auditors and accountants are
held to a high standard, especially when clients are not financially sophisticated,196 and, as
described above, regulations in the areas of business law and taxation have undergone
several amendments, often with little notice provided for the professional to understand
the changes and put them into practice.
Following the last recession, there was an increase in claims against auditors and
accountants, with claimants alleging a number of failings by auditors and accountants.
Business deals may have failed, loans gone into default and investments not performed
as expected. As a result, many businesspeople, lenders and shareholders are looking for
someone to blame for these business failings. With insolvencies rising, claims will further
increase.197 Professionals such as auditors, who have liability insurance, are an attractive
“deep pocket” from which to recover these losses.198 Claims include negligently failing to
detect fraud of directors (which often increases in times of economic turmoil), negligently
overvaluing assets and, in relation to tax advisers, negligently mis-selling tax schemes
or failing to identify tax exemptions.199 As with previous recessions, claims may emerge a
few years after the onset of the economic downturn.
Auditing deficiencies may also be identified due to a lack of technological competence
by the auditor. By failing to properly apply the latest technology to comb large data sets
for anomalies, auditors may add to their already large workload and reduce their ability to
spot financial misconduct.200 Auditors can deploy artificial intelligence to analyse transactions
and assess them according to their risk. By doing so, they can reduce the use of

194 Alex Padalke, “Morgan Stanley Whacks Staffers with Fines Up to $1M for Text, Messaging Breaches,”
Financial Advisor IQ, 26 January 2023,
www.financialadvisoriq.com/c/3909244/503154/morgan_stanley_whacks_staffers_with_fines_text_messaging_breaches?referrer_module=mostPopularRead.
195 London Market 2022 (n 29).
196 Cam & Bear Pty Ltd v McGoldrick [2018] NSWCA 110; Ryan Wealth Holdings Pty Ltd v Baumgartner
[2018] NSWSC 1502.
197 “Increasing claims against accountants and auditor firms,” Insurance Day, Lloyd’s List, 16 January
2009, https://lloydslist.maritimeintelligence.informa.com/ID029296/Increasing-claims-against-accountants-and-auditor-firms.
198 Stanley Sterna, “Defending third-party audit claims,” Journal of Accountancy, AICPA & CIMA,
www.journalofaccountancy.com/issues/2013/may/20137570.html.
199 See, “Trends update for financial risks and professions,” Thought Leadership, Kennedys, 11 December
2020, https://kennedyslaw.com/thought-leadership/reports/trends-update-for-financial-risks-and-professions/.
200 Ralph Q Summerford, “When auditors aren’t using their professional skepticism, accounting malpractice
claims may rise,” Forensic Strategic Solutions, 25 February 2022,
www.forensicstrategic.com/when-auditors-arent-using-their-professional-skepticism-accounting-malpractice-claims-may-arise/.


time-consuming manual samples for transactions and increase the odds of spotting trends
in the data that can point to fraud.201 Failing to use (or use appropriately) such technologies
may become part of a negligence claim.

Alternative risk transfer structures


What happens when PI insurance is no longer available for a profession? There have been
areas where insurers have come off risk or have limited appetite for certain risks, such as
contractors, construction and financial services professionals.202 When capacity is limited
in certain pockets or cover is no longer commercially available or affordable, there is a
necessary growth in the development of mutuals or government-backed programmes or
the use of alternative risk transfer products, such as captives, to enable some professions,
or larger professional firms, to continue to operate.203
Even before the outbreak of COVID-19, some major insurers were leaving the PI market.204
Nine Lloyd’s syndicates withdrew from the market in 2019 following the Lloyd’s
Performance Management Directive Decile 10 review which found non-US PI was a main
driver of underperformance.205
In a hard market, insurance carriers focus on profitability and may stop writing what
is perceived, predicted or proven to be unprofitable business. This leads to increases in
pricing from the remaining insurance carriers and reductions in the breadth of cover with
increased exclusions, deductibles and other methods to reduce risk for the insurer. For
example, a study found 57% of architects have accepted exclusions related to fire safety in
their PI insurance covers.206 Exclusions limit the type of work the architect can undertake,
narrow the availability of experts working in the area and leave the architect exposed to
historic claims. The limit of cover available may also affect the work that a professional
can take on.
The growth of captives and mutual insurance in the PI insurance market is reflective of
the fragile character of professions. Earlier in this chapter we examined how PI insurance
is an essential part of a profession. As new professions emerge that are either complex or
bespoke or not large enough to warrant the attention of the commercial insurance pool,
other risk transfer options may be either more attractive or, indeed, the only solution.

201 Ibid.
202 For London Market capacity into Australia, for example, see,
www.bellrock.com.au/jan-2023-market-update-professional-indemnity/.
203 A very good illustration of this type of situation is the Texas Windstorm Insurance Association,
which “was established by the Texas Legislature in 1971 in response to regional market conditions following
Hurricane Celia in August 1970.” Its purpose is to insure the Texas coast, so it can remain a vital part of the
state. To qualify for insurance, an applicant must have been denied coverage by at least one authorised insurer.
See www.twia.org/.
204 For example, AIG in 2022; see, www.professionalplanner.com.au/2020/02/pi-insurance-woes-to-continue-another-2-years/,
and AIG withdrawing from the UK market in 2019, see,
https://todaysconveyancer.co.uk/exodus-continues-another-pi-insurer-escapes-hardening-market/.
205 See Isobel Rafferty “Lloyd’s of London won’t ‘tolerate loss making syndicates’,” Insurance Times,
13 September 2021, www.insurancetimes.co.uk/news/lloyds-of-london-wont-tolerate-loss-making-syndicates/1438796.article.
206 Will Ing, “Insurance crisis: a ticking timebomb for architects,” Architects Journal, 28 January 2021,
www.architectsjournal.co.uk/news/insurance-crisis-a-ticking-timebomb-for-architects (hereafter Ing).


Captives
When a market hardens, captives may spring up in larger organisations as a way of managing
premium increases. Aon observes that:
Large risk clients are considering increased retentions to offset the premium increases, and
often using captives. The increased retentions tend to only affect the premiums for primary
coverage, this is another reason why premium/rate increases on excess layers oftentimes are
higher than the primary coverage.207

Captives may also give larger organisations more control over the way in which claims are
processed and assist with the management of their client stakeholders. Aon observes that:
“with the growth of the lateral market, firms are paying more attention to maintaining a
stable environment for their partners, and captives may be one additional tool to do so.”208
In an increasingly complex regulatory environment where stakeholder management
is key, it is expected that captives will remain a popular form of risk transfer for larger
professional organisations.

Mutuals
Mutuals increased in the same way in the 1980s after many municipalities (some whose
only option was to tear “down all jungle gyms and slides over 6½ ft. high and cart them
out of the city’s 513 playgrounds”209) were unable to obtain open market insurance.
Operations for these municipalities could only continue after joining the mutual insurance
groups.210 Following the insurance crisis, 40% of medical malpractice insurance was
written by doctors’ small mutual or captives in the 1980s.211 According to one report,
“Generally speaking, since the financial crisis regulators and policymakers have come
to recognise the benefit of diverse organisational forms in financial sectors, and this has
boosted the appreciation of mutuals.”212
Based on analysis from the International Cooperative and Mutual Insurance Federation
(ICMIF), mutual insurers account for approximately 27% of the global insurance industry
market share.213 Over 5,000 mutual, cooperative and member-owned insurers generated
$1.3 trillion in gross written premiums in 2017 and achieved a 30% growth in premiums
in the ten-year period since the onset of the financial crisis (2007 to 2017), compared to
17% growth of the total global insurance industry.214

207 AON, “Recovery Amidst Recession? Design and Construction Professional Liability Sentinel,” AON,
Issue 20: Q4 2022, 22,
www.aon.com/risk-services/professional-services/recovery-amidst-recession-design-and-construction-professional-liability-q4-2022.
208 David Christensen, “How are law firms using captives?” Aon Insights, February 2020,
www.aon.com/risk-services/professional-services/how-are-law-firms-using-captives.jsp.
209 George C Church, “Nation: Sorry, your policy is cancelled,” TIME, 21 June 2005, 10,
https://content.time.com/time/subscriber/article/0,33009,1075044-10,00.html (hereafter Church).
210 George L Priest, “The current insurance crisis and modern tort law.” Yale L.J. 96 (1986), 1521 at 1522
(hereafter Priest).
211 Patricia M Danzon, “Liability and liability insurance for medical malpractice.” Journal of Health
Economics 4, no. 4 (1985), 309–331, cited in Priest (n 203).
212 “Mutual insurance in the 21st century—back to the future?” Sigma, Swiss Re, No 4 2016, 8,
www.icmif.org/mutual-insurance-in-the-21st-century-back-to-the-future/.
213 “Global Mutual Market Share 10,” ICMIF, February 2019, Foreword,
www.icmif.org/global-mutual-market-share-10/.
214 Ibid, 2.


Some mutuals are profession-wide, for example, those covering barristers and solicitors.
Others are limited in scope, set up by groups which presumably consider that they
are low risk and that they can save money by withdrawing from the insurance market.215
These types of profession-wide mutuals may be detrimental, however, to capacity by
removing large amounts of business from commercial insurers, thus potentially threatening
the availability of some carriers in respect of this line of business.216 Limited mutuals
and self-insurance may also be detrimental to the market by removing low-risk insureds
from the market, leaving a pool of risks containing a disproportionate number of
high-risk insureds.217

Other risk transfer mechanisms


Recently there has been a distinct trend toward the use of risk transfer mechanisms or
arrangements which arise from particular sets of circumstances, for example, as set out
above, in the construction industry where project-specific or individual project insurance
is taken out to avoid the potential patchwork of covers (and exclusions) that are otherwise
held by the various building professionals. Project-specific insurance is:
a model of insurance and procurement that its supporters claim ends buck-passing and
encourages collaboration between a project team. But it is currently only seen as effective for
larger projects that carry a lot of risk. Insurers are generally uninterested in pricing up lots
of medium-sized jobs and are put off by project insurance typically lasting 20 years—during
which time building regulations and requirements could get tougher, prompting pay-outs.218

The combustible cladding crisis and the pandemic have also shown us that governments
will also step in as an insurer where the circumstances require. Examples are the
government-backed PI insurance scheme for EWS1 assessors in the UK219 and the COVID-19
indemnity scheme for general practitioners and health professionals in Australia.220 The
difficulty with government-backed schemes, however, is that they are subject to political
forces. History contains examples of this, for example, where government entities would
not or could no longer pay premium increases for day care centres, which were forced to
close,221 or an example where some cities removed all playground equipment from their
public parks.222 Ultimately, history suggests that governments may step in to absorb some
of the shock from events with large-scale impacts; however, the PI market ultimately
adapts and fresh capital begins to flow back in.

215 Peter Cane, “Liability Rules and the Cost of Professional Indemnity Insurance.” Geneva Papers on
Risk and Insurance (1989), 347–359, 356.
216 Ibid.
217 Priest (n 211).
218 Ing (n 207).
219 “New Government backed professional indemnity insurance scheme for EWS1 assessors to be delivered
by MGAM and SCOR,” SCOR, 28 June 2022,
www.scor.com/en/news/new-government-backed-professional-indemnity-insurance-scheme-ews1-assessors-be-delivered-mgam.
220 Greg Hunt, “COVID-19 indemnity scheme to protect health professionals and patients,” 2 July 2021,
www.health.gov.au/ministers/the-hon-greg-hunt-mp/media/covid-19-indemnity-scheme-to-protect-health-professionals-and-patients.
221 Wall St. J., 21 January 1986, at 31, col. 1, cited in Priest (n 203).
222 Church (n 209).


The impact of technology


While technology already plays a significant role in PI insurance, in the coming years it is
likely to grow exponentially: Professions will capture their data more accurately for their
insurance proposals, underwriting tools will be more accurate in pricing risks using datasets,
modelling and AI, and PI claims will be processed more efficiently. AI will be used
as part of the underwriting process to detect and prevent non-disclosure prior to insurers
going on risk. Technology will be used to process claims more efficiently, although there
are unique challenges for automation in a PI context.

The rapidity of change


Widespread adoption of a form of technology within a profession may alter the risk profile
of the profession. To use a simple example, the mandated use of electronic records and
platforms to perform conveyancing may eradicate claims arising from misplaced records.
The adoption of technology as an industry standard, though, cuts both ways. Those who
fail to employ and use technology may fall behind and find themselves exposed to claims.
For example, in a case in the United States, a court found that a broker ought to have properly
estimated the replacement value of a client’s premises by “using a computer program
and his visual inspection of the property to assist him.”223
Many lines of insurance and reinsurance are being shaken up by technological developments.
Distributed ledger technology is being used to create new products and to provide
insurance and reinsurance, such as: “Re, a blockchain-powered reinsurance company
… [which] aims to fill a function similar to the Lloyd’s of London insurance market.”224
These new forms of technology are often applied first to lines of insurance where there is
high volume and high-frequency, such as home and motor insurance. Applying new forms
of technology, such as automation, to traditional forms of insurance such as PI involves
more complex dynamics and different challenges.
An Accenture report in 2022 identified that insurers are some way behind other industries
in terms of using AI,225 and “Accenture calculates that unless AI is embraced to
improve customer retention, $250 billion in premiums is at risk over the next five years
across the insurance sector, creating winners and losers.”226

Technology in underwriting
Successful underwriting generally involves capturing a large volume of relevant information,
which is then translated into risk and dictates the terms upon which the insurer is

223 Ambroselli v C.S. Burrall & Son, Inc., 932 F. Supp. 2d 431, 435 (W.D.N.Y. 2013).
224 Will Canny, “Blockchain-Powered Reinsurer Re Raises $14 Million Seed Round to Build Decentralized
Market,” 4 October 2022, CoinDesk,
www.coindesk.com/business/2022/09/28/blockchain-powered-reinsurer-re-raises-14-million-seed-round-to-build-decentralized-market/.
225 See, “Why AI in Insurance Claims and Underwriting? Improving the Insurance experience,”
Accenture, 2022,
www.accenture.com/content/dam/accenture/final/accenture-com/document/Accenture-Why-AI-In-Insurance-Claims-And-Underwriting.pdf#zoom=40
cited in “Insurance industry yet to fully embrace AI benefit: Accenture,” Insurance News, 29 August 2022,
www.insurancenews.com.au/insurtech/insurance-industry-yet-to-fully-embrace-ai-benefit-accenture (hereafter Accenture).
226 Ibid, generally see Chapter 2.


willing to bind cover. A report from Deloitte identifies the problem with using manual
systems:
Underwriters using legacy platforms are increasingly weighed down with several unproductive
tasks, such as manually compiling information from disparate sources and interfacing
with multiple systems. The result is often lost productivity and higher costs. Solutions utilising
intelligent, automation, including AI, can process repetitive tasks more efficiently, while
freeing up underwriters time, and supporting them to perform, more value added tasks.227

A report from Accenture sets out the benefits of utilising AI within the underwriting func-
tion, as follows:
AI enhances underwriting funnel metrics (e.g., submission to quote, quote to bind) with intelligent
submission ingestion, data enrichment, triage, and appetite and propensity to bind scoring.
AI-powered analytical models and profitability insights can help underwriters determine
which submissions to pursue, more quickly assess their quality and win propensity, and better
prepare for price negotiation. In addition, AI helps underwriters assess risk and identify
cross-selling opportunities through analysis of similar accounts/risks in the portfolio.228

Automation of some aspects of underwriting, however, presents challenges in the PI context
due to the very specific nature of disclosure requirements. As set out earlier in this
chapter, most PI policies are written on a “claims made” basis. This means that a professional
provides services and then there is an intervening period where a new insurer will
come on risk prior to a claim being made. In this relatively common scenario, it should
come as no surprise that many of the significant insurance coverage disputes in the PI
space relate to non-disclosure—that is, whether the professional has made proper disclosure
to the insurer of relevant matters before the insurer accepted the risk. In many
jurisdictions, legislation229 has developed to address disclosure issues.
The best way to prevent a non-disclosure issue from arising is to match, with precision,
the knowledge of the insurance buyer with the expectation of the carrier, before the cover
is bound. In the first instance, the “knowledge” component of the insurance buyer may be
largely subjective and therefore it appears to be difficult to automate a process around it.
That said, AI is developing more and more ways to accommodate matters that appear at
first instance to be largely subjective. If, for example, a carrier was able to access a broad
dataset (there are, of course, privacy issues here, which are discussed elsewhere in this
book230) and used natural language processing (NLP) cast across that dataset, the prospect
of a claim being made against a particular prospective insurance buyer may be more readily
discernible.231
Most PI claims are settled, so there is a lack of reliable industry-wide data about the
frequency, size and basis of PI claims. A comment raised in a 1989 article explains that,
in relation to PI premiums and exclusions, “the PI market is relatively small and given
the diversity of professions and risks covered, detailed information which is statistically
significant and reliable enough to justify meaningful adjustments of individual premiums

227 “The rise of the exponential underwriter,” Deloitte Insights, 2021, 6,
www2.deloitte.com/content/dam/insights/articles/6794_CFS-Exponential-underwriters/DI_Rise-exponential-underwriter.pdf.
228 Accenture (n 226).
229 In Australia, for example, see section 21 of the Insurance Contracts Act 1984 (Cth).
230 See Chapter 2.
231 As set out in Chapter 2, NLP not only captures historical data, it also captures patterns and trends.


must be hard to come by.”232 That situation has changed dramatically since 1989, but there
is still some way to go. The development of AI and its application to the question of disclosure
in PI policies will be an area to watch. Obtaining uniform and comprehensive
datasets for underwriters to access, though, will be the key to future automation.

Technology in claims
Automation of claims processing is now well advanced, particularly in the casualty claims
space.
Clyde & Co’s AI casualty claims solution “Newton,” for example, “has the ability to
‘read’ 99% of all documents required for claims evaluation and can automatically produce
valuations for 89% of employers’ liability and public liability claims.”233
Technology assisted review is used and accepted by insurers and courts,234 and many
aspects of the claims-handling process that previously required a large volume of manual
work are now capable of being automated. There are significant benefits, with Accenture
reporting:
With claims indemnity representing approximately 60 to 70 percent of the economics of P&C
insurers, decision accuracy is the highest impact lever. AI-driven intelligent solutions can provide
decision support to claims adjusters and reduce leakage by assisting with coverage determination,
informing litigation strategies, plans/budgets and counsel selection, proactively
monitoring and escalating open inventory, and detecting fraud throughout the process.235

In PI claims, however, there is one common feature that presents challenges to automation,
which is the maintenance of professional reputation. The purpose of PI insurance
is, of course, to indemnify a professional against loss arising from defective advice, not
necessarily to protect a professional’s reputation. Insurance products have been developed
specifically to address professional reputational risk.236 But an intrinsic element of these
claims is often one in which the professional standing of the insured is put in issue and
needs to be maintained as an essential part of the defence to a claim. So while aspects of
a PI claim will see more and more automation—document review, checking for fraud and
calculating ranges of damages, to name a few—the “human” element is likely to resist
technology and automated processing of claims for some time to come.

Conclusions
The forward-looking aspects of the PI insurance market have never been so important.
It will take a continued effort and collaboration between all stakeholders to monitor and
respond to new claims trends and new technologies, and to prepare for the future.

232 Priest (n 211).


233 See, “Clyde & Co Newton,” Clyde & Co, www.clydeco.com/en/expertise/products/casualty-innovation.
234 See the Australian example of McConnell Dowell Constructors (Aust) Pty Ltd v Santam Ltd &
Ors [2016] VSC 734, with further commentary available at, “The first Australian case to endorse the use of
technology assisted review for discovery … and it won’t be the last,” KordaMentha, 15 November 2018,
https://kordamentha.com/insights/first-australian-case-to-endorse-tar-review.
235 “Fuel the future of insurance,” Accenture, 2022,
www.accenture.com/content/dam/accenture/a-com-no-follow-no-index/document/Accenture-Fuel-Future-Insurance-Technology.pdf?elqcst=272&elqcsid=2453.
236 See, for example, “Reputational Risk and Crisis Management,” Marsh,
www.marsh.com/ie/services/risk-consulting/products/reputational-risk-crisis-management.html.


Regulators will need to step up and continue to acknowledge that PI insurance is a critical
piece of infrastructure that has a continuing and evolving application to both existing
and emerging professions. In some areas, further regulation may be needed to deal with
the forms of crisis, or professions will need to look to alternative structures to continue
to operate.
The shifting sands underfoot have been difficult to navigate over the past few years, and
things will continue to be difficult to navigate in the years to come as new risks emerge
post-pandemic and the geopolitical and economic climate continues to change. But the
more fundamental changes within the PI insurance market are more likely to come from
social trends and from technology. Social inflation is likely to stay around and increase
until it is curbed, whether by legislation or by other means. Emerging technologies including
big data and automation will continue to develop and will enable market participants
to do business more efficiently and improve the accuracy of risk pricing for PI underwriters.
And, as set out in this chapter, while there are some significant challenges to overcome
with applying some of those technologies to PI insurance claims, if developments
continue apace, then many of those challenges may be overcome in a few short years.

Chapter 13

Pandemics and Insurance


Gary Meggitt

CONTENTS
Introduction
The nature of business interruption insurance
Purpose
Who and what is covered
Duration and indemnity
Exclusions
Summary
Business interruption insurance and COVID-19 claims
Impact of COVID-19
United Kingdom
United States
Australia and other common law jurisdictions
Summary
Business interruption insurance and future pandemics and catastrophes
Extending BII cover
Private pandemic risk insurance
The Lloyd’s proposals
The US Pandemic Risk Insurance Act
Summary
Conclusions

DOI: 10.4324/9781003319054-13



Introduction
“A pandemic is inevitable.” Those were the opening words of the Lloyd’s of London report
“Pandemic: Potential insurance impacts” published in May 2008.1 It referred to several
pandemics of the past, including the 1918 influenza outbreak, and others of the (then)
future.2 The potential threats included a SARS variant, albeit the greatest danger was perceived
to be from influenza or MRSA. The report then discussed the measures in place
to deal with such future pandemics; their consequences for society, the economy and the
insurance industry; and concluded:
Many classes of business will be affected by a pandemic. Clear cut cases include life and health
insurance. Other forms of cover including D&O, General Liability, Medical Malpractice
and Event Cancellation policies may be affected depending on policy wordings and legal
judgements.

Prophetic words. Ones echoed by many others prior to the outbreak of the COVID-19
pandemic but which produced little tangible action, not least in the development of pandemic
risk insurance for businesses.3 Only a handful of such policies were produced by
the industry and those which were available engendered little interest among would-be
policyholders. Why? Many insurers were allegedly reluctant to offer such cover because
the—often huge—losses associated with pandemics arise from uninsurable correlated
risks. Such risks, including floods or earthquakes and other natural catastrophes,4 result in
multiple losses in the same geographic area at approximately the same time. This makes
estimating potential payments to policyholders and, in turn, setting appropriate premiums
exceptionally difficult. Pandemic risk cover is even more problematical than other forms
of NatCat cover because the—usually far greater—multiple losses are not restricted to a
particular geographical area and may continue for months or years.
Yet, despite such difficulties, some pandemic risk insurance policies do exist. For
example, a parametric pandemic risk insurance product, PathogenRX, was developed
by Marsh, Munich Re and Metabiota and introduced to the market in May 2018, but it
seems that almost no one was interested in buying.5 The reason is that many potential
policyholders apparently viewed such cover as an unnecessary expense given the perceived
low probability of it being called upon. A costly misconception! Interestingly, one
of the few policyholders to obtain any form of pandemic cover was the All-England Lawn

1 The report is available at www.lloyds.com/news-and-insights/risk-reports/library/pandemic-potential-insurance-impacts.
2 The report defined a pandemic as “An epidemic (a sudden outbreak) that becomes very widespread and
affects a whole region, a continent, or the world.” There is no agreed definition of pandemic, see “Epidemic,
Endemic, Pandemic: What are the Differences?” (Mailman School of Public Health, 19 February 2021) available
at www.publichealth.columbia.edu/public-health-now/news/epidemic-endemic-pandemic-what-are-differences.
3 The chapter uses the terms “pandemic risk insurance” and “pandemic risk cover” to refer to policies
which, like business interruption insurance, are designed to cover losses suffered by commercial enterprises
and the like. The former has, among other things, the virtue of being used in the proposed US Pandemic Risk
Insurance Act (PRIA).
4 Commonly referred to as “NatCat” risks.
5 R Banham, “This Insurance Would Have Helped in Coronavirus Crisis But Nobody Bought It,”
(Insurance Journal, 3 April 2020) www.insurancejournal.com/news/national/2020/04/03/563224.htm. It has
also been reported that only one policy was sold prior to the onset of the pandemic, see E Ratliff, “We Can
Protect the Economy from Pandemics. Why Didn’t We?” (Wired, 16 June 2020)
https://www.wired.com/story/nathan-wolfe-global-economic-fallout-pandemic-insurance/.


Tennis and Croquet Club Ltd (AELTC). The host and organiser of the Wimbledon tennis
championships consequently received a payment of £114m from Lloyd’s (and others) upon
the cancellation of its 2020 annual tournament.6 By contrast, a group of English Premier
League (EPL) football clubs have resorted to proceedings against Allianz, Aviva, Zurich
and others for compensation under their, presumably non-pandemic risk specific, events
cancellation or business interruption insurance (BII) cover to make good their losses from
the chaotic 2019–20 season.7
Indeed, in the absence of a specialist pandemic risk product—a problem commonly
referred to as a “coverage gap”—BII policies have borne the brunt of COVID-19 pandemic-related
claims. While there have been some, and there may be more, professional
negligence claims against solicitors, insurance brokers and others in relation to the
pandemic,8 most of the insurance industry’s estimated US $44 billion global losses from
COVID-19 are in relation to businesses which were adversely affected by anti-pandemic
government measures such as “lockdowns.”9 Intriguingly, despite the terrible human toll
exacted by COVID-19, life insurers have, in Rachel Hillier’s words “been largely unaffected
by the pandemic.”10 She suggests that this is a consequence, in part, of the fact that
most purchasers of life cover are relatively young (i.e. people covering their mortgages)
while COVID-19 fatalities have largely been among the older generations who do not seek
such cover. Simple, blunt, cruel demographics.
It is in light of this appalling toll on lives and livelihoods that this chapter considers the
challenges faced by the insurance industry, and especially by those who provide BII cover,
to future “inevitable” pandemics.11 It looks, first, at the nature of BII cover across several
markets. It then examines the most significant judgments from the UK and other common
law jurisdictions on the response of BII cover to pandemic-related claims. Next, it considers
the role of BII cover and the development of forms of private or public pandemic cover
in the future. It concludes with an assessment of the likelihood of the pandemic “coverage
gap” being closed before the next outbreak.

6 See J Piggott and J Richmond, “Court coverage: insuring against the impact of COVID-19 on major
sporting events and suppliers,” www.linklaters.com/en-hk/insights/blogs/sportinglinks/2020/june/court-coverage-insuring-against-the-impact-of-covid-19-on-major-sporting-events-and-suppliers.
7 See Y Kotoulas, “Top Premier League clubs to pursue BI claim against major insurers,” (Insurance
Times, 19 May 2022) www.insurancetimes.co.uk/news/top-premier-league-clubs-to-pursue-bi-claim-against-major-insurers/1441208.article.
8 See C Laird, “Post COVID-19 UK: What Will the Professional Negligence Claims Landscape Look
Like?” (RPC, 28 June 2022) www.rpc.co.uk/perspectives/professional-and-financial-risks/post-covid-19-uk-what-will-the-professional-negligence-claims-landscape-look-like/.
9 See “COVID-19 loss of $44 bln is 3rd largest catastrophe cost to insurers—Howden,” (Reuters, 5
January 2022) www.reuters.com/markets/commodities/covid-19-loss-44-bln-is-3rd-largest-catastrophe-cost-insurers-howden-2022-01-04/.
10 See R Hillier “The Legal Challenges of Insuring Against a Pandemic,” M del Carmen Boado-Penas, J
Eisenberg and S Sahin (Ed) Pandemics: Insurance and Social Protection (Springer, 2021).
11 There is a general expectation of such future pandemics by those in the scientific community. See
Jones, K E, Patel, N G, Levy, M A, Storeygard, A, Balk, D, Gittleman, J L and Daszak, P (2008). “Global
trends in emerging infectious diseases.” Nature 451 (7181), 990–993; Smith, K F, Goldberg, M, Rosenthal, S,
Carlson, L, Chen, J, Chen, C and Ramachandran, S (2014) “Global rise in human infectious disease outbreaks.”
Journal of the Royal Society Interface, 11 (101), 20140950; and Jon Hilsenrath, “Global Viral Outbreaks Like
Coronavirus, Once Rare, Will Become More Common.” (Wall Street Journal, 6 March 2020)
www.wsj.com/articles/viral-outbreaks-once-rare-become-part-of-the-global-landscape-11583455309.


The nature of business interruption insurance


As a preliminary point, it should be understood that most BII cover throughout the world
is written in either the UK or US form (the particulars of which are dealt with below). It
should also be appreciated that the UK and US insurance markets are the first and fourth
largest in the world.12 Consequently, this chapter concentrates on these two jurisdictions
with additional consideration given to other common law jurisdictions.13 That is not, of
course, to suggest that the impact of the pandemic on other common law or civil jurisdictions
is of no consequence. It simply reflects both the reality of the insurance market and
the fact that the interpretation of BII wordings by US and UK courts may have consequences
beyond those jurisdictions, even when a policy is being considered by a court in,
say, Norway, Poland or India.14

Purpose15
It is long-established English law that an ordinary insurance policy, such as a property policy,
will not cover lost profits or markets.16 BII cover is a species of financial insurance (or
insurance against pecuniary loss) that arose, in part, as a consequence of this lacuna.17 It
is intended to place a policyholder into the financial position it would have enjoyed had its
business operations not been disrupted by an insured peril. It is difficult to determine the
number of businesses that actually have current BII cover, albeit Jill Bisco suggested that
only 29% of small businesses in the United States were covered as of 2017, and Frances
Stebbing reported that 50% of UK businesses were underinsured in terms of BII cover in
mid-2022.18
As will be seen below, insurers have argued that the “purpose” of BII cover is not
the automatic protection of policyholders against pandemics such as COVID-19 but only
against specific insured perils, which may or may not include pandemics depending upon
the wording of the BII policy in question. Policyholders have, unsurprisingly, argued the
contrary and demanded recompense from insurers for their COVID-19-related losses.

12 See “Top Ranking the World’s Largest Insurance Markets” (BeInsure, 14 July 2022)
https://beinsure.com/top-ranking-the-worlds-largest-insurance-markets/.
13 A useful comparison of BII coverage across a number of jurisdictions is available at Chapter 10 of D
Glynn and T Rogers Riley on Business Interruption Insurance 11th ed (Sweet & Maxwell 2021), referred to
hereafter as Riley, the leading UK legal text on business interruption insurance.
14 Insurers in all three jurisdictions adopt the UK BII wording.
15 See Riley Chapters 1 and 2 for a detailed discussion of the purpose of BII cover and an overview of
policy wordings.
16 See Re Wright & Pole (1843) 1 Ad. & Ed. 621, Theobold v Railways Passengers Assurance Company
(1854) 10 Exch 45 and Lewis Emanuel & Son Ltd v Hepburn [1960] 1 Ll Rep 304. The principle also applies in
other common law jurisdictions.
17 In addition to Riley, mentioned at n 13 above, see also Chapter 24. Financial Insurance in R Merkin
Colinvaux’s Law of Insurance 12th ed (Sweet & Maxwell, 2019) and Chapter 31. “Insurance against Pecuniary
Loss” in J Birds, B Lynch and S Paul MacGillivray on Insurance Law: Relating to all Risks Other than Marine
15th ed (Sweet & Maxwell, 2022) for a discussion of the various forms of financial insurance. Chapter 15.
Business Interruption Insurance in Ö Gürses The Insurance of Commercial Risks: Law and Practice 5th ed
(Sweet & Maxwell, 2017) is also helpful. Another, short, introduction to BII cover from a US point of view is
given in Miller, A G (1975). Business interruption insurance, legal primer. Drake Law Review, 24 (4), 799–808.
18 J M Bisco, S G Fier, D M Pooser, “Business Interruption Insurance and COVID-19: Coverage and Issues
and Public Policy Implications,” Journal of Insurance Regulation, vol 39, no. 5, 1–24, and F Stebbing “Brokers
urged to be proactive amid concerns half of businesses are underinsured” (Insurance Post, 24 June 2022).


Beyond this specific issue of pandemic coverage, the important questions for consideration,
as with any insurance policy, are:
(i) The identity of the policyholder (i.e. who or what is covered);
(ii) The insured perils (including extensions);
(iii) The duration of cover;
(iv) The measure of indemnity; and
(v) Any exclusions or other limitations to the cover.
The answers to these questions are almost invariably found in the wording of the policy,
a point which will be emphasised throughout this chapter. These questions will now be
addressed, briefly, in general terms before being examined in the context of the COVID-19
pandemic.

Who and what is covered


In the UK, BII cover usually forms part of the policyholder’s19 commercial property policy
(which is usually written on an “All Risks” basis) rather than being purchased separately
as a freestanding policy.20 Consequently, the primary insured peril in BII cover tends
to be some form of physical damage or disruption, such as a fire or flood, to the policyholder’s
business premises.21 The necessity for physical damage was emphasised recently
in TKC London Ltd v Allianz Insurance Plc.22 The policyholder’s café was insured under
an All Risks policy which covered “Damage to Property Insured at the Premises,” with
“Damage” defined as “Accidental loss or destruction of or damage to Property Insured.”
BII cover was in place for:
Loss resulting from interruption of or interference with the Business carried on by the Insured
at the Premises in consequence of an event to property used by the Insured at the Premises for
the purpose of the Business.

An “event” was defined here as “Accidental loss or destruction of or damage to property
used by the Insured at the Premises for the purpose of the Business.” There were
also exclusions for “loss caused by or consisting of inherent vice, latent defect, gradual
deterioration.”23 The café’s closure during the UK’s first COVID-19 “lockdown” in

19 It is vital that the policyholder, or “insured,” is correctly identified in the policy wording, especially
when one is dealing with parent companies and their subsidiaries. It is also vital to identify the nature of the
policyholder’s business operations and the insured premises in the policy wording.
20 It is a standard provision in BII cover that there is an underlying policy in place which covers material
damage. Consequently, avoidance of, or repudiation of liability under, this underlying policy will prohibit
recovery under the BII cover.
21 Numerous English cases have considered what does or does not amount to “physical damage” for the
purposes of insurance cover and in tort, including Quorum v Schramm [2002] 1 Lloyd’s Rep 2492, Pilkington
United Kingdom Ltd v CGU Insurance plc [2004] 1 Lloyd’s Rep IR 891 and Network Rail Infrastructure
Limited v Simon Handy [2015] EWHC 1175. In Rothwell v Chemical & Insulating Co. Ltd [2008] 1 AC 281,
Lord Hoffmann remarked “Damage in this sense is an abstract concept of being worse off, physically or economically,
so that compensation is an appropriate remedy.”
22 [2020] EWHC 2710 (Comm).
23 See also Midland Mainline Ltd v Eagle Star Insurance Co Ltd [2004] All ER (D) 499 which arose from
the disruption to train services following the imposition of emergency speed restrictions after the Hatfield rail
disaster. “Wear and tear,” which was excluded under the train operator’s policy, was held to be a proximate
cause of its loss of profits, hence there was no recovery under the policy.


2020 led to the loss of its food stock. It was held that this loss was a “deterioration” rather
than accidental loss, destruction or damage. The claim for the lost stock therefore failed.24
UK BII cover is often extended to losses which result from secondary insured peril
“triggers” beyond physical damage to the policyholder’s property or premises, albeit such
secondary triggers usually relate to the policyholder’s premises or their immediate
physical environs. Such secondary triggers are, as will be seen, at the heart of much of
the litigation relating to BII cover for COVID-19-related losses. Some insurers provide
additional cover for other, more esoteric, insured perils. One Hiscox UK policy, for example,
covers the costs and expenses incurred by policyholders resulting from “employees
resigning from employment with you during the period of insurance as a direct consequence
of their securing a win in a lottery.”25 Some insurers also provide BII cover in the
event that one or more of the policyholder’s suppliers or customers suffers from an insured
peril, which can be vital to those policyholders that are reliant on one or a few manufacturers,
suppliers of raw materials or customers (i.e. for the bulk of their sales).26
In the United States, the Insurance Services Office’s “ISO Business Income (and Extra
Expense) (BIEE) Coverage Form (CP 00 30 10 12)” is apparently the most widely-adopted
form of BII policy wording, albeit some businesses purchase policies based on the
“ISO Business Owners Policy (BOP)” wording.27 Other policies are, of course, available.
The coverage in the former is set out thus:
We will pay for the actual loss of Business Income you sustain due to the necessary “suspension”
of your “operations” during the “period of restoration.” The “suspension” must be
caused by direct physical loss of or damage to property at premises which are described
in the Declarations and for which a Business Income Limit of Insurance is shown in the
Declarations. The loss or damage must be caused by or result from a Covered Cause of Loss.

The BII cover in the BOP wording is also predicated on “direct physical loss of or damage
to property at the described premises.” Additional coverage in the BIEE wording is
provided, in a similar fashion to UK BII wordings, for the “action of civil authority that
prohibits access to the described premises (i.e. the insured’s premises) due to direct physical
loss of or damage to property, other than at the described premises.” There are also provisions
in other US BII wordings (but not the BIEE form) for cover in the event of physical
loss or damage to “dependent property” (i.e. to a supplier or customer) or for “contamination,”
which is defined as a “dangerous condition” at the insured premises. The centrality of
“direct physical loss” to both the primary and many of the secondary triggers is notable.28

24 The need for physical loss or damage was also addressed, again in the context of a catastrophe, in the US
cases of United Airlines, Inc. v Insurance Co. of the State of Pennsylvania 385 F. Supp. 2d 343 (S.D.N.Y. 2005)
and Schlamm Stone & Dolan, LLP v Seneca Ins. Co., No. 603009/2002, 2005 WL 600021 (N.Y. Sup. Ct. Mar.
4, 2005), both of which concerned the 9/11 terrorist attacks.
25 The Hiscox UK WD-PROF-UK-PYI(3) 16089 09/19 wording. Available at
https://ascendbroking.co.uk/wp-content/uploads/2020/02/DC565-Hiscox-Business-Wording327850.pdf.
26 Such contingent cover may raise a question over the policyholder’s insurable interest in its suppliers or
customers. See National Oilwell (UK) Ltd v Davy Offshore Ltd [1993] 2 Lloyd’s Rep 582 and Feasey v Sun Life
Assurance Co [2003] EWCA Civ 885, [2003] 2 All ER (Comm) 587.
27 The Insurance Services Office (ISO) was established in 1971 as an advisory and rating organisation for
the US insurance industry. ISO forms were introduced in 1986 but some insurers use their own policy wordings.
The ISO website is available at www.verisk.com/insurance/brands/iso/.
28 A sample of the ISO policy wording is available at www.propertyinsurancecoveragelaw.com/files/file/CP00300402.pdf.
It is worth noting that the “contamination” provision does not necessitate “physical loss or
damage.”


Australian BII policies tend to follow the UK wording in terms of coverage, including
extensions, as do those in India, Ireland and South Africa. US wordings are far less
prevalent outside their “home” country albeit they are used in Canada, Japan and Mexico.

Duration and indemnity


The indemnity period for BII cover is specified in the policy wording and can differ
depending on the nature of the policyholder’s business. In the UK, one year is the standard
duration and the financial loss to the policyholder must be incurred in that period. In
Loyaltrend Ltd v Creechurch Dedicated Ltd,29 the policyholder’s claim for losses arising
from subsidence to its premises actually failed because it neglected to give immediate
notice of the damage to the insurer (as required by the policy), but it was also held that
much of the material damage and business interruption occurred after the period of cover
and, consequently, would have been irrecoverable in any event.
Australia (among others) follows the UK approach with 12-month indemnity periods,
whereas US insurers will usually indemnify the policyholder for what is referred to as the
“period of restoration,” which begins 72 hours after the occurrence of the direct physical
loss and ends when the premises are repaired or rebuilt (or should have been repaired or
rebuilt with “reasonable speed”).30 The expiration of the policy does not terminate this
“period of restoration.”
The indemnity provided to a policyholder under UK BII cover is usually calculated by
reference to the turnover of its business and comprises three elements:
(i) The prime costs—sums that vary according to turnover such as electricity (and
other utilities) and stock purchases;
(ii) Overhead expenses—sums that will not vary according to turnover such as rent,
salaries, insurance premiums; and
(iii) The residual net profit.31
BII cover in the UK is usually written on a “gross profits” basis, which was traditionally
calculated as a combination of net profit and standing charges. New calculations of “gross
profit” have, however, been developed, and much UK BII cover is now written on the
“difference basis,” which is determined by taking the turnover and subtracting the variable
charges. European insurers tend to use the traditional definition of “gross profits”
while US BII cover is written on a “business income” basis or “gross earnings” basis.32
The scope for confusion and conflict, both at the underwriting and claims stage, created
by these varying methods of writing the cover is self-evident.33 Consequently, some
policyholders take out cover which provides an indemnity based on a fixed sum for each
day upon which the business does not operate or a specified percentage of the amount by

29 [2010] Ll Rep IR 466.


30 See Rogers v American Ins. Co., 338 F.2d 240 (8th Cir. 1964), where the policyholder was unable to
recover its continuing losses after the end of the “restoration” period.
31 See Riley chapter 1, para 1.10.
32 See Riley chapter 10 for a discussion of differing BII wordings throughout the world.
33 The UK’s Chartered Institute of Loss Adjusters (CILA) discussed the problem with the use of “gross
profit” or “loss of gross profit” in its 2012 report, Business Interruption Policy Wordings—Challenges
Highlighted by Claims Experience, available at
www.cila.co.uk/cila/downloads/sig-downloads/business-interruptions/files-9/13-bi-policy-wordings/file.


which the policyholder’s turnover falls following an insured peril, subject to an auditor’s
assessment of the loss.34

Exclusions
As previously noted in relation to TKC London Ltd v Allianz Insurance Plc, BII cover
commonly contains a variety of exclusions, including those for latent defects or “wear and
tear.” The Hiscox UK cover mentioned above contains exclusions for losses arising from
numerous perils such as infrastructure failures (e.g. of internet service or utilities), terrorism,
war and fines or penalties. Another limit on cover is imposed by “trends clauses,”
which are intended to prevent the recovery of losses wholly outside the insured peril e.g.
those due to a downturn in the wider economy. A discussion of the operation of these
clauses featured in The Financial Conduct Authority (FCA) v Arch, the leading UK case
on BII cover for COVID-19 pandemic-related losses.35
BII cover also features, as would be expected, a deductible or excess which, as occurred
in the case of Ted Baker Plc v Axa Insurance UK Plc,36 can reduce or even eliminate the
policyholder’s recovery under the cover. Finally, it is common for policies to provide for
voiding of the cover in the event that the policyholder’s business is wound up.37 Australia,
Ireland and other common law jurisdictions tend to follow the UK approach.
The relevant exclusions to US BII cover in respect of the pandemic are a “virus” exclusion,
which the ISO introduced in 2006 following the SARS pandemic, and a “pollution”
exclusion.38 The wording of the former, “Exclusion for Loss Due To Virus Or Bacteria CP
01 40 07 06” (the ISO Virus Exclusion) is “We will not pay for loss or damage caused by
or resulting from any virus, bacterium or other microorganism that induces or is capable
of inducing physical distress, illness or disease.”
The wording goes on to explain that this exclusion does not apply to “fungus,” wet rot
or dry rot but, this aside, the wide-ranging nature of the provision is quite clear. For the
“pollution” exclusion, the ISO defines “pollutants” as any solid, liquid, gaseous or thermal
irritant or contaminant, including smoke, vapour, soot, fumes, acids, alkalis, chemicals
and waste. It does not, however, appear to define “pollution.”

34 This former basis of recovery is commonly referred to as “valued loss of profits” and the latter as
“unvalued loss of profits.” The latter was addressed in Recher & Co v North British and Mercantile Insurance
Co [1915] 3 KB 277. The definitions of valued and unvalued policies generally are given in sections 27 and 28
MIA 1906 respectively. They are also discussed in Kyzuna Investments Ltd v Ocean Marine Mutual Insurance
Association (Europe) [2000] 1 All ER (Comm) 557, Thor Navigation Inc v Ingosstrakh Insurance Co Ltd
[2005] Ll Rep. IR 490 and Quorum A/S v Schramm (Costs) [2002] 2 All ER (Comm) 179 & (Damage) [2002]
2 All ER (Comm) 147.
35 [2021] UKSC 1; [2021] A.C. 649. Hereinafter FCA v Arch. Discussed below.
36 [2015] Lloyd’s Rep. IR 325. Eder J held that the policyholder’s claim in respect of stolen stock would
have failed, irrespective of other problems with it, because the lost profit resulting from each theft fell within
the policy excess of £5,000 “for each and every loss.” The learned judge’s decision was reversed in part by the
Court of Appeal in Ted Baker Plc v Axa Insurance UK Plc [2017] Lloyd’s Rep. IR 682, but this aspect went
unchallenged.
37 The Hiscox UK policy merely states “What is not covered […] your insolvency or the insolvency of your
suppliers, sub-contractors and outsourcers.”
38 See Edward Koch, Randy Maniloff and Margo Meta “Iso Excluded Coronavirus Coverage 15 Years
Ago” (15 March 2020) available at www.whiteandwilliams.com/resources-alerts-ISO-Excluded-Coronavirus-Coverage-15-Years-Ago.


Summary
This relatively brief discussion demonstrates that BII cover is a precise rather than broad
form of insurance, intended to ameliorate the damage done to a policyholder’s balance
sheet by insured perils. Originally, when BII cover was first developed, those insured
perils largely comprised floods, fire and explosions that caused physical damage to a
policyholder’s premises. They have since been expanded, often in a rather ad-hoc and
unsystematic manner, to cover numerous other perils. Yet, at the same time, insurers
have resisted or sought to limit this expansion by way of exclusions for many of the same
potentially costly perils.
Given the growth of insured perils such as cybersecurity risks, NatCats (including pandemics)
and socio-political risks (such as terrorism and mass protests) and the fact that
BII wordings often sit within “All Risks” policies, this haphazard approach to the development
of BII cover on the part of the market was always bound to lead to confusion and
conflict. When many policyholders discovered that their claims would not be met with
respect to the COVID-19 pandemic, conflict thus ensued. If nothing else, the resulting
misunderstandings and litigation have demonstrated the importance, if not centrality,
of clear, unambiguous language in policies, as will now be seen.39

Business interruption insurance and COVID-19 claims


Impact of COVID-19
The story of the COVID-19 pandemic will be well-known to readers, and it is hardly necessary
to retell it at length here. It is, however, worth mentioning some of its most salient
consequences. At the time of writing, there have been approximately 604 million recorded
cases of the infection and in the region of 6.5 million deaths.40 Of these, the United States
suffered 94.5 million cases and 1.03 million deaths and the UK suffered 23.5 million
cases and 205,000 deaths. A total of 12.5 billion vaccine doses have been given, covering
approximately 63% of the world’s population.41 The deleterious effect of the pandemic
on mental health as well as social, cultural and educational development has been well
documented.42
It has been estimated that the economic consequences of the COVID-19 pandemic were
greater than those of any peacetime event since the Wall Street Crash of 1929, with a

39 As noted previously, Riley provides a much more detailed discussion of BII policy wordings than that
which can be provided here. There is also a collection of sample policy wordings available in its Appendices.
40 The World Health Organisation (WHO) estimates that excess deaths as a result of COVID-19 could be
in the region of 15 million; see “Estimated cumulative excess deaths during COVID, from the WHO, World”
available at https://ourworldindata.org/world-population-update-2022.
41 Overall statistics sourced from Our World in Data, Johns Hopkins University and others, available at
https://news.google.com/covid19/map?hl=en-US&mid=%2Fm%2F02j71&gl=US&ceid=US%3Aen.
42 See “COVID-19 mental health and wellbeing surveillance: report” (April 2022) from the UK Office
for Health Improvement and Disparities available at
www.gov.uk/government/publications/covid-19-mental-health-and-wellbeing-surveillance-report;
the Education Endowment Fund’s “Best evidence on impact of COVID-19 on pupil attainment” (May 2022) available at
https://educationendowmentfoundation.org.uk/guidance-for-teachers/covid-19-resources/best-evidence-on-impact-of-covid-19-on-pupil-attainment; and
“Culture shock: COVID-19 and the cultural and creative sectors” (September 2020) from the OECD available
at www.oecd.org/coronavirus/policy-responses/culture-shock-covid-19-and-the-cultural-and-creative-sectors-08da9e0e/.


fall in global GDP of 3.2% and global trade of 5.3% in 2020.43 In the UK, GDP fell by
9.7% in 2020, the greatest annual decline since records began in 1948.44 While there had
been, prior to a renewed downturn late in 2022, a degree of economic recovery since the
height of the COVID-19 pandemic, there has been a notable shift in labour markets. The
growth of “working from home,” aided by technology, in many sectors has been profound.
Stubborn supply chain difficulties also remain, exacerbated by the Russian attack
on Ukraine. Indeed, the economic effect of the pandemic is expected to “scar” the UK
economy (and that of many other countries) for years to come.45
As noted above, the insurance industry has suffered an estimated US $44 billion in
losses as a consequence of the COVID-19 pandemic. It is, therefore, understandable that
some insurers adopted a less than charitable attitude to COVID-19-related claims by their
policyholders when many of them, at least in the early stages of the pandemic, believed
that the magnitude of such claims—in terms of both their number and cost—could lead
to their own financial collapse.46 As will now be seen, insurers in numerous jurisdictions
were prepared to litigate over the very nature of their BII cover rather than accept
the financial burden of meeting such claims.47 In all of this litigation, the essential issue
before the courts has been the intent of the relevant BII policy as determined by its language,
rather than some philosophical enquiry into the relationship between insurers and
policyholders or, for want of a better term, the “public good.” In short, policy language is
paramount.

United Kingdom
The most significant COVID-19-related judgment was that of the UK Supreme Court in
FCA v Arch. The intended purpose of the proceedings was to determine—in advance of
any specific claim by a policyholder—the correct interpretation of BII policy wordings in
respect of claims for COVID-19 pandemic-related losses. Before it reached the Supreme
Court, the parameters of the case were set out by Flaux LJ and Butcher J in the High
Court, who considered 21 “lead” BII policy wordings issued by eight insurers, although
the FCA estimated that a further 700 policies provided by 60 different insurers to 370,000
policyholders could be affected by the outcome of the case.48

43 See Congressional Research Service “Global Economic Effects of Covid 19” (10 November 2021) available
at https://sgp.fas.org/crs/row/R46270.pdf.
44 See UK Parliament “Coronavirus: Economic Impact” (17 December 2021) available at
https://commonslibrary.parliament.uk/research-briefings/cbp-8866/ and UK Office of Budget Responsibility “International
comparisons of the economic impact of the pandemic” (March 2021) available at
https://obr.uk/box/international-comparisons-of-the-economic-impact-of-the-pandemic/.
45 The UK economy was also damaged by the short-lived Truss government’s so-called “mini-Budget” of
September 2022.
46 See the IMF’s “Impact of COVID-19 on Insurers” (May 2020) available at www.oecd.org/coronavirus/
policy-responses/culture-shock-covid-19-and-the-cultural-and-creative-sectors-08da9e0e/.
47 There are several websites which record or track this litigation, including Womble Bond Dickinson’s
“Business interruption insurance claims arising from COVID-19” available at
www.womblebonddickinson.com/uk/insights/timelines/business-interruption-insurance-claims-arising-covid-19; and the University of
Pennsylvania’s “Covid Coverage Litigation Tracker” available at https://cclt.law.upenn.edu/.
48 These were a policy issued by Arch; one by Argenta; two by Ecclesiastical; four by Hiscox; three by MS
Amlin; three by QBE; five by Royal & Sun Alliance; and two issued by Zurich.


It was agreed by all concerned that there was no cover under the policies’ “primary
trigger” of physical damage,49 so the High Court considered the following categories of
“secondary triggers”:
(i) Disease clauses—which cover losses from the occurrence of a notifiable disease
within a specified distance of an insured premises;
(ii) Prevention of access (PoA) clauses—which provide cover where access to or use of
an insured premises has been prevented or hindered by the government or another
public authority (e.g. the police); and
(iii) Hybrid clauses—cover both government restrictions and the occurrence of a
notifiable disease.
The High Court also considered the operation of trends clauses and the leading decision
thereon in Orient-Express Hotels Ltd v Assicurazioni Generali SA.50
In its September 2020 judgment, the High Court generally found in favour of the FCA.51
It rejected the insurers’ argument that disease clauses only covered local occurrences of
notifiable diseases irrespective of any wider outbreak and held, instead, that the proximate
cause of the policyholders’ loss was the notifiable disease of which the individual
local occurrences formed indivisible parts (alternatively, local occurrences were separate,
concurrent causes). The learned judges also held that only the total—not merely partial—
closure of a policyholder’s premises triggered the PoA clauses and that any such action
by public authorities required the force of law (i.e. this meant that the UK government’s
announcements of “lockdowns” in March 2020 did not trigger PoA cover but its subsequent
regulations implementing those “lockdowns” did—a distinction with significant
financial consequences for policyholders).52
Hybrid clauses were interpreted in much the same way as their constituent parts. Finally,
on trends clauses, the High Court held that the reduced turnover of a business during the
period of interruption should be compared to its turnover prior to the pandemic (or the
implementation of the regulations) and it distinguished the decision in Orient-Express
Hotels Limited as it included a “misidentification of the insured peril” and as it did not
concern the same type of insured perils as those in FCA v Arch.
The appeals by the FCA and six of the eight insurers from this decision were heard by
the UK Supreme Court under the “leapfrog” procedure, bypassing the Court of Appeal.53
In its judgment of 15 January 2021, it dismissed the insurers’ appeals and upheld the FCA’s
grounds of appeal (albeit two with qualifications).54 Prior to addressing the specific issues
relating to the policies, their Lordships stressed:

49 As would be expected given the decision in TKC London Ltd v Allianz Insurance Plc.
50 [2010] Lloyd’s Rep IR 531. The policyholder’s New Orleans hotel was damaged by hurricanes and could
not operate for several months thereafter. The BII cover trends clause was applied so as to compare its business
interruption losses with the trading position in New Orleans after the hurricanes’ damage rather than prior to
or without the damage.
51 [2020] Lloyd’s Rep IR 527.
52 These were the Health Protection (Coronavirus, Business Closure) (England) Regulations 2020 and the
Health Protection (Coronavirus, Restrictions) (England) Regulations 2020.
53 See Supreme Court Practice Direction 1, available at
www.supremecourt.uk/procedures/practice-direction-01.html.
54 The Supreme Court also allowed all three appeals (two qualified) by the Hiscox Action Group of policy-
holders, which had intervened in the proceedings.


The core principle is that an insurance policy, like any other contract, must be interpreted
objectively by asking what a reasonable person, with all the background knowledge which
would reasonably have been available to the parties when they entered into the contract,
would have understood the language of the contract to mean.

As noted previously, the objective assessment of the policy’s language is crucial to the
application of cover.
The Supreme Court accepted the insurers’ submission that each individual case of
COVID-19 was a separate “occurrence,” rather than part of a greater “occurrence,” and
that disease clauses only covered losses arising from individual cases within the specified
distance of the insured premises.55 As far as PoA (and hybrid) clauses were concerned, the
Supreme Court rejected the High Court’s view that action by public authorities required
the force of law. Their Lordships held, instead, that the clauses would be triggered if such
action “carries the imminent threat of legal compulsion or is in mandatory and clear terms
and indicates that compliance is required without recourse to legal powers.” Insofar as
cover which was triggered by an “inability to use the insured premises” was concerned,
this requirement could be satisfied where a policyholder was unable to use the premises
for a discrete business activity or was unable to use a discrete part of the premises for its
business activities.
In arguably the most significant section of the judgment, the Supreme Court held that
all the individual cases of COVID-19 which had occurred by the date of any action by the
authorities (e.g. the “lockdown” regulations) were “proximate” causes of that action. It
was therefore sufficient for a policyholder to demonstrate that there was at least one case of
COVID-19 within the relevant specified distance of its insured premises at the time of any
such action. Their Lordships rejected the insurers’ contention that the “but for” test should
be applied in each case and observed—not for the first time—that the test was sometimes
inadequate. The Supreme Court explained, “there can be situations [such as the pandemic]
where a series of events all cause a result although none of them was individually either
necessary or sufficient to cause the result by itself.”
Moreover, it would be “contrary to the commercial intent” of the policies if uninsured
cases of COVID-19 deprived policyholders of compensation for losses caused by cases
that they did cover.56 Reiterating the fact that the language of the policy agreed between
the parties was the paramount consideration, their Lordships stated “If the insurers had
wished to impose such an exclusion, it was incumbent on them to include it in the terms
of the policy.”57
While the decision was an undoubted success for policyholders, the following words
from the judgment (on the issue of causation but of wider significance, nonetheless) are of
fundamental importance:

55 Lords Briggs and Hodge would have upheld the High Court’s interpretation, albeit they otherwise
agreed with the main judgment.
56 For a further discussion of causation in the context of insurance contracts see Meixian Song, “Revisiting
concurrent causation and principles in English insurance law: a legal fiction?” (2021) J.B.L. 457.
57 The Supreme Court agreed with the High Court that trends clauses should be construed consistently
with the insuring clause and “not so as to take away cover prima facie provided by that clause.” Consequently,
losses suffered by policyholders should be calculated without reference to the fact that the wider UK economy
had been devastated by the pandemic. In this vein, the Supreme Court also conclusively overturned Orient-
Express Hotels Limited. In that vein, the Supreme Court was highly critical of an attempt by one of the insurers
to rely on an exclusion for epidemics which appeared on the very last page of the 93-page policy wording.


All that matters is what risks the insurers have agreed to cover. We have already indicated
that this is a question of contractual interpretation which must accordingly be answered by
identifying (objectively) the intended effect of the policy as applied to the relevant factual
situation.58

As already noted, in TKC London Ltd v Allianz Insurance Plc, the Commercial Court
held that a policy which only covered business interruption losses arising from physical
damage did not cover the policyholder’s losses when its premises were closed as a
result of the UK government’s March 2020 regulations. Similarly, in Rockliffe Hall Ltd
v Travelers Insurance Co Ltd,59 it was held that a BII policy which covered 34 listed
“Infectious Disease[s]” did not cover losses incurred as a consequence of the pandemic
given that COVID-19 did not appear in the policy’s list.60 Further, in an arbitration award
issued in Certain Policyholders -and- China Taiping Insurance (UK) Co Ltd, Lord Mance
stressed the importance of the principles of contractual construction, including the fact
that “no phrase can or should be detached from its context.” His Lordship also reiterated
Lord Neuberger’s tenet in Arnold v Britton “[W]hen interpreting a contract a judge should
avoid re-writing it in an attempt to assist an unwise party or to penalise an astute party.”61
The High Court’s approach to contractual construction in FCA v Arch was also consid-
ered in Corbin & King Ltd v AXA,62 where Cockerill J decided that the policy in this case
differed from those considered in FCA v Arch; the submissions before her also differed;
and, most crucially, the Supreme Court’s approach to causation in relation to disease
“opened up the field for a different iteration of the construction argument.” Consequently,
the learned judge concluded that she was “not bound by the Divisional Court’s conclusions
on construction” and went on to hold that the policy, in this case, covered the policyholder’s
loss.
Finally, there was a flurry of decisions on preliminary issues from Butcher J in the
High Court late in 2022, namely Stonegate Pub Company v MS Amlin,63 Greggs PLC
v Zurich Insurance PLC64 and Various Eateries Trading Ltd v Allianz.65 Although each
trial was separate, they dealt with common issues and, consequently, were managed in a
coordinated fashion and heard in sequence before the same judge. Arguably, the two most
significant outcomes were, firstly, that Butcher J rejected the insurer’s argument that there
was only one “single occurrence” under the policy in Greggs and that the policyholder’s
losses should be aggregated by reference to the UK government’s sundry regulations.
Secondly, in respect of the Stonegate claim, the learned judge accepted that payments

58 For a more detailed discussion of FCA v Arch, see Gary Meggitt, “Business not as usual—The Financial
Conduct Authority v Arch Insurance (UK) Ltd” (2022) J.B.L., Issue 4, 257–281. See also Ö Gürses (2021)
“The Supreme Court on Business Interruption Insurance and COVID-19: Financial Conduct Authority v Arch
Insurance (UK) Ltd [2021] UKSC 1,” King’s Law Journal, 32, 1, 71–83; Riley Chapter 4, paras 4.6–4.15 and
Chapter 14; and J Lowry, P Rawlings and R Merkin, Insurance Law: Doctrines and Principles 4th ed (Hart,
2022) Chapter 19.
59 [2021] EWHC 412 (Comm); [2022] 1 All ER (Comm) 723.
60 Cover for diseases is usually written on a “notifiable disease” basis or by reference to a list of covered
diseases. Not only did COVID-19 not appear within this policy’s list, it also did not come within its definition
of “Plague.”
61 [2015] UKSC 36; [2015] A.C. 1619.
62 [2022] EWHC 409 (Comm).
63 [2022] EWHC 2548 (Comm).
64 [2022] EWHC 2545 (Comm).
65 [2022] EWHC 2549 (Comm).


received by the policyholder under the UK government’s pandemic-related relief schemes
should be taken into account when calculating the sums recoverable under the BII cover.66

United States
Before considering the treatment of COVID-19-related BII claims by the US courts, it is
worth reflecting on one way in which the United States differs from the rest of the common
law world. Generally speaking, unlike the courts in England and Wales, Australia
and Hong Kong, those in the United States pay far less attention to decisions in other jurisdictions
when considering cases before them on the same issues. This is not to say that US
courts never look at non-US jurisprudence but there is a significant degree of controversy
over when and to what extent they should do so.
Former US Court of Appeals Judge Richard Posner once remarked “To cite foreign law
as authority is to flirt with the discredited […] idea of a universal natural law; or to suppose
fantastically that the world’s judges constitute a single, elite community of wisdom
and conscience.”67 Ruth Bader Ginsburg, Associate Justice of the US Supreme Court did
not share this animosity towards “foreign laws.”68 Indeed, some academics have noted that
the US courts have often referred to non-US legislation and case law in the course of their
deliberations.69 The extent, however, to which they may do so in relation to COVID-19
insurance claims, especially given the volume of US litigation, is uncertain.
In the United States, the McCarran-Ferguson Act of 1945 provides that individual
states have primary responsibility for the regulation of insurance and reinsurance, including
the composition of the substantive law thereon.70 That said, the National Association
of Insurance Commissioners (NAIC)71 assists in the development and implementation of
a “national” policy on insurance.72 It is therefore worth noting that the NAIC stated in
March 2020 that:
Business interruption policies were generally not designed or priced to provide coverage
against communicable diseases, such as COVID-19 and therefore include exclusions for that

66 This is contrary to the decision in the Australian cases of Star Entertainment Group Limited v Chubb
Insurance Australia Ltd [2022] FCAFC 16 and Swiss Re International v LCA Marrickville (see below). Butcher
J noted that the policy wordings in the former and the case before him differed.
67 R Posner “No thanks, we already have our own laws—The court should never view a foreign legal decision
as a precedent in any way,” Legal Affairs, July/August 2004,
www.legalaffairs.org/issues/July-August-2004/feature_posner_julaug04.msp.
68 R B Ginsburg “A decent Respect to the Opinions of [Human]kind: The Value of a Comparative
Perspective in Constitutional Adjudication” (Speech, Constitutional Court of South Africa, 7 February 2006)
www.supremecourt.gov/publicinfo/speeches/viewspeech/sp_02-07b-06.
69 See R C Black, R J Owens and J L Brookhart “We Are the World: The U.S. Supreme Court’s Use of
Foreign Sources of Law” British Journal of Political Science Vol. 46, No. 4 (October 2016), 891–913; and
Stephen Yeazell, “When and How U.S. Courts Should Cite Foreign Law” (2009). Constitutional Commentary,
1028.
70 15 U.S.C. §§ 1011–1015. The Act was passed by the US Congress in response to the Supreme Court’s
decision in United States v South-Eastern Underwriters Association 322 U.S. 533 (1944) that the federal government
could regulate insurance companies pursuant to the “Commerce Clause” (Article I, Section 8, Clause
3) of the US Constitution and that the federal antitrust laws applied to the insurance industry.
71 The NAIC is a voluntary association comprising the state insurance regulators of all 50 states (plus the
District of Columbia and five US territories). Its website is available at https://content.naic.org/.
72 At least one academic has argued that the NAIC’s activities are contrary to the spirit of the McCarran-Ferguson
Act and US Constitution. See Daniel B Schwarcz, “Is U.S. Insurance Regulation Unconstitutional?”
(28 August 2018). 25 Connecticut Insurance Law Journal 191 (2018), https://ssrn.com/abstract=3239966.


risk. Insurance works well and remains affordable when a relatively small number of claims
are spread across a broader group, and therefore it is not typically well suited for a global
pandemic where virtually every policyholder suffers significant losses at the same time for an
extended period.73

Moreover, the state and federal courts in the United States have, on the whole, favoured
BII insurers over policyholders when it has come to pandemic-related claims.74 Why? The
answer is simple—the language of the policies.
As noted previously, US BII cover generally requires “direct physical loss of or damage”
to an insured premises or, for secondary triggers, another premises. Consequently,
unlike FCA v Arch, much of the litigation in the United States has been focused on the
question of whether there has been physical damage or loss to or at an insured premises
and what constitutes such damage or loss. For example, in the Florida case of Dime
Fitness, LLC v Markel Ins Co,75 where the BII policy provided only that “We will pay
for direct physical loss of or damage to Covered Property at the premises described in
the Declarations caused by or resulting from any Covered Cause of Loss,” the court held
that “Insurance companies cannot bear the burden of this crisis where, as here, the Policy
does not provide for coverage of purely economic losses resulting from the COVID-19
pandemic.” In Rye Ridge Corp v Cincinnati Ins Co,76 the court held that a delicatessen
operator had not successfully demonstrated that its properties were “damaged” as a result
of government lockdown orders for the purpose of its BII cover.77
Similarly, the California Court of Appeal held, in The Inns By The Sea v California
Mutual Insurance Co,78 that there was no physical loss or damage caused by the COVID-19
virus, which meant that any such loss was not covered by the relevant policies. The
three-judge panel noted that “The overwhelming majority of federal district court cases
find no possibility of coverage under commercial property insurance policies for a business’s
pandemic-related loss of income” and went on “we conclude that [the policyholder]
has not alleged ‘direct physical loss of’ property, based on the fact that it lost the ability
to use its physical premises to generate income.”79 The absence from the policy of an

73 NAIC Statement on Congressional Action Relating to COVID-19 (25 March 2020) available at
https://campbell-bissell.com/wp-content/uploads/2020/04/NAIC-Statement-on-Congressional-Action-Relating-to-COVID-19.pdf.
To be fair, the NAIC was not alone in this assessment, given that the French financial regulator,
the Autorite de Controle Prudentiel et de Resolution (ACPR), conducted an investigation into pandemic
coverage by BII policies in 2020 and concluded that only 3% of the policies available in the French market did
so. By contrast, pandemic risks were excluded in 93% of the policies which were reviewed. See CGPA Europe
report, www.cgpa-europe.com/the-french-supervisory-authority-states-that-covid-19-is-not-covered-for-most-policyholders/.
74 Professor Tom Baker of The University of Pennsylvania has stated that “85 percent of [COVID-19
insurance claim] cases considered for dismissal in federal court get tossed, compared with 66 percent in state
court.” See “Tom Baker on Covid-19 and Insurance Claims,”
www.ali.org/news/articles/tom-baker-covid-19-and-insurance-claims/. Professor Baker is responsible for the
“Covid Coverage Litigation Tracker” available at https://cclt.law.upenn.edu/.
75 No 20-CA- 5467, 2020 WL 6691467.
76 No 21-1323-cv, 2022 WL 120782 (2d Cir 2022).
77 Further, it is arguable that the BIEE wording requires a complete lack of access to an insured premises
rather than a partial lockdown.
78 Super Ct No 20CV001274 (Cal App Ct 17 Nov 2021).
79 See also Social Life Magazine, Inc. v Sentinel Ins. Co., No. 20-cv-03311, Telephonic Conference
(S.D.N.Y. 14 May 2020) where the court held that even when COVID-19 is present in insured premises, it does
not cause damage to physical property.


exclusion for losses arising from a virus was irrelevant.80 The California Supreme Court
subsequently declined to hear the policyholder’s appeal of the Court of Appeal’s decision.
That said, in September 2022, in Huntington Ingalls Industries Inc. et al. v Ace American
Insurance Co. et al.,81 the Vermont Supreme Court upheld a policyholder’s claim that the
virus may have caused direct physical damage. The policyholder in this case was the largest
military shipbuilder in the United States and was covered “against all risks of direct
physical loss or damage to property” including, in its policy’s BII provisions, for “[l]oss
due to the necessary interruption of business conducted by [the policyholder], whether
total or partial … caused by physical loss or damage insured herein.” The policyholder—
and its captive insurer—sought a declaratory judgment against its reinsurers that it was
entitled to coverage for property damage, business interruption and other losses incurred
as a result of COVID-19 and related government action. It submitted that the pandemic
had caused “direct physical loss or damage to property” when the virus adhered to surfaces
and remained in the air at its premises. Prior to the discovery phase of the proceedings,
the reinsurers sought and obtained judgment on the pleadings in their favour.82
Though the Vermont Supreme Court did not actually determine that the policyholder
had suffered “direct physical loss,” it was decided that “experts and evidence [should]
come in to evaluate the validity of insured’s novel legal argument before dismissing this
case.” Consequently, the matter will proceed to discovery and—presumably—beyond.
While this decision does not amount to a conclusive finding in favour of policyholders, it
does run counter to the predominantly pro-insurer trend exhibited by several other state
supreme courts and many federal district and appeals courts. It also demonstrates that,
despite a number of decisions to the contrary, the definition of “physical damage and loss”
for the purposes of US BII cover has not been settled. If and when it is, however, it will
be done on the basis of US jurisprudence on contractual interpretation and construction
rather than some other criteria. The views of their Lordships in FCA v Arch have held
almost no sway in this process so far and are unlikely to do so in the future. The same,
however, cannot be said of other jurisdictions.

Australia and other common law jurisdictions


Despite the fact that Australian BII policies are written on a UK basis and the similarities
between the UK and Australian law and practice, the approach of the courts in Australia
towards COVID-19-related claims has not resembled that in the UK. After a limited success
for policyholders in Australia’s first COVID-19 BII test case, HDI Global Specialty
SE v Wonkana No. 3 Pty Ltd,83 in relation to exclusion clauses, insurers prevailed in the

80 The 2006 SARS-motivated ISO exclusion or similar exclusion mentioned above. In those cases where
the policy has included such an exclusion, such as Mauricio Martinez DMD, P.A. v Allied Ins. Co. of America,
No. 20-00401, Order Granting Insurer’s Motion to Dismiss (M.D. Fla. Sep. 2, 2020), they have been upheld
by the courts.
81 No. 2021-173.
82 In the US federal and state courts, the discovery phase of civil proceedings is not limited to the discovery—
or disclosure as it is now under the CPR—of documents by the parties but extends to depositions, interrogatories and
other processes. See the “US Federal Rules of Civil Procedure,” Title V. Disclosures and Discovery,
www.federalrulesofcivilprocedure.org/frcp/.
83 [2020] NSWCA 296.


second test case. Swiss Re International v LCA Marrickville,84 unlike its predecessor,
concerned the much wider question of whether the BII policies before the court covered
pandemic-related losses.
As in FCA v Arch, a number of secondary triggers were considered, these being:
(i) Hybrid clauses—which cover losses due to the authorities closing or restricting
access to an insured premises due to an infectious disease at or within a specified
distance of them;
(ii) Infectious disease clauses—which cover losses arising from the outbreak of an
infectious disease at or within a specified radius of the insured premises;
(iii) PoA clauses—which cover losses arising from the authorities preventing or
restricting access to insured premises due to damage or a threat of damage to
property or persons; and
(iv) Catastrophe clauses—cover losses resulting from the action of the authorities during
a catastrophe for the purpose of retarding the catastrophe.
In the Federal Court, Jagot J held that infectious disease clauses were the only ones which
would provide cover for the policyholders’ losses in the circumstances of the case. The
learned judge also held that the pandemic was not a “Catastrophe” (NB upper case “C”)
within the meaning of the policies, which provided:
The Insurer will indemnify the Insured in accordance with the provisions of Clause 10 (Basis
of Settlement) against loss resulting from the interruption of or interference with the Business,
provided the interruption or interference […] is in consequence of […] the action of a civil
authority during a conflagration or other catastrophe for the purpose of retarding same.

Further, the PoA clauses and Hybrid Clauses were not triggered because the various
“lockdown” orders and regulations issued by national and state governments during the
pandemic had not been issued due to an outbreak of COVID-19 at—or in the vicinity of—
the policyholders’ premises. Jagot J declined to adopt the approach of the UK Supreme
Court in FCA v Arch and explained:
FCA v Arch UKSC contains much which is useful. However, it is necessary to recognise that
their Lordships’ reasoning depended on the proper construction of specific insuring clauses
in the context of the policies as relevant in that case.

The “relevant context” in FCA v Arch included the fact “the outbreak of COVID-19 in the
United Kingdom was ‘widespread’ and a ‘national outbreak’” and, moreover, the learned
judge stressed that “the text and the context of the particular policy is determinative.” The
Australian context was “materially different” from that in FCA v Arch, and, consequently,
the UK Supreme Court’s approach towards contractual construction and causation would
not be adopted. Jagot J also reiterated the point made in the earlier Australian case of
WorkPac Pty Ltd v Rossato85 (and elsewhere, often) that:
it is not a legitimate role for a court to force upon the words of the parties’ bargain ‘a meaning
which they cannot fairly bear [to] substitute for the bargain actually made one which the court
believes could better have been made.’

84 [2021] FCA 1206.


85 [2021] HCA 23.


The Full Court of the Federal Court “substantially agreed” with Jagot J’s conclusions.86 In
particular, it reiterated that FCA v Arch had no bearing on the present case(s) given that
“the relevant circumstances underpinning the issues in FCA v Arch [were] substantially
different from those which occurred in Australia [and] rather unique in themselves” and
the “underlying fortuity principle.”87 The Full Court also agreed with Jagot J that the pan-
demic was not a “Catastrophe” within the wording of the relevant BII policies, as it was
linked to the word “conflagration,” which also implies that there is or has been physical
action by the authority seeking to retard it.88
By contrast, the Irish courts took a less dismissive approach towards FCA v Arch in The
Leopardstown Inn v FBD Insurance Plc,89 where McDonald J indicated that, while aspects
of his decision had been influenced by the High Court and Supreme Court’s judgments,
he had not “substantially altered” his own determination of the relevant issues as a result
thereof. With respect to the application of the “but for” test, the learned judge remarked
that when:
Two sufficient causes of an event of a given kind are present and, however fine-grained or
precise we make our description of the event, we can find nothing which shows that it was the
outcome of the causal process initiated by the one rather than the other. It is perfectly intelligi-
ble that in the circumstances a legal system should treat each as the cause rather than neither,
as the sine qua non test would require.

This was “an entirely sensible and appropriate approach” and led, inter alia, to McDonald J
finding in favour of the policyholders. Conversely, in Brushfield v Arachas,90 the same
learned judge held that the absence of COVID-19 from a list of human diseases specified
in a BII policy meant that the policyholder could not claim for pandemic-related losses.91
Similarly, in Premier Dale v RSA & Arachas,92 McDonald J held that the policyholder was
not entitled to insurance cover for pandemic losses, as the BII cover required a notifiable
disease to be “manifesting itself at the premises.” Given that there was no evidence that
anyone at the policyholder’s premises—a hotel—had suffered from COVID-19 during the
period of indemnity, the claim failed.
Finally, the South African courts approved of the High Court’s reasoning in FCA v Arch
when they considered the same issues in Ma-Afrika Hotels (Pty) Ltd v Santam Limited93
and Guardrisk Insurance Company Limited v Cafe Chameleon CC94 and found in favour
of policyholders’ claims for business interruption losses due to the pandemic and restric-
tions imposed by the South African authorities. In the latter case, Cachalia JA observed:

86 [2022] FCAFC 17. The court comprised Moshinsky J, Derrington J and Colvin J—the latter two learned
judges producing the main judgment.
87 This second difference appears to have been something of an over-interpretation by the Full Court of a
passage in the Supreme Court’s judgment in FCA v Arch.
88 Leave to appeal the Full Court’s decision was not granted, see “It’s over: High Court refuses second
BI test case appeal applications” (14 October 2022),
www.insurancenews.com.au/breaking-news/its-over-high-court-refuses-second-bi-test-case-appeal-applications.
89 [2021] IEHC 78.
90 [2021] IEHC 263.
91 In Corbin & King Cockerill J discussed McDonald J’s reasoning on denial of access clauses in Brushfield
and remarked “I therefore conclude that I cannot concur with MacDonald J on this point.”
92 [2022] IEHC 178.
93 [2020] ZAWCHC 160 and the appeal [2021] ZASCA 141.
94 [2020] ZASCA 173.


The parties must have contemplated that the [insuring] clause would provide cover for any
public health response to any outbreak of a notifiable disease, whether or not it occurs in mul-
tiple localities, provided only that it also occurs within the 50 km radius. Guardrisk’s inter-
pretation [that it did not] is therefore neither commercially sensible, nor does it reasonably or
fairly accord with the purpose of the clause.

Again, as elsewhere, the paramount consideration for the courts was the language of the
policy.

Summary
This review of some of the more consequential decisions by the courts in relation to pan-
demic-related BII claims demonstrates that they are concerned—first and foremost—with
the intent of the policies as revealed by an objective analysis of their language. That analy-
sis also includes, as both Lord Mance and Jagot J observed, the context in which the poli-
cies operate. Consequently, despite the fact that all the policies considered by the courts in
these cases were BII policies, some were deemed to provide cover for COVID-19-related
losses while others were not. The discussion about the so-called “coverage gaps” or “pro-
tection gaps” for pandemic-related losses and possible solutions to those “gaps” has, to
some extent, been conducted with very little recognition of the importance of policy lan-
guage. That has been an error.

Business interruption insurance and future pandemics and catastrophes


So we return then to the prediction made by Lloyd’s 15 years ago and what, if anything,
can be done about it.
In the event of another global pandemic, how will businesses be able to ameliorate their
losses, avoid insolvency and return to normal operations while avoiding becoming part of
and contributing to widespread economic breakdown? Since the start of the COVID-19
pandemic, numerous commentators have lamented the absence of adequate cover for such
situations. Yet, as has been observed, those pandemic policies which were available found
few, if any, willing buyers.
Moreover, the fact that some claims for BII cover for pandemic-related losses were
successful, at least in the UK, should not obscure the fact that many were denied.95 This
demonstrates the truth, as argued by insurers in numerous jurisdictions, that basic BII
cover—as it is presently designed—is not intended for pandemic-related or other NatCat
risks. Indeed, those cases in which BII cover has been held to apply to COVID-19-related
losses are unlikely to be repeated in the future as insurers tighten their policy wordings.
In response to the pandemic, the Lloyd’s Market Association (LMA) published a model
“LMA5396 Communicable Disease Exclusion,” for use in liability policies. It excludes
from cover:
all actual or alleged loss, liability, damage, compensation, injury, sickness, disease, death,
medical payment, defence cost, cost, expense or any other amount, directly or indirectly and
regardless of any other cause contributing concurrently or in any sequence, originating from,
caused by, arising out of, contributed to by, resulting from, or otherwise in connection with a
Communicable Disease or the fear or threat (whether actual or perceived) of a Communicable
Disease.96

95 For example, in the United States, only 3,648 of the 183,562 business interruption claims submitted (and
closed) resulted in a payment to the policyholder (i.e. less than 2%) as of November 2020.

It should also be recognised that the battle between policyholders and insurers over the
scope of BII cover did not take place in a vacuum. As any informed observer will appre-
ciate, the breadth and scale of government action to maintain normal business opera-
tions and economic activity in the face of the pandemic was unprecedented in peacetime.
Many governments and central banks intervened in numerous ways including interest rate
cuts; tax reductions and/or deferrals; wage subsidy or “furlough” schemes to encourage
employers to retain staff; grants, loans and guarantees to prevent businesses from going
insolvent; and additional help to those individuals who had been made redundant or were
otherwise in need of financial assistance.97
In the UK, the total cost estimate for various COVID-19 public relief measures
(announced from February 2020 and on or before 31 March 2022) is £376 billion, with
£132 billion being loaned or guaranteed by the Bank of England.98 In the United States,
the federal government has spent (or is pledged to spend) in the region of US $4.6 tril-
lion on COVID-19-related relief measures.99 In Australia, direct economic support by the
government from the beginning of the pandemic to May 2021 was in the region of AUD
291 billion.100
It is hardly surprising then that many parties have suggested various ways in which
such future pandemics may be addressed by private and public means or a combination of
the two. Some of these proposals shall now be examined.

Extending BII cover


Is it realistic to expand the scope of BII cover to pandemics? As noted, many existing
policies already do so, not least the 700 policies identified by the FCA in the context of
FCA v Arch. As also noted, however, the eight insurers providing some of these poli-
cies objected, in FCA v Arch, to their application to COVID-19 pandemic-related losses.
Their objections failed, but others in the UK have succeeded, as have similar objections
in Australia and in the majority of cases in the United States. These objections will also,
no doubt, be among the reasons for many insurers restricting the scope of their BII cover
in the future, as evidenced by the LMA model exclusion. Indeed, such restrictions to the
scope of cover were widespread following the SARS epidemic, not only by way of the ISO
Virus Exclusion in 2006 but by similar action by private insurers in various jurisdictions,
including Hong Kong (which was heavily affected by SARS).

96 The full text of the exclusion (of which the foregoing is a part) is available at
www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA-20-017-PD.aspx.
97 A review of the various forms of public intervention can be found in OECD Working Paper by L
Wolfrom “Could insurance provide an alternative to fiscal support in crisis response?” (OECD Working Papers
on Fiscal Federalism, September 2022 No. 40) available at
www.oecd-ilibrary.org/finance-and-investment/could-insurance-provide-an-alternative-to-fiscal-support-in-crisis-response_4b3dd441-en.
98 See UK National Audit Office “Covid 19 Cost Tracker,” www.nao.org.uk/overviews/covid-19-cost-tracker/.
99 See “The Federal Response to COVID-19” available at www.usaspending.gov/disaster/covid-19?publicLaw=all.
100 See “Economic Response to COVID-19” available at https://treasury.gov.au/coronavirus.


Following the reliance of some insurers on the strict wording of existing BII policies to
avoid paying for COVID-19-related losses, some politicians entered the fray. Early in the
pandemic, the UK House of Commons Treasury Select Committee asked the Association
of British Insurers (ABI) for information on the approach its members would take towards
BII claims.101 For its part, the UK government focused its attention on the various meas-
ures it had introduced to support businesses during the pandemic while noting that moves
to retrospectively change BII policies so that insurers would be obliged to cover COVID-
19-related losses “would most likely cause solvency issues with insurance companies, so
it is perhaps not the most appropriate course of action.”102
In France, in April 2020, Senator Sylvie Robert asked the Minister of Economy and
Finance whether the pandemic justified retroactive legislation to extend coverage for busi-
ness interruption losses through the country’s natural catastrophe insurance programme.
The French government responded that the scheme was not adapted to cover risks linked
to a serious health threat such as the pandemic and that alternative measures were being
considered and would be implemented.103
In the United States, in a classic display of “politicians’ logic,” twelve states and the
District of Columbia introduced legislation to oblige insurers to cover COVID-19-related
losses.104 The various proposed laws differed in their details but shared the same broad
objectives, namely:
(i) Increasing cover under existing BII policies to compensate for COVID-19 pan-
demic-related losses;
(ii) Applying that cover retroactively;
(iii) Redefining property damage within existing BII policies to include the presence
of individuals infected with COVID-19 at an insured premises;
(iv) Voiding any exclusion clauses in relation to viruses such as COVID-19; and
(v) Obliging insurers to cover COVID-19-related damages irrespective of the appli-
cable policy’s language.105

101 The ABI responded to the Committee’s queries, stressing its members’ commitment to supporting
policyholders while also noting the pressures they faced and added “We recognise this is a very worrying time
for those businesses and agree strongly that the UK should examine public-private partnership models to find a
lasting solution that can provide more extensive and more affordable coverage in future for businesses wishing
to purchase insurance against pandemics.” The body has also published a set of “ABI Principles for Handling
Business Interruption Claims related to COVID-19” available at
www.abi.org.uk/products-and-issues/topics-and-issues/coronavirus-hub/business-insurance/.
102 See S Browning “Coronavirus: business interruption insurance” (House of Commons Library, 19
November 2021) https://researchbriefings.files.parliament.uk/documents/CBP-8917/CBP-8917.pdf.
103 See legislative adaptation to insure business operating and stock losses in the face of COVID-19 available at
https://sylvie-robert.fr/adaptation-legislative-en-vue-dassurer-les-pertes-dexploitation-et-de-stock-des-entreprises-face-au-covid-19/.
104 Politicians’ logic is a logical fallacy comprising the terms “We must do something. This is something.
Therefore, we must do it.” It was discussed by the characters Sir Humphrey Appleby and Sir Arnold Robinson
(the serving and prior Cabinet Secretary) in an episode of the BBC TV’s “Yes, Prime Minister.” The latter
likened it to the equally perverse (but probably far less destructive) logical fallacy “All cats have four legs. My
dog has four legs. Therefore, my dog is a cat.”
105 See “Insurance Coverage for Pandemic-Related Business Interruption Losses: Legislative Tracker
(US): 2022” available at
https://uk.practicallaw.thomsonreuters.com/w-034-4796?transitionType=Default&contextData=(sc.Default)&firstPage=true.


Understandably, the insurance industry opposed such measures on the basis, inter alia,
that they would place unsustainable financial pressures on those providing BII cover. In
one commentary, Marcos Alvarez stated:
Because the number of potential claims under such hypothetical retroactive changes would be
extraordinarily high in the current environment, we estimate that this would have a material
adverse impact on the capitalization of the industry globally, and it could cause a liquidity
crunch for some companies facing an unexpected surge in BI losses […] This would leave
direct insurance companies in a very precarious situation that could make them not viable
within a very short time, unless there were to be a government backstop.106

The International Association of Insurance Supervisors (IAIS) also expressed disquiet
about such measures:
At the same time, the IAIS cautions against initiatives seeking to require insurers to ret-
roactively cover Covid-19 related losses, such as business interruption, that are specifically
excluded in existing insurance contracts. In such cases, the costs of claims against losses have
not been built into the premiums that policyholders have paid for their insurance. Requiring
insurers to cover such claims could create material solvency risks and significantly undermine
the ability of insurers to pay other types of claims. Such initiatives could ultimately threaten
policyholder protection and financial stability, further aggravating the financial and economic
impacts of Covid-19.107

To such concerns can be added criticisms about the US state legislation’s interference with
the freedom to contract, which is enshrined in the US Constitution, and its retroactive
nature, which is also contrary to the US Constitution.108 Small wonder, then, that most of
the proposed state laws fell by the legislative wayside. By contrast, the US federal govern-
ment’s efforts to close the insurance “protection gap” or “coverage gap” for pandemic-
related losses are ongoing and are discussed further below.

Private pandemic risk insurance


The OECD identified some of the challenges faced by insurers seeking to develop cover-
age for pandemics and other catastrophic perils, such as widespread cyber-attacks, social
unrest and extreme weather events:
(i) A lack of relevant data for underwriting and premium-setting purposes;
(ii) The need for insurers to hold large reserves and/or capital to cover the potentially
huge losses incurred by policyholders upon such events;
(iii) The inability of insurers to diversify such risks given that they often affect many
different policyholders (i.e. businesses and private individuals) simultaneously
across different geographical areas;
(iv) The reluctance of potential policyholders to purchase such “expensive” cover
given the perceived expectation (NB at least prior to the COVID-19 pandemic)
that it may never be needed; and
(v) The expectation of “free” government assistance in the event of a pandemic or
similar catastrophe.109

106 M Alvarez “P&C Insurance: The Conundrum of Business Interruption Coverage during the
Coronavirus Pandemic,” DBRS Morningstar, 8 April 2020.
107 See “IAIS facilitates global coordination on financial stability and policyholder protection during
Covid-19 crisis” (7 May 2020) available at
www.iaisweb.org/uploads/2022/01/200507-IAIS-media-release-Financial-Stability-and-Policyholder-Protection.pdf.
108 See M R Uhls, “Business Interruption Insurance: The Future of Pandemic Exclusions,” 46 S. ILL. U.
LJ 131 (2021).

Such challenges have been mentioned by insurers and others in respect of the feasibil-
ity of pandemic risk insurance prior to and since the onset of the COVID-19 pandemic.
The attitude of potential policyholders was discussed by Simone Krummaker in 2019,
who observed that demand for insurance products was affected by a complex interplay
of the potential policyholder’s “ownership structure and managerial discretion, financial
strength and volatility of earnings, services of the insurer, size of the firm, and business
diversification” and, most importantly, “managerial risk attitudes in the decision process
about insurance demand in companies.”110 The pandemic and subsequent economic dis-
quiet will, if anything, have made this interplay even more complex and problematical.
The attitude of insurers was described by Christopher French thus:
Insurers also argue that the reason pandemic claims, such as COVID-19 business interruption
losses, are not covered by their policies is because the losses associated with pandemics are
uninsurable correlated risks […] Private insurers avoid insuring correlated risks because of
insurers' alleged inability to accurately predict when, where and how many losses associated
with the peril will occur. This uncertainty makes it difficult to establish actuarially sound pre-
miums and spread the risk across a large enough pool of insureds with diverse risk profiles.111

French dismisses the insurers’ assertions by reference to the fact that some insurers have
sold pandemic cover and mentions that obtained by the AELTC for the Wimbledon tennis
championships and PathogenRX as examples. Yet this counter-assertion does not stand
up to analysis. Firstly, the AELTC cover was discontinued and, secondly, PathogenRX
did not sell.112
Why didn’t PathogenRX sell? It has not been possible to obtain the policy wording or
details of the underwriting processes, which is understandable in the circumstances given
their commercial value to Marsh and its partners, but a series of “fact sheets” are availa-
ble.113 According to the current fact sheet, coverage is available under the policy for the
“loss of gross profits, loss of revenue, and extra expenses” suffered as “a result of an infec-
tious disease event in a designated geographical coverage area.” Further, the fact sheet
goes on to explain that “All three triggers must be satisfied for the policy to respond,”
these “typically” being:
1. The World Health Organization (WHO) issues a Disease Outbreak Notice (DON)
during the policy period;
2. The WHO issues a Public Health Emergency of International Concern for the disease
specified in the DON;
3. A civil authority orders restrictions—including sheltering-in-place or partial or
full cessation of business—for the area covered by the policy or a respective cluster
of the insured’s property.114

109 L Wolfrom, OECD Working Paper No. 40.
110 Simone Krummaker, “Firm’s demand for insurance: An explorative approach,” Risk Manag Insur Rev.
2019; 22, 279–301.
111 Christopher C French, “COVID-19 Business Interruption Insurance Losses: The Cases for and against
Coverage,” 27 CONN. Ins. LJ 1 (2020).
112 K Scott “Wimbledon boss confirms the championship will not have pandemic risk insurance in 2021”
(Insurance Times, 29 June 2020) available at
www.insurancetimes.co.uk/news/wimbledon-boss-confirms-the-championship-will-not-have-pandemic-insurance-in-2021/1433726.article.
113 Some predate the COVID-19 pandemic and some have been released subsequently. The current Marsh
PathogenRX details are available at www.marsh.com/us/industries/healthcare/products/pathogenrx.html.

Finally, coverage is provided on “an occurrence basis” and “[while the] DON must be
issued during the policy period, insured losses are typically covered if they take place
within a year of the policy period’s end.”
Although it would be foolish, without more precise details of its operation, to speculate
in detail about PathogenRX’s failure to gain traction in the market, the above precis gives
some clues. As previously noted, BII policies vary in their treatment of gross profits, rev-
enue and suchlike. It may have been that some potential policyholders did not agree with
PathogenRX’s proposed treatment of these figures. Further, it appears that PathogenRX
may be conceived as a parametric cover, which some potential policyholders may not have
cared for.115 Further, the terms “infectious disease” and “designated geographical area”
are capable of a wide range of interpretations, as has been seen from the discussion of the
COVID-19 litigation above. The definitions thereof in the PathogenRX wording may be
too broad for some potential policyholders or (more likely) too tight.
There is also the combination of the three triggers required for the policy to respond.
The FCA v Arch litigation addressed, among other things, the public action required to
trigger coverage and when it was deemed to have been triggered. Just one trigger, the
UK government’s “lockdown,” was problematic enough to require a determination by the
UK Supreme Court. Three triggers, two at the behest of WHO and another from a “civil
authority,” may have proved to be too much for many potential policyholders to accept, not
least in those jurisdictions where, unlike in FCA v Arch, a pro-policyholder approach by
the courts would not be anticipated.116 Finally, while it is perfectly understandable that the
policy is written on an “occurrence basis,” this in itself is not free from difficulty.
It is important to appreciate that these issues are not raised as a criticism of Marsh or its
partners, who—at the very least—have attempted to bring a pandemic policy to the mar-
ket, but simply to illustrate some of the difficulties that would be encountered in design-
ing such a policy. As noted previously in respect of BII cover, the language of a policy is
crucial. The possible interpretation of such terms as “infectious disease” has already been
mentioned but one may ask whether the PathogenRX wording contains other potentially
contentious terms. The fact sheet refers to an “outbreak, epidemic, or pandemic.” How
are these defined in the wording? Does the policy refer to catastrophes and, if so, does its
definition resemble that addressed in Swiss Re International v LCA Marrickville? Even if
Marsh and its partners have resolved these issues (and there is every reason to believe that,
as experienced and resourceful insurers, they are aware of them and have been working on
such resolutions), their solutions may not be capable of adoption by other insurers
interested in offering pandemic cover.

114 A pre-COVID-19 version of the fact sheet stated “Coverage can be triggered by straightforward, objective
metrics, such as mortality count, or explicitly defined events, such as a civil authority lockdown or the
declaration of a public health emergency.”
115 See Chapter 6 “Parametric Insurance.”
116 As in Hong Kong, where the Court of Final Appeal held in New World Harbourview Hotel Co Ltd v Ace
Insurance Ltd [2012] HKCFA that a BII clause covering losses for “infectious or contagious
disease” was triggered on the date when SARS became officially notifiable under Hong Kong Government
measures and not when it was simply notifiable on an advisory basis under recommendations issued by
health authorities.

Yet, beyond the questions of policy language, the greatest obstacle to the availabil-
ity and take-up of private pandemic cover is its cost. In 2020, Robert Hartwig and his
colleagues looked at the factors which contribute to the limited supply and demand of
pandemic policies.117 While recognising that there were problems on the “demand” side
(i.e. potential policyholders’ reluctance to pay for pandemic cover), their work focused
on the “supply” side of pandemic cover. Hartwig and his colleagues made use of a set of
hypothetical examples to demonstrate how the relative amount of capital needed by insur-
ers to cover potential claims varied in relation to the features of pandemic risk, namely
“uncertain loss severity, cross-sectional correlation in the frequency of losses, and cross-
sectional correlation in the severity of losses.” Having done so, they determined:
The most important problem facing the private supply of pandemic risk insurance is the large
amount of capital required to make the insurance credible […] While a private market could
provide some coverage by limiting the amount of coverage and the number of entities covered,
widespread, high-limit coverage is not likely to be forthcoming from the private market.

After discussing a range of possible public-private measures to address the pandemic risk
insurance “protection gap” (which shall be addressed below), Hartwig and his colleagues
reiterated that:
While acknowledging there might be reasons on the demand side, such as underestimation of
the frequency and severity of pandemics, we argue […] that a pandemic risk insurance market
fails largely because the amount of capital needed to supply credible insurance coverage is
prohibitively high. More specifically, we use hypothetical examples to explain how correla-
tion in the frequency and severity of losses, both key characteristics of pandemics, leads to an
extraordinarily high capital requirement.

These views were shared by Helmut Gründl and his colleagues.118 They sought to answer
the questions “How can the insurance industry contribute to building resilience to future
pandemic events?” “Is pandemic risk insurable?” and “What is the appropriate allocation
of functions between the insurance industry, the financial market, and the government in
pandemic risk transfer?” by way of a hypothetical pandemic risk insurance policy. It was
intended to ameliorate the financial losses of an SME as a consequence of the pandemic
(i.e. much like BII cover). The hypothetical policy provided monthly compensation during
the imagined pandemic in respect of the policyholder’s lost revenues or its employees’ lost
wages.
Gründl and his colleagues concluded that “it is unlikely that the insurance industry
alone will be able to provide sufficient coverage for business interruption losses like
those occurring during the COVID‐19 crisis.” Their work demonstrated that the price
markup for such a pandemic policy was in the top 20% of the realised price markups for
NatCat insurance. The reason for this higher markup was the large accumulation risk (i.e.
large numbers of claims being brought at the same time). This accumulation risk leads
to a shortfall of loss distribution which was approximately 100 times higher than that for
NatCat cover. Gründl and his colleagues suggested that the shortfall caused by this accumulation
risk could be reduced by an intertemporal risk‐sharing scheme over 50 years.
They indicated that such a scheme would require government and private sector participation
and that it would benefit from developments in the field of insurtech (e.g. “big data”
analytical tools).

117 R Hartwig, G Niehaus and J Qiu “Insurance for economic losses caused by pandemics,” The Geneva
Risk and Insurance Review (2020) 45, 134–170.
118 H Gründl, D Guxha, A Kartasheva and H Schmeiser “Insurability of pandemic risks,” J Risk Insur.
2021, 88, 863–902.

Other than the legislative proposals already touched upon, the “protection gap” and
perceived resistance of BII providers to covering COVID-19 have led to numerous pro-
posals for insurance schemes in which the risks resulting from pandemics would be
shared among the affected industries, insurers and government. As noted by the OECD in
September 2022, “These proposals differed in terms of the amount of coverage that would
be provided, the types of policyholders covered and the distribution of losses between
insurers and the private sector.”
Hartwig and his colleagues suggested four potential approaches by governments “to
facilitate and support the sharing of pandemic risk” in light of the inability of the private
insurance market to address the problem on its own. These approaches are summarised
thus:
(i) Post‑event assistance—the private insurance market deals with potential pan-
demic risks without government participation in any programmes or schemes for
risk management or cover. The government is only involved after the event (ATE)
to assist those affected by the pandemic. It is a “reactive” approach with little
or no advanced planning on the part of the government (or market). The mon-
ies needed for the ATE assistance are raised by public borrowing and (possibly
increased) taxation. This was the approach adopted by the UK, the United States
and many other governments in response to the COVID-19 pandemic;
(ii) Reinsurance—a government reinsurer provides cover to those private insurers
offering primary pandemic coverage to policyholders.119 The French, German and
US governments established such a reinsurance provision for terrorism-related
risks following the 9/11 attacks while the UK operates an alternative system by
way of Pool Re;
(iii) Insurance—a government insurer offers cover directly to policyholders. Hartwig
and his colleagues suggest that such a scheme would best be operated through
existing private insurers rather than through a “new organizational structure.”
The US National Flood Insurance Program (NFIP) is cited by them as an example
of such a scheme;
(iv) Social insurance—in the words of Hartwig’s team, “many or all entities are
required to participate, and all participating entities are entitled to receive event-
contingent benefits.” Funding is by way of taxation (or its equivalent) and the
administration of the scheme is—usually—by public bodies. The US social
security system, UK National Insurance and the schemes administered by the
Australian Centrelink Master Program are examples of such social insurance
programmes.

119 Hartwig and his colleagues do not specify how the government would carry out this task. Possibly an
independent, albeit public-owned reinsurer, would do so in some jurisdictions.

Pandemics and Insurance

Hartwig and his colleagues evaluated these approaches in terms of the following objec-
tives or, in their words, “goals”:
(i) Operational efficiency;
(ii) Ability to match compensation with losses;
(iii) Incentives for risk mitigation; and
(iv) Macroeconomic impact.
Operational efficiency was defined as “how much money is used to cover operating
expenses as opposed to indemnify losses.” The team determined that the social insurance
approach was the most operationally efficient, as it cut out “middlemen,” albeit this view
seems to be predicated on an overly optimistic appraisal of public services (at least as far
as the UK is concerned). It was accepted, however, that the social insurance approach was
unlikely to achieve the goal of matching compensation with losses as it was likely to pro-
vide uniform levels of compensation to its recipients. In this respect, the provision of cover
by private insurers on a voluntary basis (with government-provided reinsurance) was best
placed to achieve the second of the four goals set by the team.
The combination of private insurance and government reinsurance was also “likely
the most effective approach from the [third] risk mitigation perspective.” In respect of
the fourth goal of (presumably positive) macroeconomic impact, the team determined
that the social insurance approach would be of the greatest benefit given its “broad reach
and because a large proportion of benefits paid will go to those with a high marginal pro-
pensity to consume (e.g., low-to-middle income families, small businesses).” Again, this
assessment seems to be founded on a certain set of socio-economic or political precon-
ceptions. Overall, post-event assistance was deemed to be the least effective of the four
approaches. Indeed, the team went so far as to say “our sense is that the worst option is to
wait until another pandemic occurs, and then provide post-event aid.”
It appears, however, that Hartwig’s team neglected to mention a fifth approach by gov-
ernments and the market to deal with future pandemics. It is, to be fair to them, a vari-
ation on the post-event assistance approach and may not have seemed likely when they
conducted their work early in the life of the COVID-19 pandemic. This fifth approach
is to discuss various ways in which to deal with a future pandemic, at length and in
great detail; produce plans or schemes thereon, and then do nothing. Sadly, this appears
to be exactly the approach adopted to date. As the OECD lamented in its September
2022 Working Paper, when discussing the various proposed pandemic risk insurance pro-
grammes “at the time of writing, none of these proposals have led to the establishment of
such a programme.”
Nevertheless, in spite of this failure, the OECD reiterated the need for such schemes or
programmes and restated—in abbreviated form—the design features of such a scheme or
programme which it previously set out in its March 2021 report. These features, which
contain both similarities with and differences from the “goals” set out by Hartwig’s team,
were as follows:
(i) Broad coverage, potentially through automatic coverage extensions—this entails
automatic extensions of cover in relevant BII policies for pandemic-related losses
or the voiding of virus/disease exclusions in relation to specific pandemics (i.e.
when a pandemic has been formally certified by a government authority);


(ii) Limit public exposure by leveraging available private sector capacity—a scheme
or programme might operate in a bifurcated manner in which “government-
backing should target higher layers of losses, allowing private insurance (and
reinsurance) markets to develop for losses below a threshold for government
involvement.” The OECD recognised that “It is unlikely that private (re)insur-
ance markets would ever have the capacity to manage the losses resulting from
a pandemic on the scale of COVID-19.” All the same, participation by private
insurers and reinsurers would “reduce public sector exposure” and was to be
encouraged;
(iii) Provide incentives (or requirements) for risk reduction—those providing pan-
demic cover could be required to “ensure that policyholders have business con-
tinuity plans or other risk mitigation measures in place” to hasten the return
to business operations and reduce any losses incurred. The OECD suggested,
further, that such requirements upon policyholders could be extended to “meas-
ures to limit the spread of the virus” (such as a strengthened capacity for remote
working). Requirements upon policyholders to mitigate their losses often appear
in BII wordings; and
(iv) Consider whether insurance is the most efficient mechanism—The OECD noted
that “governments will need to consider whether it is more cost-effective to
provide financial support for a catastrophe risk insurance programme for these
losses or simply provide this support directly to businesses from the general gov-
ernment budget.” This is not so much a feature of a programme or scheme but,
rather, the alternative suggestion that pandemics could be dealt with by way of
social insurance.120
As noted above, the OECD reiterated features (i) to (iii) in its September 2022 Working
Paper and added a new one:
(v) Ensuring rapid payments for covered events—these were described as “critical”
and, consequently, the OECD maintained that any pandemic risk insurance pro-
gramme or scheme should have a “simple payment trigger,” possibly a parametric
trigger.
Which criteria, Hartwig’s team’s “goals” or the OECD’s features, should be used to assess
the value of any public-private pandemic risk insurance programme? There are merits
in both but, on the whole, Hartwig’s “goals” appear to be preferable, not least because
the OECD’s “features” are, in places, inconsistent. The most glaring conflict is between
the call for automatic extensions of BII cover to all pandemic-related losses (in the first
feature) and the recognition that private insurers would never have the capacity to meet
such losses (in the third). Moreover, even where they do not conflict, the OECD’s “features”
largely echo Hartwig’s earlier “goals.” That said, neither set of “goals” or “features”
included the need for precision in the language of any such schemes to minimise the
potential for the level of confusion and conflict seen in relation to claims for
COVID-19-related losses.121

120 The OECD added, in this context, that “An insurance programme would be most beneficial if it
increases private market appetite for assuming pandemic-related risks, supports risk understanding and risk
reduction and provides certainty to business regarding their coverage for future pandemic-related business
interruption losses” which would actually seem to be features in their own right.

Moving on from “features” (or “goals”), in its September 2022 Working Paper, the
OECD also discussed the fact that many of its member nations had developed catastrophe
risk insurance programmes in response to terrorism and NatCat risks. It went on to list
a number of these programmes, including the UK’s Flood Re and Pool Re reinsurance
programmes, which deal with flood and terrorism risks respectively. It also referred to
the US National Flood Insurance Program (NFIP) and the Australian Reinsurance Pool
Corporation (ARPC). Common features of these and other programmes are their fixed
cost or simplified premium structure and a measure of public financial and administra-
tive support. An earlier OECD report had concluded that these various programmes have
“generally lead to high levels of insurance coverage for the types of perils and or policy
holders included within the scope of the program.”122
The OECD made the sensible suggestion that the “lessons” learned during the COVID-
19 pandemic and the experience of establishing these other catastrophe risk programmes
could be utilised in the creation of future pandemic risk insurance programmes. It also
listed a number of the pandemic risk insurance programmes that had been proposed—but
not yet implemented—by various parties. Among these programmes were the ReStart,
Recover Re and Black Swan Re proposals by Lloyd’s and the US Pandemic Risk Insurance
Act. While it would be asinine in a chapter of this length to discuss the details of each
and every NatCat programme or proposed pandemic risk insurance programme, it makes
sense to give some consideration to these proposals, not least because they originate from
two of the four top insurance markets.

The Lloyd’s proposals


In its July 2020 White Paper “Supporting global recovery and resilience for customers and
economies,”123 Lloyd’s identified three potential solutions to the financial pressures upon
businesses of the (then and now) ongoing COVID-19 pandemic and future pandemics.
The first potential solution was the provision of a “short-term government backstop”
ahead of a “longer-term solution.” This is, of course, the “post-event assistance”
approach identified by Hartwig’s team and Lloyd’s also recognised that it had been carried
out in response to the COVID-19 pandemic—albeit without any sign of a “longer-term
solution.”
The second potential solution was to “pool insurance capital to provide some of the
capacity to cover a second wave of COVID-19” by way of a scheme named ReStart.
The second and subsequent waves of the COVID-19 pandemic have since occurred, and
ReStart has not appeared. The third potential solution was to offer long-term commercial
cover to policyholders (i.e. so that insurers could “recoup the claims made in the early
part of the policy term over a longer period”). Lloyd’s recognised that such long-term
commercial policies would probably require government support and, to this end,
developed its Recover Re product.

121 These are not, of course, the only analyses of pandemic risk insurance. See also Rand Corporation’s
“Improving the Availability and Affordability of Pandemic Risk Insurance” (2021) available at
www.rand.org/pubs/research_reports/RRA1223-1.html.
122 “Enhancing Financial Protection Against Catastrophe Risks: The Role of Catastrophe Risk Insurance
Programmes” (11 October 2021)
www.oecd.org/finance/insurance/Enhancing-financial-protection-against-catastrophe-risks.htm.
123 Available at
https://assets.lloyds.com/assets/lloyds-covid19-response-package-lloyds-covid-19-white-paper-appendix-final/2/lloyds-covid19-response-package-Lloyds_covid-19_white-paper_appendix-FINAL.pdf.

Finally, Black Swan Re, a reinsurance “framework for government and insurance indus-
try partnership,” was proposed by Lloyd’s as a means by which insurers could provide
non-damage BII cover in respect of “the devastating and long-term impacts of systemic
catastrophic events.” The details of how these three proposals would operate were set
out in the White Paper and its supporting “Open Source Frameworks for Systemic Risk”
(OSF) and will not be replicated in full here.124 Instead, given that it is intended to address
future long-term problems rather than the aftermath of the COVID-19 pandemic, the fol-
lowing text focuses on the Black Swan Re proposal.
Black Swan Re was described by Lloyd’s as a framework for the provision of coverage
for “future systemic risks through insurance industry-pooled capital” backed by a govern-
ment guarantee to make up any shortfall in provision. Lloyd’s described such systemic
risks as including major public health emergencies (such as pandemics); widespread tel-
ecommunications or utilities failures (caused by cyber-attacks or extreme solar storms);
failures in the supply chains for food or other critical resources; and accelerated climate
change. In Lloyd’s view, which is credible, any of these systemic risks could result in
aggregate losses in excess of “multiple trillions of dollars.”
The objective of the Black Swan Re framework would be singular. It would provide no
more than non-damage BII cover for future systemic events (i.e. rather like the secondary
triggers under some existing BII covers) and the “secondary impacts” of such events, such
as supply chain disruption. Lloyd’s envisaged that pandemic risks would be the first to be
covered, followed (presumably as the framework’s capacity increased) by other systemic
risks. As Black Swan Re premiums would be written only on the basis of these future
systemic risks, it was anticipated that these would be smaller and more affordable than
would otherwise be the case. In any event, it was Lloyd’s expectation that the full cost
of the future risks would not be placed on policyholders given the proposed government
“backstop.”
The framework would have three layers of funds, with a primary “commercial layer;”
followed by an intermediate “pool layer;” and a final “government layer.” The aim of this
structure was to enable insurers to provide coverage for future systemic events with a gov-
ernment guarantee (or backstop) if the pooled assets were exhausted. It was believed that
the government’s agreement to accept the excess claims for non-damage BII cover, above
an agreed insurance industry retention, would enable Black Swan Re to provide a broader
range and level of cover and enable the primary and intermediate layers to be built up in
size (by way of contributions from insurance policies or from taxation).

124 Available at
https://assets.lloyds.com/assets/lloyds-covid19-response-package-lloyds-covid-19-white-paper-appendix-final/2/lloyds-covid19-response-package-Lloyds_covid-19_white-paper_appendix-FINAL.pdf.

Beyond this “big picture,” the White Paper and OSF offered little by way of concrete
details, especially nothing approaching a set of anticipated clauses or a draft policy
wording or reinsurance treaty. Whether the framework would be compulsory or not,
the triggers for cover and the pricing structure were all discussed but no conclusions were
drawn by the White Paper. When it came to the issue of compulsory or voluntary cover,
Lloyd’s held that “unless there is mandatory participation, the scheme may fail to garner
sufficient funds/take-up” but did not mandate such an approach. In respect of the triggers,
arguably the most crucial aspect of the framework, it was observed that:
Given the variety and nature of systemic risks, defining triggers is one potential option, for
example: setting the appropriate triggers to identify when claims should be paid is invariably
going to be complex.

The possible triggers (which Lloyd’s opined could operate alone or in combination) for
cover discussed in the White Paper and OSF resembled those already seen in relation to
BII policies and the PathogenRX cover, including WHO pandemic declarations, a certain
level of decline in economic activity and government certification of loss events. Yet,
no particular triggers or any hierarchy of the same or other system was endorsed within
the White Paper or OSF. As for premiums, the White Paper and OSF mulled over rela-
tive risk pricing and fixed premiums but, again, nothing concrete—such as the Pool Re
approach—was proposed.
What are we to make of Black Swan Re? Does it offer a solution to the so-called “cover-
age gaps” in pandemic risk insurance? Does it satisfy the “goals” and “features” identified
by Hartwig and his colleagues and the OECD? How robust is the language of the proposed
framework? Unfortunately, we cannot answer any of these questions because we simply
do not have the information with which to do so. While, as with any efficiently designed
insurance programme, it may match compensation with losses and provide incentives
for risk mitigation, we do not know if it will do so in practice. It also seems to limit
public exposure to future pandemic-related losses with its three layers of cover but how
effective this process may be in practice (especially if insurers chose not to participate
in the absence of any government or industry-imposed obligation to do so) is unknown.
Moreover, we know nothing of the language of the cover, including its scope, beyond its
possible resemblance to the secondary BII triggers.
Another problem, not mentioned by the OECD or Hartwig’s team, is the fickleness of
governments. It is all very well proposing grand schemes for public-private collaboration
but, to paraphrase Hotspur, will the “public” part of the scheme come when it is called
upon?125 Since the release of the White Paper and OSF in 2020, there appears to have been
no progress whatsoever with the three Lloyd’s COVID-19 and future pandemic “solutions.”
The last “news” or “press release” post on Lloyd’s website relating to COVID-19
concerns the UK Supreme Court’s judgment in FCA v Arch.126 Perhaps it is unfair
to blame the UK government for the apparent lack of action, but it is also worth noting
that ministers and officials have not met the representatives of Pandemic Re, another
industry-backed initiative, since March 2022.127 At the risk of overdoing the cultural
references, perhaps it is a case of “No interest, Minister.”

125 Henry IV Part 1, Act III, Scene 1 features the following exchange between Glendower and Hotspur—
GLENDOWER: I can call spirits from the vasty deep. HOTSPUR: Why, so can I, or so can any man, But will
they come when you do call for them?
126 See “Stay up to date with the latest news from Lloyd’s” available at
www.lloyds.com/news-and-insights/market-communications/covid-19/coronavirus-news.
127 See S Barton “Pandemic Re—no meetings with Treasury since March” (Insurance Age, 3 August
2022) www.insuranceage.co.uk/insight/7950256/pandemic-re-no-meetings-with-treasury-since-march.

The US Pandemic Risk Insurance Act


Over the course of 2020 and 2021, members of the US Congress introduced five items of
legislation to address the so-called pandemic risk insurance gap revealed by the outbreak
of COVID-19. These were:
(i) The Business Interruption Relief Act of 2020;
(ii) The Business Interruption Insurance Coverage Act of 2020;
(iii) The Never Again Small Business Protection Act;
(iv) The Pandemic Risk Insurance Act; and
(v) H.R. 114.
The Business Interruption Relief Act envisaged a voluntary programme by which par-
ticipating insurers would cover policyholders’ COVID-19-related BII claims and be
reimbursed by the US government for doing so. The Business Interruption Insurance
Coverage Act, much like some of the state legislation discussed previously, would have
obliged insurers to provide coverage under existing BII policies for “losses due to viral
pandemics, forced closures of businesses, mandatory evacuations, and public safety
power shut-offs, and for other purposes” irrespective of any policy terms requiring physi-
cal damage or any virus exclusions.
The Never Again Small Business Protection Act and Pandemic Risk Insurance Act
(PRIA) were both prospective in their approach rather than focused on ameliorating the
consequences of the COVID-19 pandemic. The former required insurers to “make avail-
able insurance coverage for business interruption losses due to national emergencies,
and for other purposes,” and the latter established “a Federal program that provides for a
transparent system of shared public and private compensation for business interruption
losses resulting from a pandemic or outbreak of communicable disease.” Finally, H.R.
114 required the US Comptroller General to prepare a report on the practicability of a
“national all-hazards disaster insurance program.”128
As of the time of writing, only the PRIA is still under consideration by the US
Congress.129 Representative Carolyn Maloney introduced the original version of the PRIA
in April 2020. That version was not passed into law before the end of that session of the
US Congress (i.e. the 2020 Presidential and Congressional elections intervened), and she
subsequently introduced a second version of the proposed legislation in November 2021.
In a manner similar to that of the US Terrorism Risk Insurance Act 2002 (TRIA), which
was introduced in the wake of 9/11 to provide a federal reinsurance “backstop” for pro-
viders of coverage for property damage following terrorist incidents, the PRIA would be
triggered by a government declaration of a “public health emergency” (i.e. a pandemic).

128 See Insurance for COVID-19 Related Business Income Losses: Key Legislative and Regulatory
Developments Tracker (US): 2020 and 2021 available at
https://content.next.westlaw.com/practical-law/document/If5ac0e5584a711ea80afece799150095/Practice-Note-Insurance-for-COVID-19-Related-Business-Income-Losses-Key-Legislative-and-Regulatory-Developments-Tracker-US-2020-and-2021-Key-Federal-Legislative-Developments?viewType=FullText&originationContext=document&transitionType=DocumentItem&ppcid=93f27bd06895484f99b213f7cf83e7c4&contextData=(sc.Search)#co_anchor_a938298.
129 See US Congress website page on the current version of the PRIA, available at
www.congress.gov/bill/117thcongress/housebill/5823?s=1&r=34#:~:text=This%20bill%20establishes%20the%20Pandemic,pandemics%20and%20outbreaks%20of%20disease.

Under the original version of the PRIA, insurers would retain 5% of their losses above
their deductibles, with the government taking responsibility for the remaining 95%. There
would, however, be no government reimbursements to the participating insurers until the
aggregate industry losses exceeded US $250 million, and there would be a cap of US $750
billion on these reimbursements. It was noted that the original version of the PRIA scheme
had no post-event method for the recovery of reinsurance payments made and other costs.
Nor was there any pre-event financing mechanism for the US government’s costs, sug-
gesting that these would be funded by tax revenues (rather than through ex-post financing
as under the TRIA programme).
The reintroduced version of the PRIA shared many of the features of its fallen predeces-
sor, but it went further in obligating insurers to make pandemic loss coverage available
in their excess insurance, workers’ compensation, BII, commercial general liability and
D&O policies. It also required them to make parametric non-damage BII cover available
in their commercial property insurance policies. While the US government would con-
tinue to be responsible for 95% of the losses and the insurers for the remaining 5%, the US
$750 billion total loss cap was removed from the second version of the PRIA.
Robert W. Klein and Harold Weston raised a number of concerns about the original
version of the PRIA, which also apply to the reintroduced version (and may even be exac-
erbated in the latter).130 First, they identified an ambiguity in the text of the PRIA over
what would constitute a covered loss. Despite a change in the wording of the reintro-
duced PRIA, the ambiguity remains. Secondly, the current version of the PRIA defines an
“insured loss” as “any loss resulting from an outbreak of infectious disease or pandemic
for which a covered public health emergency is certified that is covered by primary or
excess property and casualty insurance issued by an insurer if such loss occurs.” The
wording of the earlier version of the PRIA was in similar terms and, as Klein and Weston
pointed out at the time, “assumes a pandemic-caused loss is the same as the perils covered
by typical BI insurance.”
They also raised concerns over the lack of detail on rate-setting and funding of the
PRIA programme and the fact that participation would be voluntary. The latter of these
two concerns appears to have been addressed insofar as the reintroduced version of PRIA
provides that insurers would be obliged to participate, which raises the “freedom to con-
tract” issue which was discussed earlier in relation to US state legislation.
As with the Lloyd’s proposals, it is very difficult to say whether a PRIA scheme would
fulfil the “goals” and “features” discussed above. Moreover, as with the Lloyd’s propos-
als, the question may be academic. At the time of writing, the PRIA is still before the
House (of Representatives) Committee on Financial Services, where it has sat since 2021.
It still has to pass in the House and the Senate and be approved by the President before
it becomes law. Given that the proposed legislation is still “in limbo,” the odds of it, or a
third iteration of PRIA, reaching the statute books seem long.

130 R W Klein, H Weston, “Feasibility Questions About Government-Sponsored Insurance for Business
Interruption Losses from Pandemics” Journal of Insurance Regulation 39, no. 7 (2020), 1–19.


Summary
Despite the severity of the ongoing COVID-19 pandemic and the initial bout of activ-
ity from the insurance industry, financial regulators and other public bodies in respect
of “filling” the perceived “coverage gap” which it exposed, no comprehensive medium
or long-term insurance-based solution has been implemented. The broad parameters of
such solutions have been amply set out by Hartwig, the OECD and others but that is
about as far as matters have proceeded. The details, in terms of such matters as policy
wordings and funding, have barely been touched upon, let alone been cast into schemes,
programmes and products that have been made available to the industry or prospective
policyholders. Moreover, as time goes on, it seems unlikely that any of the schemes and
programmes identified by the OECD or others—except for small-scale measures—may
be implemented.131

Conclusions
This chapter has sought to consider the challenges faced by the insurance industry with
respect to future “inevitable” pandemics. Those challenges, as has been seen, are consid-
erable. They are, as has also been seen, not being met with the level of industriousness that
one would have hoped for, if not necessarily expected. When the next pandemic arrives—
and it will—it seems likely that it will not be met with a PRIA programme or Pandemic
Re but with another flurry of after-the-event government action and little else. It may fall
to individual BII providers to step up to the mark once again and, even more so than in
respect to COVID-19, they may not be willing to do so. Some would say “Why should
they?” and there would be much justification for them doing so. After all, as has also been
seen, BII policies are not generally intended to respond to NatCat risks such as pandemics.
The courts have repeatedly made it clear that the purpose of BII cover, as with all other
insurance policies, is determined by its policy language and have held in different cases
that it does—or does not—cover COVID-19 accordingly. For every FCA v Arch, there is
a Swiss Re International v LCA Marrickville.
As to the development of pandemic risk cover, there is little indication that the market
has any appetite for doing so. Indeed, according to recent reports, NatCat premiums are
expected to increase by a third following a number of extreme weather events, such as
Hurricane Ian in the United States in September 2022, which is not conducive to the addi-
tion of cover for “new” NatCat risks.132 In any event, such cover would still have to address
the same issues as those faced by Marsh and Munich Re’s PathogenRX. The reluctance,
even after COVID-19, of potential policyholders to pay for such “expensive” insurance
and the need to set out, in definitive terms, what was covered and what was not remain.
Any failure to address these issues would lead to the same flurry of policyholder v insurer
litigation as that brought about by the COVID-19 pandemic.
The same issues apply to any comprehensive medium or long-term public-private pandemic
risk programme. In fact, they are even greater. What would be the scope of such
a programme? If it was some form of reinsurance, would participating insurers have to
agree to a uniform set of policy wordings for their own offers to prospective policyholders?
If not, why not, and how would any differences be resolved? Where does the doctrine
of “follow the fortunes” stand in such a situation, when the reinsurer is the state and
has many other calls upon its resources? There are many examples of existing NatCat
programmes, such as Pool Re, to draw upon for guidance but, crucially, pandemic risks
are not like other NatCat risks. Given these difficulties, it is, arguably, hardly surprising
that the words and the warning of the Lloyd’s report of 2008 still ring true and remain
unanswered. Future reviews, commissions and consultations, such as the UK COVID-19
Inquiry,133 may provide a renewed “push” to the efforts to develop comprehensive pandemic
risk insurance products, but it is equally likely that they may not. Hartwig’s “worst
option” remains in place.

131 One such modest measure was a programme implemented in 2020 in the Hainan province in China for
“key enterprises.” Maximum compensation was RMB 2 million (US $300,000) per enterprise.
132 I Smith, “Catastrophe reinsurance set to soar after year of extreme weather, industry warns,” (Financial
Times, 26 November 2022) available at www.ft.com/content/cddcae5c-2783-4b40-9715-06104774248.

133 The Inquiry website is available at https://covid19.public-inquiry.uk/.

Chapter 14

Climate Change and Insurance


Nigel Brook, Wynne Lawrence and Zaneta Sedilekova1

CONTENTS
The problem of climate change
The international response to climate change
Climate change and financial markets: Physical, transition and liability risk
Physical risk: Loss and insurance impacts
Transition risk: The pace of change
The history of insurance industry leadership: Two decades of climate action
The global regulatory response to climate change: Impacts on insurers
National regulatory developments
United Kingdom
Germany
United States
Australia
Post-COVID progress on financial regulation
Voluntary commitments to net zero
Financed emissions
Insurance-associated emissions
Opportunities for the insurance sector
New products and de-risking innovation
National risk pools for natural catastrophe risk
New partnerships for disaster resilience
Risk pools
The Global Shield
Conclusion—climate, biodiversity, planetary boundaries and ESG

1 The authors acknowledge and express their appreciation for the contributions to this chapter by Benjamin
Soh, Magnus Taylor, Matthew Loy, Anna Harkin, Paige Matthews, Saskia Wolters, Arina Naumova and Chiara
Vigneri.

DOI: 10.4324/9781003319054-14



The problem of climate change


Since the mid-1800s, scientists have understood in principle that greenhouse gases (GHGs)
such as carbon dioxide (CO2) could cause atmospheric warming.2 Widespread scientific
agreement that climate change was in fact occurring emerged in the late 1980s. In
1988 the Intergovernmental Panel on Climate Change (IPCC) was founded by the World
Meteorological Organization (WMO) and the United Nations Environment Programme
(UNEP) to provide governments at all levels with scientific information to develop climate
policies. The IPCC does not conduct its own research, but through assessments of existing
research identifies the strength of scientific consensus globally. By 1991, two-thirds of
earth and atmospheric scientists accepted the idea of anthropogenic global warming.3 By
1995, the IPCC concluded that “the balance of evidence suggests that there is a discernible
human influence on global climate.”4 And in its Sixth Assessment Report in 2021,
the IPCC stated that “it is unequivocal that human influence has warmed the atmosphere,
ocean and land.”5
The science is clear. Human activity since the Industrial Revolution, such as the
burning of fossil fuels and rapid deforestation, has increased the concentration of all
GHGs in the atmosphere.6 Average global temperatures have, at the time of publication,
increased by approximately 1.2 °C since the Industrial Revolution with land
areas warming more than the sea surface.7 The consequences include increased flood
and wildfire risk, melting of sea ice, intensification of heavy precipitation over continental
areas, increasing upper-ocean acidity, increasing frequency and intensity of
daily temperature extremes, reductions in Northern Hemisphere snow and ice, and
rising global sea levels. CO2 emissions stay in the atmosphere for hundreds of years,
so the average temperature will continue to rise and the impacts will become more
serious until net emissions are reduced to zero.
According to the IPCC, the most serious physical effects of climate change will not
materialise for some time, although they could arise sooner and be more catastrophic
if we reach one of the planetary “tipping points.” In simple terms, a tipping point is a
critical planetary threshold that, if crossed, may lead to large, unpredictable and (in many
cases) irreversible changes in Earth’s climate system. For example, drier tropical forests
may escalate the loss of CO2-absorbing biomass, increasing CO2 concentrations in the

2 Amara Huddleston, “Happy 200th Birthday to Eunice Foote, Hidden Climate Science Pioneer,” NOAA
Climate.gov, 17 July 2019,
www.climate.gov/news-features/features/happy-200th-birthday-eunice-foote-hidden-climate-science-pioneer.
3 Julia Rosen, “The Science of Climate Change Explained: Facts, Evidence and Proof,” The New York
Times, 19 April 2021, sec. Climate, www.nytimes.com/article/climate-change-global-warming-faq.html.
4 IPCC Second Assessment Report, “Climate Change 1995,” 5, www.ipcc.ch/site/assets/uploads/2018/05/2nd-assessment-en-1.pdf.
5 A Reisinger, M Howden, C Vera et al., “The concept of risk in the IPCC Sixth Assessment Report:
a summary of cross-Working Group discussions,” Intergovernmental Panel on Climate Change, Geneva,
Switzerland, 4 September 2020 (hereafter IPCC Sixth Assessment Report).
6 GHGs are CO2, chlorofluorocarbons, methane, tropospheric ozone, and nitrous oxide.
7 Stéphanie Bouckaert et al., “Net Zero by 2050, A Roadmap for the Global Energy Sector,” 4th revision,
October 2021, International Agency Report (IEA), www.iea.org/reports/net-zero-by-2050 (hereafter IEA
Report); IPCC Sixth Assessment Report (n 5).


atmosphere. This in turn increases temperatures and contributes to the further loss of
tropical forests, creating an irreversible feedback loop.
Climate change also has profound impacts on living systems and biodiversity. Tropical
ecosystems have joined polar, mountain, coral and Mediterranean ecosystems on the list
of the most vulnerable habitats, which will be severely damaged by 2–3 °C warming.8 If
balances in these ecosystems are tipped, consequences can cascade through the entire
ecosystems and impact human societies in unpredictable ways. Such impacts are already
apparent, with increasing loss of lives and livelihoods from extreme weather events that
are no longer buffered by degrading ecosystems, or increased incidence and spread of
certain diseases such as malaria, which can migrate from their “native” tropical regions
to warming regions.9 The second part of the IPCC’s Sixth Assessment Report, released
in February 2022, warns that: “reaching 1.5 °C in the near-term, would cause unavoidable
increases in multiple climate hazards and present multiple risks to ecosystems and
humans.”10
Reducing the amount of GHGs emitted by human activity and accelerating the removal
of these gases from the atmosphere is the only way to avoid much of the projected warming
and its associated global-scale effects. According to the IPCC, global emissions will
need to be cut by half by 2030 to keep temperature increase below 2 °C above pre-industrial
levels.11 To keep temperature increase below 1.5 °C there will need to be net-zero
carbon emissions by 2050.12
Reaching net-zero emissions requires action in the following key areas:13
1. Decarbonisation of the global energy supply;
2. Rapid electrification of buildings, industry and transport using clean electricity
and switching to lower-carbon fuels;
3. Greater efficiency and less waste in all sectors, such as energy efficiency in buildings
and industry;
4. A reduction in land and industry emissions;
5. Improved carbon sinks whether nature-based (such as afforestation) or technological
(such as carbon capture and storage (CCS)).

8 IPCC Sixth Assessment Report (n 5).


9 “The Science behind climate change,” Met Office, www.metoffice.gov.uk/weather/climate/science/the-science-behind-climate-change#:~:text=as%20a%20system-,Climate%20science%20is%20the%20study%20of%20regional%20and%20global%20climate,system%20works%20as%20a%20whole.
10 IPCC, 2022: Climate Change 2022: Impacts, Adaptation, and Vulnerability. Contribution of Working
Group II to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change [H-O Pörtner, D
C Roberts, M Tignor, E S Poloczanska, K Mintenbeck, A Alegría, M Craig, S Langsdorf, S Löschke, V Möller,
A Okem, B Rama (eds.)]. Cambridge University Press, Cambridge, UK and New
York, NY, United States, 3056, doi:10.1017/9781009325844 (hereafter IPCC Working Group II).
11 The IPCC’s Fifth Assessment Report, “What’s in it for Small Island Developing States?” Cambridge
University Press, www.ipcc.ch/assessment-report/ar5/ (hereafter IPCC Fifth Assessment).
12 Nicholas Stern, “Sustainability and internationalism: driving development in the 21st century,” Policy
Insight. London: Grantham Research Institute on Climate Change and the Environment and Centre for Climate
Change Economics and Policy, London School of Economics and Political Science, 2019, www.lse .ac .uk /
GranthamInstitute /wp -content /uploads /2019 /03 /Stern Sustainability -and -internationalism .pdf, 10.
13 https://en-roads.climateinteractive.org/scenario.html?v=23.2.1; see generally, “Report on the
Implementation of Climate-Related Adaptation Measures in Non-Life Underwriting Practices,” EIOPA, 6
February 2023, EIOPA-BoS-22-593. The pilot exercise was aimed to better understand the industry’s current
underwriting practices regarding climate change adaptation.


In terms of adaptation to an already changing climate, measures to adapt buildings and
infrastructure to rising temperatures and their effects, or support nature-based solutions
with a resilience benefit (such as coastal reefs and mangroves), could help to protect economies
and human health from at least some of the impacts of climate change.

THE IEA’S 1.5-DEGREE ROADMAP


In May 2021 the International Energy Agency (IEA) published its landmark “Net Zero by 2050:
A Roadmap for the Global Energy Sector,” which charted a narrow but achievable roadmap to
a 1.5 °C stabilisation in rising global temperatures and the achievement of other energy-related
sustainable development goals. The IEA roadmap would require an unprecedented transformation
of how energy is produced, transported and used globally, requiring a historic surge in clean
energy investment, with no investment in new fossil fuel supply projects and no further final
investment decisions for new unabated coal plants. The roadmap would require that, by 2035,
there are no sales of new internal combustion engine passenger cars, and by 2040, the global
electricity sector reach net-zero emissions. In the near term, the report describes a net-zero pathway
that requires the immediate and massive deployment of all available clean and efficient
energy technologies, combined with a major global push to accelerate innovation. The pathway
calls for annual additions of solar PV to reach 630 gigawatts by 2030, and those of wind power
to reach 390 gigawatts.14

The international response to climate change


Recognising the risk that climate change poses to human society, the international community
established a mechanism to curb unabated global warming through mitigation
of GHG emissions, and to develop measures to adapt to a changing climate. The UN
Framework Convention on Climate Change (UNFCCC or the Framework Convention)
entered into force on 21 March 1994 at the Rio Earth Summit with 197 ratifying countries
as parties.15 The UNFCCC’s core objective is to stabilise the concentration of GHGs in
the atmosphere. The Conference of the Parties (COP) is an association of all ratifying
parties and the Framework Convention’s supreme body. It meets annually at so-called
“COPs,” which are attended by heads of state, ministers, environmental experts and non-
governmental organisations (NGOs).
A key milestone in climate action at the international level was the Kyoto Protocol in
1997,16 which operationalised the UNFCCC by committing countries to limit and reduce
GHG emissions in accordance with agreed national targets. The Protocol also offered
states an additional means to meet their targets by way of market-based mechanisms,
such as emissions trading schemes. At the time of publication, there are 192 parties to the
Kyoto Protocol. However, the mechanism adopted under the Kyoto Protocol has

14 IEA Report (n 7) 14.


15 “What is the United Nations Framework Convention on Climate Change?” United Nations Climate
Change, https://unfccc.int/node/10831/.
16 Owing to a complex ratification process, it entered into force on 16 February 2005.


been considered insufficient, with only some states having an obligation to mitigate their
GHG emissions. Indeed many present-day large emitters, such as China and India, had
no mitigation obligations under the Kyoto Protocol. As a result, efforts were made in the
first two decades of the twenty-first century to negotiate a more impactful climate change
agreement under the UNFCCC.
At the 21st Conference of the Parties (COP21) in Paris on 12 December 2015, the parties
to the UNFCCC signed the Paris Agreement, a landmark agreement on climate change.
The Paris Agreement sets out a global action plan to avoid dangerous climate change
by limiting global warming to well below 2 °C and pursuing efforts to limit it to 1.5 °C
compared to pre-industrial levels.17 Its framework is based on three pillars—climate
mitigation, adaptation, and loss and damage. The Paris Agreement entered into force on
4 November 2016 and has been ratified by 194 countries to date.18
To achieve the Paris Agreement temperature goals, countries aim to peak their GHG
emissions as soon as possible to achieve a net-zero world by mid-century. The Paris
Agreement requires all parties to put forward their best efforts through nationally determined
contributions (NDCs) for GHG reductions and to strengthen such efforts year on
year.19 This includes requirements that all parties report regularly on their emissions and
on their implementation efforts.20 Apart from their mitigation efforts, countries also use
their NDCs to communicate how they will build resilience to adapt to the impacts of climate
change.21 Parties have legally binding commitments to submit and implement NDCs
and increase their level of ambition over time.22
The Paris Agreement also reaffirmed that developed countries should take the lead
in providing financial assistance to countries that are poorer and more vulnerable. It is
recognised that climate finance is needed for mitigation efforts because of the large-scale
investments that will be required to reduce emissions. Climate finance is equally important
for adaptation, as significant financial resources are needed to adapt to the adverse
effects and reduce the impacts of a changing climate.
The Paris Agreement creates international legal obligations to implement policies,
laws and regulations to bring individual parties’ emissions in line with their NDCs.
Accordingly, parties have implemented national climate frameworks to set medium and
long-term targets consistent with their international commitments with mechanisms to
measure domestic GHG emissions and to review and “ratchet” national ambition on emissions
reductions over time. As a result, globally, there are now over 2,960 climate laws
and policies.23 In comparison, at the time of the adoption of the Kyoto Protocol24 in 1997,

17 See https://ec.europa.eu/clima/policies/international/negotiations/paris_en.
18 See https://unfccc.int/process/the-paris-agreement/status-of-ratification.
19 See “The Glasgow Climate Pact-Key Outcomes from COP26,” https://unfccc.int/process-and-meetings/the-paris-agreement/the-glasgow-climate-pact-key-outcomes-from-cop26.
20 See https://unfccc.int/process-and-meetings/the-paris-agreement/the-paris-agreement.
21 “Paris Agreement to the United Nations Framework Convention on Climate Change,” 12 December
2015, T.I.A.S. No. 16-110, 4.
22 Daniel Bodansky and Lavanya Rajamani, “The Evolution and Governance Architecture of the United
Nations Climate Change Regime.” Global Climate Policy: Actors, Concepts, and Enduring Challenges (2018),
13–65.
23 “Climate Change Laws of the World,” Grantham Research on Climate Change and the Environment,
https://climate-laws.org/ (hereafter Climate Change Laws).
24 A precursor of the Paris Agreement, the Kyoto Protocol was a 1997 international treaty extending the
UN Framework Convention on Climate Change (UNFCCC) which committed UNFCCC signatory parties to


there were 60 such laws and policies.25 National climate laws relate to both mitigation and
adaptation, and cover a wide range of topics including environmental regulation, forestry,
electricity and heat, agriculture, transportation, buildings, infrastructure and disaster risk
reduction. Measures to reduce emissions include reductions targets, carbon pricing and
taxes or emissions trading schemes, all seeking to keep emissions within acceptable levels
and in line with international commitments.
National climate action is progressing. As of publication, China (the largest emitter)
has committed to net zero,26 the EU has set out an ambitious “Green Deal” plan towards
the same goal,27 and the United States has passed the Inflation Reduction Act (IRA)28 with
ambitious energy and climate provisions, such as a series of tax credits, grants and subsidies
with US $369 billion funding to be invested in everything from clean power sources
and electric vehicle supply chains, to innovative home appliances, new industrial processes,
and sustainable farming practices. The IRA is expected to help the United States
achieve a 40% reduction in emissions by 2030.29 Nonetheless, there is currently a policy
gap. Work done by the organisation Climate Action Tracker indicates that the global community
is not yet on track to meet the aspirational 1.5 °C goal of the Paris Agreement with
national 2030 climate commitments, even when fully implemented, leading to roughly
2.4 °C to 2.8 °C.30
If we overshoot 1.5 °C, the effects will be extreme. The IPCC has highlighted the urgent
need to limit global warming to 1.5 °C31 and the devastating consequences if we fail to do
so in an orderly and timely manner.32 For example, nearly 700 million people (9% of the
world’s population) will be exposed to extreme heat waves at least once every 20 years at
1.5 °C, but more than 2 billion people (28.2%) at 2 °C.33 Similarly in a 1.5 °C world, by
the end of the century, 70% of tropical coral reefs are at risk of severe degradation, but
virtually all in a 2 °C world.34 Although not all threats can be eliminated, the IPCC also

reduce GHG emissions; see https://unfccc.int/kyoto_protocol/background/items/3145.php.
25 Michal Nachmany, Sam Fankhauser, Joana Setzer and Alina Averchenkova, “Global trends in climate
change legislation and litigation: 2017 update,” Grantham Research Institute on Climate Change and the
Environment.
26 Smriti Mallapaty, “How China could be carbon neutral by mid-century,” Nature 19 October 2020,
www.nature.com/articles/d41586-020-02927-9.
27 Climate Action, “2050 long-term strategy,” European Commission,
https://ec.europa.eu/clima/policies/strategies/2050_en#:~:text=The%20EU%20aims%20to%20be,action%20under%20the%20Paris%20Agreement.
28 “Inflation Reduction Act of 2022,” Loans Programs Office, Department of Energy,
www.energy.gov/lpo/inflation-reduction-act-2022.
29 Shannon Osaka, “Why the Climate Bill’s Impact Might Not Match What Many Expect.” Washington
Post, 18 August 2022, www.washingtonpost.com/climate-environment/2022/08/18/ira-inflation-reduction-act-climate-change/.
30 State of Climate Action 2022, Climate Action Tracker, 2022, https://climateactiontracker.org/publications/state-of-climate-action-2022/.
31 IPCC 2022, “Climate Change 2022: Mitigation of Climate Change. Contribution of Working Group III
to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change” [P R Shukla, J Skea, R
Slade, A Al Khourdajie, R van Diemen, D McCollum, M Pathak, S Some, P Vyas, R Fradera, M Belkacemi,
A Hasija, G Lisboa, S Luz, J Malley, (eds.)]. Cambridge University Press, Cambridge, UK and New York, NY,
United States. doi: 10.1017/9781009157926 (hereafter IPCC 2022).
32 IPCC Sixth Assessment Report (n 5).
33 IPCC Sixth Assessment Report (n 5).
34 IPCC, 2018: Summary for Policymakers. In: Global Warming of 1.5 °C. An IPCC Special Report on
the impacts of global warming of 1.5 °C above pre-industrial levels and related global greenhouse gas emission
pathways, in the context of strengthening the global response to the threat of climate change, sustainable


asserts, with high confidence, that “near-term actions that limit global warming to close to
1.5 °C would substantially reduce projected losses and damages related to climate change
in human systems and ecosystems.”35
At the time of publication, we are living in a world of 1.2 °C warming, and the impacts
of climate change are already apparent. Extreme weather events now hit the headlines
regularly with the value of insured and uninsured losses escalating year on year. The
hurricane season is worsening, droughts are worsening and heatwaves are worsening. In
2020, for example, multiple cities around the world experienced extreme temperatures
such as a record high of 42.7 °C in Madrid and a 72-year low of –19 °C in Dallas.36 The
Arctic Circle averaged summer temperatures 10 °C higher than in prior years.37
The impacts of climate change on human civilisation are myriad. In 2022 the IPCC
finalised the second part of the Sixth Assessment Report, Climate Change 2022: Impacts,
Adaptation and Vulnerability outlining the human and ecosystem impacts of unabated
climate change. Described by UN Secretary-General Antonio Guterres as “an atlas of
human suffering,”38 the report outlined that already 3.3 billion people are “highly vulnerable”
to climate impacts and 15 times more likely to die from extreme weather.39

Climate change and financial markets: Physical, transition and liability risk40
It is now generally understood that climate change poses a risk to the global financial system
and to financial markets worldwide. The Swiss Re Institute has predicted that climate
change could wipe out up to 18% of the GDP of the world economy by 2050 if temperatures
rise to 3.2 degrees.41 The insurance industry is just one of many parts of the world economy
which will increasingly bear the financial impact of climate change.
Climate change-related financial risks and opportunities are generally categorised as
follows:
1. Physical
2. Transition; and
3. Liability.42

development, and efforts to eradicate poverty [Masson-Delmotte, V, P Zhai, H-O Pörtner, D Roberts, J Skea, P
R Shukla, A Pirani, W Moufouma-Okia, C Péan, R Pidcock, S Connors, J B R Matthews, Y Chen, X Zhou, M
I Gomis, E Lonnoy, T Maycock, M Tignor and T Waterfield (eds.)]. Cambridge University Press, Cambridge,
UK and New York, NY, United States, 3–24. https://doi.org/10.1017/9781009157940.001.
35 IPCC 2022 (n 31).
36 “Global Risks Report 2022,” 17th ed, World Economic Forum, 11 January 2022,
www.weforum.org/reports/global-risks-report-2022 (hereafter Global Risks Report 2022).
37 Ibid.
38 “United Nations Secretary-General Antonio Guterres addresses the Human Rights Council,” NewsWire,
28 February 2022, https://ens-newswire.com/new-un-climate-change-report-an-atlas-of-human-suffering/.
39 IPCC 2022 (n 31).
40 For a more detailed treatment of liability risk see Chapter 15.
41 “This is How Climate Change Could Impact The Global Economy,” World Economic Forum, 28 June
2021, www.weforum.org/agenda/2021/06/impact-climate-change-global-gdp/.
42 The TCFD includes liability risk as a type of transition risk, rather than a standalone category. In its
2020 discussion paper on methodological principles of insurance stress testing, the European Insurance and
Occupational Pensions Authority (EIOPA) considers only physical and transition risks, noting the importance
of litigation risks but pointing to the limited availability of information and methodologies regarding its integration
into stress testing frameworks. However, the 2020 public consultation version of the “Application
Paper on the Supervision of Climate-related Risks in the Insurance Sector” produced by the International


These three categories were highlighted by Mark Carney, then-governor of the Bank of
England, in a seminal speech delivered at Lloyd’s of London in 2015 called “Breaking the
tragedy of the horizon—climate change and financial stability”43 which introduced the
concepts which would later inform the Bank of England’s and other financial regulators’
approach to mapping the effects of climate change on the financial system.
Each of these elements—the physical, transition and liability risks of climate change—
is having and will continue to have an impact on the global insurance market. At the same
time, the insurance industry has a vital role to play in helping the world adapt to a changing
climate and supporting the transition to a net-zero economy. Below we describe the key
features of each type of physical and transition risk. The following chapter (Chapter 15)
deals exclusively with climate liability risk.

In 2015, when I first spoke about the “Tragedy of the Horizon”, my chosen audience was
insurers, which was then the one group in the financial sector that had the perspective to begin
managing climate-related financial risks.44
Mark Carney, Governor of the Bank of England from
2013 to 2020

Physical risk: Loss and insurance impacts


Leading global (re)insurers have long sounded the alarm regarding the potential loss of
value that climate change will bring about through, for example, increased incidence of
wildfires, or higher sea levels and larger storms giving rise to storm surges and heavy
flooding in coastal cities. For instance, Lloyd’s of London has estimated that the 20 cm
rise in sea levels at the tip of Manhattan since the 1950s, when all other factors are held
constant, increased insured losses from Superstorm Sandy by 30% in New York alone.45
Physical risks resulting from climate change can be event-driven (acute) or stem from
longer-term shifts (chronic) in climate patterns such as temperature, precipitation and sea-
level rise, both of which can pose risks to businesses and the communities in which they
operate. Extreme weather events can seriously disrupt economic activity. Physical damage
to infrastructure, or interruptions to water and electricity supply or transport, can force
businesses to close and interrupt trade. Chronic changes to the climate affecting water
availability, food security and temperatures can affect the safety and reliability of physical
infrastructure, the longevity and operations of physical assets, operating costs (for

Association of Insurance Supervisors (IAIS) and the Sustainable Insurance Forum (SIF) recognises physical,
transition and liability risks as three risk categories.
43 Mark Carney, “Breaking the tragedy of the horizon—climate change and financial stability,” Speech, 29
September 2015, Bank of England, www.bankofengland.co.uk/speech/2015/breaking-the-tragedy-of-the-horizon-climate-change-and-financial-stability (hereafter Carney speech).
44 “Insuring the climate transition. Enhancing the insurance industry’s assessment of climate change
futures,” UN environment programme finance initiative, UNEPFI’s Principles for Sustainable Insurance
Initiative, January 2021, www.unepfi.org/industries/insurance/insuring-the-climate-transition/ (hereafter
UNEP FI 2021).
45 A Lloyd’s report (“Catastrophe Modelling and Climate Change”—2014) looks at factors that influence
the impact of hurricanes. It notes the importance of sea-level changes—in addition to wind speed and tides—
in the impact of Sandy on New York. See, www.lloyds.com/~/media/Lloyds/Reports/Emerging%20Risk%20Reports/CC%20and%20modelling%20template%20V6.pdf.


example, cooling and heating), transport needs and employee safety. In addition, climate
change could prompt increased morbidity and mortality from disease or pandemics.46
Inflation-adjusted, weather-related losses in the insurance sector have been increasing
from an average of around US $50 billion per annum in the 1980s to around US $200
billion per annum over the past decade.47 For example, Hurricane Harvey caused floods
and over 100 deaths in Texas and Louisiana in 2017 and gave rise to insured losses of $19
billion. Two attribution studies found that climate change made this hurricane three times
more likely and increased the storm’s rainfall by 15%. And another study found that the
record-breaking 2021 heat dome in the Pacific Northwest of America, with insured losses
of $8.9 billion, was made 150 times more likely by climate change. According to the UN
Office for Disaster Risk Reduction (UNDRR), in the last 20 years, there has been a rise of
151% in direct economic losses from climate-related disasters.48 Yet there is not enough
protection against losses from climate change. The “protection gap” between insured
losses and damage from extreme weather events is particularly stark in emerging and
developing countries.49 Increasing physical risks year on year will absorb (re)insurance
capacity and lead to a hardening of the market. There is also a growing understanding that
some of the modelling which underpins underwriting and risk management is not future-
proof and requires the addition of climate change science to adequately anticipate the risk
of weather extremes in “record-breaking” years. There are some estimates that currently
modelled losses could be undervalued by as much as 50% if recent weather trends were to
prove representative of the new normal. Insurers have warned that the world could simply
become uninsurable if climate change continues unabated.50

Transition risk: The pace of change


In addition to physical risks, corporates face transition risks resulting from the shift to
a lower-carbon economy. As described above, to reach the climate change goals set out
in the Paris Agreement, and pivot away from fossil fuel dependence, sweeping changes
must be made across industries and economic sectors as well as profound changes in
everyday life.
Transition risks are the indirect financial risks that will arise as the economy decarbon-
ises. Transition risks will arise because of changes in policy and regulation supporting

46 Celia McMichael, “Climate change-related migration and infectious disease.” Virulence vol. 6, 6 (2015),
548–53. doi:10.1080/21505594.2015.1021539, www.ncbi.nlm.nih.gov/pmc/articles/PMC4720222/.
47 “Global Insurance Industry Stands to Lose at Least $200 Billion This Year,” International Business
Times, 14 May 2020, www.ibtimes.com/coronavirus-repercussions-global-insurance-industry-stands-lose-least-200-billion-2976333.
48 “UN 20-year review: earthquakes and tsunamis kill more people while climate change is driving up economic
losses,” UNDRR, www.unisdr.org/archive/61121; and www.unisdr.org/we/inform/publications/61119;
for full report, see Pascaline Wallemacq, Rowena House, “Economic Losses, Poverty & Disasters 1998–2017,”
Centre for Research on the Epidemiology of Disasters and United Nations Office for Disaster Risk Reduction,
2018, www.unisdr.org/files/61119_credeconomiclosses.pdf.
49 “Natural disaster risks: Losses are trending upwards,” Munich Re, www.munichre.com/en/risks/natural-disasters-losses-are-trending-upwards.html.
50 See, for example, www.acclimatise.uk.com/2019/01/03/world-may-become-uninsurable-with-climate-change-says-iag/;
www.reinsurancene.ws/iag-says-climate-change-could-make-world-uninsurable-financial-review/;
www.wsj.com/graphics/climate-change-forcing-insurance-industry-recalculate/;
www.environmental-finance.com/content/news/climate-change-of-4c-would-be-uninsurable-says-axa-chairman.html.


low-carbon industries, taxing or pricing high-carbon ones,51 or because of technological
advances (often funded by green investments and policy) leading to decreased costs of
renewables, battery storage, energy efficiency, and carbon capture and storage.52
The transition must be managed carefully. Too abrupt a transition could destabilise
markets and lead to a “climate Minsky moment”: a major collapse of asset values because
of an incomplete understanding of market risk.53 If the transition to a low-carbon economy
is rapid or disorderly, there is a significant risk of assets becoming “stranded,”54 that
is, devalued or rendered obsolete. Asset stranding is a natural feature of any economy,
but climate change could strand assets at an unprecedented scale. Globally, a third of oil
reserves, half of gas reserves and over 80% of current coal reserves must remain unused
in order to meet the target of 2 °C agreed in Paris.55 Asset stranding would lead to reduc-
tions in the value of investments held by banks and insurance companies in sectors such
as coal, oil and gas.56 Reflecting this risk, (re)insurers have joined with other asset owners
and investors to call for coordinated climate action and engage with investee firms on
climate risk management.
The transition is gaining pace. At the time of writing, more than 133 countries have now
committed to becoming carbon neutral by mid-century, including major emitters such as
China (by 2060), the EU, the UK, Japan and South Korea,57 and around two-thirds of total
emissions now fall under such pledges.58 In June 2020, the Climate Ambition Alliance
renamed itself the Race to Zero Campaign (Race to Zero).59 With the objective of building
momentum around the shift to a decarbonised economy, Race to Zero has to date mobilised
11,309 non-state actors including 8,307 companies, 595 financial institutions, 1,136
cities, 52 states and regions, 1,125 educational institutions and 65 healthcare institutions
(as of September 2022).60 Many actors across the “real economy” joined the largest-ever
alliance committed to achieving net-zero carbon emissions by 2050 at the latest.61
Technological and market forces are already creating seismic change in the energy landscape.
The race to renewables has outpaced all predictions.62 In 2021 alone, China connected
around 17 gigawatts (GW) of offshore wind capacity to its national grid, more than

51 Cambridge Institute for Sustainability Leadership (CISL) (2019) “CISL Climate Wise Transition
Risk Framework Report: Managing the impacts of the low carbon transition on infrastructure investments,”
Cambridge Institute for Sustainability Leadership,
www.cisl.cam.ac.uk/resources/publication-pdfs/cisl-climate-wise-transition-risk-framework-report.pdf
(hereafter CISL 2019).
52 https://edu.bankofengland.co.uk/knowledgebank/climate-change-what-are-the-risks-to-financial-stability/.
53 Carney speech (n 43).
54 CISL 2019 (n 51) 6.
55 Christophe McGlade and Paul Ekins, “The geographical distribution of fossil fuels unused when limiting
global warming to 2°C,” Nature 517, no 7533 (2015) 187–190.
56 www.bankofengland.co.uk/knowledgebank/climate-change-what-are-the-risks-to-financial-stability.
57 “Net zero targets,” Climate Action Tracker,
https://climateactiontracker.org/methodology/net-zero-targets/#:~:text=As%20of%20March%202022%2C%2033,target%20(ECIU%2C%202021).
58 S Fankhauser et al., “The meaning of net zero and how to get it right.” Nat. Clim. Chang. 12, 15–21
(2022). https://doi.org/10.1038/s41558-021-01245-w.
59 “What is Race to Zero?”, Race to Zero, https://eu.eventscloud.com/website/3981/race-to-zero-faqs/.
60 https://unfccc.int/climate-action/race-to-zero-campaign.
61 “Race To Zero Campaign,” UNFCCC, https://unfccc.int/climate-action/race-to-zero-campaign.
62 Nigel Brook and Nicholas Rayner, “China adds record offshore wind capacity as part of renewable
energy drive,” 15 February 2022, Clyde & Co,
https://connectedworld.clydeco.com/post/102hisb/china-adds-record-offshore-wind-capacity-as-part-of-renewable-energy-drive.


the rest of the world added in the previous five years.63 In November 2022 the International
Energy Agency (IEA) raised its global forecast for renewables growth, forecasting 76%
more growth than two years previously, driven in part by a push for energy security after
Russia’s invasion of Ukraine led to energy shortages.64 The wind energy market is likely
to follow the precedent set by the solar energy market, which has seen an 80% reduction
in cost since 2010 as a result of rapid growth.65

The history of insurance industry leadership: Two decades of climate action


The insurance industry has long had a place firmly at the forefront of the financial
industry’s response to climate risk. Reflecting the state of climate action globally, early
interventions by insurers recognised the risks of climate change to the financial system—and
the potential for market failure—and called for ambitious climate policy and
coordinated climate action at the international (i.e. state-to-state) level.66 Leading insurers
joined forces with other corporate and financial market actors in investor membership
organisations seeking to drive forward the understanding of climate risk in
financial markets and to advocate for climate action internationally. By the 2010s, the
focus was shifting to what the industry could do to foster resilience and support disaster
risk reduction. By the time of the Paris Agreement in 2015, there was an understanding
that insurers as investors had a vested interest in understanding climate-related risks
and opportunities and had a role to play in formulating climate-related financial disclosure
frameworks.
In 2002, in a two-phase study on climate change and the financial services industry,67
the UN Environment Programme Finance Initiative (UNEP FI) Climate Change Working
Group alerted the finance and business communities, governments and the public at large
to a number of the major risks to the world economy posed by climate change.68 Reflecting
the tenor of debate at the time, with denialism a mainstream political standpoint in many
countries, including the United States, the report’s CEO briefing paper found reason to
state “Climate change is a fact.”69 The report noted:
The view that climate change is of strategic business importance is more prevalent among
insurance and reinsurance companies than perhaps any other segment of the financial services

63 David Vetter, “China Built More Offshore Wind in 2021 than Every Other Country Built in 5 Years,”
Forbes,
www.forbes.com/sites/davidrvetter/2022/01/26/china-built-more-offshore-wind-in-2021-than-every-other-country-built-in-5-years/?sh=2e112c146347.
64 Harriet Agnew, “Ukraine War Increases Urgency for Renewable Energy, Says Schroders Chief,”
Financial Times, 3 March 2022, www.ft.com/content/8e98393b-13d1-4ab7-a584-cec5a6c8fbff.
65 “The Price of Solar Power Has Fallen by over 80% since 2010. Here’s Why,” World Economic Forum,
4 November 2021.
66 “Climate Change and the Insurance Industry: Taking Action as Risk Managers and Investors
Perspectives from C-level executives in the insurance industry,” The Geneva Association, January 2018,
www.genevaassociation.org/publication/climate-change-and-environment/climate-change-and-insurance-industry-taking-action-risk.
67 “CEO Briefing, A document of the UNEP FI Climate Change Working Group,” UNEP FI,
www.unepfi.org/themes/climate-change/ceo-briefing-on-climate-change/.
68 “Climate Change and the Financial Services Industry: Module 1 Threats and Opportunities,” UNEP FI,
www.unepfi.org/themes/climate-change/climate-change-and-the-financial-services-industry-module-1-threats-and-opportunities/.
69 “CEO Briefing, A document of the UNEP FI Climate Change Working Group,” UNEP FI,
www.unepfi.org/themes/climate-change/ceo-briefing-on-climate-change/.


industry. However, their policies and strategies vary considerably according to geographic
location and line of business. For example, very few insurers have factored in climate change-related
risks into underwriting premiums and deductibles, although reinsurers have initiated
qualitative sector-level impact analyses.70

2007 saw the first global Declaration on Climate Change by the Financial Services Sector,
calling climate change “the greatest market failure ever.”71 Signatories to the Declaration
committed to advance knowledge and understanding of climate change risks and opportunities,
and to integrate those into core financial operations, reduce their carbon footprints,
and report and assess annual emissions. Nine years before the Paris Agreement, there was
also a call for government leaders to inter alia set clear, mandatory, medium and long-term
emission reduction targets and adopt ambitious goals and incentives for renewable energy,
such as the target then proposed by the EU to increase the share of renewable energy
in European supply to 20% by 2020.72 Insurance industry signatories to the Declaration
included board members of Allianz SE and Munich Group.73
The following year, in 2007, a global insurance industry leadership, ClimateWise, facilitated
by the Cambridge Programme for Sustainability Leadership (CISL), was founded. Founding
ClimateWise members—including the Association of British Insurers, Aviva, Lloyd’s, Swiss
Re and ABI—committed to annually report their own organisations’ progress against seven
principles, permitting benchmarking and fostering cross-industry collaboration:74

• Be accountable;
• Incorporate climate-related issues into our strategies and investments;
• Lead in the identification, understanding and management of climate risk;
• Reduce the environmental impact of the business;
• Inform public policy-making;
• Support climate awareness amongst customers/clients; and
• Enhance reporting.

Also during the early 2000s, year on year, insurance industry leaders joined other signatories
of annual statements issued around the time of UNFCCC COPs highlighting
the need for climate action at an international level. These statements were sponsored
by membership organisations such as Ceres,75 the Institutional Investors Group on
Climate Change (IIGCC),76 the Investor Group on Climate Change Australia/New

70 Ibid.
71 “Declaration on Climate Change by the Financial Services Sector,” UNEP FI, 2007,
www.unepfi.org/fileadmin/statements/cc_statement_jun2007.pdf.
72 The target was actually exceeded: In 2020 renewable energy formed 22.1% of energy consumption,
“What is the share of renewable energy in the EU?,” Eurostat,
https://ec.europa.eu/eurostat/cache/infographs/energy/bloc-4c.html.
73 “Declaration on Climate Change by the Financial Services Sector,” UNEP FI, 2007,
www.unepfi.org/fileadmin/statements/cc_statement_jun2007.pdf.
74 In 2019 these were aligned with the TCFD framework—see further below.
75 Ceres is a leading coalition of investors and environmental groups working with companies to address
sustainability challenges such as climate change. Ceres also directs the Investor Network on Climate Risk, an
alliance of 90 institutional investors with collective assets totalling $9 trillion.
76 The Institutional Investors Group on Climate Change (IIGCC) catalyses greater investment in a low-carbon
economy by bringing European investors together to use their collective influence with companies,
policymakers and investors. The group currently has 56 members, representing assets of around EUR 4 trillion.


Zealand (IGCC, Australia/New Zealand),77 UNEP FI78 and the Principles for Responsible
Investment (PRI).79 For example, six years before the Paris Agreement, the 2009 “Investor
Statement on the Urgent Need for a Global Agreement on Climate Change” was launched
on 16 September 2009 at the Investor Forum on Climate Change in New York City.
Signatories included Allianz, Aviva and Swiss Re.80
At the same time, there was also a growing understanding that the insurance industry
could be part of the solution as regards financing adaptation and managing the economic
costs of climate change. For instance, a 2008 UNFCCC Technical Paper on financial
mechanisms to manage climate risks noted that:
National adaptation plans could provide the basis for public–private partnerships to manage
the economic costs of climatic impacts through insurance. Key areas for public finance
include funding for public goods such as risk-relevant data (e.g. weather maps) and major
hazard reduction projects (e.g. flood control). Feasibility studies including demonstration or
pilot insurance schemes could also be funded.81

It was also recognised that the insurance industry could support climate action and resilience
more generally due to its wealth and depth of knowledge on assessing risk.82
The role that the insurance industry could play in supporting sustainable development
globally started to take shape. Developed by UNEP FI, the Principles for Sustainable
Insurance (PSI or Principles) were launched at the 2012 UN Conference on Sustainable
Development (Rio+20) representing the largest collaborative initiative between the UN
and the insurance industry.83 Endorsed by the UN Secretary-General and insurance industry
CEOs, the Principles serve as a global framework for the insurance industry to address
environmental, social and governance (ESG) risks and opportunities and as a global initiative
to strengthen the insurance industry’s contribution as risk managers, insurers and
investors to building resilient, inclusive and sustainable communities and economies on
a healthy planet. The tools for achieving this include working with the private sector and

77 The Investor Group on Climate Change Australia/New Zealand (IGCC, Australia/New Zealand) represents
institutional investors operating in Australia and New Zealand, with assets around AUD 500 billion,
and others in the investment community. The IGCC aims to ensure that the risks and opportunities associated
with climate change are incorporated into investment decisions for the ultimate benefit of individual investors.
78 United Nations Environment Programme Finance Initiative (UNEP FI) is a global partnership between
UNEP and the financial sector. Over 190 institutions, including banks, insurers and fund managers, work
with UNEP to understand the impacts of environmental and social considerations on financial performance.
Through its Climate Change Working Group (CCWG), UNEP FI identifies the roles of the finance sector in
addressing climate change, and advances the integration of climate change factors—both risks and
opportunities—into financial decision-making. Under the auspices of the UN, the UNEP FI provides guidance to the
insurance industry. With an initial focus on investment, the focus has now turned to underwriting. UNEP
FI has published numerous risk guides for underwriters, including the Principles for Sustainable Insurance
discussed below.
79 Principles for Responsible Investment, convened by UNEP FI and the UN Global Compact, was established
to help investors achieve better long-term investment returns and sustainable markets through improved
analysis of environmental, social and governance issues.
80 “2009 Investor Statement on the Urgent Need for a Global Agreement on Climate Change,” United
Nations Environment—Finance Initiative, September 2009,
www.unepfi.org/publications/2009-investor-statement-on-the-urgent-need-for-a-global-agreement-on-climate-change/.
81 “Mechanisms to manage financial risks from direct impacts of climate change in developing countries,”
UNFCCC, 2008, FCCC/TP/2008/9, quoted in “Insuring Climate Resilience, How insurers are responding to
climate change. And how they can be part of an effective government response,” UNEP FI, November 2013.
82 Charles E Boyle, “Geneva Association Issues Report on Insurance Industry & Climate Change,”
Insurance Journal, 5 July 2009, www.insurancejournal.com/news/international/2009/07/06/101984.htm.
83 UNEP FI 2021 (n 44).


governments but at the same time raising public awareness of ESG issues and good risk
management while promoting accountability and transparency.84
In 2013, UNEP FI conducted original research with the participation of insurance
industry representatives and produced a report on “insuring climate resilience,” calling
for public interventions to help the insurance industry develop and scale up their products
and services in order to build the climate resilience of vulnerable communities, such as at
the national level, the establishment of integrated risk management approaches and risk
transfer solutions, including partnerships with the insurance industry (i.e. public–private);
improvements in zoning (e.g. coastal, wind, flood, land); improvements in management,
conservation and restoration of ecosystems; improvements in asset statistics (e.g. human,
incomes, property), including asset vulnerability and geographic distribution of asset values;
and the promotion of insurance literacy.85
International action on climate change and resilience coalesced in various forms in 2015,
most importantly through the Paris Agreement, as described above. However, 2015 also
saw the UN General Assembly adopt the Sendai Framework for Disaster Risk Reduction
(2015–2030)86 (the Sendai Framework) with the objective of substantially reducing disaster
risk and losses in lives, livelihoods and health and in the economic, physical, social,
cultural and environmental assets of persons, businesses, communities and countries. The
Sendai Framework recognised that the state has the primary role to reduce disaster risk,
but that responsibility should be shared with other stakeholders including local government
and the private sector. The Sendai Framework set out a number of key priorities,
including public and private investment in disaster risk prevention and reduction.87 To
achieve this, inter alia, the Framework set out the importance of promoting mechanisms
for disaster risk transfer and insurance, risk-sharing and retention and financial protection
for both public and private investment.88 Working with PSI and UNEP FI, the insurance
industry issued a statement in support of disaster risk reduction, noting the role
of the insurance industry as risk managers, risk carriers and institutional investors and
advocating for the development of strong public–private partnerships and fostering resilience
in the built environment, raising awareness of disaster risk and promoting disaster
risk reduction through insights, data and tools from the insurance industry. The industry
offered up the use of its risk management processes, models, analytics and metrics as a
potential model for understanding and reducing risk across a broad range of industries and
public sector entities.89
Also in 2015, the G20 Finance Ministers and Central Bank Governors asked the
Financial Stability Board (FSB),90 an international body that monitors and makes

84 “The Principles,” UNEP FI, see Principles 3 and 4 www.unepfi.org/insurance/insurance/the-principles/.
85 “Insuring Climate Resilience, How insurers are responding to climate change. And how they can be part
of an effective government response,” UNEP FI, November 2013.
86 See, “Sendai Framework for Disaster Risk Reduction 2015–2030,” United Nations Office for Disaster
Risk Reduction, 2015, www.undrr.org/publication/sendai-framework-disaster-risk-reduction-2015-2030.
87 69/283, Sendai Framework for Disaster Risk Reduction 2015–2030, Resolution adopted by the General
Assembly on 3 June 2015, Priority 3,
https://sustainabledevelopment.un.org/index.php?page=view&type=111&nr=7738&menu=35.
88 Ibid.
89 “United for disaster resilience: The insurance industry’s statement in support of disaster risk reduction,”
Sendai 2015, www.unepfi.org/industries/insurance/united-for-disaster-resilience/.
90 The FSB has been established to coordinate at the international level the work of national financial
authorities and international standard-setting bodies and to develop and promote the implementation of


recommendations about the global financial system,91 to review how the financial sector
could take account of climate-related issues. As part of its review, the FSB identified
the need for better information to support informed investment, lending and insurance
underwriting decisions and improve understanding and analysis of climate-related risks.92
In December 2015, coinciding with the landmark COP21 in Paris, the FSB established
an industry-led disclosure task force on climate-related financial risks. The Task Force
on Climate-related Financial Disclosures (TCFD or Task Force) was established to consider
physical, transition and liability risks associated with climate change in order to
develop a set of recommendations for consistent, comparable, reliable, clear and efficient
climate-related disclosures.93 The Task Force set out to develop voluntary, consistent
climate-related financial risk disclosures for use by companies in providing information to
lenders, insurers, investors and other stakeholders.94 The initial membership of the Task
Force included representatives from various insurance companies, banks, asset managers,
pension funds, large non-financial companies, accounting and consulting firms and
credit rating agencies.95 The TCFD released its final climate-related financial disclosure
recommendations in June 2017,96 and 100 CEOs signed a statement in support of the
recommendations including, from the insurance industry, the likes of Allianz SE, Aviva plc,
AXA Group, Swiss Re and WTW (formerly Willis Towers Watson).97

The global regulatory response to climate change: Impacts on insurers


It is recognised that climate change risks represent “green swan” risks: Potentially
extremely financially disruptive events that could precipitate the next systemic financial
crisis.98 Given the impact that climate change will have on the financial system, central
banks, regulators and supervisors have come to regard climate risk management as a
core function in supporting financial stability. Central banks and financial supervisors are
helping coordinate measures to fight climate change, including carbon pricing, integration
of sustainability into financial practices and accounting frameworks, and regulation and
policy development.

effective regulatory, supervisory and other financial sector policies in the interest of financial stability. It brings
together national authorities responsible for financial stability in 24 countries and jurisdictions, international
financial institutions, sector-specific international groupings of regulators and supervisors, and committees
of central bank experts. The FSB also conducts outreach with 65 other jurisdictions through its six regional
consultative groups.
91 The FSB promotes international financial stability; it does so by coordinating national financial authorities
and international standard-setting bodies as they work toward developing strong regulatory, supervisory
and other financial sector policies. It fosters a level playing field by encouraging coherent implementation of
these policies across sectors and jurisdictions; see www.fsb.org/about/.
92 “Task Force on Climate-Related Financial Disclosures,” TCFD, www.fsb-tcfd.org/about/#history
(hereafter Task Force).
93 “FSB to establish Task Force on Climate-related Financial Disclosures,” 4 December 2015,
www.unepfi.org/climate-change/tcfd/.
94 Ibid.
95 Task Force (n 92).
96 Task Force (n 92).
97 “Task Force on Climate-related Financial Disclosures,” 29 June 2017, UNEP FI,
www.unepfi.org/climate-change/tcfd/.
98 Patrick Bolton et al., “The green swan—Central banking and financial stability in the age of climate
change,” Banque de France, January 2020, www.ngfs.net/en.


Reflecting the need for global collaboration amongst financial regulators, at the Paris
“One Planet Summit” in December 2017, eight central banks and supervisors established
the Network of Central Banks and Supervisors for Greening the Financial System (NGFS
or Network). Since then, the membership of the Network has grown dramatically across all
five continents. The Network’s purpose is to help strengthen the global response required
to meet the goals of the Paris Agreement and to enhance the role of the financial system to
manage risks and to mobilise capital for green and low-carbon investments in the broader
context of environmentally sustainable development. To this end, the Network defines and
promotes best practices to be implemented within and outside of the NGFS and conducts
or commissions analytical work on green finance.99
In April 2019, in its first comprehensive report, the NGFS, which had by then grown to
a network of 72 central banks and supervisors representing two-thirds of global banks and
insurers, formally endorsed the TCFD recommendations.100 Its endorsement report also
outlined recommendations for central banks and supervisors including the integration of
climate-related risks into financial stability monitoring and micro-supervision,101 achieving
robust and internationally consistent climate and environment-related disclosure,102
and supporting the development of a taxonomy of economic activities.103
The global regulatory response for (re)insurers has also been shaped by the work of
the International Association of Insurance Supervisors (IAIS),104 which collaborates
with other international organisations and standard-setting bodies on climate risk issues,
including the FSB and the NGFS.105 Climate change has been identified as a key theme
within the IAIS Strategic Plan and spans its activities, ranging from financial stability risk
assessment to developing supervisory and supporting material and capacity building.106
IAIS contributions include:

• July 2018: Issues Paper on Climate Change Risks to the Insurance Sector which
provided an overview of how climate change is affecting the insurance sector by
providing examples of current material risks and impacts across underwriting
and investment activities, by exploring potential supervisory responses, and by
reviewing observed practices in different jurisdictions;107
• February 2020: Issues Paper on the Implementation of the TCFD
Recommendations which provided an overview of supervisory frameworks

99 “Origin of the Network for Greening the Financial System,” Central Banks and Supervisors, Network
for Greening the Financial System, www.ngfs.net/en.
100 “A Call for Action, Climate Change as a source of financial risk,” Network for Greening the Financial
System, April 2019.
101 Recommendation 1.
102 Recommendation 5.
103 Recommendation 6.
104 The IAIS is a voluntary membership organisation of insurance supervisors and regulators from more
than 200 jurisdictions, constituting 97% of the world’s insurance premiums. It is the global standard-setting
body responsible for developing and assisting in the implementation of principles, standards and guidance as
well as supporting material for the supervision of the insurance sector; see www.iaisweb.org/.
105 “Climate Risk,” International Association of Insurance Supervisors,
www.iaisweb.org/activities-topics/climate-risk/.
106 Ibid.
107 “Issues Paper on Climate Change Risks to the Insurance Sector,” July 2018, IAIS,
www.iaisweb.org/activities-topics/climate-risk/.


considered in the development of climate-related disclosure requirements within
the market;108
• May 2021: Application Paper on the Supervision of Climate-related Risks in the
Insurance Sector, which provided guidance and recommendations to insurance
supervisors to further strengthen their efforts in addressing risks to the insurance
sector from climate change;109
• November 2021: Global Insurance Market Report (GIMAR) insurance sector
investment exposures to climate-related risks. This report provided the first quantitative
global study on the impact of climate change on the insurance sector.110

Through its Global Monitoring Exercise (GME), the IAIS monitors and assesses global
insurance market trends and developments and their potential impact on insurance markets
and global financial stability. In 2022, climate data elements were added to the GME,
and the IAIS has stated these will become a regular feature of the IAIS’s annual assessment
of insurance sector risks and thereby provide a global baseline of climate risk data
for the insurance sector.
An important aspect of the IAIS’s work is the promulgation of the Insurance Core
Principles (ICPs), a globally accepted framework for insurance supervision seeking to
encourage the maintenance of consistently high supervisory standards in IAIS member
jurisdictions.111 The IAIS has considered the ICPs in light of climate change and considers
that the ICPs—which include standards for supervision of conduct of business and capital
adequacy112—are already sufficiently broad to cover climate risks. However, the IAIS
has announced it will amend ICP guidance to make it even more explicit that insurance
supervisors should require insurers to incorporate climate-related risks into their day-to-day
operations, including in governance, enterprise risk management and disclosures.113

National regulatory developments


With work spearheaded by the Bank of England and shaped by the work of the NGFS and
IAIS (in respect of insurance supervisors), financial regulators have increasingly adopted
climate risk management as part of their supervisory remit, with the aim of protecting
policyholders, contributing to financial stability and promoting the maintenance of a fair,
safe and stable insurance market.114

108 “Issues Paper on the Implementation of the Recommendations of the Task Force on Climate-related
Financial Disclosures,” IAIS, February 2020, www.iaisweb.org/activities-topics/climate-risk/.
109 “Application Paper on the Supervision of Climate-related Risks in the Insurance Sector,” IAIS, May
2021, www.iaisweb.org/activities-topics/climate-risk/.
110 “Global Insurance Market Report (GIMAR),” IAIS,
www.iaisweb.org/activities-topics/financial-stability/gimar/.
111 “Insurance Core Principles and ComFrame,” IAIS,
www.iaisweb.org/activities-topics/standard-setting/icps-and-comframe/.
112 “Insurance Core Principles and Common Framework for the Supervision of Internationally Active
Insurance Groups,” IAIS, November 2019.
113 “Climate Risk,” IAIS, www.iaisweb.org/activities-topics/climate-risk/.
114 “Application Paper on the Supervision of Climate-related Risks in the Insurance Sector,” IAIS, May
2021, www.iaisweb.org/activities-topics/climate-risk/.


United Kingdom
In the United Kingdom, the Bank of England (BoE) under the leadership of Mark Carney
was instrumental in the development of the TCFD recommendations under the auspices
of the FSB. As described above, the BoE also provided thought leadership in the development
of the concept of the three risks of climate change to the financial system (physical,
transition and liability).
Since then, the UK’s financial regulators and institutions have increasingly focused
on climate risk. In 2019, the BoE became the first central bank and supervisor to set
supervisory expectations for banks and insurers on the management of climate-related
financial risks, covering governance, risk management, scenario analysis and disclosure
(Supervisory Statement 3/19).115 The Insurance Stress Test for 2019 included an exploratory
exercise in relation to climate change.116 The BoE followed this up with a “Dear CEO”
letter to firms in 2020 which set out detailed guidance on how firms should embed climate
risk management by the end of 2021.117
The BoE with the UK’s Financial Conduct Authority (FCA) established the Climate
Financial Risk Forum (CFRF) in 2019 to share best practice across industry and financial
regulators.118 In 2021, larger UK banks and insurers took part in the BoE’s first Climate Biennial
Exploratory Scenario (CBES) which, based on the NGFS’s climate scenarios, proposed three
scenarios of early, late and no additional action on climate to explore the resilience of the UK
financial system (both banks and insurers) to physical and transition risks. The results of that
stress test were published in May 2022.119 The CBES results indicated that participating UK
banks and insurers were making good progress in some aspects of their climate risk management,
yet still needed to do much more to understand and manage their exposure to climate
risks. The lack of available data on corporates’ current emissions and future transition plans
has been reported as a collective issue affecting all participating firms.120
At Glasgow’s COP26 in November 2021, the UK government announced the ambition
to become the world’s first “net zero” financial centre121 with the establishment of the
Glasgow Financial Alliance for Net Zero122 and the creation of a Transition Plan Taskforce
to draw up a “gold standard” for corporate transition plans. The Transition Plan Taskforce
Disclosure Framework123 published in November 2022 laid out a sector-neutral framework
that provides recommendations for companies and financial institutions, together with

115 “Climate Change,” Bank of England, www.bankofengland.co.uk/climate-change.
116 “General Insurance Stress Test,” Bank of England Prudential Regulation Authority, April 2019, www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2019/general-insurance-stress-test-2019-scenario-specification-guidelines-and-instructions-draft.pdf.
117 Sam Woods, “Managing climate-related financial risk—thematic feedback from the PRA’s review of firms’ Supervisory Statement 3/19 (SS3/19) plans and clarification of expectations,” Letter, 1 July 2020, www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2020/managing-the-financial-risks-from-climate-change.pdf?la=en&hash=A6B4DD1BE45B2762900F54B2F5BF2F99FA448424.
118 “Climate Financial Risk Forum (CFRF),” Financial Conduct Authority, www.fca.org.uk/transparency/climate-financial-risk-forum.
119 “Results of the 2021 Climate Biennial Exploratory Scenario (CBES),” Bank of England, 24 May 2022, www.bankofengland.co.uk/stress-testing/2022/results-of-the-2021-climate-biennial-exploratory-scenario.
120 Ibid.
121 “Chancellor: UK will be the world’s first net zero financial centre” HM Treasury, 3 November 2021, www.gov.uk/government/news/chancellor-uk-will-be-the-worlds-first-net-zero-financial-centre.
122 Discussed below under “Voluntary Commitments to Net Zero.”
123 “Consultation, The Transition Plan Taskforce Disclosure Framework,” Transition Plan Taskforce, November 2022, https://transitiontaskforce.net/wp-content/uploads/2022/11/TPT-Disclosure-Framework.pdf.


Implementation Guidance124 and a Technical Annex.125 The UK was also the first country
to legislate for TCFD-aligned disclosures, which became mandatory for the UK’s largest
companies and financial institutions in April 2022.126
In 2022 the Bank of England issued a further “Dear CEO” letter to PRA-regulated
insurance firms indicating that financial risks arising from climate change remained a
core focus.127 The letter noted that progress in relation to financial risks arising out of
climate change has not been consistent across all firms, resulting in an incorporation of
supervision of such risks into the PRA’s core supervisory approach.128

Germany
The German Federal Financial Supervisory Authority (BaFin) requires regulated entities
to manage climate risks and integrate them into their risk management frameworks. In
this regard, BaFin published non-binding guidelines, updated in January 2020, for super-
vised entities, including insurance companies and banks.
In an interim report dated 5 March 2020, the Sustainable Finance Committee (SFB)
of the German Federal Government advocated, inter alia, expanding the scope of non-
financial disclosures under Directive 2014/95/EU (Non-Financial Reporting Directive,
NFRD). In addition, listed companies are also to apply the TCFD recommendations on
climate reporting from 2022. The final report of the SFB was published in March 2021 and
contains a total of 31 recommendations.
On 27 June 2022, the new version of the German Corporate Governance Code (DCGK) was
published and entered into force.129 The DCGK has, in a previous version, already established
an explicit expectation that companies and their management need to be aware of their role
and responsibility vis-à-vis society. In fact, social and environmental factors are considered to
be relevant for business success.130 This is a clear commitment to sustainability principles. The
new version of the DCGK states that the board must take into account the social and environ-
mental factors which influence the performance of the company and the company’s impacts
on people and the environment. Under the new DCGK, a company’s management board must
systematically identify and assess social and environmental risks and opportunities for the
company, and ensure that the company’s strategy gives appropriate consideration to social
and environmental matters. The supervisory board is required to give supervision and advice
on sustainability issues in particular and should comprise members with sufficient skills and
expertise in sustainability matters, which should be disclosed in a qualification matrix in the
company’s Corporate Governance Statement. The new DCGK also requires one member of

124 “Consultation, The Transition Plan Taskforce Implementation Guidance,” Transition Plan Taskforce, November 2022, https://transitiontaskforce.net/wp-content/uploads/2022/11/TPT-Implementation-Guidance-1.pdf.
125 “The Transition Plan Taskforce Implementation Guidance: Technical Annex,” Transition Plan Taskforce, November 2022, https://transitiontaskforce.net/wp-content/uploads/2022/11/TPT-Implementation-Guidance-Technical-Annex.pdf.
126 The Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022, www.legislation.gov.uk/uksi/2022/31/contents/made.
127 “Insurance Supervision, 2022 priorities” Letter, Bank of England Prudential Authority, 12 January 2022, www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2022/january/insurance-supervision-2022-priorities.pdf?la=en&hash=0AFDCE727B64DADB0AC857398B4FC1208471EFE9.
128 Ibid, 3.
129 Regierungskommission Deutscher Corporate Governance Kodex, German Corporate Governance Code, June 2022, https://dcgk.de/en/press/details/new-code-published-in-the-federal-gazette.html.
130 Ibid.


the audit committee to have expertise in auditing, and another to have expertise in accounting,
which should include sustainability reporting and its auditing and assurance. The chair of the
audit committee is required to have expertise in either accounting or auditing (and therefore,
sustainability reporting to the relevant degree).
The German Federal Government (Bundesregierung) has set binding national climate tar-
gets in a Climate Protection Act that came into force on 18 December 2019. The act first pro-
vided for a gradual reduction in greenhouse gas emissions compared to 1990, with a target
of at least 55% by 2030. Greenhouse gas neutrality is to be achieved by 2050. Due to a ruling
by the Federal Constitutional Court, the act was tightened so that a greenhouse gas reduction
target of 65% by the year 2030, and 88% by the year 2040 has now been introduced.

United States
The regulatory approach to climate risk has developed more slowly and sporadically in
the United States with limited coordination between state and federal regulators. The US
Securities and Exchange Commission (SEC) and state attorneys general took relatively
speedy action on climate risk disclosures, including 2015 investigations of at least two
energy companies, ExxonMobil and Peabody Energy Corp.
Under the Biden Administration, regulators have increased their focus on climate
change disclosures by companies. At the time of publication, with the federal govern-
ment’s renewed interest in climate change, federal agencies are currently developing a
strategy to require companies to quantify, disclose and mitigate the financial risk of cli-
mate change. This policy seeks consistent, clear, intelligible, comparable and accurate
disclosure of climate-related financial risk.
In October 2020, the New York Department of Financial Services (NYDFS) issued an
Industry Letter outlining its expectations related to addressing the financial risks from cli-
mate change to all New York-regulated banking organisations, branches and agencies of
foreign banking organisations, mortgage bankers and servicers, and limited purpose trust
companies, as well as New York-regulated non-depositories.131 In this letter, the NYDFS
outlined its expectations that the regulated organisations start integrating the financial
risks from climate change into their governance frameworks, risk management processes
and business strategies. In November 2021, the NYDFS became the first US financial
regulator to develop and finalise a comprehensive climate change risk regulatory frame-
work for “domestic” insurers.132 The framework set out the DFS’s expectations that all
New York insurers start integrating the consideration of the financial risks from climate
change into their governance frameworks, business strategies, risk management processes
and scenario analysis, and develop their approach to climate-related financial disclosure.
In March 2022, the SEC proposed new standardised climate-related disclosure rules for
all registered companies.133 The proposed rules are based on the TCFD recommendations

131 NYDFS, “Industry Letter to The Chief Executive Officers or the Equivalents of New York State Regulated Financial Institutions,” October 2020. The six biggest US banks will be required to undergo a climate stress test, overseen by the Federal Reserve, to assess their risk management practices for climate change scenarios. See, “Pilot Climate Scenario Analysis Exercise, Participant Instructions,” Board of Governors of the Federal System, January 2023, www.federalreserve.gov/publications/climate-scenario-analysis-exercise-instructions.htm.
132 NYDFS, “Guidance for New York Domestic Insurers on Managing the Financial Risks from Climate Change,” 15 November 2021, www.dfs.ny.gov/system/files/documents/2021/11/dfs-insurance-climate-guidance-2021_1.pdf.
133 SEC, “Proposed rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors,” 17 CFR 210, 229, 232, 239, and 249, www.sec.gov/rules/proposed/2022/33-11042.pdf.

and, if adopted, will apply to disclosures by domestic and foreign companies that file peri-
odic reports or registration statements with the SEC.

Australia
In November 2021, APRA, the Australian financial sector prudential regulator, released its
final prudential practice guide CPG 229 Climate Change Financial Risks.134 The Practice
Guide provides that an institution should manage and mitigate climate-related financial
risks through governance, risk management, scenario testing and disclosures.
Potential economic downturns are one of the risks that climate change poses to
Australia’s top five banks, though APRA expects these to be concentrated in specific
regions and industries, for example with mortgage lending losses expected to be higher in
northern Australia.135
The Australian Competition and Consumer Commission (ACCC) warned businesses
in September 2022 that they needed to be ready to substantiate any environmental or
sustainability claims when marketing their goods and services,136 addressing the issue of
greenwashing. Australia’s first fine against greenwashing was issued in October 2022 by
the Australian Securities and Investment Commission (ASIC).137

Post-COVID progress on financial regulation


The COVID-19 pandemic did not derail the progress of climate action in financial markets,
now increasingly framed as part of a broader conversation about sustainable finance and ESG.
In 2021, in the wake of the pandemic, the Sustainable Finance Working Group—a
group mandated to identify institutional and market barriers to green finance—produced
the G20 Sustainable Finance Roadmap.138 The aim of the Roadmap is to identify gaps and
leverage opportunities to support G20 member efforts and communicate G20 priorities
on sustainable finance.139 The FSB also published the FSB roadmap for addressing the
financial risks from climate change.140 The roadmap focuses on four main, interrelated
areas of firm-level disclosures, using consistent data for climate-related vulnerabilities,
vulnerabilities analysis and regulatory and supervisory practices and tools.141
In 2021, UNEP FI collaborated with 22 leading insurers and reinsurers from across
the globe, representing more than 10% of the global industry premium, to pilot the TCFD
recommendations. The group worked on the development of methodologies to evaluate

134 “Prudential Practice Guide: CPG 229 Climate Change Financial Risks,” Australian Prudential Regulation Authority, November 2021, www.apra.gov.au/sites/default/files/2021-11/Final%20Prudential%20Practice%20Guide%20CPG%20229%20Climate%20Change%20Financial%20Risks.pdf.
135 “Australian Banking System Cushioned for Imminent Climate Change-Related Risks—Regulator,” Reuters, 30 November 2022, sec. COP27, www.reuters.com/business/cop/australian-banking-system-cushioned-imminent-climate-change-related-risks-2022-11-30/.
136 “Businesses told to be prepared to back up their environmental claims,” ACCC, 20 September 2022, www.accc.gov.au/media-release/businesses-told-to-be-prepared-to-back-up-their-environmental-claims.
137 “Australia’s Corporate Regulator Issues First Fine for Greenwashing,” The Guardian, 27 October 2022, www.theguardian.com/environment/2022/oct/27/australias-corporate-regulator-issues-first-fine-for-greenwashing.
138 G20 Sustainable Finance Working Group, G20, https://g20sfwg.org/.
139 “What Should You Know About the Sustainable Finance Roadmap?” G20 Sustainable Finance Working Group, https://g20sfwg.org/2022/09/23/what-should-you-know-about-the-sustainable-finance-roadmap/.
140 “FSB Roadmap for Addressing Climate-related Financial Risks,” Financial Stability Board, 7 July 2021, www.fsb.org/2021/07/fsb-roadmap-for-addressing-climate-related-financial-risks/.
141 “FSB Roadmap for Addressing Climate-related Financial Risks,” Financial Stability Board, 7 July 2021, 2, www.fsb.org/wp-content/uploads/P070721-2.pdf.

the financial impact that physical, transition and liability risks may have on their under-
writing portfolios.142
Also in 2021, the G20 recognised the risks that climate change posed to macroeconomic
outcomes and to regulated financial institutions and financial stability and, along with the
G7, pledged to promote the implementation of disclosure recommendations based on the
TCFD framework in line with domestic regulatory frameworks.143
In November 2021 as world leaders met in Glasgow for COP26, the IFRS Foundation
announced the formation of a new International Sustainability Standards Board (ISSB)
to develop—in the public interest—a comprehensive global baseline of high-quality sus-
tainability disclosure standards to meet investors’ information needs.144 The ISSB was
enshrined in a revised IFRS constitution in order to expand the Foundation’s objectives
to encompass the promulgation of sustainability standards.145 The ISSB brought together
in a working group the Climate Disclosure Standards Board (CDSB), the International
Accounting Standards Board (IASB), TCFD, the VRF and the World Economic Forum,
supported by the International Organization of Securities Commissions (IOSCO) and its
Technical Expert Group of securities regulators. The working group consolidated key
aspects of those organisations’ content into an enhanced, unified set of recommendations
for consideration by the ISSB, published as a prototype in March 2022.146 In June 2023,
ISSB published its base standards for enhanced sustainability reporting, paving the way
for consistent, comparable and decision-useful reporting standards.147

Voluntary commitments to net zero


As regulators integrate climate risk and other sustainability issues into their mandates,
and as reporting standards coalesce and become enshrined in domestic law, there is a
recognised need for market leaders to set the pace of the transition across industries,
including in insurance markets.
Leading global (re)insurers have joined with banks, pension funds and others in net-
zero alliances on a voluntary basis to reduce portfolio emissions of investments and pro-
mote sustainability in underwriting.
Formed in 2019, the UN-convened Net Zero Asset Owner Alliance (NZAOA) is a mem-
ber-led initiative of institutional investors committed to transitioning their investment
portfolios to net zero by 2050. The Alliance members were the finance industry’s first to
set intermediate targets, which include CO2 reduction ranges of 22% to 32% for 2025 and

142 UNEP FI 2021 (n 44).
143 “G20 Finance Ministers and Central Bank Governors Communiqué,” US Department of the Treasury, 10 July 2021, https://home.treasury.gov/news/press-releases/jy0269.
144 IFRS, “IFRS Foundation announces International Sustainability Standards Board, consolidation with CDSB and VRF, and publication of prototype disclosure requirements,” www.ifrs.org/news-and-events/news/2021/11/ifrs-foundation-announces-issb-consolidation-with-cdsb-vrf-publication-of-prototypes/ (hereafter IFRS Foundation).
145 “IFRS Foundation Trustees’ Feedback Statement on proposed amendments to the IFRS Foundation’s Constitution,” November 2021, IFRS, www.ifrs.org/content/dam/ifrs/project/sustainability-reporting/feedback-statement-constitution-sustainability-nov2021.pdf.
146 IFRS Foundation (n 144).
147 “IFRS S1 - General Requirements for Disclosure of Sustainability-related Financial Information” and “IFRS S2 Climate-related Disclosures”, IFRS, 26 June 2023, https://www.ifrs.org/issued-standards/ifrs-sustainability-standards-navigator/


49% to 65% for 2030.148 Members will seek to reach this commitment, especially through
advocating for, and engaging with, corporate and industry action, as well as public policies,
for a low-carbon transition of economic sectors in line with science and under consideration
of associated social impacts.149
The NZAOA is convened by the UN, led by asset owners, and supported by civil society.
The NZAOA Secretariat is assembled by UNEP FI and PRI. The strategic advisers com-
prise the World Wildlife Fund (WWF) and Global Optimism, which is led by Christiana
Figueres, former Executive Secretary of the UNFCCC. As of publication, the NZAOA’s
membership comprises 74 institutional investors with a combined pool of assets under
management (AUM) worth US $10.6 trillion. Insurance industry members include Legal
& General, Allianz, Munich Re, Aviva, AXA, QBE, SCOR, Swiss Re and Generali, who
have each set their own interim targets. For example, Generali Group has a sub-portfolio
target to reduce portfolio carbon intensity by 25% by 2025.150, 151

Figure 14.1 Growth of membership (total AUM in US$ trillion and number of members in the Alliance)

The NZAOA expects all members to adopt intermediate targets within 12 months of
joining. Under the NZAOA’s Accountability Mechanism, members must “follow guidance

148 “UN-convened Net-Zero Asset Owner Alliance,” United Nations Environment Finance Initiative, www.unepfi.org/net-zero-alliance/.
149 “The Net-Zero Asset Owner Alliance,” UNEP FI, www.unepfi.org/wordpress/wp-content/uploads/2019/09/AOA_FAQ.pdf.
150 “2025 Member Targets,” UNEP FI, www.unepfi.org/net-zero-alliance/resources/member-targets/.
151 United Nations Environment Programme (2022). “The Second Progress Report of the Net-Zero Asset Owner Alliance: Advancing Delivery on Decarbonisation Targets,” Nairobi, September 2022, www.unepfi.org/wordpress/wp-content/uploads/2022/09/AOA-Progress-Report-2022-3.pdf, 3 (hereafter Advancing Delivery 2022 UNEP FI).


or explain.” Failure to comply will result in a request for clarification and ultimately,
should the need arise, in delisting. The NZAOA has yet to be required to take such a step.
On 13 October 2020, the NZAOA released its first edition of the 2025 Target Setting
Protocol (Protocol).152 The aim of the Protocol was to provide details and guidance for
NZAOA members setting science-based targets on their financed emissions.153 In January
2022, the NZAOA released the second edition of the Target Setting Protocol, which
included more ambitious emission reduction ranges for 2025 intermediate targets and
covered additional asset classes.154 NZAOA’s second progress report on advancing deliv-
ery of decarbonisation targets was published in September 2022 with contributions from
leading insurer members.155 The report reaffirmed the growing recognition of the role of
asset owners as agents of change, as well as the fundamental role that targets play in both
directing and accelerating members’ respective embrace of net zero. It also outlines an
increase in the number of members with a short-term target to 44, collectively account-
ing for US $7.1 trillion in assets under management, up from 29 members in 2021.156 In
January 2023, NZAOA released the third edition of the Target Setting Protocol which
reflected on the latest science, expanded methodological coverage across asset classes and
added chapters on carbon removals and just transition, among others.157
Insurers also participate in an insurance industry-focused voluntary net-zero alliance:
the UN-convened Net-Zero Insurance Alliance (NZIA). The launch of the NZIA was
announced during the G20 Summit in 2021, and the Alliance currently comprises 17 leading
insurers, having lost almost half of its members in early 2023 due to US political pressure
highlighting antitrust concerns.158 Similarly to the NZAOA, the NZIA supports its members
as they work towards decarbonising their underwriting portfolios by individually setting
science-based intermediate targets and reporting on their progress annually. The Alliance
will also advocate for and engage in government policies for a science-based and socially
just transition of economic sectors to net zero.
NZIA members have committed to transitioning their insurance and reinsurance
underwriting portfolios to net-zero GHG emissions by 2050. In order to develop the tools
and guidance to implement the commitments its members have made, the NZIA has put
in place the following six workstreams:159
1. Metric and targets: Established to develop a global standard to measure “insur-
ance-associated emissions”;

152 “Alliance 2025 Target Setting Protocol,” UN Environment Programme, www.unep.org/resources/report/alliance-2025-target-setting-protocol.
153 “Target Setting Protocol Second Edition,” UNEP FI, www.unepfi.org/net-zero-alliance/resources/target-setting-protocol-second-edition/.
154 Advancing Delivery 2022 UNEP FI (n 150).
155 Advancing Delivery 2022 UNEP FI (n 150).
156 Advancing Delivery 2022 UNEP FI (n 150).
157 United Nations Environment Programme (2023), Target Setting Protocol Third Edition, January 2023 https://www.unepfi.org/industries/target-setting-protocol-third-edition/
158 Tommy Wilkes, ‘Insurers’ climate alliance loses nearly half its members after more quit’ Reuters, 30 May 2023 https://www.reuters.com/business/insurers-climate-alliance-loses-nearly-half-its-members-after-more-quit-2023-05-30/#:~:text=The%20NZIA%2C%20which%20was%20formed%20in%202019%20to,two%20weeks%20ago%20and%2030%20in%20late%20March.
159 “Implementation,” UNEP FI, www.unepfi.org/net-zero-insurance/implementation/#:~:text=In%20order%20to%20develop%20the%20tools%20and%20guidance,Alliance%20%28NZIA%29%20has%20put%20in%20place%20six%20workstreams.


2. Engagement: Established to raise awareness on net-zero insurance;


3. Net-zero insurance white paper: This explains the meaning of net zero in the con-
text of insurance and reinsurance underwriting portfolios as well as explaining
different approaches to achieve net zero;
4. Life and health exploratory: Established to explain the approaches insurers can
take in order to contribute to a net-zero economy;
5. Antitrust: Established to engage with competition authorities and ensure compli-
ance with antitrust/competition laws; and
6. NZIA Communications: Established to develop and implement the NZIA global
communications programme.
The work is led by the UN Principles for Sustainable Insurance (PSI) Initiative’s
Secretariat, and the working groups comprise NZIA member representatives with exper-
tise in the relevant areas. NZIA members will need to publish their first interim science-
based targets within six months after the publication of an NZIA Target-Setting Protocol,
scheduled to be published in January 2023.
Alongside the NZAOA and the NZIA sit the Net Zero Banking Alliance, the Net Zero
Asset Managers initiative (NZAM), the Paris Aligned Investment Initiative, the Net Zero
Financial Service Providers Alliance, and the Net Zero Investment Consultants initiative.
A pan-sector coalition connecting these alliances is the Glasgow Financial Alliance for
Net Zero (GFANZ), launched in April 2021 by the UK Presidency of COP26, in tandem
with the UN Special Envoy for Climate Action and Finance, Mark Carney.160 GFANZ
currently represents 40% of the world’s financial assets and collectively committed $130
trillion to reach net zero.161 All members of GFANZ must first be accredited by Race to
Zero (see above).

Competition law and controversy


There is a growing recognition that existing competition and antitrust law may not be fit for pur-
pose in the climate context, given the need for collaboration and coordinated movement across
entire industries. Net-zero alliances have flagged potential risks around breach of competition
law. For example, it was widely reported that lawyers advised NZIA that its members may be in
breach of competition law if they act together and coordinate on net-zero underwriting.162 When,
in early August 2022, Race to Zero announced binding restrictions on fossil fuel finance, specifi-
cally “no coal,”163 various GFANZ members threatened to leave GFANZ over stated concerns

160 “Accelerating the transition to a net-zero economy,” Glasgow Financial Alliance for Net Zero, www.gfanzero.com/.
161 “Carney Unveils $130 Trillion in Climate Finance Commitments,” Bloomberg, 2 November 2021, www.bloomberg.com/news/articles/2021-11-02/carney-s-climate-alliance-crests-130-trillion-as-pledges-soar#xj4y7vzkg.
162 Alastair Marsh, “Net-Zero Insurers’ Climate-Friendly Plans to Exit Coal Impeded by Antitrust Laws,” Insurance Journal, 19 January 2022, www.insurancejournal.com/news/international/2022/01/19/649921.htm#:~:text=Representatives%20of%20the%20NetZero%20Insurance%20Alliance%20have%20begun,are%20focused%20on%20technical%20details%2C%20the%20person%20said.
163 Elizabeth Meager, “Why competition law is a threat to climate collaboration,” Capital Monitor, 10 October 2022, https://capitalmonitor.ai/factor/environmental/why-competition-law-threat-to-climate-collaboration/.


of breaching antitrust and competition laws.164 Race to Zero subsequently loosened its criteria,
stipulating that “no new coal projects” should be supported.165 Representatives of GFANZ also
stated that members were free to accept or ignore Race to Zero’s proposals.166
To forge a way forward, there is now discussion between net-zero alliance representatives
and regulators. For example, representatives of NZIA have discussed with the EU whether
exemptions could be introduced to competition laws for collective actions towards net zero.
Certain states have brought about reforms to antitrust and competition rules in order to ensure
that agreeing to Race to Zero’s commitments would not result in enforcement actions from com-
petition authorities. Austria, for example, changed its laws to exempt “cooperation for the pur-
pose of an eco-sustainable or climate-neutral economy” from the Austrian “cartel prohibition.”167
EU, Dutch and British competition authorities have published guidance clarifying that climate-
specific initiatives would not fall foul of competition law, and it is reported that France, Germany
and Greece are working on similar guidance.168 The United States has failed to follow suit, which
culminated in antitrust laws being used as political pressure on insurers in early 2023 and led to
many leaving NZIA as a result.169

Financed emissions
Asset owners (including insurers) are increasingly looking to monitor and report the
GHG emissions associated with their loans and investments, known as “financed emis-
sions,” and the Partnership for Carbon Accounting Financials (PCAF) has played a key
role in this regard. PCAF is a finance industry-led initiative created in 2015 by 14 Dutch
financial institutions and now has members around the world. Its original aim was to
standardise the way financial institutions measure and report financed emissions, and
to increase the number of financial institutions that commit to measuring and disclosing
Scope 3 emissions in line with its methods. In 2020, PCAF published its flagship Global
GHG Accounting and Reporting Standard for the Financial Industry with methodologies
for measuring financed emissions.

164 “US Banks Threaten to Leave Mark Carney’s Green Alliance over Legal Risks,” Financial Times, 21 September 2022, www.ft.com/content/0affebaa-c62a-49d1-9b44-b9d27f0b5600.
165 “Two Pension Funds Quit Mark Carney’s Green Alliance,” Financial Times, 25 September 2022, www.ft.com/content/df321358-c6d1-4dfc-8ab7-4526fab1305b.
166 Hamish Penman, “Banks Try Quiet Quitting on Net Zero,” Energy Voice, 14 October 2022, www.energyvoice.com/uncategorized/451729/banks-try-quiet-quitting-on-net-zero/.
167 “Directorate for Financial and Enterprise Affairs Competition Committee,” OECD, DAF/COMP/WD(2021)46, 5 November 2021, https://one.oecd.org/document/DAF/COMP/WD(2021)46/en/pdf.
168 Elizabeth Meager, “Why competition law is a threat to climate collaboration,” Capital Monitor, 10 October 2022, https://capitalmonitor.ai/factor/environmental/why-competition-law-threat-to-climate-collaboration/.
169 Tommy Wilkes, ‘Insurers’ climate alliance loses nearly half its members after more quit’ Reuters, 30 May 2023 https://www.reuters.com/business/insurers-climate-alliance-loses-nearly-half-its-members-after-more-quit-2023-05-30/#:~:text=The%20NZIA%2C%20which%20was%20formed%20in%202019%20to,two%20weeks%20ago%20and%2030%20in%20late%20March.

Climate Change and Insurance

Insurance-associated emissions
Insurers also have a key role as underwriters170 and, more generally, in the net-zero transition.171
Various stakeholders have increasingly focused on the GHG emissions associated
with underwriting portfolios for accounting purposes (“insurance-associated emissions”),
and this led to the NZIA collaborating with PCAF to develop the first global standard to
measure and disclose these emissions. The Standard was published in November 2022. It
supplements and builds on the requirements of the worldwide Greenhouse Gas Protocol,
which has gained broad market adoption over the years. It provides insured-emissions
calculation approaches for commercial lines and personal motor insurance.

Scope 1, 2 and 3 emissions


According to the global standard set by the Greenhouse Gas Protocol,172 Scope 1 emissions are
the direct greenhouse gas emissions from sources directly owned or controlled by the reporting
entity. They include on-site fuel combustion and emissions from chemical production in owned
or controlled process equipment, refrigerant losses and company vehicles. Scope 2 emissions
are the indirect greenhouse gas emissions associated with the generation of electricity purchased
or acquired by the reporting entity. This can include energy used for heating, cooling or general
processing of goods and materials by the reporting entity. Finally, Scope 3 emissions are all
indirect greenhouse gas emissions from sources not directly owned or controlled by the reporting
entity, which occur both upstream and downstream in the reporting entity’s supply or value chain.
Examples of Scope 3 emissions include business travel, procurement, waste and water.

Opportunities for the insurance sector


Climate change presents not only risks but also opportunities for innovation in risk analy-
sis, risk reduction or insurance product development within a changing risk landscape.
The industry can help foster an understanding of the existing and new risks to society
brought about by climate change.173 At the international level, it is understood that the
insurance industry is a key partner in efforts to adapt to a changing climate, particularly
in disaster risk financing, modelling and capacity building.

170 “Insuring the net-zero transition: Evolving thinking and practices,” UNEP FI’s Principles for Sustainable Insurance Initiative, April 2022, www.unepfi.org/wordpress/wp-content/uploads/2022/04/Insuring-the-net-zero-transition.pdf.
171 University of Cambridge Institute for Sustainability Leadership (CISL), “Insurers in Paris-aligned climate transition: Practical actions towards net zero underwriting,” Cambridge, UK: Cambridge Institute for Sustainability Leadership, December 2021, www.cisl.cam.ac.uk/files/insurers_in_paris aligned_climate_transition_cisl_climatewise_december_2021.pdf. ClimateWise is based out of the Cambridge Institute for Sustainability Leadership (CISL), as part of the Centre for Sustainable Finance. It represents a growing global network of leading insurance industry organisations and helps to align its members’ expertise to directly support society as it responds to the risks and opportunities of climate change.
172 “Corporate Standard, Greenhouse Gas Protocol,” Greenhouse Gas Protocol, https://ghgprotocol.org/corporate-standard.
173 UNEFPI 2021 (n 44).


New products and de-risking innovation


There is a recognised need to create “climate-ready” insurance products that incentivise
certain climate-positive behaviours. This includes the incorporation of net-zero objectives
and outcomes into business models and operations and demonstrating greater resilience
and adaptation in response to climate risks.174, 175

Figure 14.2

For example, sustainability can be built into the claims process. Zurich’s Commercial
Property Insurance through a “green endorsement” provides for retrofitting with sustain-
able building materials as part of its reinstatement cover. At the point of claim, RSA
suggests greener choices to customers by recommending energy-efficient replacements
for damaged goods. A number of insurers are now incentivising “repair over replace” in
motor policies or suggesting recycled parts.

The LMA’s model greenhouse gas emissions reduction endorsement


Contracts can incentivise lower-carbon activity. This is a key tenet of an international initiative
of in-house and private practice lawyers working together on creating precedent “climate-aligned

174 Neal Baumann, David Rush, Andy Masters et al., “Climate product innovation within the insurance sector,” The University of Cambridge Institute for Sustainability Leadership (CISL) and Deloitte, 2021, 8, www.cisl.cam.ac.uk/files/climatewise_climate_product_innovation.pdf (hereafter CISL 2021).
175 Neal Baumann, David Rush, Andy Masters et al., “Climate product innovation within the insurance sector,” The University of Cambridge Institute for Sustainability Leadership (CISL) and Deloitte, 2021, 11, www.cisl.cam.ac.uk/files/climatewise_climate_product_innovation.pdf.


contractual clauses” through The Chancery Lane Project.176 Insurance contracts are no exception,
and The Chancery Lane Project has proposed a series of precedent clauses for use in insurance
contracts.177
As an example of this type of clause in action, in 2022, the Lloyd’s Market Association
(LMA), representing Lloyd’s managing agencies, published a greenhouse gas emissions reduction
endorsement for use on international risks. The model endorsement provides that, in
consideration of the insured paying an additional premium and in the event of direct physical loss or
damage to insured property indemnifiable under this insurance, the insured may elect to repair,
replace or rebuild such property with materials that directly and measurably reduce the insured’s
Scope 1 greenhouse gas emissions (“GHG Reduction Materials”). If the insured elects to do so,
then the model endorsement provides that insurers will pay an additional amount of up to a
certain percentage of the replacement or rebuilding cost.

Insurance also has a role to play in de-risking nascent renewable technologies and low-
carbon or cleantech start-ups, for example those exploring carbon removal through carbon
capture and storage (CCS). Insurance can provide confidence to investors and project
developers to support these solutions at scale. As well as assisting at the “front end” of the
transition, insurance can support the sustainable decommissioning of fossil fuel assets.
For example, Aviva through its surety business holds corporate guarantees or collateral as
security and can thus provide guarantees for completion of reclamation work to remove
oil pipelines and to restore land to its original state.
Supporting the net-zero transition by developing innovative products and underwriting
climate risks is not without its challenges. There may be little or no loss history, making it
hard to assess the risk and set premiums and other terms. For some use cases, parametric
insurance might have advantages over conventional indemnity insurance.
As described in Chapter 6, parametric insurance pays out an agreed sum when speci-
fied objective triggers are met (such as rainfall, wind levels or hours of sunshine), often
by reference to an index created for this purpose. Isolating these perils (for which reliable
historic data may well often be available) and ignoring other perils that might cause loss
to the insured (such as faulty equipment or installation) could allow the insurer to offer
cover on commercial terms. And if the insured can live with the associated “basis risk,”
they also benefit from a more dependable and rapid pay-out if the insurance is triggered,
because this does not depend on the insured’s compliance with policy conditions and there
is no loss adjustment. Parametric insurance has been used to support the deployment of
renewables, which are often dependent on weather-based factors that can be readily linked
to an index.
Innovative insurance products are fostering nature-based solutions to climate change
and helping with the maintenance of carbon sinks and nature-based resilience assets that
could be threatened by extreme weather events. As an example, coral reefs combine car-
bon sequestration benefits with physical resilience benefits. With the Nature Conservancy

176 “Start using climate aligned clauses in your contracts,” The Chancery Lane Project, https://chancerylaneproject.org/.
177 Ibid.


and WTW, Swiss Re has developed a parametric insurance product to protect coral reefs
on the Yucatan Peninsula. The solution ensures rapid disbursement of funds to enable
trained and experienced community members to respond to reef damage, with the first
payment triggered by Hurricane Delta in 2020. A similar product responded when Belize
was struck by Hurricane Lisa in 2022.178 Munich Re has backed a similar parametric
insurance to protect coral reefs in Hawaii, the first such product in the United States.179
Like reefs, mangroves are a critical nature-based solution offering increased resilience
and helping protect against coastal flooding. AXA XL has been working on ways that
insurance might help restore mangrove forests after extreme weather events, for example,
by using a parametric insurance policy based on wind speed and paired with a traditional
indemnity policy to support both short-term and long-term restoration actions.180

National risk pools for natural catastrophe risk181


Climate-related weather events make natural catastrophe risk—the risk of loss from a
particularly destructive natural event—especially acute. Evidence of this mounting risk
for sovereigns is already widely present. In the United States, for instance, nine of the ten
worst fire seasons have occurred in the past 15 years, with 2017 and 2018 being the worst
years ever.182 The losses in these two seasons were unprecedented—more than 35,000
structures burned down, approximately $32 billion in property losses occurred, and more
than 100 people were killed.183 National risk pools present an innovative solution to the
management of natural catastrophe risk.
A number of countries have established public risk transfer programmes to address
underinsurance or to respond to specific perils or losses that have traditionally been
underinsured. For example, in Mexico, FONDEN, the Natural Disasters Fund, was estab-
lished in the late 1990s as a mechanism to support rapid rehabilitation of federal and
state infrastructure affected by adverse natural events, particularly earthquake risk.184
Resources are leveraged with market-based risk transfer instruments—parametric catas-
trophe bonds (“cat bonds”) and parametric reinsurance.185 In France, the Caisse Centrale
de Réassurance is a public reinsurer covering a range of risks, such as flooding, earth-
quakes, volcanoes or landslides. Consorcio de Compensación de Seguros in Spain covers
“Extraordinary Risks” (natural catastrophes and terrorism); such cover is mandatorily
included in policies for property damage and personal injury issued by private insurers. In
the UK, Flood Re186 is a private not-for-profit entity owned and managed by the insurance

178 “Hurricane Lisa triggers parametric Mesoamerican reef insurance,” Artemis, 11 November 2022, www.artemis.bm/news/hurricane-lisa-triggers-parametric-mesoamerican-reef-insurance/.
179 “Munich Re backed parametric insurance launched for Hawaii’s coral reefs,” Artemis, 21 November 2022, www.artemis.bm/news/munich-re-backed-parametric-insurance-launched-for-hawaiis-coral-reefs/.
180 CISL 2021 (n 173).
181 Sometimes also referred to as a “disaster risk,” natural catastrophe risk is not just confined to climate-related events but extends to other naturally occurring phenomena, such as earthquakes.
182 Christopher C French, “America on fire: climate change, wildfires & insuring natural catastrophes,” UC Davis L. Rev. 54 (2020), 817 (hereafter America on Fire).
183 America on Fire (n 181).
184 World Bank 2012. “FONDEN: Mexico’s Natural Disaster Fund—A Review,” World Bank Group, Washington, DC, https://openknowledge.worldbank.org/handle/10986/26881.
185 Ibid.
186 FloodRe, www.floodre.co.uk/.


industry and funded via a levy on insurance contracts; it operates as a pool for reinsuring
homes with a high risk of flooding. Climate risk lends itself to this type of national scheme.
For example, nationwide bundled natural catastrophe schemes with a diverse risk pool of
insureds and premium rates based on home values have been proposed as a response to
the growing risk of coastal flooding of private properties in the United States.187 Building
on this demand for innovative solutions at the national level and in order to offer protec-
tion to less-developed and more vulnerable countries, new international partnerships for
disaster resilience have been formed alongside sovereign risk pools, such as the recently
established Global Shield (see further below).

New partnerships for disaster resilience


Over the ten years to 2019, developed countries donated $133 billion in disaster-related
official development assistance (ODA), but only $5.5 billion went toward measures to
build resilience before disasters strike.188 Insurance represents an alternative pathway to
strengthening disaster preparedness and resilience for sovereigns, sub-sovereigns and
humanitarian organisations. Public–private partnerships (PPPs) between insurers and
governments are creating new approaches to disaster response and risk pooling. The
financial protection structure in climate-vulnerable economies currently has a weakness
in that funding is sought after the event. Insurance-based solutions can provide pre-arranged
finance which disburses before or just after disasters happen.
Launched in 2017, the InsuResilience Global Partnership (InsuResilience) aims to
enable more timely and reliable disaster responses and to better prepare for climate and
disaster risk through the use of climate and disaster risk finance and insurance solu-
tions.189 InsuResilience brings together more than 120 member entities to drive research,
modelling innovation and learning and to provide technical assistance to developing
countries. InsuResilience engages with a range of actors including international develop-
ment partners, civil society and private sector entities.190 The G20 InsuResilience Vision
2025 programme aims to bring insurance-related protection to 500 million people annually
by 2025. In 2021, 24 implementing programmes were operating under the InsuResilience
umbrella with 324 projects in 108 countries. Through its InsuResilience Solutions Fund
(ISF), InsuResilience promotes the development of innovative and sustainable climate
risk insurance products in developing and emerging countries, to improve the resilience
of poor and vulnerable households against the impacts of climate change and natural
disasters.
Led by the insurance industry and supported by international organisations, the
Insurance Development Forum (IDF)191 is a public–private partnership that aims to opti-
mise and extend the use of insurance and its related risk management capabilities to
build greater resilience and protection for people, communities, businesses and public

187 America on Fire (n 180).
188 “Net Resilience Gain concept proposed,” UNDRR, www.undrr.org/news/net-resilience-gain-concept-proposed.
189 “A Global Partnership for Climate and Disaster Risk Finance and Insurance Solutions,” InsuResilience, www.insuresilience.org/.
190 “Projects and Instruments,” InsuResilience, www.insuresilience.org/projects/.
191 Insurance Development Forum, “Delivering significant policy and operational impact: Insurance Development Forum 2021 Annual Review,” IDF, www.insdevforum.org/.


institutions that are vulnerable to disasters and their associated economic shocks. The
IDF’s working groups drive forward the most urgent priorities. For example, the IDF
working group on investment aims to increase the sectors and countries in which insur-
ance investments could operate by exploring how insurers, working with development
banks and others, can support the requirements for investment in resilient and sustainable
infrastructure in emerging economies. The IDF’s Risk Modelling Steering Group is dedi-
cated to improving global understanding and quantification of natural hazard disaster risk,
while the objective of the Sovereign and Humanitarian Solutions (SHS) Working Group is
to address the insurance needs of sovereigns, sub-sovereigns, international institutions and
humanitarian agencies in programmes and territories that are usually supported by donors
or development banks.192 The IDF also drives research into technological developments
that could facilitate closing the protection gap,193 including in microinsurance markets.194
It publishes papers that identify the legal, regulatory and policy environment which could
best promote resilience and, by extension, sustainable economic development.195
An example of the IDF’s work is a tripartite project launched in 2022 between the
Ghana Ministry of Finance, the United Nations Development Programme (UNDP) and
the German Government, to develop a sovereign risk transfer scheme for urban floods in
Ghana, alongside long-term investments in the country’s capacity to leverage and integrate
insurance and risk financing into its development strategies. As IDF members, Hannover
Re and WTW, together with the international humanitarian assistance and sustainable
development organisation Global Communities, are developing resilience strategies in
communities susceptible to natural catastrophes in Medellín, Colombia. Collaborating
closely with the city’s government, the partnership will use climate risk insurance to inte-
grate finance and supporting services, bringing protection to the most vulnerable exposed
populations.196
The Access to Insurance Initiative (A2ii),197 another global partnership, inspires and
supports insurance supervisors in promoting access to insurance for underserved and
low-income populations. Although created with a wide mandate that spans many areas,
such as capacity development, knowledge generation, guidance and implementation sup-
port, and supervisory peer-to-peer exchange and dialogue,198 A2ii has looked extensively
at climate risk and resilience building, in particular addressing the protection gap in mar-
kets with low insurance penetration.199

192 Insurance Development Forum, “Working Groups,” IDF, www.insdevforum.org/working-groups/.
193 Nigel Brook, Wynne Lawrence, Edward Langlier and Bill Marcoux, “How Technology can Help Bridge the Protection Gap,” Insurance Development Forum, 29 November 2019, www.insdevforum.org/knowledge/idf-reports-publications/idf-paper-on-how-technology-can-help-bridge-the-protection-gap/.
194 Nigel Brook, Bill Marcoux, Wynne Lawrence et al., “Technology and Innovation: Tools to help close the Protection Gap in Microinsurance Markets,” 28 November 2020, www.insdevforum.org/knowledge/idf-reports-publications/idf-paper-the-power-of-technology-to-close-the-microinsurance-protection-gap/.
195 Insurance Development Forum, “Insuring Resilience, Critical Legal, Regulatory and Policy Architecture,” IDF, 19 July 2021, www.insdevforum.org/knowledge/idf-reports-publications/insuring-resilience-critical-laws-paper/.
196 CISL 2021 (n 173).
197 “Access to Insurance Initiative: Homepage,” Access to Insurance Initiative, https://a2ii.org/en/home.
198 Ibid.
199 “Climate Risk/Disaster Insurance,” Access to Insurance Initiative, 2020, https://a2ii.org/en/knowledge-center/climate-riskdisaster-insurance/summary-of-the-15th-16th-and-17th-consultative-forums-in-2019-%E2%80%9Cclimate-and-disaster-risk-building-resilience-bridging-the-protection-gap%E2%80%9D.


Risk pools
Sovereigns are using insurance-based mechanisms through risk pools to build capacity in
disaster risk management and planning and provide funding for disaster risk.
At a regional level, the African Risk Capacity (ARC) Group200 is a specialised agency
of the African Union established to help African governments improve their capacities to
better plan, prepare, and respond to extreme weather events and natural disasters. Through
collaboration and innovative financing, the ARC Group enables countries to strengthen
their disaster risk management systems and access rapid and predictable financing when
disaster strikes to protect the food security and livelihoods of vulnerable populations. The
work of ARC focuses on capacity-building programmes, building risk models (drought,
tropical cyclone and river floods) and mapping weather-related risks in the African region.
Other risk pools that operate on a regional level include the Philippines Catastrophe
Insurance Facility (PCIF)201 and Climate Risk Adaptation and Insurance in the Caribbean
Project (CRAIC).202 While the PCIF allows non-life insurers to cede their catastrophe
risks to an insurance pool to more efficiently manage their catastrophe exposures and
boost their capacity to take in more catastrophe risks, the CRAIC intends to design and
implement products targeted at medium-level weather extremes (specifically, excess rain-
fall and high winds) to help vulnerable people adapt to these events.

The Global Shield


In 2022 at COP27 in Sharm-el-Sheikh, Egypt, the Vulnerable 20 Group of Finance
Ministers of 58 climate-vulnerable economies (V20) and the G7 launched the Global
Shield against Climate Risks.203 Building upon the work of InsuResilience, the Global
Shield is an initiative for pre-arranged financial support designed to be deployed during
climate disasters. The Shield brings together climate risk finance and preparedness, with
solutions to provide protection, linked to the contingency plans of developing countries,
that can be implemented swiftly if climate-related damages occur. As a result, people and
countries will be able to access the assistance that they urgently need more easily and
more quickly when disaster strikes. Furthermore, the Shield will mobilise additional funds to
meet the growing demand for finance. Initial contributions pledged to the initiative at
COP27 included around EUR 170 million from Germany and more than EUR 40 million
from other countries.
In terms of implementation, the Global Shield will align behind vulnerable country
strategies for closing protection gaps using a range of appropriate instruments. Various
instruments are available that can be used to help disburse money quickly to govern-
ments, to poor people and to those worst affected when a disaster occurs. They include, for

200 “About the African Risk Capacity Group,” African Risk Capacity, www.arc.int/.
201 See generally, Steve Evans, “Philippine Catastrophe Insurance Facility,” www.artemis.bm/news/philippine-catastrophe-insurance-facility-pcif-means-less-risk-ceded-to-reinsurers-to-begin/.
202 Munich Climate Insurance Initiative, “Climate Risk Adaptation and Insurance in the Caribbean (CRAIC),” Climate Insurance, https://climate-insurance.org/projects/climate-risk-adaptation-and-insurance-in-the-caribbean/.
203 “Global Shield against Climate Risks,” Federal Ministry for Economic Cooperation and Development, www.bmz.de/en/issues/climate-change-and-development/global-shield-against-climate-risks#:~:text=The%20Global%20Shield%20was%20officially%20launched%20on%2014,have%20devastating%20impacts%20on%20poor%20people%20in%20particular.


example, social protection systems, designated disaster reserves in public budgets, loans
from multilateral development banks that are disbursed in an emergency, or government
bonds for which repayment can be reduced or suspended in a disaster situation. Insurance
against rare events with the potential to cause a huge amount of damage can also be a use-
ful instrument. The basis is provided by contingency plans that a country draws up after
analysing its own climate risks.
At the household and business level, these instruments comprise livelihood protection,
social protection systems, livestock and crop insurance, property insurance, business
interruption insurance, risk-sharing networks and credit guarantees, among other options.
And at the level of governments, humanitarian agencies and NGOs, the Global Shield will
support the integrated development of instruments used to ensure that money is avail-
able when needed and the processes to ensure that it is spent on providing what affected
individuals and communities need. The first recipients of Global Shield packages include
Bangladesh, Costa Rica, Fiji, Ghana, Pakistan, the Philippines and Senegal.204
Global Shield identified the Global Risk Modelling Alliance (GRMA) as a key resource,
particularly during initial in-country climate risk assessments and subsequent capacity
building. The GRMA205 is an initiative of the V20 and
the IDF and is hosted by the ISF joint public–private technical assistance programme. The
GRMA has three main components:

• A grant fund to help countries fill critical risk model and data gaps for public
good;
• A technical assistance team comprising risk practitioners combining both public
and private sector expertise; and
• Open-source risk modelling technology, tools and standards developed by the
insurance industry and optimised for public sector use.

The GRMA will support participating countries in building, sharing and further devel-
oping locally-driven views of climate and disaster risk, across ministries of finance,
asset-owning ministries, disaster risk management authorities and research institutions.
Through local ownership of the analysis, sovereigns and cities will be better able to
develop and report strategic risk profiles, initiate climate-resilient investments and trans-
fer residual risk to international markets. Pakistan has been announced as the first partner
country to deploy the GRMA. The GRMA aims at strengthening climate and disaster risk
insights and will support Pakistan’s development of its first National Adaptation Plan and
its first Long-Term Climate Strategy.206

204 Matt Sheehan, “V20 and G7 Launch Global Shield Initiative at COP27, Backed by World Bank—Reinsurance News,” 15 November 2022, www.reinsurancene.ws/v20-and-g7-launch-global-shield-initiative-at-cop27-backed-by-world-bank/.
205 “Global Risk Modelling Alliance,” www.grma.global/.
206 “PRESS RELEASE COP27: Global Risk Modelling Alliance Selected as Key Resource for the Global Shield Initiative,” Insurance Development Forum, www.insdevforum.org/press-release-cop27-global-risk-modelling-alliance-selected-as-key-resource-for-the-global-shield-initiative/.


Conclusion—climate, biodiversity, planetary boundaries and ESG


Beyond climate change, biodiversity loss and other environmental issues have been gain-
ing prominence across markets, regulations and laws. In late 2022, international biodi-
versity targets to be met by 2030 were agreed upon in the Post-2020 Global Biodiversity
Framework,207 paving the way to the decade of biodiversity action. At the same time,
climate change and biodiversity loss have been identified as two out of nine planetary
boundaries—the critical environmental thresholds, which, when crossed, may ultimately
make Earth inhospitable to humans. Out of these nine planetary boundaries,208 six have
been crossed as of 2022: land-system change, biodiversity loss, climate change,
biogeochemical cycles (phosphorus and nitrogen), the introduction of novel entities into
the biosphere (including plastics pollution) and the freshwater cycle.209 International
politics seems to be responding to these developments—for instance, calls for an inter-
national treaty on plastics pollution intensified significantly after plastics pollution was
identified as a cause of a breach of a planetary boundary in early 2022.210 Despite the
unpredictability of international negotiations, the treaty is now expected as early as
2024.211 Similarly, global market-led initiatives on biodiversity and wider sustainability
disclosures pioneered by the Task Force on Nature-related Financial Disclosures212 and
the International Sustainability Standards Board213 point towards the expansion of the
reporting approach adopted vis-à-vis climate change into other areas of sustainability
concerns.
This shift can also be seen in mainstream economics. The World Economic Forum’s
Global Risk Report has long featured climate risk as a core global risk. The 2022 report,214
produced in partnership with Marsh McLennan, SK Group and Zurich Insurance Group,
identified a disorderly climate transition through “climate action failure” as among the
top five short-term risks to the world. Yet alongside this, the risks of “biodiversity loss,”
“human environmental damage” and “social cohesion erosion” all feature among the ten
most severe risks on a global scale over the next ten years.215 This indicates an increas-
ing appreciation of the integration of wider environmental, social and governance issues
within mainstream economic thinking.
At the same time, we have witnessed legislative and regulatory action combining the
concept of climate/environmental liability with liability for human rights breaches and

207 See, “Preparation for the Post-2020 Global Biodiversity Framework,” www.cbd.int/conferences/post2020.
208 Stratospheric ozone depletion, loss of biodiversity and biomass, novel entities (e.g. chemicals, plastics), climate change, ocean acidification, freshwater use and change in the global hydrological cycle, changes in land use, the presence of nitrogen and phosphorus, and air pollution.
209 Jeff Masters, “Recklessness Defined: Breaking 6 of 9 Planetary Boundaries of Safety,” Yale Climate Connections, 12 July 2022, https://yaleclimateconnections.org/2022/07/recklessness-defined-breaking-6-of-9-planetary-boundaries-of-safety/.
210 “Safe planetary boundary for pollutants, including plastics, exceeded, say researchers,” Stockholm Resilience Centre, www.stockholmresilience.org/research/research-news/2022-01-18-safe-planetary-boundary-for-pollutants-including-plastics-exceeded-say-researchers.html.
211 Sara De Giorgio, “The Paris Agreement of plastic: coming in 2024,” Curious Earth, https://curious.earth/blog/the-paris-agreement-of-plastic-coming-in-2024/#:~:text=A%20plastic%20treaty%20is%20being%20drawn%20up%20to,since%20The%20Paris%20Agreement.%20What%20does%20this%20mean%3F.
212 https://tnfd.global/.
213 www.ifrs.org/groups/international-sustainability-standards-board/.
214 Global Risks Report 2022 (n 36).
215 Ibid.


wider ESG criteria. For instance, the EU’s Corporate Sustainability Reporting Directive
(CSRD) introduces detailed reporting requirements regarding the corporate impact on the
environment (including biodiversity), human rights and social standards. These reporting
requirements will apply to all large companies based in the EU, whether listed on stock
markets or not, as well as non-EU companies with a turnover of over EUR 150 million in
the EU. Listed SMEs will also be covered, but they will have more time to adapt to the new
rules. The new reporting requirements will be phased in, with companies already subject
to the Non-Financial Reporting Directive (precursor to the CSRD) having to report under
the CSRD from 2025.216 The extraterritorial impact of CSRD is likely to work as a catalyst,
globally raising standards of human rights and environmental due diligence reporting
around the world in the same way the EU General Data Protection Regulation did a
few years ago in the sphere of data protection.217
We expect this trend to gain momentum in the first half of the 2020s, crystallising into
regional legislative and regulatory action first. From 2025 onwards, it is likely that the
frameworks will become more intertwined and globalised resulting in a web of ESG-linked
legal instruments by the end of this decade. This development will have profound
implications for insurers on both sides of their balance sheets, underwriting and portfolio
management alike, requiring changes in policy wordings and investment practices.

216 European Commission, “Corporate sustainability reporting,” https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en.
217 General Data Protection Regulation.

Chapter 15

Climate Change Liability Risk

Nigel Brook, Wynne Lawrence and Lucia Williams1

CONTENTS
Introduction
History of climate litigation
Types of climate litigation
Government framework cases
Framework mitigation cases
Adaptation cases
Administrative/planning cases
Damages-based claims for contribution to climate change
Failure to adapt to physical risks
Failure to adapt professional services
Fiduciary duties cases
Greenwashing
Insurance coverage cases
Drivers of climate litigation
Potential impacts on insurers
Regulatory scrutiny and (re)insurers’ approach to managing climate liability risk
Conclusion

1 The authors acknowledge and express their appreciation for the contributions to this chapter by Benjamin
Soh, Magnus Taylor, Matthew Loy, Anna Harkin, Paige Matthews, Saskia Wolters, Arina Naumova and Chiara
Vigneri.

DOI: 10.4324/9781003319054-15


Introduction
As set out in the previous chapter, liability risk is considered one of three major risks to the
financial system arising from climate change, the other two being physical and transition
risks. As with physical and transition risks, liability risks arising from climate change can
impact insurers’ business risk profile, underwriting strategy and underwriting processes.2
The 2020 IPCC Sixth Assessment Report (“AR6”) Summary of Cross-Working Group
Discussions describes liability risk as:
risk of liability for failure to accurately assess risk of climate change to company infrastructure
and business lines, failure to assess and plan for climate change impacts before decision-making,
and failure to protect people from impacts of climate change when a duty of care or
other legal obligation exists.3

This definition encapsulates three different facets of climate change liability risk: The
first focuses on companies and what could be considered a failure to adapt—either in
terms of assessing risks of climate change to company infrastructure or business lines;
the second also addresses failure to adapt but more broadly, in terms of considering climate
change impacts before decision-making. This second category could be exemplified
by an acquisition of a fossil fuel asset without proper climate due diligence or trustees of
pension funds that are overly concentrated on fossil fuel assets (i.e., failure to appreciate
and take account of the impact of the energy transition). The last point, instead, “failure to
protect people,” seemingly aims to encapsulate possible breaches of duty of care by actors
that have contributed, or not done enough, to protect people against the consequences of
climate change.
The fact that the IPCC Working Groups, arguably the most eminent collection of
experts tasked with assimilating scientific papers on climate change, specifically address
climate liability risk testifies to the international scientific community’s recognition of the
importance of climate liability risk as a factor in formulating global solutions to climate
change and its consequences.
The term “climate liability risk” is sometimes used interchangeably with climate litigation,
or “legal” risk. Indeed, the IPCC Working Group II Contribution to the Sixth
Assessment Report notes that litigation and liability are linked.4 The three different types
of liability risk outlined by the IPCC AR6 Working Group definition match up with three
distinct types of climate change litigation: (1) Against companies for failure to adapt; (2)
against corporate and non-corporate actors, including their directors and officers, for failure
to take climate change and the energy transition into account in their decision-making;
and (3) against corporate and non-corporate, particularly governmental, bodies for their
part in causing, or not doing enough to prevent climate change. These three types of

2 “Application Paper on the Supervision of Climate related Risks in the Insurance Sector,” International
Association of Insurance Supervisors, Sustainable Insurance Forum, May 2021, www.iaisweb.org/.
3 A Reisinger, M Howden, C Vera et al., “The concept of risk in the IPCC Sixth Assessment Report:
a summary of cross-Working Group discussions,” Intergovernmental Panel on Climate Change, Geneva,
Switzerland, 4 September 2020 (hereafter IPCC Sixth Assessment Report).
4 IPCC Working Group II Contribution to the Sixth Assessment Report, “Climate Change 2022: Impacts,
Adaptation and Vulnerability,” Intergovernmental Panel on Climate Change, 2565, www.ipcc.ch/report/sixth-assessment-report-working-group-ii/
(hereafter IPCC Working Group II). The Working Group II Contribution
notes this in the context of loss & damage; but this can apply to different contexts.

climate litigation are some of the most prevalent in the current universe of climate cases,
but there are multiple other types.
Climate liability risk is a consequence of increased physical and transition risks. Until
net GHG emissions reach zero, the physical risks of climate change and associated loss
and damage will continue to mount, which is likely to give rise to more and more claims
seeking to prompt action to tackle climate change. The transition to a low-carbon economy
will strand fossil fuel-related assets and a disorderly transition will greatly increase
the destruction of value and associated large write-offs in the value of companies or sovereign
bonds. Failures to adapt investment strategies, advisory services, product offerings
or governance structures in light of the rising standards of care around climate risk management
could give rise to shareholder claims or regulatory action. Climate liability risk
is also sometimes considered a sub-set of transition risk;5 another lever in the transition to
a low-carbon economy alongside policy, regulatory and market developments. However,
liability risk is informed by a wider range of considerations—including jurisprudential,
evidential and constitutional—than physical risks, which are driven by climate change
itself, and transition risks, which are driven by policy, regulatory and market trends.
Liability risk is generally less well understood than physical and transition risk and the
fact that (re)insurers underwrite many types of liability risk means that this is a topic of
particular interest and concern for (re)insurers and their legal counsel.
For a company, the risks involved in a climate lawsuit extend beyond an adverse ruling
and include the reputational damage of being sued, (potentially very high) defence costs
and potentially paying for a settlement.
Climate litigation has been defined as comprising:
Cases brought before administrative, judicial and other investigatory bodies, financial supervisory
authorities and ombudsman schemes or in domestic or international courts and organisations,
that raise issues of law or facts regarding the science of climate change and climate
change mitigation and adaptation efforts.6

This definition, adopted throughout the rest of this chapter when referring to climate litigation,
is comparatively wide and aims to capture a broad spectrum of cases, while not
necessarily including in the definition any case that tangentially mentions or could potentially
be interpreted as relevant to climate change.

5 For example in the Final Report, “Recommendations of the Task Force on Climate-related Financial
Disclosures,” June 2017, TCFD recommendations framework, 5, www.fsb-tcfd.org/publications/.
6 Maryam Golnaraghi, Joana Setzer, Nigel Brook, Wynne Lawrence and Lucia Williams, “Climate
Change Litigation—Insights into the evolving global landscape,” The Geneva Association, April 2021, 5
(hereafter Geneva 2021), www.genevaassociation.org/publication/climate-change-and-environment/climate-change-litigation-insights-evolving-global;
Joana Setzer et al., “Climate change litigation and central banks,”
Legal Working Paper Series, Eurosystem, December 2021 No 21 (hereafter Setzer 2021), p 5, citing D Markell
and J Ruhl (2012), “An Empirical Assessment of Climate Change In the Courts: A New Jurisprudence Or
Business As Usual?,” Florida Law Review, (2021) vol 64, no. 1, 15; M Burger and J Gundlach, “The Status of
Climate Change Litigation: A Global Review,” UN Environment Programme, 2017; M Burger and J Metzger,
“Global Climate Litigation Report: 2020 Status Review,” UN Environment Programme 2021. Climate litigation
has been defined more narrowly, for instance, as “cases before judicial and quasi-judicial bodies that
involve material issues of climate change science, policy, or law,” Joana Setzer and Catherine Higham. “Global
trends in climate change litigation: 2022 Snapshot,” Grantham Research Institute on Climate Change and the
Environment and the Centre for Climate Change Economics and Policy, 2022, 6 (hereafter Setzer 2022). Setzer
and Higham note that complaints to administrative bodies would also be included in this definition, “where
these are indicative of an important trend or development.”

History of climate litigation


Climate change litigation emerged in the 1980s, alongside the international scientific community’s
growing concern about climate change and its impacts. The number of cases filed each
year has been accelerating since around 2015. The total from 1986 to the end of 2014 stood at
just over 800; another 1,200 were filed between 2015 and 2022, and the trend is still upwards.7
The history of climate litigation can be broken down into three “waves.”8
The first wave of climate litigation began in the mid-1980s and was geographically
concentrated in the United States and Australia. These cases were typically administrative
cases brought against public bodies in a bid to raise environmental standards.9 This
nascent wave lasted until the mid-2000s when the second wave commenced.10
The second wave of climate litigation saw an explosion in the number of climate cases,
having been ignited by two significant events in the sphere of global climate change politics.
First, the Kyoto Protocol came into force in 2005, pushing the issue of climate change to the
forefront of public consciousness. Second, the failure of the Copenhagen Accord in 2009 to
commit nations to emissions reduction led to climate litigation being pursued as an alternative
avenue to push governments to act on climate change.11 The second wave saw an expansion
in the types of cases and, in particular, the emergence of tort cases against corporations for
allegedly contributing to climate change. During this wave, climate litigation also expanded its
geographical reach to Europe, especially through the European Court of Justice.12
Much like the second wave, the present, third, wave of climate litigation was heralded
by a momentous occasion in the history of global climate change politics. The 2015 Paris
Agreement obliged nations to set ambitious emissions reduction goals going forward.
Among other notable examples, this led to the landmark case of Urgenda Foundation v
State of the Netherlands,13 where a Dutch court found the Dutch government’s existing
emissions reduction pledge to be insufficient towards meeting its obligations under the
Paris Agreement and required it to further limit emissions. Since then, many Urgenda-inspired
lawsuits have been filed across the world, including in jurisdictions in Asia,
Africa and Latin America.14 The types of climate litigation pursued continue to become
more diverse, with many new claims focusing on the failures of directors, trustees and
fiduciaries to consider emissions and climate risk.
As of publication, there are over 2,00015 climate change litigation cases globally. Since
2015, 1,006 climate-related litigation cases have been filed, compared to 834 from 1986 to
2014.16

7 Setzer 2022 (n 6) 4.
8 Setzer 2021 (n 6).
9 Setzer 2021 (n 6) 14.
10 Setzer 2021 (n 6) 7.
11 Geneva 2021 (n 6) 17.
12 Geneva 2021 (n 6) 17.
13 ECLI:NL:HR:2019:2007.
14 Geneva 2021 (n 6) 17.
15 See, “Climate Change Laws of the World,” Grantham Research on Climate Change and the Environment,
https://climate-laws.org/ (hereafter Climate Change Laws). In this chapter, the websites https://climate-laws.org/
or http://climatecasechart.com/ are provided as a reference to help readers understand the cases referred to,
with excellent summaries and other documents which are made available in English.
16 Joana Setzer and Catherine Higham, “Global trends in climate change litigation: 2021 Snapshot,”
Grantham Research Institute on Climate Change and the Environment and the Centre for Climate Change
Economics and Policy, 2021.

Types of climate litigation


Numerous different types of climate litigation have developed over the past decades,
and have engendered efforts on the part of scholars, legal practitioners and others to
attempt to record and categorise them. Two databases in particular, maintained by the
Sabin Center at Columbia University17 and the Grantham Centre at the London School of
Economics18 have been instrumental in this work, enabling a granular analysis of a now
fairly wide, and growing, body of case law.
Climate cases have been categorised in terms of their objective, as “strategic,” or “non-strategic”
cases—the former being cases where claimants pursue “some broader societal
shift,” such as policy changes; and the latter seeking a decision on a matter of concern
only to the litigants involved, such as whether planning permission for a project should
take account of climate change considerations.19 Alternatively, they can be divided into
“climate-aligned” cases, i.e. those which seek to advance climate measures, and “non-climate-aligned,”
i.e. those which aim to delay climate action, or “just transition” cases.20
Or, again, they have been classified by type of defendant—whether governmental bodies
or corporations.21
The IPCC Working Group II Contribution to the Sixth Assessment Report, “Climate
Change 2022: Impacts, Adaptation and Vulnerability,” Intergovernmental Panel on
Climate Change (page 2599), has identified the following types of litigation:

1. Challenge government decisions for not considering climate change risks;
2. Petitions to act;
3. Regulatory proceedings;
4. Failure to act by public authorities;
5. Failure by private sector to consider climate change adaptation in their business
practice;
6. Youth public trust claims;
7. Human rights claims.

While the above list is widely cast, its focus is on litigation involving public bodies—with
only one row devoted to claims against private sector actors. Claims against corporations
can be further categorised into cases focusing on compensation for damage caused by
climate change and/or expenses incurred to prevent or mitigate such damage; cases targeting
directors and officers for breach of fiduciary duties; and the increasingly prevalent
“greenwashing” cases. One could also add a nascent category of cases brought by corporations
against their insurers about coverage for defence costs or damages arising from
climate change.
The spectrum of climate cases is broad and growing, and individual cases may
involve a multiplicity of parties and allegations. Putting them into categories can help in

17 “Climate Change Litigation Databases,” Sabin Center for Climate Change Law, http://climatecasechart.com/.
18 Climate Change Laws (n 15).
19 Setzer 2021 (n 6) 10.
20 Setzer 2022 (n 6) 7.
21 Geneva 2021 (n 6) 19.

determining which are most relevant to insurers, in terms of potential direct and indirect
impact on their liability portfolios and assets.
We provide here below an overview of some well-defined categories of cases:
1. Framework cases against states, comprising:
a. Mitigation cases; and
b. Adaptation cases.
2. Administrative/planning cases;
3. Damages-based claims for contribution to climate change;
4. Cases on failure to adapt to physical risks;
5. Cases on failure to adapt professional services;
6. Fiduciary duties cases;
7. Greenwashing cases; and
8. Insurance coverage cases.
These types of litigation are discussed in turn below.

Government framework cases


One of the most prevalent types of climate litigation to date has been cases brought against
governmental bodies. Academic literature identifies cases which challenge governments’
overall policy responses to climate change as “government framework cases.”22 These
types of cases can be further subdivided into cases related to (a) mitigation of climate
change, which seek to limit GHG emissions and drive forward low-carbon policymaking,
and (b) adaptation cases, which target the state’s responsibilities to take steps to address
loss and damage caused by climate change and adapt to a changing climate and its effects
on its citizens.

Framework mitigation cases


The leading mitigation case, mentioned above, is Urgenda Foundation v State of the
Netherlands. In 2015, the year of the Paris Agreement, the first instance ruling in Urgenda
represented the first time a domestic court ordered a state to reduce emissions by an absolute
minimum amount. The case was ultimately appealed to the Dutch Supreme Court
which in its December 2019 judgment ordered the Dutch government to institute an additional
4% reduction of GHG emissions (for a total reduction target of 25%) by the end
of 2020 compared to 1990 levels (equivalent to reducing emissions by 15 megatonnes in
2020). Following that judgment, in 2020, the Dutch government adopted 30 proposals
from a plan drawn up by the plaintiff environmental group, Urgenda, in collaboration
with 800 civil society groups and other organisations.23 The measures included a 75%
reduction in the capacity of the country’s three coal-fired power stations, limits on cattle

22 Catherine Higham, Joana Setzer and Emily Bradeen, “Challenging government responses to climate
change through framework litigation,” Grantham Research Institute on Climate Change and the Environment
and Centre for Climate Change Economics and Policy, London School of Economics and Political Science
(2022), 1.
23 www.urgenda.nl/en/themas/climate-case/dutch-implementation-plan/.

and pig herds, subsidies to homeowners to use double-glazed windows and less concrete
for energy efficiency, lower speed limits and the installation of solar panels on all school
rooftops. The costs are estimated at approximately EUR 3 billion.24 Cases have been
brought against many other nation-states, including Ireland, France, Belgium, Sweden,
Switzerland,25 Germany,26 the United States, Canada, Peru, South Korea, Poland,27
Finland,28 Sweden29 and Russia.30
More than half of the subnational cases globally were filed against German subnational
governments following the successful Neubauer case in April 202131 at the federal level,
in which the claimants challenged the emission reduction targets for 2030 (55% by 2030)
and the design of the German Climate Protection Act.32 German courts have also faced the
issue of separation of powers, which often arises in framework cases. This was reflected
in the judgment in Family Farmers and Greenpeace Germany v Germany,33 where the
court held that “it is not up to the administrative court to impose this standard on the
German government as a mandatory and obligatory minimum level of climate protection,
taking into account the executive’s scope for design and assessment.”34 Despite this challenge
to the power of courts to hold a government’s climate policies and actions illegal,
the importance of framework cases for companies and investors should not be underestimated.
The framework cases may result in concrete governmental policy action and
spur net-zero transition. Indeed, the success of the above-mentioned Neubauer case was
followed by climate litigation against some of the country’s major emitters.35 Framework
mitigation litigation in France demonstrates several indirect impacts of framework cases
for corporate actors. First, these cases have the power to mobilise citizens around litigation
against their government, which then often spills into litigation against corporates.

24 See Geneva 2021 (n 6), and Jonathan Watts, “Dutch officials reveal measures to cut emissions after
court ruling,” The Guardian, 25 April 2020, www.theguardian.com/world/2020/apr/24/dutch-officials-reveal-measures-to-cut-emissions-after-court-ruling.
25 Verein KlimaSeniorinnen and Others v Switzerland (Application no. 53600/20), European Court of
Human Rights, https://en.klimaseniorinnen.ch/?ref=the-wave; “Observations in the facts, admissibility and
merits,” Key documents, KlimaSeniorinnen, www.klimaseniorinnen.ch/english/.
26 Kate Connolly, “‘Historic’ German Ruling Says Climate Goals Not Tough Enough,” The Guardian, 29
April 2021, www.theguardian.com/world/2021/apr/29/historic-german-ruling-says-climate-goals-not-tough-enough.
27 “Poland faces first citizen lawsuits over climate change,” 11 June 2021, Reuters, www.reuters.com/business/environment/poland-faces-first-citizen-lawsuits-over-climate-change-2021-06-10/.
28 “Activists file legal challenge over Finnish climate inaction,” france24.com, 28 November 2022, www.france24.com/en/live-news/20221128-activists-file-legal-challenge-over-finnish-climate-inaction?ref=the-wave.
29 Niclas Rolander, “Greta Thunberg Sues Her Native Sweden for Failing on Climate,” 25 November 2022,
Bloomberg, www.bloomberg.com/news/articles/2022-11-25/greta-thunberg-sues-sweden-for-climate-change-failure#xj4y7vzkg.
30 Waseem Mohamed, “First Climate Lawsuit against Russian Government Launched over Emissions,”
The Guardian, 13 September 2022, sec. World news, www.theguardian.com/world/2022/sep/13/first-climate-lawsuit-russia-emissions.
31 Neubauer, et al. v Germany, https://climate-laws.org/geographies/germany/litigation_cases/neubauer-et-al-v-germany.
32 Setzer 2021 (n 6).
33 Family Farmers and Greenpeace Germany v Germany, https://climate-laws.org/geographies/germany/litigation_cases/family-farmers-and-greenpeace-germany-v-germany.
34 Higham, Setzer and Bradeen, 2022.
35 Ibid. In addition, within two weeks of the decision of the German Federal Constitutional Court in
Neubauer, the federal government presented an amendment to the Climate Protection Act—see www.bundesregierung.de/breg-de/themen/klimaschutz/klimaschutzgesetz-2021-1913672.

For instance, a public petition used in Notre Affaire à Tous and others v France was
brought by four French non-governmental organisations (NGOs), with the support of over
2.3 million members of the public whose signatures featured on the petition.36 Importantly
for corporates, the science and arguments used in this case are also being used by the same
in parallel proceedings initiated against the French oil major Total.37 A similar trend was
identified in the Netherlands where the successful Urgenda case against the Dutch government
motivated the litigants to pursue Royal Dutch Shell for allegedly deficient climate
plans only a year later.38

Adaptation cases
There is a rising number of cases addressing states’ failure to implement adaptation policies.39
The most-cited adaptation case is Leghari v Federation of Pakistan (2015 WP. No.
25501/201), in which a farmer sued Pakistan’s national government for failing to implement
its national climate change policies.40 Mr Leghari argued that the government’s failure
to meet its climate change adaptation targets had resulted in immediate impacts on
Pakistan’s water, food and energy security. Such impacts offended Mr Leghari’s constitutional
right to life.
In September 2015, an appellate court in Pakistan ruled in favour of Mr Leghari, finding
that although the government had formulated a climate change policy and implementation
framework, there had been no real progress with implementation. To oversee the
execution of the policy, the court directed several government ministries to each nominate
“a climate change focal person” to help ensure the implementation of the Framework and
created a Climate Change Commission composed of representatives of key ministries,
NGOs, and technical experts to monitor the government’s progress.41

Climate change and human rights


One of the most significant trends in climate litigation has been the emergence of litigation based
on breaches of human rights. Both the Urgenda and Leghari cases detailed above relied on constitutional
human rights arguments to push forward mitigation or adaptation at the national level
based on the obligations of the state towards its citizens.
Human rights arguments have also been deployed before other national courts in support of
climate litigation. A salient example is Agostinho v Portugal (No. 39371/20), a case brought in
2020 by six Portuguese youths against 33 European states before the European Court of Human

36 Ibid.
37 Ibid.
38 Ibid.
39 Joana Setzer and Lisa C Vanhala, “Climate change litigation: A review of research on courts and litigants
in climate governance.” Wiley Interdisciplinary Reviews: Climate Change 10, no. 3 (2019), e580; Jacqueline
Peel and Hari M Osofsky. “Climate change litigation.” Annual Review of Law and Social Science 16 (2020),
21–38; IPCC Working Group II (n 4) 659.
40 Brian Preston, “The role of the courts in facilitating climate change adaptation,” The Asia-Pacific
Centre for Environmental Law Climate Change Adaptation Platform (2016) 3.
41 Leghari v Federation of Pakistan (2015) W.P. No. 25501/201, http://climatecasechart.com/non-us-case/ashgar-leghari-v-federation-of-pakistan.

Rights (ECtHR) for alleged breaches of the young people’s human rights under the European
Convention on Human Rights (ECHR) on climate change grounds.42 The claimants argued that
the states breached Article 2, the right to life; Article 8, the right to respect for private life, family
life, home and correspondence; and Article 14, the right to be free of discrimination. They argue
that the defendant states’ contribution to climate change poses a threat to their lives and to their
physical and mental well-being, and that the impact will be greater on them than on older people,
which is a form of discrimination.
Another example of rights-based arguments, this time before an international tribunal and
based on international human rights law (rather than national or constitutional human rights
obligations), in 2022, is Daniel Billy and others v Australia No. 3624/2019.43 There, the UN
Human Rights Committee (UNHRC) found that the Australian Government was in violation of
its human rights obligations towards indigenous Torres Strait Islanders through its inaction
on climate change. Australia’s failures inter alia to reduce GHG emissions and to upgrade infrastructure
were found to violate the human rights of the islanders (including their cultural rights).
Significantly, the UNHRC called on Australia to compensate the claimants, engage in consultation
with the islanders to assess their needs and take measures to ensure the communities’ safe
existence on the islands.44

Administrative/planning cases
Administrative cases are those brought against governments or public bodies, with the
aim of challenging their decisions and influencing their conduct.45 The earliest examples
of climate change litigation were administrative cases against public bodies. For instance,
in 1986, a group of plaintiffs that included the City of Los Angeles and the City of New
York sued the National Highway Traffic Safety Administration (NHTSA) (with Ford
and General Motors among the intervenors) under the National Environmental Policy
Act (NEPA) challenging the NHTSA’s decision not to prepare an Environmental Impact
Statement (EIS) covering its Corporate Average Fuel Economy (CAFE) standards for

42 Duarte Agostinho and Others v Portugal and 32 Other States, https://climate-laws.org/geographies/international/litigation_cases/duarte-agostinho-and-others-v-portugal-and-32-other-states.
43 Daniel Billy and others v Australia (Torres Strait Islanders Petition) CCPR/C/135/D/3624/2019,
http://climatecasechart.com/non-us-case/petition-of-torres-strait-islanders-to-the-united-nations-human-rights-committee-alleging-violations-stemming-from-australias-inaction-on-climate-change/,
https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fclimatecasechart.com%2Fwp-content%2Fuploads%2Fsites%2F16%2Fnon-us-case-documents%2F2022%2F20220923_CCPRC135D36242019_decision.docx&wdOrigin=BROWSELINK.
44 Ibid.
45 Geetanjali Ganguly, Joana Setzer and Veerle Heyvaert. “If at first you don’t succeed: Suing corporations
for climate change,” Oxford Journal of Legal Studies 38, no. 4 (2018), 841–868.
This type of case has been further subdivided into: Those concerning administration understood as relating
to specific projects; requesting or alleging misleading/incomplete information/disclosure; requesting,
interpreting or enforcing legislation/policies; and protection/loss and damages. However, cases may be motivated
by more than one of these objectives—Michal Nachmany, Sam Fankhauser, Joana Setzer and Alina
Averchenkova, “Global trends in climate change legislation and litigation: 2017 update.” Grantham Research
Institute on Climate Change and the Environment (2017) 16; for the purposes of this report, reference will be
made simply to “administrative cases.”

model years (MY) 1987–88 and 1989. The court found that, while the state and city petitioners
had standing to bring the challenge on air pollution grounds, based on their obligations
under the Clean Air Act, the plaintiffs failed to explain how the injury they alleged to
have arisen from global warming could be traced causally to the NHTSA’s decision. This
case is an early example of the difficulties faced in proving a causal relationship between
the alleged administrative failure and tangible loss or damage.
The examples of planning or administrative cases are myriad. UK examples include
campaigners’ attempts to stop, via the courts, the construction of a third runway at
Heathrow Airport46 and to challenge the approval of gas-fired generating units at the Drax
Power Station.47 Greenpeace has challenged the UK’s North Sea Transition Authority over
its approval of the Jackdaw oil field on climate grounds.48 The UK Court of Appeal has
considered a judicial review challenge to the UK government’s decision to approve US
$1.15 billion of financing for a gas project in Mozambique.49
In Australia in Sharma v Minister for the Environment50 at first instance in 2021, the
Federal Court found that the Minister of Environment owed a duty to take reasonable care
to avoid causing personal injury to children when deciding whether to permit coal mine
expansion under the Australian Environment Protection and Biodiversity Conservation
Act. The decision to impose a new duty of care on the Minister was overturned on appeal
in 2022. Later that year, the Queensland Land Court ruled human rights would be unjustifiably
limited by a proposal to dig the state’s largest coal mine in the Galilee Basin in
Central Queensland, the Waratah coal mine, representing the first time a coal mine was
challenged on human rights grounds in Australia.51
Also in 2022, a high court in South Africa found that the exploration right granted by
the South African Department of Mineral Resources and Energy (DMRE) to allow Shell
to conduct seismic surveys off the ecologically sensitive Wild Coast was unlawful.52

46 R (on the application of Friends of the Earth Ltd and others) (Respondents) v Heathrow Airport Ltd (Appellant) [2020] UKSC 52. On appeal from: [2020] EWCA Civ 214; www.supremecourt.uk/cases/uksc-2020-0042.html; Waseem Mohamed, “First Climate Lawsuit against Russian Government Launched over Emissions,” The Guardian, 13 September 2022, sec. World news, www.theguardian.com/environment/2020/dec/16/top-uk-court-overturns-block-on-heathrows-third-runway.
47 ClientEarth, R (on the application of) v Secretary of State for Business, Energy and Industrial Strategy & Anor [2021] EWCA Civ 43, [2021] WLR(D) 44, [2021] PTSR 1400, www.bailii.org/ew/cases/EWCA/Civ/2021/43.html.
48 “Jackdaw court case welcomed by climate campaigners,” Friends of the Earth Scotland, 26 July 2022, https://foe.scot/press-release/jackdaw-court-case-welcomed-by-climate-campaigners/.
49 “Court of Appeal to hear legal challenge against UK funding for Mozambique gas mega-project,” Friends of the Earth, 6 December 2022, https://friendsoftheearth.uk/climate/court-appeal-hear-legal-challenge-against-uk-funding-mozambique-gas-megaproject.
50 Sharma and others v Minister for the Environment, VID 389 of 2021; [2021] FCA 560; [2021] FCA 774; [2022] FCAFC 35; [2022] FCAFC 65, http://climatecasechart.com/non-us-case/raj-seppings-v-ley/.
51 Jade Toomey, “Queensland Court Rules Clive Palmer’s Waratah Coal Mine Infringes on Human Rights of Future Generations,” ABC News, 25 November 2022, www.abc.net.au/news/2022-11-25/qld-court-waratah-coal-mine-youth-climate-activists-clive-palmer/101698906?ref=the-wave.
52 Ajsa Habibic, “Court Finds Shell’s Exploration Right in South Africa ‘Unlawful,’” Offshore Energy, 2 September 2022, www.offshore-energy.biz/court-finds-shells-exploration-right-in-south-africa-unlawful/?ref=the-wave.


Anti-regulatory53 legal challenges: Corporates v government policy and the case of the ECT
Not only are there legal challenges seeking to advance climate-aligned policies, but there are also
those seeking to block climate policymaking or compensation in respect of losses occasioned
by the transition. For example, two energy companies, RWE and Uniper, filed claims of EUR
1.4 billion and EUR 1 billion respectively against the Dutch state, claiming its ban on coal-fired
power generation by 2030 was a form of expropriation. The Dutch court ruled the coal ban did
not infringe on property rights and that the owners of the coal-fired power plants could have
foreseen it.54
Claims have also been brought under the Energy Charter Treaty (ECT), a 1994 multilateral
investment treaty, which affords foreign energy investors (including fossil fuel investors) certain
protections, such as fair and equitable treatment and freedom from expropriation. These claims
have led to criticism and calls for reform of the ECT, which stands accused of discouraging
governments from taking steps to phase out high-polluting energy production for fear of retaliation.
In 2022, five young people brought a claim in the European Court of Human Rights against
12 states for their active membership of the ECT, with claimants arguing that the states’
continued ECT membership:

• Violates Article 2 (the Right to Life) and Article 8 (the right to and respect for private and
family life) of the European Convention on Human Rights (ECHR);
• Is inconsistent with the Paris Agreement goals; and
• Impedes the urgent transition away from fossil fuels.

As of publication, Italy, Spain, Poland, the Netherlands, France, Slovenia and Germany have
all withdrawn or announced plans to withdraw from the ECT.55 Others may well follow suit.
However, withdrawal from the ECT has its complications. As it protects all energy sources
equally, total withdrawal from the ECT could leave renewables investors (at least temporarily)
without any form of reliable protection in certain states. Foreign direct investments (FDI)
are central to the massive renewable infrastructure and advanced energy technology projects
required for the energy transition, and FDI in clean energy can only work with stable regulatory
regimes and protections for investors.
Also, the ECT contains a 20-year sunset clause (Article 47(3)), which means investors could
continue to challenge and seek compensation from states for green climate policies for 20 years
after their withdrawal. Further, if the ECT is amended after the states’ withdrawal, such
amendments would not bind the withdrawn state (for example, Italy, which withdrew in 2016) because
they did not ratify the new terms. Withdrawal would therefore mean the survival of the
unreformed ECT.

53 Also called non-climate-aligned, Setzer 2022 (n 6).
54 “Dutch Court Denies RWE and Uniper Compensation for Closure of Coal Plants,” Reuters, 30 November 2022, sec. Commodities, www.reuters.com/markets/commodities/dutch-court-denies-rwe-uniper-compensation-closure-coal-plants-2022-11-30/?ref=the-wave.
55 For further discussion see: Richard Power and Sarah Hill-Smith, “The Energy Charter Treaty—is it make or break?” Market Insight, Clyde & Co, 24 June 2022, www.clydeco.com/en/insights/2022/06/the-energy-charter-treaty-is-it-make-or-break.


Damages-based claims for contribution to climate change


An important category of climate litigation comprises cases against major emitters seeking
compensation for loss and damage due to climate impacts. This has been largely a US
phenomenon, with over 20 cases to date brought by administrative entities (states, cities
etc.) and other bodies against oil majors in US courts.56 Cases against corporates in
high-emitting industries have also been brought or threatened in Germany,57 Switzerland,58
New Zealand,59 Indonesia60 and Canada.61 In these cases, plaintiffs seek damages for
losses and costs incurred in remedying and/or adapting to the impacts of climate change.
The amounts at stake are very high, as are the legal costs involved in defending such
lawsuits. There are also fears of a precedent-setting impact, with a claimant victory in any
one jurisdiction potentially opening the floodgates to further claims that could be brought
by anyone who has suffered the impacts of climate change against any of those companies
which have historically contributed to the problem.
These cases mostly target fossil fuel companies, although an Indonesian case targets
a cement manufacturer, a German case targets a utility company, and a New Zealand
case includes a dairy operation and steel manufacturer as defendants. Underpinning these
claims is the argument that a limited number of corporations are responsible for most
of the GHG emissions that have significantly contributed to climate change over time.62
Many of these cases refer to the work of Richard Heede and the Climate Accountability
Institute. Using archival research, the Heede Carbon Majors report identified major
corporations’ historical contributions to GHG emissions. Heede attributed 63% of the carbon
dioxide and methane emitted between 1751 and 2010 to 90 entities, which he defined as
the “carbon majors.” Out of these, 50 are investor-owned companies, 31 are state-owned
companies, and the remaining nine are government-run. Most cases seeking to establish
corporate liability for causing climate change have relied on this work.63
In the United States, cases against oil majors are being brought by various administrative
entities including states, cities and municipalities, in many different state jurisdictions,
mainly seeking funds to address or prevent the impacts of climate change on communities
and infrastructure. For example, in the case brought by the City and County of Honolulu
against Sunoco LP, claimants are claiming, among other things, compensatory damages

56 Bruce Gill, “U.S. Cities and States Are Suing Big Oil Over Climate Change. Here’s What the Claims Say and Where They Stand,” Frontline, 1 August 2022, www.pbs.org/wgbh/frontline/article/us-cities-states-sue-big-oil-climate-change-lawsuits/.
57 Luciano Lliuya v RWE, https://climate-laws.org/geographies/germany/litigation_cases/luciano-lliuya-v-rwe.
58 Four Islanders of Pari v Holcim, www.climate-laws.org/geographies/switzerland/litigation_cases/four-islanders-of-pari-v-holcim.
59 Smith v Fonterra Co-Operative Group Limited [2020] NZHC 419; [2021] NZCA 552; [2022] NZSC 35.
60 Four Islanders of Pari v Holcim, www.climate-laws.org/geographies/switzerland/litigation_cases/four-islanders-of-pari-v-holcim.
61 Andrea Woo, “Vancouver Sets aside $660,000 for Big Oil Lawsuit to Recoup Climate Change Costs,” The Globe and Mail, 21 July 2022, www.theglobeandmail.com/canada/british-columbia/article-vancouver-sets-aside-660000-for-big-oil-lawsuit-to-recoup-climate/.
62 Richard Heede, Tracing anthropogenic carbon dioxide and methane emissions to fossil fuel and cement producers, 1854–2010. Climatic Change 122, 229–241 (2014). https://doi.org/10.1007/s10584-013-0986-y
63 Ibid. Geneva 2021 (n 6).


for the costs of adaptation measures, such as improvements to coastal roads affected by
sea level rise.64 These cases thus far have involved extensive procedural wrangling over
whether the claims should be heard in federal or state court, which is generally considered
more plaintiff-friendly.65

Attribution science in the courts


Attribution is an emerging scientific field which is being deployed in cases seeking damages for
climate change.
Probabilistic event attribution seeks to determine the extent to which man-made emissions
have altered the probability or magnitude of a specific type of extreme weather event (such as
storms, extreme rainfall, heatwaves, cold spells and droughts) at a particular location. Attribution
is achieved by comparing the probability of a given event generated by two models: One based on
the world as it is, the other on a counterfactual world where there were no man-made emissions.66
Initiated in 2014, the World Weather Attribution (WWA)67 is an international academic effort
to operationalise attribution science. WWA applies a scientific approach that combines
observational data, analysis of a range of models, peer-reviewed research and on-the-ground reports to
assess high-impact events—how strong the likelihood is, for example, of similar weather-related
disasters occurring in the future. This, coupled with other advances in the field, has improved
attribution science to the extent that it can aid climate litigants in establishing causal
connections.68 Indeed, the IPCC itself has endorsed such use of attribution science.69
By delineating a causative link between GHG emissions and localised physical effects, the
developing field of attribution science is increasingly providing the evidentiary basis for
claimants seeking to establish liability for climate change impacts.70

64 City & County of Honolulu v Sunoco LP, http://climatecasechart.com/case/city-county-of-honolulu-v-sunoco-lp/.
65 Nate Raymond, “Baltimore Gets Venue Win in Climate Case against Exxon, BP,” Reuters, 7 April 2022, sec. Litigation, www.reuters.com/legal/litigation/baltimore-gets-venue-win-climate-case-against-exxon-bp-2022-04-07/?ref=the-wave. See also, Emma Ager, “More industries will come under spotlight as climate litigation arena grows,” Market Insights, Clyde & Co, 14 December 2022, www.clydeco.com/en/insights/2022/12/more-industries-will-come-under-spotlight.
66 Renee Cho, “Attribution Science: Linking Climate Change to Extreme Weather,” State of the Planet, 4 October 2021; https://news.climate.columbia.edu/2021/10/04/attribution-science-linking-climate-change-to-extreme-weather/.
67 “Exploring the contribution of climate change to extreme weather events,” World Weather Attribution, www.worldweatherattribution.org/.
68 Rupert Stuart-Smith, Aisha Saad, Friederike Otto, Gaia Lisi, Kristian Lauta, Petra Minnerop and Thom Wetze, “Attribution science and litigation: facilitating effective legal arguments and strategies to manage climate change damages,” Summary report for FILE Foundation.
69 IPCC, 2021: Climate Change 2021: The Physical Science Basis. Contribution of Working Group I to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change [Masson-Delmotte, V, P Zhai, A Pirani, S L Connors, C Péan, S Berger, N Caud, Y Chen, L Goldfarb, M I Gomis, M Huang, K Leitzell, E Lonnoy, J B R Matthews, T K Maycock, T Waterfield, O Yelekçi, R Yu, and B Zhou (eds.)]. Cambridge University Press, Cambridge, United Kingdom and New York, NY, United States, in press, doi:10.1017/9781009157896, 108.
70 Friederike Otto, Rachel James and Myles Allen, “The science of attributing extreme weather events and its potential contribution to assessing loss and damage associated with climate change impacts,” https://unfccc.int/files/adaptation/workstreams/loss_and_damage/application/pdf/attributingextremeevents.pdf; Quirin Schiermeier, “Climate science is supporting lawsuits that could help save the world,” Nature, 597, 169-171 (2021) www.nature.com/articles/d41586-021-02424-7.


Failure to adapt to physical risks


Companies face a range of liability risks should they fail to adapt to the physical risks
of climate change. They may already be exposed to public liability claims for
weather-related losses linked to their operations. However, the frequency of these claims may
increase as a result of the physical risks posed by climate change.71
Specifically, operators of high-risk physical infrastructure could face significant
exposures as the physical impacts of climate change put pressure on operational and design
tolerances. For instance, more prevalent hot and dry conditions may lead to an increase
in wildfire losses caused by sparks from power lines, exposing power line operators to
increased litigation risks. Dam operators will have to contend with a higher risk of failure
and consequent loss of life and property damage as severe precipitation events become
more prevalent.72
One example of such claims relating to high-risk infrastructure is the claim by the
Conservation Law Foundation (CLF) against ExxonMobil Corporation, alleging that
ExxonMobil failed to consider the risks posed by climate change to the operations of an
oil terminal in Massachusetts. CLF argue that the terminal was susceptible to the physical
impacts of climate change (e.g. rising sea levels and increase in the magnitude and
frequencies of storms), which places the surrounding communities and environment in peril
should there be an accidental discharge of hazardous materials when an extreme weather
event occurs.73
Physical climate risk can also give rise to supply chain disruptions and the potential
for product liability claims. Developing countries that produce many of the raw materials
needed for a variety of products are also the most vulnerable to the physical impacts of
climate change.74 Companies need to deploy measures to safeguard their supply chain or
risk facing contractual liability for delays or failure to perform contractual obligations.
At the other end of the production chain, companies will increasingly need to ensure
that their products are adapted to climate change. For example, if global temperatures
continue to rise, perishable goods may be destroyed or become unusable in the process
of being transported. Failure to account for changes in humidity or temperature extremes
could lead to spoliation and contamination.75 Complex machinery may suffer from more
frequent breakdowns. The operating conditions and productivity of employees may be
impacted by weather extremes, which could also give rise to liability exposures.76

71 Neil Beresford and Nigel Brook, “Climate change: Liability risks for businesses, directors and officers—The coming wave of litigation,” Market Insights, Clyde & Co, 68, www.clydeco.com/en/reports/2019/07/new-liability-risks-businesses-directors-officers.
72 Ibid, 68–69.
73 Conservation Law Foundation v ExxonMobil Corp, 2016, http://climatecasechart.com/case/conservation-law-foundation-v-exxonmobil-corp/.
74 “Coping with climate change: risks and opportunities for insurers, Liability” The Chartered Insurance Institute, 12, www.cii.co.uk/media/4043837/ch10_liability.pdf.
75 “The Rise of Climate Litigation: how to understand and minimise your legal risk,” Risilience, Clyde & Co, 15, https://risilience.com/resources/reports/the-rise-of-climate-litigation/.
76 Ibid, 15.


Failure to adapt professional services


Buildings and infrastructure are designed and built with the frequency and magnitude of
local weather events in mind. It is now widely appreciated that climate change is
materially increasing the incidence and severity of some of these events, and advances in climate
science (in particular, attribution science) and access to remote data are making it possible
to estimate how much those risks will alter at the relevant location over a given timeframe
on specified emissions scenarios. Professionals involved in the design or construction of
new structures, including architects, engineers, surveyors and town planners, could be
held liable if those structures are unable to cope with extreme weather conditions that are
rare today but likely to become more prevalent over the structure’s projected lifespan.77 As
severe weather events such as floods and droughts become more commonplace, there is a
growing expectation that the potential impact of such events should be taken into account
and “designed out,” just as buildings in earthquake zones are designed to be earthquake
resistant.78
An example of this type of litigation is the US case Lijo Abraham and Niji Thomas,
et al. v Costello, Inc., wherein a group of 400 homeowners from a housing development in
Texas sued an engineering firm following residential flooding brought about by Hurricane
Harvey.79 The claimants alleged that the firm was negligent in its planning, design and
operation of levee systems that protected the housing development. In particular, they
argued that the flooding was a foreseeable event given that the area where the housing
development was located had experienced other hurricanes of similar ferocity in the
past.80 Although climate change was not specifically mentioned, this is the type of case
which may become more frequent with heightened physical climate risks.
Professional advisors such as lawyers, accountants or auditors may be targeted with
claims if their advice to clients fails to consider the impacts of climate change. Activist
law firm ClientEarth in 2021 warned audit firms that they could fail to fulfil audit
standards and legal duties by not considering climate risk, having found in a review of the
2019 climate change-related reporting of the largest 250 UK-listed companies that only
4% of audit reports provided a clear explanation as to whether auditors considered
climate-change related factors.81 There are potentially increasing risks for solicitors. In 2022,
Stephen Tromans KC, a leading environmental law barrister, in an opinion commissioned
by UK-based company Groundsure, advised that conveyancers have a legal duty to advise
on climate risk.82 Relevant to this assessment was the publication by the UK’s Law Society

77 Neil Beresford and Nigel Brook, “Climate change: Liability risks for businesses, directors and officers—The coming wave of litigation,” Market Insights, Clyde & Co, 68, www.clydeco.com/en/reports/2019/07/new-liability-risks-businesses-directors-officers, 79.
78 “Coping with climate change: risks and opportunities for insurers, Liability” The Chartered Insurance Institute, 12, www.cii.co.uk/media/4043837/ch10_liability.pdf.
79 “Texas Homeowners Sue Engineering Co. Over Harvey Damage by Matthew Guarnaccia,” Law360, 2018, www.law360.com/articles/1030312/texas-homeowners-sue-engineering-co-over-harvey-damage.
80 Ibid.
81 “Big Four auditors risk legal challenge on climate failings: ClientEarth,” ClientEarth, December 2021.
82 Joseph Mullane, “Leading KC Spells out conveyancers’ climate risk duty of care,” Today’s Conveyancer, 12 September 2022, https://todaysconveyancer.co.uk/leading-kc-spells-out-conveyancers-climate-risk-duty-of-care/.


of a draft climate resolution which calls for “climate conscious” legal practice, which
includes providing competent advice to clients on risks.83

Fiduciary duties cases


Commensurate with the financial risks that climate change poses to the financial system
and individual companies and investments, there are rising standards of care for directors,
officers and trustees as regards consideration of climate risk in discharging their legal
duties.
The Commonwealth Climate and Law Initiative (CCLI),84 a thinktank dedicated to
exploring legal and regulatory issues relevant to climate risk governance for
fiduciaries, has examined the legal basis for directors to take account of physical climate change
risk under prevailing statutory and common law in a number of jurisdictions including
Canada, Australia, the UK, India, South Africa, Delaware, Japan, Philippines, Hong
Kong, Malaysia and Singapore.85 In many cases, existing legal duties of fiduciaries are
now imbued with the need to consider climate risk.
In the UK, for example, the duties owed by directors to a company have their roots in
common law but are codified in the Companies Act 2006 (CA 2006).86 While
recognising the point is yet to be tested by the courts, the CCLI report on UK directors’ duties
concluded that, if directors fail to assess, manage and report on the foreseeable and
material financial risk climate change presents to their company, two of these general duties
(under section 172, which provides that a director must act in the way he/she considers, in
good faith, would be most likely to promote the success of the company for the benefit of
the members as a whole, and section 174, the duty to exercise reasonable care, skill and
diligence) may offer a route of recourse against directors.87 Lord Sales, Justice of the UK
Supreme Court, discussed this in a 2019 speech, noting that “as things stand, there is much
force in the view that directors may and, increasingly, must take into account and accord
significant weight to climate change in their decision-making.”88
The possibility of climate change-related liability for directors and officers has also
received attention in Australia. In 2016, an Australian thinktank, the Centre for Policy
Development (CPD), issued a legal opinion by Senior Counsel Noel Hutley concluding
that Australian company directors who fail to consider climate change risks now could
be found liable for breaching their duty of care and diligence under section 180 of the

83 “Creating a climate-conscious approach to legal practice,” The Law Society, 28 October 2021, www.lawsociety.org.uk/Topics/Climate-change/Tools/Creating-a-climate-conscious-approach-to-legal-practice; “Climate change,” The Law Society, www.lawsociety.org.uk/topics/climate-change/.
84 “Commonwealth Climate and law initiative, About,” https://commonwealthclimatelaw.org/.
85 “Commonwealth Climate and law initiative, Across the Globe,” https://commonwealthclimatelaw.org/across-the-globe/.
86 The Companies Act 2006, Part 10, Chapter 2: General Duties of Directors, s.171—s.177, www.legislation.gov.uk/ukpga/2006/46/part/10/chapter/2.
87 Alexia Staker and Alice Garton, “Directors Liability and Climate Risk: United Kingdom—Country paper,” Commonwealth Climate and Law Initiative, April 2018, https://commonwealthclimatelaw.org/publications/.
88 Lord Sales, Justice of the Supreme Court, “Directors’ duties and climate change: Keeping pace with environmental challenges,” Anglo-Australasian Law Society, Sydney, 27 August 2019, www.supremecourt.uk/docs/speech-190827.pdf.


Corporations Act.89 An update was issued in 2019, which reinforced the original opinion
by highlighting the financial and economic significance of climate change and the resulting
risks that should be considered at board-level.90
Both the UK and Australia have seen claims brought against fiduciaries. For example,
in McVeigh v Retail Employees Superannuation Pty Limited, an Australian retail worker
filed a claim against the corporate trustee of Australia’s largest pension fund, arguing that
its failure to provide adequate information relating to its exposure to climate-related risks
prevented him from making an informed judgment about the management and
financial condition of the fund.91 Before the trial began, REST reached a settlement with the
plaintiff and set out the details of the settlement in a press release. REST acknowledged
that “Climate change is a material, direct and current financial risk to the superannuation
fund across many risk categories, including investment, market, reputational, strategic,
governance and third-party risks.” To address this risk, REST agreed to implement a
net-zero goal for the fund, to measure, monitor and report climate progress in line with TCFD
recommendations, to ensure investee climate disclosure and to publicly disclose portfolio
holdings, among other commitments.92
In 2021, in the UK a derivative claim was brought against the directors of the corporate
trustee of the Universities Superannuation Scheme (USS), the private pension scheme for
academic staff, inter alia on the basis that the USS did not have a credible basis for
achieving the goal to become net zero by 2050.93 The claimants also argued that the directors’
duties should be interpreted in line with Articles 2 and 8 of the European Convention on
Human Rights, respectively the right to life and the right to a private and family life. As
such, the claimants asserted that the only rational way for the directors to discharge their
duties in light of the Paris Agreement, as well as the wishes of the beneficiaries, and the
long-term interests of the company, was to devise and implement an immediate plan for
fossil fuel divestment. The English High Court refused permission to bring the derivative
action, including on the basis that the claimants could not demonstrate sufficient interest
and evidence of a loss, and that it could not be shown that the directors had deliberately
breached their duties.
In March 2022, ClientEarth began pre-action steps in derivative shareholder
proceedings against the 13 directors of the UK-based Shell plc in an attempt to hold those
individuals personally responsible for failing to adequately prepare the company for a transition
to carbon neutrality, in line with the Paris Agreement.94 The pre-action public statements
on the case argue that the board’s failure to properly manage Shell’s exposure to climate
risk breaches its duties under s172 and s174 of the CA 2006, which require directors of
UK-based companies to promote the success of the company for the benefit of its members

89 Noel Hutley and Sebastian Hartford Davis, “Climate Change and Directors’ Duties,” Supplementary
Memorandum of Opinion, 26 March 2019, Centre For Policy Development.
90 Ibid.
91 McVeigh v Retail Employees Superannuation Trust NSD1333/2018 (Australia), http://climatecasechart.com/non-us-case/mcveigh-v-retail-employees-superannuation-trust/.
92 Ibid.
93 Ewan McGaughey et al. v Universities Superannuation Scheme Limited, 2021, https://climate-laws.org/geographies/united-kingdom/litigation_cases/ewan-mcgaughey-et-al-v-universities-superannuation-scheme-limited.
94 ClientEarth v Board of Directors of Shell, March 2022, http://climatecasechart.com/non-us-case/clientearth-v-board-of-directors-of-shell/.


as a whole and to exercise reasonable care, skill and diligence.95 ClientEarth argues that
the directors’ failures put the company’s long-term commercial viability and therefore its
investors’ capital, including pension funds, at risk.96
As knowledge of climate risk grows and greater information and standards develop, it is
becoming increasingly important for directors and officers to demonstrate that these risks
have been considered, that actions have been taken to mitigate them where necessary and
that asset values are represented fairly on balance sheets, including assets which could
become stranded when there is a shift to a low-carbon economy. Failure to do so could
lead to litigation by investors or other stakeholders.

Greenwashing
Greenwashing cases have been a prominent feature of the third wave of climate litigation.
These are typically brought by environmental NGOs or as class actions, with the aim of
protecting consumers from corporates seeking to oversell environmental credentials by
running misleading advertising or marketing campaigns.97
In the past, greenwashing cases were mostly brought against oil and gas companies.
However, in more recent years, the range of corporate defendants has broadened to include
a host of other industries such as food, agriculture, transport and finance.98 Greenwashing
cases also now target companies’ climate credentials and net-zero commitments,
including any dissonance between advertised commitments and actual investment or transition
planning.
A notable example is the case filed in July 2022 by ClientEarth against Dutch airline
KLM, which alleged that the airline’s “Fly Responsibly” advertising campaign misled the
public into believing that KLM’s business model is in line with its commitment to
achieving net-zero emissions by 2050. As part of the campaign, KLM encouraged its customers
to facilitate a sustainable future for aviation by offsetting their flights or donating money
to finance “greener” fuels through KLM’s CO2ZERO scheme. KLM claimed that the
scheme funds reforestation projects and the purchase of biofuels. The claimants argued
that KLM had breached the EU’s Unfair Commercial Practices Directive by misleading
the public as to the sustainability of its flights. The main focus of the claimants’
allegations was, specifically, KLM’s declarations that it was creating a more sustainable future
and was on track to reduce its emissions to net-zero by 2050. According to the claimants,
the use of more efficient aircraft and sustainable aviation fuels, which underpin KLM’s
sustainability advertising, is not sufficient to enable the aviation sector to meet the
climate goals set out in the Paris Agreement, and projects such as CO2ZERO do not

95 Laura Cooke, Nigel Brook, Simon Konsta and Jane O’Reilly, “Shell’s directors in frame for failure to properly manage exposure to climate risk,” Clyde & Co, 15 March 2022, https://connectedworld.clydeco.com/post/102hkqz/shells-directors-in-frame-for-failure-to-properly-manage-exposure-to-climate-ris.
96 ClientEarth Investor Briefing—Friends of the Earth & Others v Shell, April 2021, www.clientearth.org/latest/documents/clientearth-investor-briefing-friends-of-the-earth-others-v-shell-april-2021/.
97 Zaneta Sedilekova, “When Artificial Intelligence meets greenwashing in court,” Market Insight, Clyde & Co, 11 February 2022, www.clydeco.com/en/insights/2022/2/when-artificial-intelligence-meets-greenwashing-in.
98 Zaneta Sedilekova et al., “First greenwashing aviation lawsuit filed against KLM,” Clyde & Co, 18 July 2022, https://connectedworld.clydeco.com/post/102ht22/first-greenwashing-aviation-lawsuit-filed-against-klm.


limit the amount of damage that greenhouse gas emissions, short-lived climate pollutants
and other non-CO2 warming impacts of aviation (such as contrails) have on the climate
and the environment. The claimants argued that, on the contrary, KLM’s promotion of
this scheme undermines global action to mitigate climate change and avoid the dangerous
impacts of global warming.
Claims against corporates for misleading advertising are often brought outside the
courts. For instance, in December 2019, ClientEarth complained to the UK’s National
Contact Point for the OECD Guidelines on Multinational Enterprises about BP’s global
corporate advertising, claiming that it misled the public about BP’s low-carbon energy
activities, including their scale relative to the company’s fossil fuel extraction business.99
Before BP submitted its response to the complaint, BP announced its intention to stop
corporate reputation advertising campaigns and bring to an end its “Possibilities Everywhere”
campaign.
Another example is the claim brought by the Australasian Centre for Corporate
Responsibility (“ACCR”) against Santos, a listed Australian oil and gas company. ACCR
alleges that Santos had included misleading statements in its annual report, for example
that Santos’ natural gas provides “clean energy” and that it has a “clear and credible plan”
to achieve net-zero emissions by 2040.100
Regulators have also clamped down on the greenwashing practices of corporate actors.
In 2022, the UK’s Advertising Standards Authority ruled that an advertisement from Tesco,
which claimed that its plant-based products were more environmentally friendly than meat
products, was misleading, as the company had failed to conduct an assessment of the full
life-cycle environmental impact of these plant-based products.101 In the United States, the
US Securities and Exchange Commission (SEC) meted out a US $1.5 million fine to BNY
Mellon Investment Advisor for purporting that all mutual funds it managed had undergone
an environmental, social and governance quality review when this was not the case.102
Asset manager DWS faced investigations by regulators in Germany and the United States
following allegations by its former head of sustainability that it had made misleading
statements in its 2020 annual report by claiming more than half of its US $600 billion assets
were invested using ESG criteria.103 DWS’s offices were raided by German prosecutors in
2022,104 and a claim was commenced by a consumer group in the German courts.105

99 UK National Contact Point, “Initial Assessment: ClientEarth complaint to the UK NCP about BP,” GOV.UK, 16 June 2020, www.gov.uk/government/publications/client-earth-complaint-to-the-uk-ncp-about-bp/initial-assessment-clientearth-complaint-to-the-uk-ncp-about-bp.
100 Australasian Centre for Corporate Responsibility v Santos, 2021, https://climate-laws.org/geographies/australia/litigation_cases/australasian-centre-for-corporate-responsibility-v-santos.
101 Zaneta Sedilekova and Isabelle Merchat, “UK greenwashing litigation in fashion and retail,” Clyde & Co, 22 September 2022, https://connectedworld.clydeco.com/post/102hxa3/uk-greenwashing-litigation-in-fashion-and-retail.
102 Rachel Cropper-Mawer and Avryl Lattin, “Regulatory Reporting on ESG Matters and the First Greenwashing-Related Cases,” Market Insight, Clyde & Co, 15 July 2022, www.clydeco.com/en/insights/2022/07/regulatory-reporting-on-esg-matters-and-the-first.
103 “DWS probes spark fears of greenwashing claims across investment industry,” Financial Times, www.ft.com/content/a3d6a8d1-0800-41c9-ab92-c0d9fce1f6e1.
104 “German officials raid Deutsche Bank’s DWS over ‘greenwashing’ claims,” Reuters, 31 May 2022, www.reuters.com/business/german-police-raid-deutsche-banks-dws-unit-2022-05-31/.
105 “Deutsche Bank’s DWS sued by consumer group over alleged greenwashing,” Reuters, 24 October 2022, www.reuters.com/business/finance/deutsche-banks-dws-sued-by-consumer-group-over-alleged-greenwashing-2022-10-24/.


Shareholder derivative actions can arise from the reputation and market risks
associated with greenwashing. For example, a class-action lawsuit was filed in 2022 against
bioenergy firm Enviva and its top executives after a short-seller report alleged the
company engaged in greenwashing and its stock value dropped.106 The lawsuit claims Enviva
misled investors regarding its financial position and misrepresented the environmental
sustainability of its wood pellet production.107

Hurricanes and racketeering: Puerto Rico v Big Oil


In an interesting development in greenwashing litigation, a group of 16 Puerto Rican
municipalities sued Chevron, ExxonMobil, Shell and other fossil fuel companies for, amongst
other things, alleged violations of the Racketeer Influenced and Corrupt Organizations Act
(RICO), legislation originally designed to institute enhanced criminal sanction for
involvement in organised crime.108
The lawsuit, filed in federal court and described by plaintiffs as a “first-of-its-kind” RICO
case, accuses the fossil fuel industry of colluding to deny the climate impacts of their products.
The plaintiff municipalities argued that ExxonMobil, Shell and others colluded to
intentionally deceive consumers and that the devastating 2017 hurricane season was exacerbated by
climate change.109 The municipalities’ claim was brought under common law consumer fraud,
deceptive business practices and RICO, as well as anti-trust, public nuisance, liability
(failure to warn), liability (design defect), private nuisance and unjust enrichment.110

Insurance coverage cases


Thus far, reported insurance coverage cases relating to climate change have been brought
in the United States by carbon majors against their insurers or by insurers seeking
declaratory relief in relation to the compensation cases seeking to hold carbon majors responsible
for climate change loss and damage.
In the earliest known example of a climate change-related insurance coverage case,
Steadfast Insurance Co. v AES Corporation, the insurer sought a declaration that it was not
obligated to defend or indemnify the insured energy company against a lawsuit brought
against it by a native Alaskan village (the village of Kivalina), which argued that the
energy company’s (and others’) activities had contributed to climate change resulting in

106 “Enviva Investor Alert,” Bloomberg, 30 November 2022, www.bloomberg.com/press-releases/2022-11-29/enviva-investor-alert?ref=the-wave.
107 Ibid.
108 Class Action Complaint, No. 3:22-cv-01550, https://fingfx.thomsonreuters.com/gfx/legaldocs/jnvwyekmzvw/Puerto%20Rico%20Complaint%20Exxon.pdf?ref=the-wave.
109 Clark Mindock, “Puerto Rican towns sue Big Oil under RICO alleging collusion on climate denial,” Reuters, 29 November 2022, www.reuters.com/legal/litigation/puerto-rican-towns-sue-big-oil-under-rico-alleging-collusion-climate-denial-2022-11-29/?ref=the-wave.
110 Class Action Complaint, No. 3:22-cv-01550, https://fingfx.thomsonreuters.com/gfx/legaldocs/jnvwyekmzvw/Puerto%20Rico%20Complaint%20Exxon.pdf?ref=the-wave.


the village’s demise.111 In 2011, the Virginia Supreme Court sided with Steadfast,
affirming the previous state court ruling, and holding that the insurer was not obliged to defend
and indemnify AES on the basis that there was no “occurrence” for the purposes of the
commercial general liability policy in question. The CGL policy defined “occurrence” as
“an accident, including continuous or repeated exposure to substantially the same general
harmful condition.”112 The Court concluded that, insofar as AES’s actions in emitting
greenhouse gases were intentional, and the consequences of those actions were alleged by
Kivalina “to be not merely foreseeable, but natural or probable,” there was no “accident”
that would have triggered the policy and the policy was therefore not engaged.113
In 2022, two other insurance coverage cases were brought in quick succession,
indicating that these may become a regular feature of climate litigation as loss and damage mount
and compensation cases are brought by more and more actors against a greater range of
defendants.
In Everest Premier Insurance Co. v Gulf Oil Ltd., the underlying suit relates to Gulf Oil’s
alleged failure to adapt its Connecticut fuel terminal in preparation for climate change.
In declaratory proceedings issued in June 2022, Gulf Oil’s liability insurer claimed that
it had no duty to defend and indemnify Gulf Oil since the allegations in the underlying
claim against the company did not involve any bodily injury or existing property
damage that was caused by an occurrence during the policy period.114 In addition, the insurer
argued that even if there had been property damage, cover had been excluded under the
policies’ pollution exclusion and other exclusions.115 Although the insurer has since
voluntarily withdrawn its case following the dismissal of the underlying case for lack of
standing, this case highlights that definitions of “occurrence” may be at issue in other climate
coverage cases.116
In the second example of a recent insurance coverage case, a Sunoco subsidiary, Aloha
Petroleum Ltd., a target of litigation from two Hawaiian administrative entities,117 brought
a lawsuit against its liability insurer, the National Union Fire Insurance Co. of Pittsburgh,
for breach of contract, claiming that the insurer was obliged to defend and indemnify it
against the underlying lawsuits. The defendant insurer made arguments similar to those
put forward by the insurer in Steadfast v AES,118 stating that the policy in question
contained a pollution exclusion which would exclude cover for Aloha Petroleum’s alleged
conduct. A difference in this case is that Aloha Petroleum contended that the policy
specifically provided coverage for “products hazard,” including bodily injury or property

111 http://climatecasechart.com/case/steadfast-insurance-co-v-the-aes-corporation/.
112 Ibid.
113 Ibid.
114 http://climatecasechart.com/case/everest-premier-insurance-co-v-gulf-oil-lp/.
115 Ibid.
116 http://climatecasechart.com/case/everest-premier-insurance-co-v-gulf-oil-lp/. See also Sarah Hill-Smith and Nigel Brook, “Climate adaptation lawsuit and insurers’ obligation to defend or indemnify,” Lexology, Clyde & Co, 25 July 2022, www.lexology.com/library/detail.aspx?g=7a2a2552-bcb1-4aaf-864d-586a2a89c336.
117 http://climatecasechart.com/case/city-county-of-honolulu-v-sunoco-lp/.
118 AES Corporation v Steadfast Insurance Company, No. 100764 (Va. 20 April 2012), https://law.justia.com/cases/virginia/supreme-court/2011/100764.html.


damage arising out of the insured’s products.119 At the time of publication, the lawsuit is
pending before the District Court of Hawaii.

Drivers of climate litigation


Original research carried out in 2021 by the insurance industry think tank the Geneva
Association, the London School of Economics Grantham Research Institute on Climate
Change and the Environment, and Clyde & Co LLP identified various drivers of climate
litigation.120 These include:

• Physical and transition risks;
• Increased awareness of the implications of climate change;
• Increasing climate commitments;
• Availability of funding;
• Evolving standards of care;
• Developments in climate attribution science.

Figure 15.1 Maryam Golnaraghi, Joana Setzer, Nigel Brook, Wynne Lawrence and Lucia
Williams, “Climate Change Litigation—Insights into the evolving global landscape,”
The Geneva Association, April 2021, Figure 6 Seven key drivers of climate litigation, p 24.

119 Aloha Petroleum Ltd. v National Union Fire Insurance Co. of Pittsburgh, 1:22-cv-00372, http://climatecasechart.com/case/aloha-petroleum-ltd-v-national-union-fire-insurance-co-of-pittsburgh/.
120 Geneva 2021 (n 6).


As explained in the introduction to this chapter, the manifestation of physical and
transition risks, both presently and in the future, heightens the risk of climate litigation for
companies and fiduciaries who fail to adequately assess, plan and manage these risks.
Adding to liability risk is the availability of funding options for prospective litigants.
First, contingency fee arrangements have become more prevalent as various jurisdictions
have legalised this practice over the years. In particular, contingency fee arrangements
have been used to significant effect in the United States, in the context of local
governments bringing climate cases against oil majors.121 Second, third-party litigation funding
has provided the means for claimants who otherwise could not afford the cost to commence
climate litigation. For example, a charitable foundation called the Children’s Investment
Fund Foundation (CIFF) has contributed US $25 million to ClientEarth, the
environmental law charity which has been involved in bringing various high-profile climate cases
against a wide variety of public and private actors.122 Third, crowdfunding and personal
donations have gained traction as a way of funding climate litigation. An example of this
is the ongoing case of Duarte Agostinho and Others v Portugal and 32 Other States in the
European Court of Human Rights, which was brought by six Portuguese youths seeking
to hold 33 European countries responsible for their failure to tackle climate change. The
funding for this case was obtained through a crowdfunding campaign on the CrowdJustice
website.123 Funding for climate litigation can come from unusual sources. For example,
David Gilmour of Pink Floyd donated proceeds from the sale of more than 120 guitars to
ClientEarth in 2019.124 The Christie’s auction earned US $21.4 million, making it the most
valuable musical instrument sale in auction history.125
Advancements in the legal and scientific spheres have also incentivised claimants
to take to the courtrooms. Previously, claimants faced serious evidential hurdles in
linking human activities to climate change and the resultant increase in the
probability and severity of weather events (see above with regard to attribution science). The
IPCC’s latest report highlights that the methodology of climate-change attribution has
matured since the last assessment and that the results of state-of-the-art studies can
now be considered robust.126
Simultaneously, there have been different forms of raising awareness of climate change
and the necessity of reaching the 1.5 °C target. Climate change, and responses to it, now
regularly feature as a key political issue in national and subnational elections. Climate
action on the global stage in preparation for the annual COPs attracts significant
public resources and garners global news coverage. Climate activism and protest are now a

121 Geneva 2021 (n 6), 25.
122 Geneva 2021 (n 6), 26. https://ciff.org/grant-portfolio/
123 www.crowdjustice.com/case/youth4climatejustice/.
124 “David Gilmour Donates Proceeds from Guitar Auction to ClientEarth,” ClientEarth, 6 October 2019, www.clientearth.org/latest/latest-updates/news/david-gilmour-donates-proceeds-from-guitar-auction-to-clientearth/.
125 “David Gilmour’s collection of guitars sells for $21.5 million at Christie’s,” Christie’s, 21 June 2019, www.christies.com/features/david-gilmour-collection-auction-results-9974-1.aspx?sc_lang=en#fid-9974.
126 IPCC Working Group I, “Contribution to the Sixth Assessment Report, Climate Change 2021: The Physical Science Basis,” ipcc.ch, www.ipcc.ch/assessment-report/ar6/.


regular feature of life in many countries, with seemingly more audacious acts each year
against a wider variety of targets, including in the insurance industry.127
As detailed in the previous chapter, there has been a growing number of climate change
laws and regulations to reduce emissions, such as carbon taxes. It is estimated that there
are approximately 3,010 climate laws and policies globally.128 The Paris Agreement
“ratchet mechanism” provides some form of accountability for countries in gradually
reducing GHG emissions. These laws create new duties and standards of care, giving rise to
new potential penalties in the courts, or by way of regulatory sanction. The expansion of
climate law also creates legal and policy transition risks for corporate actors, which in turn
heightens liability risk for failure to adapt to a new market and regulatory landscape. Climate
judgments themselves are creating new legal precedents which could expose others to
heightened liability risk. For example, in the 2021 case of Milieudefensie et al. v Royal Dutch
Shell, the Dutch court held that companies that produce and sell fossil fuels have a duty of
care to take responsibility for the effects of GHG emissions.

Potential impacts on insurers


As set out above, current coverage disputes in relation to climate change have focused
on commercial general liability policies. However, other types of policies may be at risk,
including specialist insurance policies such as directors’ and officers’ liability policies and
professional indemnity policies.129
There are large potential exposures for insurers in relation to climate change
litigation, not only, of course, for damages but also substantial legal defence costs, regardless
of whether the insured is successful or not.130 In relation to costs, the Climate Biennial
Exploratory Scenario (CBES) run by the Bank of England in 2021 suggests that overall
costs to banks and insurers will be lowest with early, well-managed action to reduce GHG
emissions and limit climate change.131 Pressures on insurers are exacerbated by the fact
that climate change risk has historically not been properly factored into the underwriting
process.132 Insurers have now started to react to the surge in climate change litigation by
considering their potential exposures and reviewing wordings. This might include
measures such as lowering policy limits, increasing premiums or even inserting explicit
exclusions in relation to climate change risks.133

127 Bethan Moorcraft, “Are climate protests against insurers getting out of control?” Insurance Business UK, www.insurancebusinessmag.com/uk/news/columns/are-climate-protests-against-insurers-getting-out-of-control-425985.aspx; “Extinction Rebellion: Lloyd’s of London Protest Held by Activists,” BBC News, 12 April 2022, sec. London, www.bbc.com/news/uk-england-london-61077277.
128 https://climate-laws.org/.
129 “Results of the 2021 Climate Biennial Exploratory Scenario (CBES),” Bank of England, 24 May 2022, www.bankofengland.co.uk/stress-testing/2022/results-of-the-2021-climate-biennial-exploratory-scenario.
130 Ibid.
131 Ibid.
132 “Climate-related litigation: Raising awareness about a growing source of risk,” Network for Greening the Financial System Technical Document, November 2021, 7 (hereafter Network for Greening) www.ngfs.net/sites/default/files/medias/documents/climate_related_litigation.pdf#:~:text=Understanding%20the%20risks%20arising%20from%20climate-related%20litigation%20is,information%20from%20the%20respective%20jurisdictions%20about%20climate-related%20litigation.
133 Javier Solana, “Climate change litigation as financial risk.” Green Finance 2, no. 4 (2020), 344–372, 352–353.


LMA model climate change exclusion


Exemplifying the insurance market’s concerns around climate liability exposures, the LMA has
published LMA5570,134 a model climate change exclusion for use on liability policies. It was
produced with input from the Joint Committees and the non-marine market. The clause includes
reference to a definition of “Climate Change,” the source of which is the UNFCCC Article 1 (2).

Climate Change Exclusion


Notwithstanding any other provision in this Policy or any endorsement hereto, this Policy
excludes any loss, liability, cost or expense arising out of any allegation or claim that the
(Re)Insured caused or contributed to Climate Change or its consequences. For the purposes of
this clause Climate Change means a change of climate which is attributed directly or indirectly
to human activity.
10th Nov 2021 LMA5570

Insurers also need to understand the possible impacts of climate litigation on the
companies they are exposed to in the assessment of their credit or market risk.135 Defendant
companies who lose in court will first and foremost have to pay out in accordance with
the court judgment. This could include legal defence costs, damages, fines and/or costs
associated with adapting their operations to climate change. Company assets could also
become stranded due to court judgments. These consequences could produce a cascade
effect which could negatively affect companies in various ways, including
creditworthiness, financing costs and/or reputation. In turn, companies’ value (e.g. share price) could
be affected, potentially significantly.136
Although no such claims have been brought to date, there is potential for insurers
themselves to become direct litigation targets in cases similar to those directed against banks
and other financial institutions for alleged failures to properly manage and disclose
climate risks to investments,137 or for failures to set GHG emissions reduction targets.
There have been actions related to the financing of high-emitting projects,138 as well as
reporting failures related to these “financed emissions.”139 ClientEarth brought a lawsuit
against the Belgian National Bank for alleged violations of EU treaties, further to the
Bank’s purchase of bonds from fossil fuel and other GHG-intensive companies through
the European Central Bank’s Corporate Sector Purchase Programme (CSPP).140 A claim

134 David Powell, “LMA Model Climate Change Exclusion,” Lloyd’s Market Association, 24 November 2021, www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-041-DP.aspx.
135 Network for Greening (n 132).
136 Ibid.
137 Abrahams v Commonwealth Bank of Australia, https://climate-laws.org/geographies/australia/litigation_cases/abrahams-v-commonwealth-bank-of-australia.
138 Setzer 2021 (n 6).
139 BankTrack, et al. v ING Bank, https://climate-laws.org/geographies/netherlands/litigation_cases/banktrack-et-al-vs-ing-bank.
140 ClientEarth v Belgian National Bank, https://climate-laws.org/geographies/belgium/litigation_cases/clientearth-v-belgian-national-bank.


has also been threatened by French NGOs against BNP Paribas for continuing to invest in
new fossil fuel projects under the French “Duty of Vigilance” law.141
The Carbon Disclosure Project (CDP) Financial Services Disclosure Report 2020 found
that, for the 25% of financial institutions that report Scope 3 emissions to CDP, the
emissions they finance (that is, through investing, lending and underwriting activities) are on
average over 700 times higher than their direct operational emissions.142 CDP also found
that less than half of disclosing financial institutions and 27% of insurers report portfolio
alignment with a well-below-2 °C target.143
As financed emissions are entering the litigation spotlight, it can be expected that
insurance-associated emissions will also gain the attention of activists and, potentially,
strategic litigants. With the support of new accounting tools, such as PCAF, a standardised
methodology has been created to measure and disclose underwritten GHG emissions.144
One of the most active climate litigants in Europe, ClientEarth, for example, has a
dedicated climate finance workstream145 and has written to Lloyd’s of London regarding its
ESG guidance for managing agents,146 reported insurance firms to the UK’s Financial
Conduct Authority for alleged failures to disclose climate risks in annual reports147 and
sought to block insurance of carbon-intensive projects through letter writing campaigns
with threats of regulatory complaints or legal action, for example by writing to Lloyd’s of
London regarding the controversial Adani coal mine in Australia.148
At least one climate campaign group—Insure our Future—focuses exclusively on
insurance companies’ underwriting of fossil fuels, identifying specific fossil fuel-intensive
projects and targeting the insurance such projects need to operate as a means of blocking
their development.149 In March 2022, Insure our Future brought together 27 NGOs issuing
a letter to (re)insurance company CEOs entitled “Insure our Future 2022 demands to the
insurance industry.” The demands of the consortium included the immediate cessation of
insurance for new and expanded coal, oil and gas projects and a phase-out of insurance
for coal, oil and gas companies, divestment from non-Paris aligned fossil fuel companies

141 “Climate NGOs take unprecedented legal action against number one European financier of fossil fuel expansion, BNP Paribas,” Oxfam International, 26 October 2022, www.oxfam.org/en/press-releases/climate-ngos-take-unprecedented-legal-action-against-number-one-european-financier.
142 “The Time to Green Finance,” CDP Financial Services Disclosure Report, 2020, https://cdn.cdp.net/cdp-production/cms/reports/documents/000/005/741/original/CDP-Financial-Services-Disclosure-Report-2020.pdf?1619537981.
143 Ibid.
144 “Partnership for Carbon Accounting Financials collaborates with UN-convened Net-Zero Insurance Alliance to develop standard to measure insured emissions,” United Nations Environment Programme, Finance Initiative, 6 September 2021, www.unepfi.org/industries/insurance/partnership-for-carbon-accounting-financials-collaborates-with-un-convened-net-zero-insurance-alliance-to-develop-standard-to-measure-insured-emissions/.
145 “Climate Finance,” ClientEarth, www.clientearth.org/what-we-do/priorities/climate-finance/.
146 Letter to The Society of Lloyd’s and the Council of Lloyd’s, ClientEarth, 11 February 2022, www.clientearth.org/media/q24j4cmh/clientearth-letter-to-lloyd-s-on-operation-of-esg-guidance-11-february.pdf.
147 “Insurance firms could face fines over climate reporting failure,” ClientEarth, 6 August 2018, www.clientearth.org/latest/latest-updates/news/insurance-firms-could-face-fines-over-climate-reporting-failure/.
148 “Lawyers warn Lloyd’s over legal risks of underwriting contested Carmichael coal mine,” ClientEarth, 5 May 2019, www.clientearth.org/latest/latest-updates/news/lawyers-warn-lloyd-s-over-legal-risks-of-underwriting-contested-carmichael-coal-mine/.
149 “Our best insurance is to keep fossil fuels in the ground,” Insure Our Future, https://global.insure-our-future.com/.


and adoption of binding targets for insured emissions that are transparent, comprehensive
and aligned with a 1.5 °C pathway. The letter concluded:
The role of insurers in fueling or mitigating climate change is attracting growing interest
among investors, ESG raters, regulators, insurance customers, current and prospective
insurance employees, concerned citizens, and the media. We will do everything we can to identify
and call out the climate leaders and laggards within the insurance industry, both companies
and their CEOs.150

Conceivably, as standards for climate risk management in the financial sector continue
to rise, legal action or regulatory sanction could be brought by stakeholders where
insurers or their directors or officers do not adequately address and manage climate risk.151

Table 15.1 “Insuring the climate transition. Enhancing the insurance industry’s assessment of
climate change futures,” UN Environment Programme Finance Initiative, UNEP’s
Principles for Sustainable Insurance Initiative, January 2021, Table 15.1 Potential
litigation risk examples by business area p 79

| Area | Description | Examples |
| --- | --- | --- |
| Business level | | |
| Underwriting | Litigation risks within the underwriting business of the insurer (including pricing) and stemming from obligations under insurance contracts | Risk stemming from the insurer’s contractual liability (e.g. general and public liability, directors’ and officers’ and professional indemnity) |
| Investment | Litigation risks within the investment portfolios of the insurer | Risk of asset devaluation due to investee’s losses after litigation related to climate change |
| Sales | Litigation risks related to the liability of the insurer as part of the insurance sales and advice process | Risk of legal claims due to misleading or incomplete insurance advice related to climate change or failure to adequately assess climate change |
| Corporate level | | |
| Corporate disclosure | Litigation risks related to the liability of the insurer as part of the corporate disclosure process | Direct litigation against insurers for breach of underlying legal frameworks (e.g. failing to disclose material climate-change risks in prospectus on corporate level) |
| Insurer’s director’s liability | Litigation risks related to liability of the insurer’s directors | Direct litigation against insurers for breach of underlying legal frameworks or fiduciary duty |
| Other corporate duties | Litigation risks related to the liability of the insurer in relation to other corporate duties | Direct litigation against insurers for breach of underlying legal frameworks |

150 “Insure Our Future 2022 demands to the insurance industry,” Insure Our Future Global, 10 March
2022, https://global.insure-our-future.com/insure-our-future-2022-demands-to-the-insurance-industry/.
151 “The impact of Climate Change on the Financial Stability of the Insurance Sector,” International
Association of Insurance Supervisors, Global Insurance Market Report, 2021, www.iaisweb.org/uploads/2022/01/210930-GIMAR-special-topic-edition-climate-change.pdf.


Where a (re)insurer is publicly listed, it could also be subject to greenwashing or derivative
shareholder claims related to inaccurate or misleading climate or ESG-related disclosures.
Alongside this, by supporting carbon-intensive sectors, insurers may be exposed to
counterparty risk stemming from liability risk152: The likelihood or probability that the
other party may default on their contractual obligations could increase due to the legal
liabilities the company is subject to.153 Litigation risk could accordingly impact insurers’
underwriting business as well as an insurer as a corporate entity as described in the UNEP
FI framework below.

Regulatory scrutiny and (re)insurers’ approach to managing climate liability risk


As a 2021 report from UNEP FI outlined, climate litigation may cause a wide range of
financial impacts in the real economy, which extend beyond the direct cost and credit
risk to individual borrowers or insureds, including financial shocks and regulatory capital
impacts, which can flow through to the broader economy.154 ​

Figure 15.2 Sarah Barker, Joshua Dellios and Ellie Mulholland, “Legal action as a driver and
consequence of climate-related physical risk adaptation Liability risk and adapta-
tion finance,” Minter Ellison and UN Environment Programme Finance Initiative
(UNEP FI), April 2021, Figure 3 p 20.

152 This can cross jurisdictional boundaries. For example, a bank can be sued in its home jurisdiction or
suffer financial loss following litigation relating to an asset or borrower liability exposure in another jurisdiction.
UNEPFI-Climate-Change-Litigation-Report-Lowres.pdf.
153 “Global Insurance Market Report (GIMAR),” International Association of Insurance Supervisors,
December 2022, https://www.iaisweb.org/activities-topics/financial-stability/gimar/.
154 Sarah Barker, Joshua Dellios and Ellie Mulholland, “Legal action as a driver and consequence of
climate-related physical risk adaptation Liability risk and adaptation finance,” Minter Ellison and UN Environment
Programme Finance Initiative (UNEP FI), April 2021 (hereafter Barker 2021), www.unepfi.org/


Accordingly, as part of their mandate to enhance financial stability generally, and as
addressed in Chapter 14, regulators are increasingly including climate risk assessments
of their regulated entities as part of their supervisory mandate. Generally, this is more
advanced in respect of physical and transition risk assessments than liability risk. As the
Bank for International Settlements (“BIS”) has outlined, reasons for this may include the
problems associated with accurately estimating litigation costs.155 The pricing of liability
exposure risks is inherently complex as it may involve a high proportion of tail risk and
large losses, with a rapidly-changing regulatory and litigation environment (including the
drivers identified above), a lack of reliable data, as well as challenges in risk accumulation
and aggregation.156 As with other types of climate risk, past exposures will not be a reli-
able guide for the future.
The Network for Greening the Financial System (NGFS), a group of central banks and
financial supervisors, has pushed for financial regulators to include climate liability risk
as part of their supervisory mandate.157 As the NGFS 2021 report on climate litigation
noted, financial supervisors should ensure that the institutions they supervise are prepared
for the risks from climate-related litigation against themselves and counterparties.
A report commissioned by the European Central Bank (ECB) in 2021 recommended
that the ECB as financial supervisor integrate climate change litigation risk into its super-
visory toolkit.158 This report suggested that the financial risk of climate change litigation
goes beyond insurance costs159 and that the “lack of legal precedents is not a reliable
indication of future climate change litigation risk.”160 The report’s authors outlined how
financial supervisors should gain a better understanding of climate change litigation as
a financial risk to protect themselves.161 It states that liability risk assessment consists of
understanding the risk from potential changes in societal, litigation and judicial environ-
ments. To that end, the report recommends that insurance supervisors should consider
both qualitative and quantitative information on exposure to liability risks.162 It remains to
be seen how the ECB and other central banks will formally assess climate litigation risk,
although the first indications have come from the Bank of England.
As with other elements of climate risk assessment, the UK has led the way on cli-
mate liability risk assessments from a supervisory standpoint. The Bank of England’s
Climate Biennial Exploratory Scenario (CBES), which commenced in 2021, con-
ducted stress tests that asked participating large UK-regulated banks, life insurers and
general insurers to look at three climate scenarios developed by the NGFS: Early cli-
mate action, no additional action and late action. These scenarios were applied to both

wordpress/wp-content/uploads/2021/04/UNEPFI-Climate-Change-Litigation-Report-Lowres.pdf; see also
Setzer 2021 (n 6).
155 Patrick Cleary et al., “Turning up the heat—climate risk assessment in the insurance sector,” FSI
Insights, 20, www.bis.org/fsi/publ/insights20.pdf.
156 Barker 2021 (n 153) 26.
157 Network for Greening (n 131) 17.
158 Setzer 2021 (n 6) 60.
159 Setzer 2021 (n 6) 58.
160 Setzer 2021 (n 6) 61.
161 Setzer 2021 (n 6) 62.
162 Setzer 2021 (n 6) 60. See also “Application Paper on the Supervision of Climate related Risks in the
Insurance Sector,” International Association of Insurance Supervisors, Sustainable Insurance Forum, May
2021, 12, www.iaisweb.org/.


physical risks and transition risks over a period of 30 years.163 CBES also included a
template for general insurers to explore potential exposures to climate-related litiga-
tion risk. General insurers were asked to provide details of their exposure (policy
limits and probable maximum loss) from specific products, in force on 31 December
2020, covering various sectors of the economy that have been identified as having an
elevated or direct exposure to climate risk.
The CBES litigation scenario provided a number of hypothetical legal case rulings
against insureds to assess the potential risks arising from climate litigation, inspired by
actual civil cases, with seven sample cases, addressing:
1. Direct causal contribution to climate change: A corporation found liable for con-
tribution to climate change resulting in physical damage;
2. Violation of fundamental rights resulting in cessation or significant reduction of
operations: A corporation prevented from practising carbon-intensive activities
impacting its financial revenues (stranded assets);
3. Greenwashing: A corporation liable for misleading customers and investors by
false advertising or understated climate risk disclosures;
4. Misreading the transition: A corporation liable for selling a carbon-intensive
product with the knowledge it would become redundant in view of net-zero
policies;
5. Indirect causal contribution by utilities: Utilities sued for indirect contribution to
climate change amplifying physical risks;
6. Directors’ breach of fiduciary duties (asset managers): Case brought by investors
of an asset manager relating to breach of directors’ duties due to understatement of
risk in disclosures; and
7. Indirect causal contribution (financing): Case against financiers of carbon-inten-
sive activities by funding activities of carbon majors.
The parallels between these and actual climate cases pending in the courts, as described
above, are clear.
CBES results,164 published in 2022, revealed that general insurers struggled with col-
lating and aggregating information for a robust assessment of climate-related litigation
exposures according to contract wording and industry sector classifications. For many
participants, this was the first time they had attempted to draw together information to
assess the potential for climate-related litigation across several product lines.
The exercise highlighted that corporate directors’ and officers’ policies were the most
likely to pay out and were vulnerable to three of the seven hypothetical legal cases.
Professional indemnity policies were also at risk from the indirect financing case.
Participating insurers noted that they also covered legal defence costs, meaning that costs
could be sizeable even if litigation against insureds is unsuccessful.

163 Wynne Lawrence, “CBES exercise highlights insurers’ climate liability risk,” Insurance Day, 13 June
2022, https://insuranceday.maritimeintelligence.informa.com/ID1140905/CBES-exercise-highlights-insurers-climate-liability-risk#:~:text=%27CBES%20exercise%20highlights%20insurers%E2%80%99%20climate%20liability%20risk%27%2013,fiduciary%20duties%20and%20indirect%20financing%20of%20carbon%20emissions.
164 “Results of the 2021 Climate Biennial Exploratory Scenario (CBES),” Bank of England, 24 May 2022,
www.bankofengland.co.uk/stress-testing/2022/results-of-the-2021-climate-biennial-exploratory-scenario.


CBES also provided examples of best practice, including:

• Using a multidisciplinary team (underwriters, claims handlers, legal, risk management,
actuarial);
• Submitting initial results to robust internal challenge;
• Considering a wide range of legal interpretations;
• Using findings to inform existing risk management practices;
• Applying technical rigour in considering policy exposures (e.g. risk differentia-
tion within sub-sectors, consideration of differing geographical and legislative
environments).

In February 2022, the Bank of France and the Autorité de Contrôle Prudentiel et de
Résolution (“ACPR”) published its second report165 on good practice for climate change
risk management in the insurance sector, with contributions from 21 insurance and rein-
surance groups and three professional federations. The report outlines suggested practices
for (re)insurers to strengthen governance of climate risks. Included within scope, in align-
ment with the NGFS’s 2019 report,166 were liability risks, with the ACPR noting that:
(Re)insurers are exposed to this risk: Directly, where these institutions are held liable for hav-
ing contributed to the consequences of climate change, a liability that is certainly difficult to
establish, and indirectly, if the institution is exposed to companies that are held liable them-
selves, through the channels of counterparty risk, market risk and reputation risk.

Although climate liability risk stress testing is in its relative infancy, based on the work by
regulators such as the PRA and bodies such as the Sustainable Insurance Forum, IAIS and
NGFS, it can be expected that this will become a regular feature of insurance supervisors’
requirements of regulated entities around the world.167
Investors are also showing an interest in insurers’ climate liability risk assessment, in
line with TCFD recommendations (see Chapter 14). As mentioned at the outset of this
chapter, litigation risk forms part of the climate risk assessment recommended by the
TCFD, and its impacts span the four TCFD pillars of governance, strategy, risk manage-
ment, and metrics and targets. ​
Shareholder group ShareAction has used the framework provided by TCFD to assess the
disclosure by the 80 largest global insurance companies. ShareAction assessed responses
to the following questions to judge disclosure about governance, strategy, risk manage-
ment and metrics. Included within the assessment on governance was the following
question: “Summarize the steps the company has taken to educate clients on mitigating

165 “Climate Change Risk Governance,” ACPR, Banque De France, 17 February 2022, https://acpr.banque-france.fr/sites/default/files/medias/documents/20220222_climate_change_risk_governance_rapport_en.pdf.
The first report was published by the ACPR in 2019 (No. 102 analyse et synthèse, “French insurers facing
climate change risk.”).
166 “A call for action, Climate change as a source of financial risk,” Network for Greening the Financial
System. First Comprehensive Report, April 2019, www.ngfs.net/sites/default/files/medias/documents/ngfs_first_comprehensive_report_-_17042019_0.pdf.
167 “Insuring the climate transition. Enhancing the insurance industry’s assessment of climate change
futures,” UN Environment Programme Finance Initiative, UNEP’s Principles for Sustainable Insurance
Initiative, January 2021.


Table 15.2 Potential litigation risk role by TCFD recommendation. Sarah Barker, Joshua Dellios
and Ellie Mulholland, “Legal action as a driver and consequence of climate-related physical risk
adaptation Liability risk and adaptation finance,” Minter Ellison and UN Environment Programme
Finance Initiative (UNEP FI), April 2021, Table 14 p 76

Columns: TCFD recommendation; Litigation risk role

Governance
Litigation risk role: Incorporation of climate-related litigation risk into the governance of an organisation, including in relation to the senior management and director’s responsibilities

Strategy
Litigation risk role: Consideration of climate-related litigation risk when defining the sustainability and overall business strategy for ensuring a robust and forward-looking business model

Risk management
Litigation risk role: Incorporation of climate-related litigation risk into the risk management function including identification, assessment, mitigation, monitoring and reporting

Metrics and targets
Litigation risk role: Definition of metrics and targets for climate-related litigation risk management

climate liability risks and encourage policyholders to reduce the losses caused by climate
change-influenced events.”168
There are various sources of guidance for insurers in assessing climate liability risk.
The CFRF, convened in 2019 by the Bank of England and PRA to develop guidance for
climate risk assessment, in 2022 published its litigation guide. In 2021, UNEP FI/PSI
published its final report on “Insuring the Climate Transition” with a dedicated chapter on
the assessment of litigation risk for insurers, including recommendations for stress testing
(based on the Bank of England’s CBES).169 That report proposes a framework for assess-
ment which includes at least three key factors:
1. The likelihood that litigation will be brought;
2. The chance the case will be successful;
3. The financial impact of the remedy sought.
A practical guide by The Institute and Faculty of Actuaries suggests including the insur-
er’s own potential liability as part of a liability risk assessment.170 The European Insurance
and Occupational Pensions Authority (EIOPA) considers that liability risk should also be
included in the balance sheet:
on the assets side of the balance sheet, liability risk can affect the value of assets of investees
made responsible for pollution. On the liability side of the insurers’ balance sheet, insurers

168 Paul Kovacs, “Climate Risks, Implications for the Insurance Industry in Canada,” Insurance Institute,
2020, https://s3.amazonaws.com/tld-documents.llnassets.com/0024000/24615/insurance.pdf.
169 “Insuring the climate transition. Enhancing the insurance industry’s assessment of climate change
futures,” UN Environment Programme Finance Initiative, UNEP’s Principles for Sustainable Insurance
Initiative, January 2021.
170 Mark Rothwell, “Practical guide to climate change for general insurance practitioners,” The Institute
and Faculty of Actuaries, August 2019, www.actuaries.org.uk/news-and-insights/news/practical-guide-climate-change-general-insurance-practitioners.


can offer environmental liability coverage for companies considered to cause environmental
risks, potentially high claims can result from court decisions and need to be integrated in the
valuation of insurers’ liabilities.171

Conclusion
As this chapter illustrates, the field of climate liability risk is complex, varied and con-
stantly evolving, as more and more cases are filed by different claimants against an ever-
growing spectrum of defendants and involving diverse causes of action—so much so that
it is difficult to publish a chapter on this topic before it becomes out of date. This chapter
has but scratched the surface of the field of climate liability risk to assist the reader in
understanding it and in appreciating the importance of taking climate liability risk into
account in decision-making by corporations, financial institutions and, of course, insurers.
More than simply a sub-set of transition risk, and informed by considerations includ-
ing jurisprudential, evidential and constitutional, climate liability risk, or climate litiga-
tion risk, is a consequence of increased physical and transition risks and an important
lever in driving forward climate policy and accelerating the transition to a carbon-neutral
world. Having gathered increasing pace since its emergence in the 1980s, climate litiga-
tion has taken many forms—from “framework cases” against governments to damage-
based claims for contribution to climate change, to fiduciary duty cases, greenwashing
cases and, only recently, insurance coverage cases. While insurers have not been directly
targeted by climate change litigation, in light of the growing thrust to hold financial insti-
tutions accountable for the consequences of climate change (as per the examples discussed
above), it is not unlikely that they will be targeted in the future for climate risk manage-
ment and governance, or, potentially, in respect of insurance-associated emissions, par-
ticularly as this type of litigation evolves and intensifies and the transition continues to
gather pace.
Alongside physical and transition risks, other drivers of climate liability risks such as
awareness of climate change risk and responsibilities generally, climate commitments,
availability of funding, standards of care and developments in attribution science are
also, in the main, increasing and contributing to this field’s development. This chapter has
noted, in particular, regulatory developments which will inform (re)insurers’ approach to
the assessment and management of climate liability risk.
It is indeed crucial that (re)insurers are familiar with this risk both as risk-bearers and
as investors. As governments have identified and financial supervisors have mandated,
financial actors are increasingly expected to take on a stewardship role as key stakehold-
ers in the transition from a fossil fuel based to a carbon-neutral economy—for the sake of
the viability of their business, the stability of the financial system and society as a whole.

171 EIOPA, “Opinion on Sustainability within Solvency II,” EIOPA-BoS-19/24130, September 2019, 20.

Chapter 16

Conclusion

New and Evolving Challenges and Opportunities

Anthony A Tarr, Julie-Anne Tarr, Maurice Thompson and Dino Wilkinson

CONTENTS
Overview
Technology and insurance in the digital age
Insurance and automation
Insuring digital assets
Transforming risk management
Asymmetry of information: Big data
Genetic testing, genetic information and epigenetics
Blockchain and distributed ledger technology
Space and insurance
Professional indemnity
Cyber risks and insurance
Pandemics and insurance
Climate change
The insurance company of the future

DOI: 10.4324/9781003319054-16

Overview
As stated in the Introduction to this book, the global landscape in which insurance is
transacted continues to change at a rapid rate, fuelled by breakthrough technologies driv-
ing innovation and by external forces of the magnitude of climate change and pandemics.
As Clyde & Co observe in their report “Insurance 2023—the year ahead:”1
In today’s complex and connected environment, successfully navigating risk has never been
more difficult. Businesses need to deal simultaneously with the challenges confronting them
today and prepare for those they will encounter tomorrow. To do so requires a forward-look-
ing view, to anticipate threats and challenges.

This changing and challenging landscape will ensure and drive the continuing evolution
of the global insurance market and, as such, this edition of this book represents a marker
recording the status of this journey at the beginning of 2023.
This concluding chapter reflects upon some of the key internal and external dynamics
impacting the global insurance market and takes a “look to the future” approach in con-
sidering such matters as technology and digital assets, asymmetry of information, genetic
testing, genetic information and epigenetics, space, climate change and cyber risks.

Technology and insurance in the digital age


There can be little doubt that the future is digital: Personal, social and business interac-
tions are increasingly conducted online, whether via the internet or in the metaverse.
Currencies, art and other assets are able to exist in a purely digital environment and a
generation is growing up to believe that an online presence is more valuable (or more
reflective of their true self) than a “real world” persona.2
This rapid shift in the perception, scope and scale of the digital space over the last
20 years has had—and will continue to have—a radical effect on many industries.3 For
insurers, the impact is particularly transformative, not just in how they might transact
business but also in how they understand, assess and price risk. However, it is evident that
digital transformation of the sector has “the potential to generate substantial economic
and societal benefits but can also give rise to challenges and potential costs to customers.”4

Insurance and automation


While the use or introduction of automatic equipment to reduce human intervention has
been a feature of economic development since the industrial revolution, more recent
advances in robotic process automation (RPA), the ease (and decreasing cost) of collect-
ing and storing vast amounts of data, and the adoption of AI have allowed organisations

1 James Cooper, “Insurance 2023—the year ahead,” Clyde & Co, January 2023, https://online.flippingbook.com/view/913789930/.
2 See, for example, Jiao Huang, Sameer Kumar and Chuan Hu, “A Literature Review of Online Identity
Reconstruction” Frontiers in Psychology, 23 August 2021, vol 12, 2021, https://doi.org/10.3389/fpsyg.2021.696552.
3 See, for example Ben Dattner and Tomas Chamorro-Premuzic, “How to Curate Your Digital Persona,”
Harvard Business Review, 3 July 2020, https://hbr.org/2020/07/how-to-curate-your-digital-persona.
4 Christian Schmidt, “Insurance in the Digital Age,” September 2018, The Geneva Association (hereafter
Schmidt, Geneva Association).


to execute complex processing operations in ways that go far beyond the traditional auto-
mation of simple jobs. Technology has the capability to perform tasks that significantly
outstrip human capacity: The United Kingdom’s Office for National Statistics released a
study in 2019 suggesting that more than 70% of jobs in England in 2019 were at medium
to high risk of automation,5 and the World Economic Forum predicted that AI will replace
85 million jobs worldwide by 2025.6
This changing trend in the workforce already has and will inevitably continue to reshape
the demand for insurance products. Automation has the potential to reduce or remove the
risk of human error, but this is replaced by the risk of systems failure or cyber attacks:
In the digital era, some risks become less frequent, while others, like cyber, will gain in
importance, and again others may cease to exist.7

The need for employers’ liability insurance could well decline, for example, in areas
where the human workforce is reduced. At the same time, there is likely to be a rise in
demand for cyber insurance and other cover to protect vital systems. Motor insurance for
fleet operations may require adaption to cover new risks relevant to connected cars and
autonomous vehicles.
A prime example of this shift can be seen in the healthcare sector, where providers have
traditionally looked towards medical malpractice insurance to cover the risk of errors in
procedures and diagnoses. Where decisions are based on artificial intelligence-powered
data analytics, the system may be as much to blame as the clinician. The COVID-19 pan-
demic saw a rapid acceleration in the adoption of telehealth platforms and other technol-
ogy as part of enhanced care delivery, but it remains to be seen whether this increased
reliance on technology in clinical decision-making has reduced or increased the likeli-
hood of claims—for example, the determination of liability when physicians delegate the
task of diagnosing medical conditions to intelligent scanning systems without exposing
themselves to increased liability for malpractice if the system makes an error.8 In any
case, it has certainly complicated the position on liability with an increase in the number
of potential targets for claims (including platform providers and other healthtech vendors)
and, perhaps, more complex cross-border scenarios with the increase in remote health
consultations.
In the transport sector, autonomous vehicles are rapidly developing in scope and sophis-
tication with the increasing use of machine learning and data analysis to make decisions
that supplement or even replace human choices. This could shift the focus of motor claims
away from operator responsibility and towards product liability claims related to equip-
ment and software, as well as cybersecurity and negligence in the context of maintenance.
The operator of the vehicle will not necessarily be the most obvious party to sue, with
potential claims against manufacturers, software developers and consultants all part of

5 Office for National Statistics: “The probability of automation in England: 2011 and 2017,” www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/articles/theprobabilityofautomationinengland/2011and2017.
6 “The Future of Jobs Report 2020,” World Economic Forum, October 2020, www3.weforum.org/docs/WEF_Future_of_Jobs_2020.pdf.
7 Schmidt, Geneva Association (n 4).
8 John Villasenor, “Products Liability Law as a Way to Address AI Harms,” Brookings, 31 October 2019,
www.brookings.edu/research/products-liability-law-as-a-way-to-address-ai-harms/#:~:text=Under%20strict%20liability%2C%20manufacturers%E2%80%94including.


a growing and complicated mix. There will be emerging ambiguities in the allocation of
responsibility and liability where neither an identifiable human driver with full control of
the vehicle nor a completely driverless vehicle system exists. However, there is no doubt
that increased automation will fuel a significant increase in product liability claims.
The development and expansion of AI in relation to driverless cars, robots, the use of
autonomous machines to execute complex financial transactions and other innovations
give rise to diverse legal issues ranging from the concept of “AI personhood”9 to liability
issues—with obvious insurance implications.

Insuring digital assets


Outside the transformative impact on existing traditional business sectors, it will also be
interesting to observe how the wider societal shift towards a more digital and connected
world will create new risk and opportunity for insurers. “The metaverse” is a broad term
to describe a network (or world) that creates an immersive experience through augmented
and virtual reality technologies—sometimes referred to as Web3 or the 3D internet. In
contrast to the Web 2.0 era that saw a shift from publication to a more interactive read/
write version of the internet, the metaverse goes further by creating an interactive vir-
tual world. This world is a shared experience characterised by its persistent nature—the
metaverse continues to exist even when a participant is not engaged.
Much of this new economy (specifically, the storage and exchange of value) will be
underpinned by blockchain technology. A blockchain is a digital, distributed and shared
ledger consisting of securely linked records of transactions (blocks). It allows parties to
exchange value (i.e. cryptocurrencies) or unique assets (in the form of non-fungible tokens
(NFTs)) in much the same way as equivalent exchanges in the real world. This opens more
scope for the creation of digital assets or even real estate that users can build, retain, own
and trade in a form of online economy.
Any insurance companies that are not currently developing a strategy around Web3
technologies need to move quickly. As the author Stewart Brand puts it:
Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the
road.10

For insurers, the first step is to understand what risks are being presented by any new
technology and how these may translate into insurance coverage. Some of the risks associ-
ated with Web3 technologies are relatively standard concepts for insurers to understand:
theft, fraud and accident. However, there are potential complexities in applying these con-
cepts to digital-only assets. As with any new technology, insurers will naturally be cau-
tious about making any definitive assessment of these risks without sufficient market data
or knowledge. One might reasonably question, for example, whether the existence of an
immutable record such as the blockchain could reduce—or even eliminate—the risk of
theft or fraud. Media reports of substantial losses being suffered from hacking and scams
suggest that is not the present reality.

9 See for example Matthew U Scherer, “Of Wild Beasts and Digital Analogues: The Legal Status of
Autonomous Systems” (2019) 19 Nevada Law Journal 259.
10 www.wholeearth.com/history-whole-earth-catalog.php.


In the case of digital assets, how does an insurer become comfortable with the idea that a digital
asset can possess equivalent properties of ownership and value as a tangible item? Crypto
assets such as Bitcoin are regularly scrutinised in the media with commentators highlighting
their volatility, dramatic crashes and high-profile failures of major exchanges. Consequently,
there is an increasing appetite among service providers and users to seek insurance products to
mitigate these risks. While such products are still developing, there are test cases looking at the
scope of cover and definitions under existing policies—for example, whether cryptocurrencies
or digital assets may be classified as covered property (a US ruling in 2018 determined Bitcoin
to be “property” and not money under a homeowners insurance policy,11 and a subsequent ruling
in the UK High Court found similarly under English law12).
These rulings are significant for a number of reasons. Not only do they allow important
proprietary rights and remedies for victims of digital crime, but they also have material
consequences for the treatment of cryptocurrencies under traditional insurance policies.
This will be an area of continuing development as insurers seek to meet market demand
with bespoke products for digital assets.

Transforming risk management


Another facet of digital transformation is the new approach to risk and compliance that it
can allow. Just as AI-powered predictive analytics have enhanced other aspects of business,
these tools can be adopted by risk and security functions to help ensure that risk
management keeps pace with new ways of working.
Much of the transformational shift is powered by the acquisition of data. In some cases,
insurers are obtaining data in exchange for discounts in premiums—consider, for example,
the use of telematics in motor insurance, smart sensors in a home or office environment
and wearables in health insurance. These connected devices provide a stream of
information to support risk assessment, decision-making and mitigation:
The use of real-time monitoring and visualisation are fundamentally changing the insurers’
relationship with customers. Policyholders who agree to let an insurer track their habits, for
example by using wearable technology, can learn more about themselves, and can use the
information to adapt behaviour and reduce risks.13

For example, a sensor in a building could feasibly detect a fire or flood situation in a home
and issue alerts or trigger preventative systems to significantly control the damage. Other
studies suggest that health and lifestyle monitoring wearable technologies could extend
the lifespan of those using them by an average of six months.14
Moreover, Cem Dilmegani15 describes how “digital twinning,” being computerised representations
of any physical objects such as people, houses or cars, can offer improvements

11 See Kimmelman v Wayne Insurance Group, State of Ohio, Court of Common Pleas, Franklin County.
Civil Division September 25, 2018 Case No. 18CV1041.
12 See AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556. See also B2C2 Ltd v Quoine Pte
Ltd [2019] SGHC(1) 03; David Ian Ruscoe and Malcolm Russell Moore v Cryptopia Ltd [2020] NZHC 728.
13 Schmidt, Geneva Association (n 4).
14 “Predicts 2018: Personal Devices,” Gartner, 30 November 2017, www.gartner.com/en/documents/3834663,
quoted in Keri Allen, “How wearable tech is helping to save lives,” 30 April 2018, IT Pro,
www.itpro.co.uk/business-strategy/31017/how-wearable-tech-is-helping-to-save-lives.
15 “How Digital Twins Change the Insurance Sector in 2023” 13 January 2023
https://research.aimultiple.com/digital-twin-insurance/.


in core insurance practices such as underwriting, claims processing and fraud detection.
By creating simulations or exercises which help to derive “virtual data,” he observes that:
insurance companies can assess their readiness to deal with rare disasters such as volcanic
eruptions, large earthquakes or floods, pandemics, and so on. From this perspective, digital
twins provide a virtual platform for insurance companies where any risk scenario can be
predicted and evaluated.16
This combination of data and vast experience in risk assessment is driving a shift that is
moving the insurance industry from risk protection to risk prevention:
Risk data is of growing relevance with the increase in connected devices, sensors and industrial
control systems, as well as open-source data. With digitisation, risk engineering will
be able to make much greater use of data to gain insights, as well as inform loss prevention
actions and implementation.17

For example, as a leading adviser to insurers around the world, Clyde & Co has been
active in developing products that combine legal expertise with automated intelligence. In
2022, the firm launched Newton,18 a series of innovative products as part of a new technology
platform for casualty claims handling. By leveraging its position as the biggest legal
provider to the UK casualty market—and, consequently, the firm with the largest dataset—these
products support claims handlers to enhance their decision-making capability
in areas such as fraud screening, claims valuation reserve and offer calculations.
Similarly, other supporting players are developing solutions to meet the changing needs of
the insurance sector. In China, the online insurance agency Ant Insurance launched a digital
operations platform called Xingyun to help insurers improve operational efficiency and
customer experience. According to reports in September 2022, Xingyun was able to identify
more than 100 types of verification documents (including hospital receipts) for the settlement
of insurance claims with an identification accuracy rate of more than 95%.19 These
advances are helping to reduce friction in business processes and improve settlement times.
While AI-powered predictive analytics and systems are assisting insurers in countless
ways, the COVID-19 pandemic did serve as a “wake-up” call to many insurers who were
found wanting in how they were managing their insurance risk exposures. For example,
in 2021, the Australian Prudential Regulation Authority (APRA)20 asked ten insurers to
comprehensively review what went wrong with respect to business interruption insurance.
The Deputy Chair of APRA, Helen Rowell, in a speech to the Insurance Council of
Australia’s 2022 Annual Conference, summarised the broad findings as follows:
The problems were not isolated to sloppiness with outdated policy wordings. This was a
very basic error, but other more fundamental issues were also exposed. Key themes included

16 Idem. See also Accenture, “Meet me in the Metaverse,” Technology Trends 2022
www.accenture.com/content/dam/accenture/final/industry/insurance/document/Accenture-Insurance-Technology-Vision-2022.pdf#zoom=40.
17 “How digitalisation and data are reshaping risk mitigation,” Zurich, 11 January 2022,
www.zurich.com/en/products-and-services/protect-your-business/commercial-insurance-risk-insights/how-digitalisation-and-data-are-reshaping-risk-mitigation.
18 www.clydeco.com/en/expertise/products/casualty-innovation.
19 “Ant Insurance Launches China’s First Digital Operation Platform for Insurance Companies,” 7
September 2022, Fintech News Hong Kong,
https://fintechnews.hk/19100/fintechchina/ant-insurance-launches-chinas-first-digital-operation-platform-for-insurance-companies/.
20 “Insurance risk self-assessment thematic review,” APRA, 26 October 2022,
www.apra.gov.au/insurance-risk-self-assessment-thematic-review.


miscalculation or ignoring of the potential materiality of the risk associated with the pandemic,
a lack of willingness to escalate matters of concern, and complexity in policies and systems.
Multiplicity of policy wordings was a real problem, especially in the SME market where third-party
distributors were utilised. In some cases, competitive drivers overrode sound underwriting
discipline. These issues speak to more holistic weaknesses in risk culture.21

Accordingly, managing insurance risk exposures through basic attention to risk and control
frameworks remains fundamental to the issue of insurance risk management.

Asymmetry of information: Big data


The explosion in the gathering, availability and use of data also poses huge challenges for
regulators—and there is no room for complacency. As discussed in Chapter 2, the global
landscape in which insurance is transacted continues to change at a rapid rate, particularly
in relation to the availability of data, burgeoning access to information and scientific/technological
advances. Asymmetry of information, access to and integrity of data, determination
of liability in novel technological contexts and insurance discrimination issues
will continue to challenge regulators, insurers and the wider community on a global basis.
Concerns in relation to the appropriateness and fitness for purpose of the common law
duty of disclosure have already led to significant reforms that endeavour to achieve a balance
between the interests of the insurer and the insured in the process of transacting an insurance
contract and in the outcomes attendant upon failure or asymmetry in such disclosure when
a claim is made. For example, the English and Scottish Law Commissions embarked upon a
joint insurance law reform programme in 2006, and the product of their work is the passage of
two Acts—the Consumer Insurance (Disclosure and Representations) Act 2012 (UK) and the
Insurance Act 2015 (UK). The 2012 Act22 provides a good insight into the balancing dynamics
deployed in altering a consumer insured’s duties in relation to non-disclosure and misrepresentation
in consumer insurance contracts. The effect of these provisions is to place the onus
squarely upon the insurer to ask questions in respect of any consumer insurance contract, and
it is obvious that the clearer and more directed the questions the greater the likelihood that an
insurer could demonstrate failure by an insured under the new requirements.
The UK reforms attracted favourable comment and attention in Australia with the
Royal Commission into Misconduct in the Banking, Superannuation and Financial
Services Industry23 recommending reform of disclosure requirements in respect of
consumer insurance contracts under the Insurance Contracts Act 1984 (Cth). This
recommendation has been enacted in the Financial Sector Reform (Hayne Royal
Commission) Act 202024 with the prior duty of disclosure replaced with a duty to take
reasonable care not to make a misrepresentation to an insurer. Reforms, such as those
described above, advance the cause of aligning the law and practice of insurance to
modern circumstances and markets.

21 APRA’s deputy chair speech, 2 November 2022,
www.apra.gov.au/news-and-publications/apra-deputy-chair-helen-rowell-speech-to-insurance-council-of-australia%E2%80%99s.
22 This legislation is discussed in detail in Julie-Anne Tarr, “Transforming Insurance Law: A comparative
review of recent insurance law reform in the United Kingdom and Australia” (2016) 28 Insurance
Law Journal 10.
23 Final Report, 1 February 2019. Commonly referred to as the “Banking Royal Commission,” or the
“Hayne Royal Commission” (after the Commissioner, the Hon. Kenneth Hayne AC QC.).
24 Section 20B.


Technological and scientific advances have the potential to impact insurance laws and
practices that have a long pedigree. However, it remains an open question as to whether
this continuing evolution in the insurance market in an age of big data demands further
reform to rebalance information disclosure requirements. For example, in this evolving
data-driven global insurance market, an insurer’s asymmetry of information relative to
any particular transaction being negotiated may be negated or become less significant.
This may in turn demand further reform to rebalance pre-contract information disclosure
requirements in the global insurance market.
Attention, as this asymmetric balance is reconfigured, needs to focus also on the
insurer’s disclosure obligations, with due process and accountability requiring that
a prospective insured has easily accessible information about the processing of their
personal data.
The two UK laws also resulted in significant amendments to the Marine Insurance
Act 1906 (UK) with potentially very important flow-on effects in those jurisdictions that
replicated this marine legislation in their domestic legal systems.25 In particular, major
changes to the laws of disclosure, warranties and remedies in marine insurance contracts
have been effected through amendments to the Marine Insurance Act 1906 (UK). This Act
is the model upon which marine insurance legislation was faithfully reproduced globally
in many Commonwealth and other jurisdictions. In a strongly connected and international
market with an epicentre and legacy in London, the changes to the UK legislation should
ideally pave the way globally for law reform without creating unnecessary disharmony or
inconsistency in international practice in the marine insurance industry.

Genetic testing, genetic information and epigenetics26


In healthcare, rapid development around genetic and epigenetic27 information is helping
to revolutionise personalised healthcare models. Combined with other technologies and
big data, more tailored, better priced and customised policies will be part of the future.
Beyond the myriad of advantages that advances in these sciences will present for individual
and group well-being, uses in insurance contexts will also bring a host of potential
ethical, legal and social implications.
The most pressing issue is the extent to which “insurance discrimination” based on
genetic testing, genetic information and epigenetics constitutes a legitimate activity by

25 See, for example, Julie-Anne Tarr, “Marine Insurance Law Reform in Australia—A following sea”
(2017) 45 ABLR 117.
26 Generally, see Julie-Anne Tarr, “Regulatory Approaches to Genetic Testing in Insurance” (2002) 24,
The Sydney Law Review, 189–206; John Lefebre, Georgiana Willwerth-Pascutiu, Sheetal Salgaonkar et al.,
“Genetics and Insurance: Challenges and Opportunities III,” RGA, 29 September 2021,
www.rgare.com/knowledge-center/media/research/genetics-and-insurance-challenges-and-opportunities-iii
(hereafter Lefebre).
27 Epigenetics is defined as “the study of changes in gene function that are mitotically and/or meiotically
heritable and that do not entail a change in DNA sequence.” See Charles Dupras, Lingqiao Song, Katie
M Saulnier and Yann Joly, “Epigenetic Discrimination: Emerging Applications of Epigenetics Pointing to
Limitations of Policies against Genetic Discrimination,” Frontiers in Genetics 9 (2018), 202,
www.ncbi.nim.nih.gov/pmc/articles/PMC6002493/; see also Michael Miller and Paige Freeman, “Legal Issues relating to
Epigenetics in Life Insurance,” 2018, Association of Life Insurance Counsel (ALIC) Annual Meeting, 7 May
2018, the authors explain that “Epigenetics (meaning ‘around’ or ‘beyond’ the gene) is the study of alterations
in gene expression through the addition or removal of biochemical markers, as opposed to changes in DNA
itself.”


insurers in determining which applicants it will accept and on what terms, or whether it
bestows an unfair edge to private enterprise that comes at the expense of those already
at high risk of suffering debilitating health problems. Genetic discrimination has been
defined as “the differential treatment of asymptomatic individuals or their relatives on the
basis of their actual or presumed genetic characteristics.”28
Concerns arise around privacy and genetic discrimination and the extent to which
insurers should be able to impose affirmative requirements that tests be undertaken or, in
some jurisdictions, compel disclosure of existing information in this respect.29 This also
requires determination of the extent to which test results from one person can be used in
conjunction with consideration of the insurability of others who possess similar genetic
traits such as family members and even future descendants. Concerns include the debate
as to the disincentive to undergo testing due to the prospect of insurance discrimination
and the consequences this presents both for scientific research and for preventative health
treatment.30
The interface between the predictive nature of genetic testing and insurance discrimination
touches upon the fundamental nature of insurance as a commercial enterprise as
the predictive certainty of genetic testing and availability of genomic information is central
to risk allocation.
From an insurer’s perspective, for example, the use of increasingly accurate genetic
data will inevitably create the ability for insurance underwriters to predict with far greater
accuracy an individual’s expected healthcare costs or the stage at which a life or disability
policy will have to be paid. This in turn creates the ability of insurers to reject candidates
who are likely to prove too cost-ineffective or to charge significantly higher premiums
to those with test results indicating a pre-disposition towards engendering higher costs.
However, if insurers are not able to use this information or have curtailed access to it, consumers
who are aware of their heightened need for such services will potentially be able
to access these products at a substantially lower rate than would otherwise be the case.
Although attractive from their perspective, the economic result in a commercial setting
arguably will be that the majority of insureds are forced to pay significantly higher premiums
than would otherwise be assessed.
However, the Reinsurance Group of America (RGA)31 observe that:
The definitive impact of genetic information on product pricing due to the information asymmetry
that may stem from insurers’ ability (or lack thereof) to access genetic testing information
is currently unknown. At this point it is known that genetic testing may improve both
mortality and morbidity outcomes and influence in-force lapse rates. For example, someone

28 Margaret Otlowski, Sandra Taylor and Yvonne Bombard. “Genetic discrimination: international perspectives,”
Annual review of genomics and human genetics 13 (2012), 433–454.
29 “Genetic testing threatens the insurance industry: Insurers worry about adverse selection; the insured
worry about discrimination,” The Economist, 3 August 2017,
www.economist.com/finance-and-economics/2017/08/03/genetic-testing-threatens-the-insurance-industry?;
see also, Regulation (EU) 2016/679 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data.
A data subject has the right “not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
30 See, for example, Lachlan Colquhoun, “Genetic testing and insurance: a no-win situation?” ANZIIF, 26
May 2022, vol 45, 1,
https://anziif.com/professional-development/the-journal/volume-45/issue-1/genetic-testing-and-insurance-a-no-win-situation.
31 Lefebre (n 26).


receiving favourable genetic test results may be more inclined to allow a policy to lapse,
whereas someone receiving concerning results may be more motivated to keep their policy
in force, thus negatively impacting a pool’s overall mortality expectations. Much uncertainty
exists, and more precise pricing assumptions about genetic testing impacts are needed both
for consumer behaviour and for mortality and morbidity outcomes.

Familiar liability issues will remain but will grow increasingly complex as more technology
is introduced in chains around scientific validity, test accuracy and test result interpretations.
For example, Charles Dupras et al.32 point to the challenges that may arise when
deciding whether it is prudent or fair to implement epigenetic age and ageing estimators
in life insurance, as “the first question that demands attention is whether the testing has
been scientifically validated and if there is a proven correlation between the biological age
calculations of methylation33 testing and mortality risk.” The need to draw policy lines
for example as to how insurers can use and deploy data, how insurers determine which
applicants will be accepted and on what terms, and what levels of discrimination (and,
indeed, how that term is defined in these contexts) will become high stakes territory for
consumers, regulators and the global insurance industry.
Privacy and genetic discrimination will be principles that inevitably conflict with big
data and broad-scale modelling capacities as to the extent to which insurers should be
able to impose affirmative requirements around information disclosure or testing. In this
sense, moral hazard and risk pools stand to be reshaped as concepts—and to what extent
those who are high risk or who share genetic markers will be able to access health and life
insurance—that will be subject to ongoing consideration by legislators and regulators.34
What is clear, as The Guardian argued in an editorial,35 is that “Insurance depends on
the pooling of risk but big data may drain that pool.” Accordingly, the interface between
big data, the predictive nature of genetic testing and insurance discrimination touches
upon the fundamental nature of insurance as a commercial enterprise. This is a recurrent
theme when considering the impact of big data and predictive analytics.36

Blockchain and distributed ledger technology


Forecasting the future is perhaps foolhardy, but also necessary. As the economy becomes
increasingly digital, and the physical and digital worlds continue to be interconnected
through the use of AI and robotics, the need for risk transfer will remain. As the economy
grows so will the risk transfer market. However, current market structures and norms
within the insurance sector need to adapt or in many instances be wholescale replaced,
in order to avoid redundancy. An economy in which the digital identities of companies or

32 Charles Dupras, Stephan Beck, Mark A. Rothstein et al., “Potential (mis)use of epigenetic age estimators
by private companies and public agencies: human rights law should provide ethical guidance.” Environmental
Epigenetics, 2019, 1–12.
33 See for example, Bekim Sadikovic, “The Diagnostic Power of DNA Methylation” The Pathologist, 16
April 2018, https://thepathologist.com/inside-the-lab/the-diagnostic-power-of-dna-methylation.
34 “Genetic testing and implications for life insurers,” Swiss Re,
www.swissre.com/dam/jcr:df09d7f8-4ca8-44e9-b167-f64b68c08203/genetic_testing_facts_for_insurers.pdf.
35 The Guardian, 28 September 2018,
www.theguardian.com/commentisfree/2018/sep/27/the-guardian-view-on-big-data-and-insurance-knowing-too-much.
36 Generally, see Michèle Finck, “Smart contracts as a form of solely automated processing under the
GDPR,” International Data Privacy Law, vol 9, issue 2, May 2019, 78–94, https://doi.org/10.1093/idpl/ipz004.


individuals interact and transact with one another will not tolerate a risk transfer which
does not fit within the same digital networks or ecosystems. Insurers need to have market
processes and conditions which allow instant decision-making and the building of data-driven
risk analysis.
DLT and blockchain, powered by smart contracts, while often over-hyped, provide a
mechanism for such a digital bridge while also being consistent with the current market
structure within which risk is pooled and distributed. As prior market crashes and spirals
(both within the insurance and the wider finance sector) have shown, a lack of pooling
and a lack of transparency and understanding of where end liability for a risk lies can be
fatal when risk is accumulated by too few players. The diversified global insurance and
reinsurance markets have shown themselves very resilient and effective in sharing that
risk. However current intra-market structures are not fit for purpose for interaction within
digital structures, and this may discourage effective risk sharing and pooling. This raises
a risk of market sustainability and also of shrinking relevancy.
Thus, the insurance markets need to embrace, as many are doing, DLT, blockchain and
smart contract technologies as a bridge between the markets and the digital economy.
For those in the legal and regulatory sector relevant to insurance, there also needs to
be a recognition that the protections and standards accumulated over centuries of global
economic expansion may not be relevant. We can criticise the market for being cumbersome
in not embracing technology that does not fit within existing structures. Equally, we
are comfortable with the notion that the value proposition for new entrants and startups is
that they can think afresh without being encumbered by dogma. The same approach must
also be taken in the legal and regulatory environment.
In light of economic development, complicated trading structures and arrangements
have arisen in order to allow parties to transact where the level of familiarity and trust
that existed in smaller and more cohesive societies is absent.37 So when, in the eighteenth
century, the Lloyd’s insurance market flourished with the ability to pool the risk of a tea
clipper voyage across the seas, the level of trust needed to be enhanced with some degree
of formality. Thus, the early short-form slip policies of insurance were developed, and
corporate structures (such as Lloyd’s syndicates and limited companies) were established.
As the world became ever more globalised and economic networks distant, the level of
complexity of those arrangements increased. For example, consider the unavoidable complexities
of policy wordings and administration where insurers seek to pool an aviation
risk across the globe.
The new digital technologies cut through some of that complexity at the risk level.
Much of the debate as to smart contracts and their enforceability and desirability often
misses the fundamental point that parties intrinsically do not want to enter into a contract
but want to transact.38
If a digital or codified basis for that transaction can be established with sufficient certainty,
then the need for much legal protection in contracts falls away. As an example,
when code incorporates the basis of the transaction, then it is in our view unhelpful to talk
about the code enforcing the agreement or resolving any dispute.39 Rather the code—if put

37 See Lee Bacon, “‘Getting Medieval With Smart Contracts’—Clyde Code,” Artificial Lawyer, 4 June
2018, www.artificiallawyer.com/2018/06/04/getting-medieval-with-smart-contracts-clyde-code/.
38 Ibid.
39 Ibid.


in place properly—simply transacts the agreement. Take, for example, an insured seeking
insurance for the risk of supply for a consignment of coffee, where the risk is placed on a
digital platform in which the parties’ digital identity is trusted. If the insurance platform
is also linked to the underlying trading platform which utilises a real-time date, then the
transaction at the insurance level is hugely simplified. DLT, blockchain and smart contracts
can enable such an arrangement. What will be disintermediated is a lot of the process
but also a lot of the risk. In turn then, also a lot of the legal and regulatory complexity.

Space and insurance40


Christopher McKeon, Ann Satovich, McKay Simmons, Christopher O’Connor and Brad
Barger, in their very compelling article in The Space Review,41 succinctly summarise the
current state of the market as follows:
The marketplace for space insurance today revolves around policies for physical assets, in
particular satellite coverage, which is predominantly dominated by a handful of European
insurers. Coverage includes pre-launch testing and facility exposures, launch and orbital protection,
and coverage for ground support services. Additionally, other specialty coverages
such as manufacturer’s warranties, broadcast service, and other business interruption are also
available. Lloyd’s of London estimates42 that the space insurance market is about $500 million
annually for satellites and non-human cargo. With respect to pre-launch, it is estimated
that only $10 million to $15 million in premiums are generated annually,43 indicating that the
majority of risk and premium occurs post-launch, considering the value of a lost satellite can
range from $200 million to $400 million.
Interestingly, space insurance is not triggered until launch. Prior to liftoff,44 the insured
assets are earthbound and therefore covered under any inland marine policies in force. As
with all current pre- or post-launch insurance, it is property-related, as human passengers
have been minimal.

However, manned and unmanned launches and orbital operations are undergoing a revo-
lution. There is a transition away from a small number of dominant state launchers to an
increasingly important mixture of state and private commercial undertakings.
Privately owned and operated launch systems including those of Virgin Galactic, Blue
Origin and SpaceX are driving innovation, leaps in efficiency and reduction in the cost
of launch and operation. The SpaceX reusable modular launch vehicles are prime examples.45
Those “new entrant” commercial launch services are securing government contracts
and for the first time are operating human crew missions, which was previously

40 Generally, see Andrea J Harrington, Space Insurance and the Law: Maximizing Private Activities in
Outer Space (Edward Elgar, 2021), www.elgaronline.com/display/9781839105852.xml.
41 “Boldly insure where no one has gone,” The Space Review, 8 November 2021,
www.thespacereview.com/article/4280/1;
www.insurancethoughtleadership.com/commercial-lines/boldly-insure-where-no-one-has-gone.
42 Andrew Ross Sorkin et al., “The Space Race for Insurers,” The New York Times, 9 July 2021, sec.
Business, www.nytimes.com/2021/07/09/business/dealbook/branson-bezos-space-race-insurance.html.
43 Bethan Moorcraft, “Satellite insurance—a brief introductory guide,” Insurance Business America,
5 August 2019, www.insurancebusinessmag.com/us/guides/satellite-insurance--a-brief-introductory-guide-174465.aspx.
44 “Space Insurance and the New Era of Space Exploration,” Global Aerospace, 29 June 2020,
www.global-aero.com/space-insurance-and-the-new-era-of-space-exploration/.
45 See for example, Space Exploration Technologies Corporation (SpaceX) that designs, manufactures and
launches advanced rockets and spacecraft. The company was founded in 2002 by Elon Musk to revolutionise
space technology, www.spacex.com/.


the exclusive domain of state undertakings. They are driving regulatory developments
necessary to enable public and commercial transport operations.46
This shift to private commercial operations is expanding a hitherto limited “open market”
for space launch and operation services. It will allow the proliferation of novel activities,
including space tourism (suborbital and orbital) and industrialisation of Earth and
Lunar orbital space.47
That is expected to drive an expansion of the demand for insurance cover and require
the expansion of market capacity. The expansion of insurance capacity will be essential
to the development of commercial activities in space and to facilitate the financial invest-
ment that they require. However, there are challenges. The risk environment is changing,
with shifting patterns of prevalence and the emergence of novel risks. The legal frame-
work within which space activities are conducted is in many respects outdated and under-
developed, leading to uncertainty around the legal principles underpinning private law
liability and the essentials for trade.48
The near-Earth orbital environment is becoming sufficiently congested that individual
operators’ situational awareness and avoidance activities are becoming time-consuming,
costly and arguably (in the near future) inadequate to avoid interference or physical col-
lision. The threat posed by orbital debris to operational space assets is increasing.49 The
debris and congestion issues are set to escalate rapidly with the launch of thousands of sat-
ellites forming communications “constellations” and large-scale (manned and unmanned)
orbital platforms.50
These developments also raise novel risks and hazards for the Earth-bound; between
2008 and 2017, 450 large objects amounting to approximately 900 tonnes of man-made
material have made uncontrolled landings.51 If the likelihood of damage to life or property
is considered small, there remains the issue of pollution. Likewise, launch sites (“space-
ports”) and the land in the shadow of launch windows accumulate pollutants, some of
which (some rocket fuels, for example) are highly toxic. There is also the increasing issue
of non-physical, but equally important, radio frequency interference and the increasing
concern both within and outside the scientific community around “dark and quiet” skies.52
The insurance industry faces challenges in the assessment and valuation of these space-
related risks.

46 See, for example, the Space Industry Act 2018 (UK), Space Industry Regulations 2021 (UK), Spaceflight
Activities (Investigation of Spaceflight Accidents) Regulations 2021 (UK), and Space Industry (Appeals)
Regulations 2021 (UK).
47 See, for example, Stefanie Waldek, “The Past, Present, and Future of Space Tourism,” AFAR, 11 October
2022, www.afar.com/magazine/space-tourism-the-past-present-and-future.
48 Christopher McKeon, Ann Satovich, McKay Simmons, Christopher O’Connor and Brad Barger, “Boldly
insure where no one has gone” The Space Review, 8 November 2021, www.thespacereview.com/article/4280/1;
www.insurancethoughtleadership.com/commercial-lines/boldly-insure-where-no-one-has-gone.
49 See, for example, “Space Junk,” SPACE, www.space.com/topics/space-junk.
50 See for example, “Constellations: Connection for people all over the globe,” Airbus,
www.airbus.com/en/products-services/space/telecom/constellations.
51 Carmen Pardini and Luciano Anselmo, "Uncontrolled re-entries of spacecraft and rocket bodies: A
statistical overview over the last decade." Journal of Space Safety Engineering 6, no. 1 (2019): 30-47; and see
also Dipshikha Chakravortty, Basu Saptarshi, and K. S. Nandakumar. "Spacefarers, protect our planet from
falling debris." Nature 597, no. 7875 (2021): 178-178.
52 See, for example, “Dark and Quiet Skies: An IAU Global Outreach Project,” International Astronomical
Union, www.iau.org/public/darkskiesawareness/.


Existing launch and/or in-orbit assets, loss of revenue and third-party cover will need
to adapt to risks associated with a more crowded operating environment, new technology
and equipment, a widening web of losses consequent on an incident and (orbital and
terrestrial) environmental and pollution-related risks. Insurance of commercial manned
space operations, while not unknown, is not well developed, and the risks associated with
space tourism have not previously required the detailed consideration of the wider space
insurance market.
Nevertheless, as Christopher McKeon et al. comment:

Insurers need to prepare now for the exponential growth in this market segment and the growing
needs of individual and corporate customers. The marketplace for space insurance today
revolves around policies for physical assets, in particular satellite coverage. Coverage includes
pre-launch testing and facility exposures, launch and orbital protection, as well as coverage
for ground support services. For the nascent space tourism industry, the current practice is
that all passengers sign a waiver of liability and assume full risk themselves. This is serving
as a bridge until the insurance market can provide a solution.53

Professional indemnity
The COVID-19 pandemic had a very significant impact on the global professional indemnity
insurance market with many of the challenges that arose, or that were exacerbated—
such as supervision, increased regulatory oversight, economic uncertainty and specific
social challenges, including social inflation—likely to persist and to evolve in the coming
years. For example, insureds remain keenly aware of the impact of the pandemic on their
risk exposure, in particular with regard to the shift to remote or hybrid working, with
the added complexity of staff attrition. Privacy, cyber and ransomware exposures remain
constant and expanding risks.
Other new challenges have emerged, including increased regulatory oversight, and
recessionary pressures and economic headwinds, caused in part by the crisis in Ukraine,
which have led, and will continue to lead, to insolvencies.
As discussed in Chapter 12, some professions and industries, including construction,
medicine and financial professionals, have been and will continue to be impacted more
than others. For example, the construction industry faces challenges in overcoming the
shortage of key equipment and materials, a spike in procurement costs, longer lead times,
schedule and cost overruns, compromised supply chains, skilled labour shortages and
increased competition for limited work.54 Moreover, most jurisdictions have also seen an
increase in regulation in response to shifting societal expectations about building quality,
safety, usability and energy efficiency. The switch to sustainable energy and the adoption
of modern building methods is also transforming the risk landscape, with radical
changes in design, materials and construction processes. New materials and construction
methods are being introduced across the market in short periods of time, and with this
comes increased risks of defects and the potential for unexpected safety, environmental

53 Christopher McKeon, Ann Satovich, McKay Simmons, Christopher O’Connor and Brad Barger, “Boldly
insure where no one has gone” The Space Review, 8 November 2021, www.thespacereview.com/article/4280/1;
www.insurancethoughtleadership.com/commercial-lines/boldly-insure-where-no-one-has-gone.
54 “No Turning Back: An Industry ready to transcend,” 2021 Global Construction Survey, KPMG,
https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2021/09/ie-global-construction-survey-2.pdf.


and health consequences.55 The combined effect of these changes and developments is
creating fertile ground for large liability claims against architects, engineers, developers,
other external professionals and construction companies.56
Globally there is a greatly increased focus on environmental, social and governance
(ESG) and sustainability issues, and climate change-related regulatory and shareholder
actions against companies and their directors and officers (D&Os) relating to ESG risks
are likely to significantly increase as new regulations come online and political debate
around ESG intensifies. The implementation of ESG reporting requirements will make
it easier to hold directors to account for the impact of their organisations on the environment
and society, as well as add a further level of reporting and disclosure.57 For example,
in Europe, on 10 November 2022, the EU Parliament formally adopted The Corporate
Sustainability Reporting Directive (CSRD) in a move to make businesses established
within the European Union and those that operate within the EU disclose information on
their ESG credentials.58
Emerging technologies including big data and automation will continue to develop and
will enable market participants to do business more efficiently and improve the accuracy
of risk pricing for PI underwriters. While there are some significant challenges to overcome
with applying some of those technologies to PI insurance claims, such as achieving
very specific disclosure requirements through automation, if developments continue
apace then many of those challenges may be overcome in the near future.
The forward-looking aspects of the PI insurance market have never been so important.
It will take a continued effort and collaboration between all stakeholders to monitor and
respond to new claims trends and new technologies, and to prepare for the future.

Cyber risks and insurance


As noted in Chapters 1 and 11 of this book, cyber insurance claims have increased significantly
in recent years, driven by the rise of threats such as ransomware attacks, but also
due to the growth of cyber insurance.59 AGCS60 comments that:

Gone are the days when companies bought insurance against cyber-attacks instead of investing
in attack protection technology themselves. The two go hand in hand. Companies need
to think about disaster recovery planning, put their plans to the test and then continue to test
them. Ultimately, if a company improves its cyber maturity level, it will likely obtain better
cyber insurance as a result.

55 “Managing the new age of construction risk—10 trends to watch as the sector builds back better.”
Allianz Global Corporate and Specialty SE, 2021,
www.agcs.allianz.com/news-and-insights/reports/10-trends-construction-risks.html.
56 “Complex construction projects generate large PI claims,” Allianz Global Corporate and Specialty SE,
2022 www.agcs.allianz.com/news-and-insights/expert-risk-articles/claims-report-22-construction.html.
57 “Global claims review 2022—Trends and developments in corporate insurance losses.” Allianz Global
Corporate & Specialty, July 2022, www.agcs.allianz.com/news-and-insights/reports/claims-in-focus.html.
58 See the European Union’s Corporate Sustainability Reporting Directive (CSRD), 10 November 2022,
https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en.
59 “Global claims review 2022—Trends and developments in corporate insurance losses.” Allianz Global
Corporate & Specialty, July 2022, www.agcs.allianz.com/news-and-insights/reports/claims-in-focus.html.
60 Idem.


If insurers do not adequately address what is perceived to be catastrophic risk, then potentially
the portfolio aggregated position of insurers could be unsustainable, with some concern
that cyber attacks will eventually become “uninsurable.”61
However, the remediation effort with respect to increased scrutiny, increases in premiums
and deductibles, and reduced limit deployment has put the market in a much more
sustainable position. Insurers have improved their underwriting techniques, which will
need to continue to evolve as the risk landscape changes. Another area that continues
to pose a challenge is third-party risk: the risk that a supplier or even a customer who interacts
with the company’s systems may open that company to unauthorised access.62 Given the
dynamic and complex nature of cyber security vulnerabilities and the continuous evolution
of cyberattack tactics, techniques and procedures, accounting for known vulnerabilities
is challenging.63 The lack of historical loss data (resulting from the sector’s short
history) adds another layer of unpredictability for all involved.64 However, cyber is a line
of insurance that can be properly underwritten to distinguish the good risk from the bad
and, if insurers can underwrite diligently, there is a long-term future for this class of
insurance.
Trends point to the market corrections having had their intended impact in correcting
cyber insurance portfolios. The benefit to insured companies and those seeking to
(re)purchase dedicated cyber insurance is a return of more competitive conditions, as
the 2023 strategies of many insurers reflect aggressive growth targets. Importantly, this
will lead to greater scope to revive discussions between brokers and underwriters around
cyber coverage, the boundaries of which were being challenged prior to the hard market
conditions. Insurers need to remain competitive while ensuring policies offered do
not carve out too much cover, as this will be received poorly by purchasers. As the area
evolves and more historic data becomes available, it is likely the industry will see that the
costs of dealing with a cyber incident are led not by fines or ransoms but rather by the cost
to rebuild data and technology, and it is this which will dictate policy response moving
forward.

Pandemics and insurance


The COVID-19 pandemic is not over. Over three years since it began, it continues to cost
lives and livelihoods. However, beyond occasional reports of the ongoing consequences of
the cessation of China’s “Zero-COVID” policy in December 2022, little attention is paid
to the pandemic in the media. The world, it seems, has “moved on.”
And yet, the damage lingers, and the challenge of meeting the next inevitable pandemic
remains. It is a challenge that, at least as far as development of affordable comprehensive
pandemic insurance is concerned, is not being met. When the next pandemic arrives, there
is unlikely to be, say, a PIRA-based programme or Pandemic Re-style body in place in any

61 Ian Smith, “Cyber attacks set to become ‘uninsurable’, says Zurich chief,” Financial Times, 26 December
2022, www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d.
62 “Governance in Focus, Cyber Risk reporting in the UK,” Deloitte, February 2017.
63 Report, Government Cyber Security Strategy (UK) 2022–2030, 65,
www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030.
64 Tom Johansmeyer, “Cybersecurity Insurance Has a Big Problem,” Harvard Business Review, 11 January
2021, https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem.


of the major world economies. There may be small-scale programmes in place in some
localities of some countries but nothing of the nature contemplated or suggested by the
OECD. Perhaps the proverbial “day” will be “saved” by after-the-event government action
but, with the ongoing Ukraine conflict and an imminent recession occupying the time
and effort of many political leaders, this may not be the case. Nor is the “public purse” as
capacious as it was prior to the pandemic, even if the political will for another round of
furlough schemes, debt forgiveness and bailouts existed.
What of the insurance industry? The difficulties faced by Marsh and Munich Re in
developing and marketing PathogenRX remain and, if anything, have grown since the
onset of the COVID-19 pandemic. Even now, many potential policyholders will be reluctant
to pay for such “expensive” insurance. Disagreements over the terms of such cover
may also, in the event of another pandemic, lead to the same flurry of policyholder v
insurer litigation as that brought about by COVID-19-related claims. We could well see yet
another series of conflicting judgments such as FCA v Arch65 and Swiss Re International
v LCA Marrickville.66
Even if some form of comprehensive public-private pandemic risk programme could
be put in place, which seems unlikely as the collective memory of the financial cost of the
COVID-19 pandemic fades as the days, weeks and months pass, what would it look like?
What would be its scope? Who would be eligible? Would it be compulsory or voluntary?
Primary cover or reinsurance? One provider or many? If the latter, would it have a uniform
set of policy wordings? If not, why not and how would any differences be resolved?
Three years after the beginning of the COVID-19 pandemic, these basic questions remain
unanswered. It seems that they will remain unanswered in the immediate future. Unless
and until they are answered, there is unlikely to be an effective insurance-based response
to the next, inevitable, pandemic.

Climate change
Despite the ambitious commitments by governments and corporations to cut greenhouse
gas (GHG) emissions, global energy-related carbon dioxide emissions rose by 6% in
2021 to 36.3 billion tonnes, their highest ever level, as the world economy recovered from
COVID-19 and relied heavily on coal to power growth.67 If the world carries on with its
current path of a 3 ℃ rise, scientists predict that by 2070 more than three billion people
will live in regions with an average temperature beyond 29 ℃, a temperature considered
near unliveable.68 Heavy rains, floods and heatwaves lead, among other things, to
crop failures, creating shortages in agricultural production already stressed by infertile
soils and an ever-increasing human population, which is expected to grow by one-third

65 FCA v Arch Insurance (UK) Ltd and others [2021] UKSC 1.
66 Swiss Re International Se v LCA Marrickville Pty Limited [2021] FCA 1206.
67 “Global CO2 emissions rebounded to their highest level in history in 2021,” International Energy
Agency, 8 March 2022,
www.iea.org/news/global-co2-emissions-rebounded-to-their-highest-level-in-history-in-2021.
68 Chi Xu, Timothy A Kohler, Timothy M Lenton, Jens-Christian Svenning and Marten Scheffer, “Future
of the human climate niche.” Proceedings of the National Academy of Sciences 117, no. 21 (2020), 11350–11355,
cited in “3 billion people could live in places as hot as the Sahara by 2070 unless we tackle climate change,”
World Economic Forum, 13 May 2020,
www.weforum.org/agenda/2020/05/temperature-climate-change-greenhouse-gas-niche-emissions-hot/.


between 2009 and 2050.69 As climate events occur with increasing frequency and magnitude,
the human and economic consequences will be devastating.


Novel solutions at every level are necessary to surmount these challenges. And there
are signs that financial actors, including insurers, are taking steps in the right direction
to reduce risk and find solutions. At the same time, financial regulators and international
bodies are fostering the conditions necessary to enable prudent management of climate
risk and to enable the net-zero transition. Parametric insurance and resilience bonds are
gaining traction and attention as tools to assist corporations and sovereigns alike build
resilience to climate change.
Climate litigation is forecast to develop in myriad ways and corporations and their
directors will increasingly find themselves in the spotlight as defendants. The accelerating
development of standards in climate risk management and corporate climate-related
disclosures will increase the liability risk for directors and officers. Shareholders will
increasingly be equipped with the information necessary to question investment decisions
that do not take into account the physical and transition risks of climate change and cause
loss as a result.
As the importance of the Earth’s planetary boundaries is increasingly understood, and
the risks to human society and business of mismanagement of natural resources become
apparent, the rise of climate litigation will likely be followed by other global waves of
environmental litigation. Developments such as the publication in March 2022 and June
2022 of the beta versions of frameworks from the Task Force for Nature-related Financial
Disclosures (TNFD) bring the spectre of biodiversity liability risk and the potential for
climate-biodiversity litigation. The impact of plastics on the environment and human
health is also coming under increasing scrutiny. In March 2022, 175 countries adopted
a resolution for the development of a legally binding global treaty on plastic pollution
aimed at the full lifecycle of plastic.70 This development will undoubtedly provide the
background for activists to pursue this nascent area of litigation against those involved in
the plastics value chain.
As more and more corporations make public net-zero or other environmental commitments,
they become exposed to allegations of greenwashing.71 Since greenwashing claims
are based on the company’s current public statements and actions, they are inherently
easier to prove than claims based on historical contributions to climate change. However,
the fast-developing field of attribution science, which seeks to determine the extent to
which man-made emissions have altered the probability or magnitude of a specific event,
or type of event, will likely strengthen the evidentiary basis of tortious claims against oil
majors for causal contribution to climate change.72
Climate litigation shows no sign of slowing, and as duties of care are delineated and
standards of care around climate risk management rise, it can be expected to continue its

69 “Global Agriculture towards 2050,” High Level Expert Forum, FAO, 12 October 2009; Nigel Brook
and Zaneta Sedilekova, “Climate Change Risks—the Future of Law as we know it?” Law Society Horizon
Scanning, February 2021, 6 (hereafter Brook).
70 Nigel Brook, Zaneta Sedilekova and Saskia Wolters, “End to plastic pollution? Towards an international
plastics treaty,” Clyde & Co, 11 March 2022.
71 Ibid, Brook (n 69) 7.
72 Rupert Stuart-Smith, Aisha Saad, Friederike Otto, Gaia Lisi, Kristian Lauta, Petra Minnerop and Thom
Wetze, “Attribution science and litigation: facilitating effective legal arguments and strategies to manage
climate change damages,” Summary report for FILE Foundation.


exponential expansion in volume and scope, number of jurisdictions, types of plaintiffs
and defendants and sums claimed. In the next phase of climate litigation, activists may
cast their nets even wider, targeting “facilitators” of carbon-intensive businesses, including
financial actors such as banks and insurers, as well as service providers such as lawyers
and auditors.73

The insurance company of the future


As in any industry, we expect that the evolving insurance market will see winners, losers
and a range of new players. Digitisation is creating a wave of new opportunities for digital
native market entrants to usurp the traditional incumbents.
Trends that we expect to continue and accelerate in the insurance market include:

• Increased personalisation: More accurate and faster risk assessment powered by
AI analytics allows for more personalised insurance products. Usage-based and
on-demand insurance options (also known as pay-as-you-go) seem likely to be
favoured in the digital economy. With consumers generally understood to be
moving away from concepts of material ownership, the ability to obtain and pay
for insurance only when an asset is being used is a significant attraction;
• The rise of self-service: Online quote generators and chatbots are becoming
more commonplace as digital channels continue to be favoured over traditional
insurance distribution models;
• More data, more discounts: Insurers are already offering reduced premiums in
exchange for more information to enable them to make better decisions.

All of these trends—and the expectations of modern consumers—will shape the future of
the industry and the shape of market players. “Digital first” insurers are already emerging
and existing market players appear to be aware of the threat: Research in 2019 suggested
that 67% of insurance leaders agreed that current business models would be unrecognisable
within five years.74 Examples of such new models include the highly flexible temporary
insurance cover offered by UK start-up Cuvva, which allows customers to borrow a
vehicle and insure it for anywhere between one hour and 28 days.
To meet these challenges and to be effective in the digital age, insurers need to address
three fundamental considerations: People, process and technology. Staff need to have the
right skillsets both to support the new methods being adopted by insurers and to understand
the risks faced by insureds. As with many other sectors, insurers will be competing
with the technology giants and digital startups for this talent. They will need to offer
similar levels of flexibility, opportunity and other benefits to succeed. Moreover, as the

73 “The Rise of Climate Litigation: how to understand and minimise your legal risk,” Risilience,
https://risilience.com/resources/reports/the-rise-of-climate-litigation/, 7.
74 “Insurers Go All-in on Ecosystems,” Accenture Strategy, 2019,
www.accenture.com/_acnmedia/PDF-96/Accenture-Strategy-Ecosystems-Insurers-Feb2019-Infographic.pdf.


demand for automated services grows, the insurance industry must ensure that its workforces
are equipped to work alongside automation.75 As Clare Ruel76 explains:

This market movement has opened the door for more job roles around developing and implementing
automation, especially as this type of technology is being applied across the entire
insurance lifecycle. This development could place greater emphasis on staff having creativity,
agility, critical thinking and social intelligence, for example. However, because the automation
sector is often perceived to be highly specialised, techy and male dominated, the insurance
industry is facing a skills gap when it comes to fulfilling automation-centric roles.

The importance of education and training to ensure staff have the appropriate skills to
address digital transformation cannot be overstated. McKinsey expresses the opinion that
“talent strategy requires the same rigor and focus as business strategy, especially as the
insurance industry sees accelerated change.”77
Business processes—both internal and customer-facing—need to align with new
expectations. Modern companies and consumers expect a fully digital journey with limited
friction, particularly for the emerging on-demand and usage-based or pay-as-you-go
insurance models. Paperwork, call centre queues and lengthy processing times will see an
exodus of customers towards the organisations that get this right.
Finally, underpinning all of this will be technology. It will be critical for insurers to
invest in the right platforms and solutions to deliver the services of the future.
Developing ecosystems will be an important growth strategy for insurers in the years
ahead: Identifying key services that dovetail with their insurance products and integrating
those into their customer journey. A recent McKinsey study78 on the value of digital ecosystems
suggested they could account for around EUR 60 trillion in revenue globally by
2030. While the insurance sector is firmly on the path to digitalisation following the move
to remote working during the pandemic, those who do not take full advantage of digital
platforms, and access to innovations such as automation, data analytics and modelling,
are likely to be left behind.79
While existing large organisations have the funds to make those investments, there is
also the challenge of being tied to legacy systems—a problem that is not generally faced
by new market entrants. This is likely to be a key factor in disruption of the insurance
market with startups able to be more nimble at selecting or developing the right solutions
from the outset. For existing players, the choices could boil down to concentrating on
incremental in-house development, outsourcing to a third-party platform or seeking to
obtain the necessary technology through acquisition.
If we look to history, one thing is clear: Insurance in its many forms will continue to
adapt and improve now and tomorrow, sharing risk to create a braver world.80

75 “Transforming the talent model in the insurance industry,” McKinsey and Company, 6 July 2020,
www.mckinsey.com/industries/financial-services/our-insights/transforming-the-talent-model-in-the-insurance-industry
(hereafter McKinsey 2020).
76 Clare Ruel, “TechTalk: Rising automation demand reveals insurance skills gap,” Insurance Times, 2
June 2022,
www.insurancetimes.co.uk/news-analysis/techtalk-rising-automation-demand-reveals-insurance-skills-gap/1441344.article.
77 McKinsey 2020 (n 75).
78 “Ecosystem 2.0: Climbing to the next level” McKinsey and Company, 11 September 2020,
www.mckinsey.com/capabilities/mckinsey-digital/our-insights/ecosystem-2-point-0-climbing-to-the-next-level.
79 “Insurance Growth Report 2022 Navigating increasing complexity,” Clyde & Co, February 2022.
80 https://www.lloyds.com/about-lloyds/history

INDEX

Note: Page numbers in italics indicate figures, bold indicate tables in the text, and references
following “n” refer to footnotes.

AAWA see Advanced Autonomous Waterborne Applications
ABI see Association of British Insurers
ACCC see Australian Competition and Consumer Commission
Accenture 11, 12
Access to Insurance Initiative (A2ii) 440
Accident Compensation Act 2001 238
Accord Project 124
accountability of entities 94
accountants and auditors 366–7
account information service providers (AISPs) 256
ACCR see Australasian Centre for Corporate Responsibility
activity-based pricing, Cover Genius 77–8
adaptation cases 452–3
ADAS 173–4
administrative/planning cases 453–5
Advanced Autonomous Waterborne Applications (AAWA) 11
advanced text analytics, fraud detection 33
advertising, embedded insurance 89–90
African Risk Capacity (ARC) Group 132–3, 145–6, 441
after the event (ATE) 399; see also COVID-19
AGCS see Allianz Global Corporate & Specialty
aggregate loss index insurance 142–3
Agostinho v Portugal 452–3
AI see artificial intelligence
air risk/first party 228
air risk/third party 228
algorithmic discrimination, fintech 279–80
All-England Lawn Tennis and Croquet Club Ltd (AELTC) 375–6
Allianz Global Corporate & Specialty (AGCS) 4, 15, 492
Allianz SE 420, 421, 423, 431
Aloha Petroleum Ltd. 465
American Bureau of Shipping (ABS) 205–7
American Institute of Certified Public Accountants (AICPA) 309
Anns v Merton London Borough Council 203–4
anomaly detection, fraud detection 32
anti-money laundering (AML) 121, 258
Ant Insurance 483
anti-trust considerations 85–6
anti-virus/anti-malware (and end-point monitoring) 300–1
Apple 11
applicable law 118
application/asset tiering system 300
application programming interfaces (APIs) 42, 61, 78n53, 255, 269
appropriate licensing, embedded insurance 80–1
APRA see Australian Prudential Regulation Authority
Arctic Circle 415
Arner, D. W. 116
Arnold v Britton 386
artificial intelligence (AI) 2–3, 24–6; analytics and data protection/privacy 34; balancing advantages and addressing risks 33–4; big data and 6, 26–7; embedded insurance 86–7; insurers 30–1; personhood 3, 481; powered analytics 38–41; powered analytics of big data 41–3
ASIC see Australian Securities and Investment Commission
asset registers 300
assets under management (AUM) 431, 431–2
assisted driving 165
Association of British Insurers (ABI) 394, 394n101, 420
augmented and virtual reality technologies 481
AUM see assets under management
Australasian Centre for Corporate Responsibility (ACCR) 463
Australia: anti-money laundering and counter-terrorism financing (AML/CTF)


273; bushfires due to drone crashes in 220; business interruption insurance 389–92; Consumer Data Right (CDR) 269–70; crowdfunding 273; cryptocurrency exchanges 273; enhanced regulatory sandbox (ERS) 274; financial technology (fintech) in 268–74; Innovation Hub 274; liability, risk and insurance for AVs 171–3; mandatory comprehensive credit reporting 273; misconduct regulations 364n183; Select Senate Committee 272–3
Australian Competition and Consumer Commission (ACCC) 311, 429
Australian Cyber Security Centre (ACSC) 292
Australian Environment Protection and Biodiversity Conservation Act 454
Australian Government’s Australian Signals Directorate (ASD) 308
Australian Privacy Principles (APPs) 40
Australian Prudential Regulation Authority (APRA) 429, 483
Australian Reinsurance Pool Corporation (ARPC) 402
Australian Securities and Investments Commission (ASIC) 85, 274, 311, 429; Regulations 83n69
Australian Senate Inquiry Committee 231, 244
Australian Traffic Safety Bureau (ATSB) 228
Australian Transaction Reports and Analysis Centre (AUSTRAC) 273
Authorised Self-Driving Entity (ASDE) 165–6, 171–2
authorising self-driving 165
autonomous vehicles (AVs) 4, 157–81; insurance industry dynamics 178–80; liability, risk and insurance 162–75; non-autonomous vs. 176; product liability 175–8; regulation 159–62
Autorité de Contrôle Prudentiel et de Résolution (ACPR) 475
availability, SOC2 309
Aviva plc 376, 420, 421, 423, 431, 437
AVs see autonomous vehicles
AXA Group 423, 431
AXA XL 438

Baker, T. 388n74
Bank for International Settlements (BIS) 473
Bank of England (BoE) 416, 425–7, 468, 473, 476
Bank of France 475
Barger, B. 489
Barker, S. 472, 476
Barton, G. 86
basis risk 131–4, 155
Baxter, D. 59
BCP framework (business continuity plan) 305
bespoke drone insurance 225–7; conditions 227; covers and extensions 227; first-party insurance 225–6; general exclusions 227; third-party liability 226–7
bias, embedded insurance 86–7
big data 26, 48, 484–5, 487, 492; AI analytics and data protection/privacy 34; AI-powered analytics and 38–43; AI used by insurers 26–7; analytics 30; artificial intelligence (AI) and 6; defined 23, 78n52; insurers 30–1
Big Tech 256, 311
Automated and Electric Vehicles Act 2018 BII see business interruption insurance
(UK) 162, 163, 181, 192, 192n41, 244; Binance 276, 277
Automated & Electric Vehicles Act 2018 biodiversity 411, 443–4, 495
(AEVA) 165 BIS see Bank for International Settlements
automated decision-making 31–2, 279–80 Bitcoin 96n1, 97–101, 262–4, 280, 482
automated driving 165 Black Swan Re 402–4
automated driving system (ADS) 171, 173 Blockchain 8–9, 96n1, 99, 481, 487–9;
Automated & Electric Vehicles Act 2018 technology 99 (see also distributed ledger
(AEVA) 165 technology)
automated lane-keeping systems (ALKS) 159 Blue Origin 489
Automated Vehicle Safety Law (AVSL) 171 board engagement 313–14
automatic identification system (AIS) 208 BoE see Bank of England
Autonomous Driving Act 2021 (Germany) Boucher v Lawson 192, 192n42, 193
168–70, 181 Brady, M. 240
autonomous ships 182–211; choice of law Brand, S. 481
for product liability 188–91; classification Braun, M. 282
societies 200–8; liability insurance for breach of contract 278–9
ships and shipowners 186–7; limitation of Bribery Act 2010 258
liability and networking of its effects 191–9; Brushfield v Arachas 391
maritime cyber risks 208–11 Buckley, R. P. 116
autonomous transportation 10–13 Building Information Modeling (BIM) 358

business interruption insurance (BII) 5, 18, Certain Policyholders -and- China Taiping
19, 377–407; Australia 389–92; common Insurance (UK) Co Ltd 386
law jurisdictions 389–92; coverage 378–80; CGL policy 406, 465, 468
duration and indemnity 380–1; exclusions Chamberlain, T. 7, 49
381; financial technology (fintech) 281; Chancery Lane Project 437
future pandemics and catastrophes 392– change management 299, 304
407; impact of COVID-19 382–3; Lloyd’s Chartered Institute of Loss Adjusters (CILA),
proposals 402–4; private pandemic risk UK 380n33
insurance 395–402; purpose 377–8; United Charter of Fundamental Rights (Charter),
Kingdom 383–7; United States 387–9; US Europe 38–9
Pandemic Risk Insurance Act 405–6 Chen, B. X. 36
Business Interruption Insurance Coverage Act Chevron 464
of 2020 405 Children’s Investment Fund Foundation
business interruption losses 325 (CIFF) 467
Business Interruption Relief Act of 2020 405 China 69, 150, 236n71, 297, 413, 414, 418,
buy-now-pay-later (BNPL) 271–2 483 commercial
BYOD (bring your own device) 302 Christensen, D. 174, 175n208
Civil Aviation Authority (CAA) 237
Caisse Centrale de Réassurance 438 Civil Aviation Ordinance 236
Cambridge Centre for Alternative Finance Civil Aviation Safety Authority (CASA) 237
(CCAF) 250 civil liability 167
Cambridge Programme for Sustainability “Claims made sections of cover” 317
Leadership (CISL) 420 classification societies 200–8
Caparo Industries Plc v Dickman 204 Clean Air Act 454
Capital One Finance Corp. 320 clean energy 412, 455, 463
captives 367, 368 ClientEarth 345, 459, 461, 462, 463, 467,
carbon capture and storage (CCS) 20, 411, 469–70
418, 437 Climate Action Tracker 414, 418n57
carbon dioxide (CO2) 410–11, 431, 456, Climate Biennial Exploratory Scenario (CBES)
456n61, 494 426, 468, 473–6
Carbon Disclosure Project (CDP) 470 climate change 19–21, 494–6; damages-based
Caribbean Catastrophe Risk Insurance Facility claims for contribution to 456–7; effects
(CCRIF) 144–6 of 5; exclusion 469; financed emissions
Carney, M. 416, 416n43, 418n53, 426, 433, 434; and financial markets 415–19; global
433n161, 434n164–5 regulatory response to 423–5; and Global
Carpenter, G. 219 Shield 441–2; history of insurance industry
Carter v Boehm 2, 72 leadership and 419–23; and human rights
case studies: commercial insurance 227–9; 452–3; insurance-associated emissions 435;
Cover Genius 73–8; Moonrock Drone insurance impacts 416–17; international
Insurance 227–9; Nat Cat protection gap response to 412–15; liability risks 446–77;
146–7; parametric products 141–2; solar national regulatory developments 425–9;
development in a remote area of Texas 139; national risk pools for natural catastrophe
wind-at-location 147–8 risk 438–9; new partnerships for disaster
catastrophe bonds 106–7 resilience 439–40; opportunities for the
catastrophe swap 106–7 insurance sector 435–8; physical risk
CBES see Climate Biennial Exploratory 416–17; post-COVID progress on financial
Scenario regulation 429–30; potential impacts
CCS see carbon capture and storage on insurers 468–77; problem of 410–12;
CCWG see Climate Change Working Group risks 420, 423, 424, 428, 438–9, 441, 449,
CDSB see Climate Disclosure Standards Board 460, 468, 475, 477; transition risk 417–19;
Center for Insurance Policy and Research 2 voluntary commitments to net zero 430–4
central bank digital currency (CBDC) 260 Climate Change 2022: Impacts, Adaptation
Centre for Connected and Autonomous and Vulnerability 415, 449
Vehicles 11 Climate Change Working Group (CCWG) 419,
Centre for Policy Development (CPD) 460 421n78

Climate Disclosure Standards Board Consumer Protection Act 1987 (CPA) 167
(CDSB) 430 contingency planning 130
climate litigation: defined 447, 447n6; drivers contract law 108, 115
of 466, 466–8; funding for 467; history of COP27 441
448; risks 471, 476, 495; types of 449–66 Copenhagen Accord 448
climate-ready insurance 436 COPs see Conference of the Parties
Climate Risk Adaptation and Insurance in the Corbin & King Ltd v AXA 386
Caribbean Project (CRAIC) 441 Cornell, N. 108, 115
climate risks 420, 423, 424, 428, 438–9, 449, corporate budgets 129
460, 468, 475, 477; management 418, 423, corporate espionage 297
425–6, 447, 471, 477, 495, 496 Corporate Sector Purchase Programme (CSPP)
ClimateWise 420, 435n171 469–70
cloud computing 2; see also edge computing Corporate Sustainability Reporting Directive
CO2 see carbon dioxide (CSRD) 444, 492
CO2ZERO 462–3 coverage gap 5, 404
Coalition 293 coverage in BII 378–80
COBIT (Control Objectives for Information Cover Genius 8, 73–8; activity-based pricing
and Related Technologies) 307 77–8; background 73–4; during COVID-
Coinbase 252, 265, 281 19 75–6; distribution model 75; Luxury
cold wallets 263 Escapes 74–5; purchase experience 75; tech-
collision data 166–7 led approach to insurance 77; tiered pricing
Comite Maritime International (CMI) 204 extracts 77
Commercial, M. 284 Coverpay 271
commercial general liability policy see CGL covers and extensions 227
policy COVID-19 18–19, 69–70, 216, 249–50, 270,
commercial motor fleet insurance 54–5 361, 393; AI-powered predictive analytics
commercial property insurance 9 on 483; business interruption insurance
common law jurisdictions 389–92 382–3; Cover Genius during 75–6; exposing
Commonwealth Climate and Law Initiative insurance coverage gap 5; and insurance
(CCLI) 460 493–4; legislative changes during and
communications/call centre 324 after 353–4; losses due to 392; occurrence
communication strategy 314 385; post-COVID progress on financial
Companies Act 2006 (CA 2006) 460–1 regulation 429–30
compensation for services, embedded CRAIC see Climate Risk Adaptation and
insurance and 81–2 Insurance in the Caribbean Project
Competition and Consumer Act 2010 86 credit monitoring and ID protection 324
competition law 433–4 Crenshaw, C. 117
complexity and emerging risks 357–8 Criminal Code Act 1995 (Cth) 322n72
composite policies 317 criminal liability 167–8
Compulsory Third Party (CTP) 240 crop policy 135
compulsory third-party liability insurance crowdfunding, Australia 273
233–42; general 233–40; implementation CrowdJustice 467
options 240–2 Cruise 178
Conference of the Parties (COP) 412–13, 423 cryptoassets 262–8; custodians 264;
confidentiality, SOC2 309 encryption of 263; insurance cover 265–6;
connected, cooperative, and automated losses and risk 264–5; non-fungible tokens
mobility (CCAM) 181 (NFTs) 267–8; regulation 266–7; types of
Connected and Automated Vehicles 262–3
(CAVs) 158 cryptocurrencies 262, 481–2; exchanges 264,
Conservation Law Foundation (CLF) 458 273
consumer concerns 152–3 crypto-custody risks 264
Consumer Data Right (CDR), Australia 269–70 Crypto Winter 262
consumer insurance, disclosure questions 33 Cullaffroz-Jover, S. 116
Consumer Insurance (Disclosure and current insurance claims trends 319–20
Representations) Act 2012 484 Cuvva 496

cyber attacks 34; financial technology (fintech) cyber security 480; data protection and 12;
280–1 data protection/privacy and 34–6; goals
Cyber Essentials Readiness toolkit 299 of 297–8; incident/claims 294–6; risk
cyber incident 15, 16, 34, 87, 290–1, 316, 318, management 297–306; risks 35
353
cyber insurance 15–16; high-level overview of Dale, K. 164
315–16; market 285; pay 323–5 Daniel Billy and others v Australia 453
cyber insurers 293n14 dark web monitoring/threat intelligence 324
cyber liability cover 316–17 data capture and analytics 134
cyber maturity 306 data mining in fraud detection 33
cyber regulatory landscape 310–12 Data Protection Directive 39
cyber resilience 298–9 data protection/privacy 34; cyber security and
Cyber Resilience Act 303 12, 34–6; embedded insurance 87–8; origins
cyber risk and insurance 15–16, 286–332, of 37–8; principles 38–41; regulation 41–3;
353, 492–3; anti-virus/anti-malware (and risk assessment, UAVs 222
end-point monitoring) 300–1; application/ data recovery 324
asset tiering system 300; asset registers DCGK see German Corporate Governance
300; Australian Signals Directorate (ASD) Code
308; board engagement 313–14; challenges decentralised autonomous organisations
and emerging trends 330–1; change (DAOs) 112–13, 119, 119n78
management 304; communication strategy decentralised finance (DeFi) 117, 270
314; current insurance claims trends Declaration on Climate Change 420; see also
319–20; cyber insurance pay 323–5; cyber climate change
maturity 306; cyber regulatory landscape degrees of autonomy 183
310–12; cyber risk management 310; cyber delegated supervision 93–4
security incident/claims landscape 294–6; Dellios, J. 472, 476
cyber security risk management 297–306; Deloitte 69
delayed investigations and notifications 315; Denial-of-Service (DoS) 34
distributed ledger technology (DLT) 112–14; derivatives 151
embedded insurance 87–8; encryption and Descartes 74, 129, 129n6, 136n28, 139n33,
backup 303–4; ESSENTIAL 8/TOP 35 141–2, 141n38, 146n63, 147n66, 153
308; establishing cyber resilience 298–9; design, drafting and marketing, PI 156
frameworks 306–10; future of 328–31; Det Norske Veritas (DNV) 209
goals of cyber security 297–8; high-level digital age: insurance in 479–84; technology
overview of cyber insurance 315–16; in 479–84; transforming risk management
incident response planning 304–5; incident 482–4
response resilience 310–15; insurance digital assets 481–2
clauses and operation 316–17; ISO Digital first 496
27001/27002 308–9; landscape and statistics digital forensics costs 324
292–7; late notification to insurers 313; digital identity 2, 280, 489
maritime 185, 208–11; MITRE ATT&CK digital-intelligence-led 93
310; overview 289–92; patch management digital native banks, Australia 272
299–300; payment of 325–6; perimeter digital technology 479
defence 301–2; in practice 292–3; proactive digital transformation 497
incident response 315; quantitative versus digital twinning 482
qualitative risk 305–6; ransom payments digitisation 15, 51, 56, 71, 256, 483, 496
320–3; responses from industry and Dilmegani, C. 482
regulators 327–8; risk assessment, UAVs Dime Fitness, LLC v Markel Ins Co 388
222–4; risk to individuals and businesses directors’ and officers’ claims 281–2
from 296–7; secure mobile devices 302–3; disaster recovery plans (DRP) 329
SOC audit (formally SAS70) 309; supply disaster resilience 439–40
chain risk management 314–15; training and disease clauses as secondary triggers 384
awareness 305; United States Institute of Disparte, D. 110–11
Standards and Technology (NIST) 306–7; dispute resolution in DLT 122–3
uptake and availability of 328–30 disruptors 249

distributed ledger technology (DLT) 8–9, actions 90; first generation of 68; free
57, 60, 370, 487–9; catastrophe bonds choice and anti-trust considerations 85–6;
and 106–7; catastrophe swap and 106–7; growth of 68–73; informed decision-making
challenges of 111–14; characteristics of 82–5; key challenges, barriers and risks
98; cyber risks 112–14; described 97–100; 80–90; policy awareness 82–5; rebating or
dispute resolution 122–3; emerging markets inducements 89; regulation of compensation
124–5; flight insurance 107; future of 109; for services 81–2; risk of over-regulation
insurance potential uses and advantages and innovation 90–4; tax considerations 88;
102–6, 109–11; ledger transparency 111–12; technology 78–80
legal implications and areas of development embedded insurance partners (EIPs) 73
116–22; legal risks and issues with 114–15; embedded mobile technology 63
public vs. private blockchains 101–2; emerging markets, DLT 124–5
smart contract 100; standardisation 123–4; encryption 98; backup and 303–4
weather risks 107–9 Energy Charter Treaty (ECT) 455
DLT see distributed ledger technology enhanced regulatory sandbox (ERS) 274
Donoghue v Stevenson 204 environmental, social and governance (ESG)
Dorset Yacht Co v Home Office 204 344–7, 421–2, 429, 443–4, 463, 470, 471,
Dorsey, J. 267 472, 492
Driver and Vehicle Standards Agency Enviva 464
(DVSA) 165 epigenetics 485–7, 485n25
drones see unmanned aerial vehicles Ernst & Young 53, 60, 70, 111
Duarte Agostinho and Others v Portugal and Erny, M. 59
32 Other States 467 ESG see environmental, social and governance
Dupras, C. 487 ESSENTIAL 8/TOP 35 308
duration and indemnity, BII 380–1 European Banking Institute Working Paper
duty of disclosure: impact of AI-driven big 99, 114
data analytics on 30; insured 27–8; reform European Central Bank (ECB) 473
of 28–30 European Convention on Human Rights
Duty of Vigilance law 470 (ECHR) 453, 461
dynamic driving task (DDT) 172, 172n68 European Insurance and Occupational
Pensions Authority (EIOPA) 5, 41, 42, 61,
Earon, E. 242–3 476
Ebers, M. 170 European Parliamentary Research Service 120
ECHR see European Convention on Human European Securities and Markets Authority
Rights (ESMA) 116–17
Economic Crime and Corporate Transparency European Telecommunications Standards
Bill 2022 262 Institute (ETSI) 303
economic headwinds 347–9 European Union 144, 160, 190; 2009 motor
edge computing 2; see also cloud computing insurance directive 241; Agency for
E-discovery/data cataloguing 324 Cybersecurity 161; General Data Protection
education, parametric insurance 156 Regulation (GDPR) 6, 258, 312; Maritime
Edwards, H. S. 113 Unmanned Navigation through Intelligence
Ehsani, J. P. 179 in Networks (MUNIN) 11; Payment
EIOPA see European Insurance and Services Directive (PSD2) 255–6; Safety
Occupational Pensions Authority Agency 235
Electronic Chart Display and Information Everest Premier Insurance Co. v Gulf Oil
System (ECDIS) 185 Ltd. 465
electronic chart displays (ECDIS) 185 exclusions, BII 381
electronic health records (EHRs) 363–4 exposure-based insurance policy 231
embedded fintech in Australia 269 exposures, in fintech 275
embedded insurance 3, 8, 66–94; advertising extensive enforcement actions 90
89–90; appropriate licensing 80–1; bias and ExxonMobil Corp. 428, 458, 464
artificial intelligence 86–7; characteristics
79–80; data protection and cyber risks 87–8; Federal Aviation Administration (FAA)
described 67–80; extensive enforcement 214, 237

Federal Trade Commission 90 fly and run 234
fiduciary duties cases 460–2 “Fly Responsibly” advertising campaign 462
financial advisers 364–6 FONDEN (Natural Disasters Fund) 145, 438
Financial Conduct Authority (FCA), UK 254, foreign direct investments (FDI) 455
257–61, 426 Foss Maritime 205
Financial Conduct Authority (FCA) v Arch framework cases: adaptation 452–3;
381, 383, 384, 386, 388–91, 397, 404, administrative/planning 453–5; anti-
407, 494 regulatory legal challenges 455; fiduciary
financial crisis 254 duties 460–2; government 450; insurance
financial resilience 129 coverage cases 464–6; mitigation 450–2
Financial Sector Reform (Hayne Royal fraud detection 3, 9, 32–3
Commission) Act 2020 484 fraud protection 103–6
Financial Services Markets Act (FSMA) 257 free choice, embedded insurance 85–6
Financial Stability Board (FSB) 422–3, 424, FSB see Financial Stability Board
426, 429–30; Task Force on Climate-Related FTX 265–6, 277
Financial Disclosures (TCFD) 20 funding, fintech in UK 254–5
financial technology (fintech) 3, 246–85;
algorithmic discrimination 279–80; in G20 InsuResilience Vision 439
Australia 268–74; automated decision- G20 Summit 430, 432
making 279–80; breach of contract 278–9; G20 Sustainable Finance Roadmap 429,
business interruption 281; cyber-attack/ 439n138
data/crime 280–1; directors’ and officers’ General Data Protection Regulation (GDPR) 6,
claims 281–2; exposures 275; future of 31–2, 38–40, 45, 119–20, 221–2, 258, 366
274–5; insurance for 282–6; intellectual general exclusions, UAVs 227
property (IP) infringement/employment Generali 431–2
disputes 278; investor claims 277–8; General Motors 178
liability and insurance 13–15; managerial genetic discrimination 486
liability 281–2; professional liability 278–9; genetic information 485–7
regulatory issues 275–6; reputational risks genetic testing 485–7
281; technology failures 278–9; types of Geneva Association 34
companies 250–2; in the UK 252–68 Gen Z 69
Finck, M. 40 German Corporate Governance Code (DCGK)
fintech in Australia 268–74; buy-now-pay-later 427–8
(BNPL) 271–2; current landscape 268–9; German Federal Financial Supervisory
decentralised finance 270; digital native Authority (BaFin) 427
banks 272; embedded 269; middle-and- Germany: Federal Government 427–8;
back-office solutions 271; open banking liability, risk and insurance for AVs 168–70
269–70; payments 270–1; regulatory Gershweir, M. W. 177
environment 272–4; see also Australia get cover, pay later scheme 271
fintech in UK 252–68; Big Tech 256; current GFANZ see Glasgow Financial Alliance for
landscape 252–4; drivers for growth in 254; Net Zero
financial crisis 254; funding 254–5; market GHGs see greenhouse gases; greenhouse gases
initiatives 258–61; open banking 255–6; (GHGs)
regulation in 256–7; risk and compliance gig (or sharing economy) 7n27, 48
257–8; see also United Kingdom Gilmour, D. 467
firewalls 301–2 GIMAR see Global Insurance Market Report
first-party cover 316 Ginsburg, R. B. 387
first-party insurance 225–6 Glasgow Financial Alliance for Net Zero
Five-Star Safety Ratings programme 173 (GFANZ) 426, 433
Fletcher, J. 194 Global Financial Innovation Network (GFIN)
flight insurance 107 259–60
Flock 53–7, 63, 229; commercial motor fleet Global FinTech Regulatory Rapid Assessment
insurance 54–5; safety and efficiency 55–6 Study 250
Flock Cover 51 Global Index Insurance Facility (GIIF) 144n42
Flood Re 402, 438 Global Insurance Market Report (GIMAR) 425

Global Monitoring Exercise (GME) 425 IACS Resolutions 205
global navigation satellite system (GNSS) IAIS see International Association of
208, 209 Insurance Supervisors
Global Optimism 431 ICAO UAS Toolkit 234
Global Parametric Insurance Market 129 iCloud 297
Global Risk Modelling Alliance (GRMA) 442 identity access management (IAM) 302
Global Shield 439, 441–2 IDF see Insurance Development Forum
GME see Global Monitoring Exercise IEA see International Energy Agency;
GNSS spoofing 210 International Energy Agency (IEA)
Goldberg, J. 49 IIGCC see Institutional Investors Group on
Google 11 Climate Change
government framework cases 450 immersive reality technology 2
Green Deal plan 346, 414 IMO see International Maritime
green endorsement 436 Organization
green finance 424, 429 Implementation Guidance 427
greenhouse gases (GHGs): emissions 20, incident response: management 324; planning
414n34, 428, 435, 435n172, 436–7, 463, 465, 304–5; resilience 310–15
494; neutrality 428 indemnity-based products 134–9; contract
Greenhouse Gas Protocol 435 certainty 136–7; efficiencies and cost
green swan risks 423 savings 134–6; hard-to-insure and emerging
greenwashing 345, 429, 449, 450, 462–4, 472, risks 138–9; moral hazard and fraud
474, 477, 495 137–8; solar development in a remote area of
Greggs PLC v Zurich Insurance PLC 386 Texas 139
ground risk/first party 228 indemnity insurance see professional
growth of embedded insurance 68–73 indemnity (PI) insurance
Gründl, H. 398, 399 indemnity principle 150–2
guaranteed asset protection (GAP) 83 inducements, embedded insurance 89
The Guardian 487 industrialised machine learning 2
Guardrisk Insurance Company Limited v Cafe Industrial Revolution 410, 479
Chameleon CC 391 Inflation Reduction Act (IRA) 354n120, 414,
Guterres, A. 415, 415n38 414n28
Information Commissioner’s Office (ICO),
halo effect 83 UK 257
Hannover Re 440 information disclosure, on-demand insurance
Hare, J. 204 59–62
Harrop, C. 42, 61 Information & Privacy Commissioner for
HDI Global Specialty SE v Wonkana No. 3 Pty Ontario, Canada 36
Ltd 389 informed decision-making 82–5
Hedley Byrne & Co Ltd v Heller & Partners initial public offering (IPO) 251
Ltd 204 innovation: impacts on regulations 92–3; risk
Heede, R. 456 of embedded insurance 90–4
Heede Carbon Majors 456 Innovation Hub, Australia 274
Hetz, W. 54 Inns By The Sea v California Mutual Insurance
heuristic scanning 301 Co 388
Hillier, R. 376 Institutional Investors Group on Climate
HM Revenue and Customs (HMRC) 257 Change (IIGCC) 420–1, 421n77
home and contents cover 231–2 insurable interest 149–50
Hong Kong Civil Aviation Department 236 insurance 399; advancement in 7; automation
hot wallets 263 and 479–81; autonomous transportation
Huntington Ingalls Industries Inc. et al. v Ace 10–13; autonomous vehicles (AVs) 178–80;
American Insurance Co. et al. 389 clauses and operation 316–17; coverage
Hurricane(s): Delta 438; Harvey 417, 459; Lisa cases 464–6; for cryptoassets 265–6; cyber
438, 438n178 risks and 492–3; defined 2; in digital age
Hutley, N. 460 479–84; discrimination 485–6; embedded 3,
hybrid clauses, secondary triggers 384 8; for financial technology (fintech) 13–15,

282–6; fraud in on-demand insurance International Standards Organization and SAE
59–62; market 102; on-demand 3, 7–8, 7n23; International (ISO/SAE) 162n27
pandemics and 493–4; parametric 9–10; International Sustainability Standards Board
professional indemnity 491–2; see also (ISSB) 430, 443
specific types International Underwriting Association (IUA)
“Insurance 2023—the year ahead” 479 7, 49
Insurance Act 2015 484 Internet of Things (IoT) 42, 99, 109, 131
Insurance Contracts Act 1984 484 investor claims, fintech 277–8
Insurance Core Principles (ICPs) 425 IPCC see Intergovernmental Panel on Climate
Insurance Council of Australia 171 Change
Insurance Development Forum (IDF) IPCC AR6 Working Group see 2020 IPCC
439–40, 442 Sixth Assessment Report (AR6) Summary
Insurance Information Institute 231 of Cross-Working Group
Insurance Institute for Highway Safety, US 179 IRA see Inflation Reduction Act
Insurance Services Office (ISO) 379n27 irreversible feedback loop 411
Insurance Stress Test 426 ISO 27001/27002 308–9
insured duty of disclosure 27–8 ISSB see International Sustainability
Insure our Future 470 Standards Board
insurers 9, 30–1; see also insurance IT security 324
insurers’ responses in UAVs 224–42; bespoke
drone insurance 225–7; compulsory jurisdictional law 118
third-party liability insurance 233–42;
general 224; home and contents cover Kinley, A. 164
231–2; mutual insurance 232–3; on-demand Klarna 252
drone insurance 229–31; write-back drone Klein, R. W. 406
insurance cover 224–5 Klinger, E. L. 53–4
InsuResilience Global Partnership KLM 462–3
(InsuResilience) 439, 441 Knight, J. 266
InsuResilience Solutions Fund (ISF) 439 Kovas, A. 283
Insuring the Climate Transition 471, 476 KPMG 62, 64
intellectual property (IP) infringement/ Krummaker, S. 396
employment disputes 278 Kwon, W. J. 128
interagency coordination 93 Kyoto Protocol 412–13, 448
Intergovernmental Panel on Climate Change
(IPCC) 19, 19n58, 19n59, 410–11, 410n5, late notification to insurers 313
411n8, 411n10, 414–15, 414n31, 446, 446n3– ledger transparency, DLT 111–12
4, 449, 457, 457n68, 467 Lee, N. T. 86
International Accounting Standards Board legal costs 324
(IASB) 430 legal risks, DLT 114–15
International Association of Classification Leiman, T. 240
Societies (IACS) 201 Leopardstown Inn v FBD Insurance Plc 391
International Association of Insurance lex fori 191
Supervisors (IAIS) 92, 395, 424–6, 475 LexisNexis Risk Solutions 276
International Civil Aviation Organization liability: autonomous transportation 10–13;
(ICAO) 213n3 financial technology (fintech) 13–15;
International Cooperative and Mutual insurance 13–15, 186–7, 480; risk and
Insurance Federation (ICMIF) 368 insurance for AVs 162–75
International Energy Agency (IEA) 412, 419, liability risks 19; climate 444–77; defined 446;
494n67 managing 472, 472–7, 476
International Maritime Organization (IMO) 11, Lidar (Light Detection and Ranging) 243n100
183, 184, 194n54 light touch approach 9
International Organization of Securities Lijo Abraham and Niji Thomas, et al. v
Commissions (IOSCO) 430 Costello, Inc. 459
International Safety Management Code (ISM Limitation of Shipowners’ Liability Act 193
Code) 209 Lin, X. 128

Little Job (ship) 194 mining 101n21
LLMC 76 194, 197 misleading marketing for AVs 166
Lloyd’s 4, 402–4, 420, 437, 470, 488, 489 MITRE ATT&CK 310
Lloyd’s Market Association (LMA) 392, 393, Money Laundering, Terrorist Financing and
436–7, 469 Transfer of Funds Regulations (MLRs)
Long-Term Climate Strategy 442 258, 266
loss adjusting 325 money transfer 121
low-carbon economy 355, 418, 447, 462 Moonrock Drone Insurance 218, 227–9, 243
Loyaltrend Ltd v Creechurch Dedicated Motor Accident Insurance Act 1994 241
Ltd 380 motor insurance 54–5, 163, 180, 241, 370,
Luxury Escapes 74–5 480, 482
The MSC Napoli 196–7
Ma-Afrika Hotels (Pty) Ltd v Santam Mulholland, E. 472, 476
Limited 391 Mumenthaler, C. 110
machine learning see artificial intelligence (AI) Munich Group 420
Maloney, C. 405 Munich Re 431, 438, 494
managerial liability, fintech 281–2 mutual insurance 232–3
mandatory comprehensive credit reporting, mutuals 368–9
Australia 273 MyBudget 276
Mandatory Credit Reporting and Other
Measures Act 2021 273 NASA: Global Flood Monitoring System 133
manipulative marketing see manufactured NatCat 146–7, 375, 382, 392
vulnerability National Association of Insurance
manufactured vulnerability 89 Commissioners (NAIC) 41, 48, 59, 387n,
Marc Rich & Co AG v Bishop Rock Marine Co 387n71–2, 388n73
Ltd (The Nicholas H) 203, 204 National Cyber Security Centre (NCSC) 292–3
Marine Insurance Act 1906 485 National Environmental Policy Act (NEPA) 453
maritime autonomous surface ships (MASS) National Highway Traffic Safety
10, 183–7, 183n1, 204, 210 Administration (NHTSA) 173, 174, 453–4
Maritime & Coastguard Agency, UK 183 National Injury Insurance Schemes (NIIS) 240
maritime cyber risks 185, 208–11 nationally determined contributions
Maritime Unmanned Navigation through (NDCs) 413
Intelligence in Networks (MUNIN) 11 National Transport Commission (NTC) 171
market initiatives, fintech in UK 258–61 natural catastrophe risks 438–9
Marsh McLennan 443, 494 natural catastrophes (Nat Cat) 5, 18
McCarran-Ferguson Act 81, 387 Natural Disaster Insurance Review 18
McKeon, C. 489, 491 natural disasters 18, 128, 145, 330, 441
McKinsey & Company 109–11, 497 natural language processing (NLP) 33, 371
McQuaid, E. 42, 61 NDCs see nationally determined contributions
McVeigh v Retail Employees Superannuation (NDCs)
Pty Limited 461 negative basis risk 132
MDM 302 network analysis, fraud detection 32
medical malpractice, risk trends in 358–9 Network for Greening the Financial System
Merchants Bank of Boston 192 (NGFS) 424–6, 473, 475
Merchant Shipping Act 1854 (UK) 192 “Net Zero by 2050: A Roadmap for the Global
Merchant Shipping Act 1894 (UK) 193 Energy Sector” 412
metaverse 479, 481 Net-Zero Insurance Alliance 20
micro, small and medium enterprises Never Again Small Business Protection Act 405
(MSMEs) 250 New Payments Platform (NPP) 270–1
Microsoft 178 New World Harbourview Hotel Co Ltd v Ace
middle-and-back-office solutions, fintech in Insurance Ltd 397n116
Australia 271 New York Department of Financial Services
Milieudefensie et al. v Royal Dutch Shell 468 (NYDFS) 428
millennials 69 NGFS see Network for Greening the Financial
miners 101 System

NHTSA see National Highway Traffic Safety Administration
nodes 98–9
noise, risk assessment, UAVs 221–2
non-autonomous, autonomous vehicle vs. 176
non-fungible tokens (NFTs) 262–3; cryptoassets 267–8; disparate or intangible assets 284; entities dealing with 265; uncertain future 284; unclear value 284
nongovernmental organisation (NGO) 149–50
non-insurance entities 93
nuisance, risk assessment, UAVs 221–2
NZAOA see Net Zero Asset Owner Alliance, under United Nations
NZIA see Net-Zero Insurance Alliance, under United Nations

OakNorth 251–2
“occurrence-based” sections of cover 317
O’Connor, C. 489
OECD (Organisation for Economic Co-operation and Development) 6, 36, 71, 81, 92, 395, 400–1, 401n120, 402, 494; Privacy Guidelines 38–40
on-demand drone insurance 229–31
on-demand insurance 3n11, 7–8, 7n23, 47–65; defined 48; Flock 53–7; information disclosure 59–62; insurance fraud 59–62; transactional process 57–9
on-demand software 48
O’Neil, C. 320n58
“One Planet Summit” 424
“one-size-fits-all” approach 229
open banking: fintech in Australia 269–70; fintech in UK 255–6
Open Finance 272
open insurance 42, 62
OpenQuake Platform 133
Operational Design Domain (ODD) 165
operational efficiency 400
operational risks, risk assessment, UAVs 218–19
Orient-Express Hotels Ltd v Assicurazioni Generali SA 384
original equipment manufacturers (OEMs) 169
OTA (over-the-air) 177
Otto Candies LLC v Nippon Kaiji Kyokai Corporation (Otto Candies) 204
over-regulation, risk of embedded insurance 90–4

Pacific Catastrophic Risk Facility (PCRAFI) 146
Paech, P. 116, 117
Pandemic Re (PRIA programme) 404, 407, 494
Pandemic Risk Insurance Act (PRIA) 402, 405, 406
pandemics 18–19; catastrophes and 392–407; defined 375n2; insurance and 374–408, 493–4; risk cover 375n3; risk insurance 375n3
Paperwork 497
parametric index insurance 142
parametric insurance 3, 5, 9–10, 127–56; advantages over indemnity-based products 134–9; basis risk 131–4, 155–6; consumer concerns 152–3; design, drafting and marketing 156; education 156; indemnity principle 150–2; industry growth 153–4; insurable interest 149–50; overview 128–9; problem for regulators 148–9; regulation 156; regulatory and legal challenges 148–53; sovereign disaster risk management and 144–6; structure of 130–1; types of 140–3
parametric products 141–2
Paris Agreement 413–14, 413n21, 413n24, 417, 419–22, 424, 443n208, 448, 450, 455, 461–2, 468
Partnership for Carbon Accounting Financials (PCAF) 434–5, 470
patch management 299–300
PathogenRX 375, 396, 397, 404
“pay-as-you-fly” approach 51, 229, 230–1
“pay-as-you-go” insurance 7, 49, 230
payment initiation service providers (PISPs) 256
payments, fintech in Australia 270–1
Payment Services Directive (PSD2) 255–6
Payment Systems Regulator (PSR) 257
PCAF see Partnership for Carbon Accounting Financials
Peabody Energy Corp 428
Peña, A. 54
pending freight 192, 192n44, 193, 193n51
perceived data protection/privacy 34–6
perimeter defence 301–2
Permission for Commercial Operation (PfCO) 234
Personal Data Protection Act (PDPA) 40
personal injury, risk assessment, UAVs 220–1
Philippines Catastrophe Insurance Facility (PCIF) 441
physical damages 416–17
physical risks 19, 20, 416–17; failure to adapt to 458
planetary boundaries 443, 495
policy awareness, embedded insurance 82–5
positive basis risk 132
Posner, R. 387
Post-2020 Global Biodiversity Framework 443


post-event assistance 399
PPPs see public-private partnerships
pre-agreed pay-out 72
“pre-breach” services 325
predictive analytics 35n51; fraud detection 32
Premier Dale v RSA & Arachas 391
prevention of access (PoA) clauses, secondary triggers 384, 385
PRI see Principles for Responsible Investment
Principles for Responsible Investment (PRI) 421, 431
Privacy Act 1988 198
private Blockchains 101–2; see also Blockchain
private key 263
private pandemic risk insurance 395–402
privileged access management (PAM) 302
proactive incident response 315
Proceeds of Crime Act (2000) 258
processing integrity, SOC2 309
product liability: autonomous ships 188–91; autonomous vehicles (AVs) 175–8; liability, risk and insurance for AVs 167
product marketing 189
Product Security and Telecommunications Infrastructure Act 2022 303
product standards, risk assessment, UAVs 219–20
professional indemnity (PI) insurance 16–17, 283, 333–73, 491–2; accountants and auditors 366–7; building regulatory reform 356–7; captives 368; challenges 338–53; complexity and emerging risks 357–8; cyber risks 353; economic headwinds 347–9; electronic health records (EHRs) 363–4; environmental, social and governance (ESG) 344–7; financial advisers 364–6; impact of technology 370–2; increased regulatory oversight 343–4; legislative changes during and after COVID-19 353–4; mutuals 368–9; rapidity of change 370; risk transfer mechanisms 369; risk transfer structures 367–9; risk trends in medical malpractice 358–9; risk trends in other professions 364; robotic surgeries 362; social inflation 349–52; supervision and staffing 340–2; technology in claims 372; technology in underwriting 370–2; telemedicine 359–62
professional liability 278–9
project-specific insurance 369
property damage, risk assessment, UAVs 220–1
protection against bad actors 120–1
Protection and Indemnity Associations (P&I Clubs) 12, 186, 186n15, 187, 191, 194
protection gap 417, 440
Prudential Regulation Authority (PRA) 257
PSI see UN Principles for Sustainable Insurance
Public Act 332 of 2016 (Senate Bill 995) 174
public blockchain 101–2
public key 263
public–private partnerships (PPPs) 421, 422, 439
public purse 494
public relations 324
Puerto Rico v Big Oil 464
pure parametric policy 140–1
Pütz, F. 168, 180

QBE 431
qualitative risk vs. quantitative risk 305–6
quantum technology 2

Race to Zero Campaign 418, 433–4
Rachael Allen 205–6
Racketeer Influenced and Corrupt Organizations Act (RICO) 464
Ramos, A. 268n65
ransom demands 324
ransom payments 320–3
ransomware 15, 34, 177, 289, 295–6, 304–5, 320–3
rapidity of change 370
Raskin, M. 115
ratchet mechanism 468
real economy 418, 472
real-time notifications, fraud detection 33
rebating in embedded insurance 89
Recher & Co v North British and Mercantile Insurance Co. 381n34
Reeman v Department of Transport 204
regulation: autonomous vehicles (AVs) 159–62; cryptoassets 266–7; financial technology (fintech) 275–6; fintech in Australia 272–4; fintech in UK 256–7; liability, risk and insurance for AVs 165–6; reform 356–7
Regulation 12A–12M 83n69
Regulation Impact Statement (RIS) 171
Regulatory and Supervisory Framework for Insurance Intermediation 81
reinsurance 399, 401, 417, 470; see also insurance
Reinsurance Group of America (RGA) 486–7
remotely piloted aircraft systems (RPAS) 213, 213n3
reputational risks, fintech 281
Resnick, P. 86
Responsibility of Shipowners Act 1734 192
REST 461


ReStart 402
retroactive exclusions 318
Rio Earth Summit 412
risk and compliance, fintech in UK 257–8
risk assessment, UAVs 217–24; cyber risks 222–4; data protection 222; general 217–18; noise 221–2; nuisance 221–2; operational risks 218–19; personal injury 220–1; privacy 221–2; product standards 219–20; property damage 220–1; trespass 221–2
risk mitigation 231
risk pools 138, 146, 438–9, 441
risks of embedded insurance 80–90
risk transfer mechanisms 369
risk transfer structures 367–9
Ritterband, S. 219, 219n26
Road Accident Fund (RAF) 241–2
Road Traffic Act (Germany) 168–70, 175n80
Road Traffic Act 1988 241
Robert, S. 394
Robert Heath Heating 55, 56
robotic process automation (RPA) 479
robotics 487
robotic surgeries 362
Rockliffe Hall Ltd v Travelers Insurance Co Ltd 386
Rome II Regulation 188
Roney, E. 42, 61
Ronin Network 280
Röschmann, A. Z. 59, 62, 64
Rowell, H. 483
RPA see robotic process automation
Ruel, C. 497
Rye Ridge Corp v Cincinnati Ins Co 388
Ryskamp, D. 176

SAE see Society for Automotive Engineers International
Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution (SELF DRIVE) 173
SARS 375, 381
Satovich, A. 489
SCOR 431
Sea Machines Robotics SM300 205–6
SEC see US Securities and Exchange Commission
secure mobile devices 302–3
security, SOC2 309
self-help processes 221
Senate Bill S6806A 320n59
Sendai Framework for Disaster Risk Reduction 422
Sharma v Minister for the Environment 454
Shell 464
shore-based operator (SBO) 184, 188
Siegel, E. 35
Siehr, K. 189
Simmons, M. 489
Singapore Cybersecurity Act 299
single insurer 192
Sixth Assessment Report 19n58, 19n59, 410–11, 410n5, 410n7–8, 411n10, 414–15, 414n31–4, 446, 446n3–4, 449, 457n68, 467
SK Group 443
small and medium-sized enterprises (SMEs) 131, 154, 252
smart contracts 3, 9, 57, 96n3, 135n26; distributed ledger technology (DLT) 100; technology-enhanced 135; in underwriting and claims management processes 103
Smarter Consumer Communications 90
SOC audit (formally SAS70) 309; SOC2 309
social inflation 349–52, 491
social insurance 399
Society for Automotive Engineers International (SAE) 11, 160
Society for Worldwide Interbank Financial Telecommunication’s (SWIFT) 113
software as a service see on-demand software
South African Civil Aviation Authority (SACAA) 237
South African Department of Mineral Resources and Energy (DMRE) 454
Sovereign and Humanitarian Solutions (SHS) 440
sovereign disaster risk management 144–6
space: industrialisation 490; and insurance 489–91; tourism 490–1
The Space Review 489
SpaceX 489
special-purpose acquisition company (SPAC) 255
Splitt Chartering APS v Saga Shipholding Norway AS (The Stema Barge II) 197–8
standalone cyber insurance 315–16
standardisation, DLT 123–4
Steadfast Insurance Co. v AES Corporation 464–5
Stema UK 197–8
Stevens Institute of Technology 11, 12
STL (starters, transfers, leavers) 302
Stonegate Pub Company v MS Amlin 386
Superstorm Sandy 416
supervision and staffing 340–2
supply chain risk management 314–15
Supreme Court 191, 385n57
Sustainable Finance Committee (SFB) 427
Sustainable Finance Working Group 429


Swiss Re Institute 18, 415, 420, 421, 423, 431, 438
Swiss Re International v LCA Marrickville 390, 397, 407, 494

take or pay 135n27
targeted/personalised marketing 31
Target Setting Protocol 432
Task Force on Climate related Financial Disclosures (TCFD) 423–4, 426–7, 429–30, 443, 461, 475, 476, 495
tax considerations, embedded insurance 88
TCFD see Task Force on Climate related Financial Disclosures
tech-led approach to insurance, Cover Genius 77
Technical Annex 427
technology: embedded insurance 78–80; failures in fintech 278–9; PI 370–2; in PI claims 372; in PI underwriting 370–2
Ted Baker Plc v Axa Insurance UK Plc 381
telemedicine 359–62
Terrorism Risk Insurance Act 2002 (TRIA), US 405
Texas Windstorm Insurance Association 367n203
The Financial Sector Conduct Authority (FSCA) 84
third-party liability 226–7
third-party litigation 175
3D internet 481
tiered pricing extracts, Cover Genius 77
tipping points 410
Titanic 193
TKC London Ltd v Allianz Insurance Plc 378, 381, 386
training and awareness 305
transactional process 57–9
TransferGo 276
Transition Plan Taskforce Disclosure Framework 426–7
transition risks 19
Tranter, K. 240
travaux préparatoires 197–8
Treating Customers Fairly (TCF) 84
trespass, risk assessment, UAVs 221–2
tropical ecosystems 411
trust architecture 2

UAVs see unmanned aerial vehicles
Uber 12, 178
UK and Scottish Law Commission 151
UK Competition and Markets Authority (CMA) 255
UK Department for Transport 11
UK General Data Protection Regulation (UK GDPR) 257–8
UK House of Commons Treasury Select Committee 394
unattended machinery space (UMS) 185
UN Convention on the Law of the Sea (UNCLOS) 195
UNDRR see UN Office for Disaster Risk Reduction
UN Environment Programme Finance Initiative (UNEP FI) 419, 421–2, 430, 431, 471, 472, 476, 476
UNEP see United Nations Environment Programme (UNEP)
UNEP FI see UN Environment Programme Finance Initiative
UNEP FI/PSI 476
UNFCCC see UN Framework Convention on Climate Change
UN Framework Convention on Climate Change (UNFCCC) 20n60, 412–13, 412n15, 413n18–21, 413n24, 418n60–1, 420–1, 431, 469
UN Human Rights Committee (UNHRC) 453
United Kingdom: air travel trust fund (ATTF) 242n94; business interruption insurance 383–7; Chartered Institute of Loss Adjusters (CILA) 380n33; Financial Conduct Authority (FCA) 154, 254, 257–61; financial technology (fintech) in 252–68; Information Commissioner’s Office (ICO) 257; liability, risk and insurance for AVs 162–4; Maritime & Coastguard Agency 183; Motor Insurer’s Bureau 240n89
United Nations 200; Net Zero Asset Owner Alliance (NZAOA) 431–3; Net-Zero Insurance Alliance (NZIA) 432–5
United Nations Development Programme (UNDP) 440
United Nations Environment Programme (UNEP) 410, 431n150, 470n143
United States: bushfires due to drone crashes in 220; business interruption insurance 387–9; consumer drone accidents 218n24; drones in 213n1; Federal Aviation Administration (FAA) 214; Institute of Standards and Technology (NIST) 306–7; Insurance Institute for Highway Safety 179; liability, risk and insurance for AVs 173–5; Terrorism Risk Insurance Act 2002 (TRIA) 405
University Superannuation Scheme (USS) 461
unmanned aerial vehicles (UAVs) 10, 212–45; assessment of risks 217–24; deployed or operation of 215; insurers’ responses 224–42; operator of 215; regulator of 216; regulatory challenges and uncertainty 212–17; technological challenges 216
unmanned aircraft (UA) 213, 213n2


unmanned aircraft systems (UAS) 213, 213n2, 223
UN Office for Disaster Risk Reduction (UNDRR) 417, 422
UN Principles for Sustainable Insurance (PSI) 421, 422, 433, 471, 476
unvalued loss of profits 381n34
Urgenda Foundation v State of the Netherlands 448
US Department of Health and Human Services 360
US Department of Transportation 173, 179
US National Association of Insurance Commissioners (NAIC) 57, 151–2
US National Flood Insurance Program (NFIP) 399, 402
US Pandemic Risk Insurance Act 405–6
US Securities and Exchange Commission (SEC) 117, 118, 345, 428–9, 463

valued loss of profits 381n34
Various Eateries Trading Ltd v Allianz 386
Vehicle Certification Agency (VCA) 165
video on demand (VOD) 48
Virgin Galactic 489
virtual data 483
voyage data recorders (VDRs) 185
VRF 430

Wagner, J. 59
Wahi, N. 281
Walchek, S. 52
Waymo 178
weather risks, DLT 107–9
Web 2.0 era 481
Web3 technologies 481
Werbach, K. 108, 115
Weston, H. 406
wind-at-location 147–8
Wirecard scandal 281
WMO see World Meteorological Organization (WMO)
WorkPac Pty Ltd v Rossato 390
World Bank 144, 144n42, 146, 250
World Bank Group 144
World Economic Forum 430, 443, 480
World Food Program 146
World Health Organisation (WHO) 382n40, 396, 397
World Meteorological Organization (WMO) 410
World Weather Attribution (WWA) 457
World Wildlife Fund (WWF) 431
write-back drone insurance cover 224–5
WTW 423, 437–8, 440

XCover 74, 75
Xiaoyan Liu 278
Xingyun 483

Zero-COVID policy 493
Zetzsche, D. A. 116
Zoox 12, 178
Zurich Insurance Group 436, 443
