Swiss Re SONAR New emerging risk insights June 2020Swiss Re SONAR informs and inspires conversations about emerging risks, so the insurance industry can continue to build resilience also in turbulent timesSwiss Re SONAR New emerging risk insights 1 Contents Overview 2 Foreword 3 Introduction 5 Macro trends 7 14 Emerging risk themes and 4 Trend spotlights Societal environment Global pharmaceutical supplies breaks in the chain? 16 Vaping and e-cigarettes a new wave of addicts? (Special feature) 18 Out of sight, out of mind mental health issues among the young 20 The sorcerers apprentice DIY synthetic bio hazards 21 Political environment Tipping the scale? Intergenerational imbalances on the rise 23 Standards into the unknown 24 The fragility of healthcare systems Trend spotlight 25 Technological and natural environment Moving to a low-carbon future Trend spotlight (Special feature) 28 Locking it up carbon removal and insurance (Special feature) 34 Green buildings will they pass the test of time? 36 Burning question risky lithium-ion batteries 37 Hydrogen fuel cells propelling the future? 38 Computing at the edge cybersecurity overstretched? 40 Deepfakes the creeping devaluation of truth? 41 Grey accountability product liability in the era of smart everything 42 Teeny weeny high-tech smart dust 43 Competitive and business environment A sea change in app usage? Trend spotlight 46 Sustainable supply chain management in financial services Trend spotlight 47 Appendix A: High impact emerging risk themes 2016 2020 50 Appendix B: Terms and definitions 542 Swiss Re SONAR New emerging risk insights Overview Emerging risk themes by potential impact and timeframe 03 years 3 years Trend spotlights by potential impact Computing at the edge cybersecurity overstretched? Tipping the scale? Intergenerational imbalances on the rise Locking it up carbon removal and insurance (Special feature) Moving to a low carbon future (Special feature) Global pharmaceutical supplies breaks in the chain? Standards into the unknown Burning question risky lithium-ion batteries Deepfakes the creeping devaluation of truth? Grey accountability product liability in the era of smart everything Vaping and e-cigarettes a new wave of addicts? (Special feature) Green buildings will they pass the test of time? Out of sight, out of mind mental health issues among the young A sea change in app usage? The fragility of healthcare systems The sorcerers apprentice DIY synthetic bio hazards Hydrogen fuel cells propelling the future? Teeny weeny high-tech smart dust Sustainable supply chain management just as crucial in financial services for Property for Casualty for Life “Mental health issues increased significantly in young adults over last decade” ScienceDaily, 15 March 2019, releases/2019/03/1903151 10908.html Impact Medium Most affected business areas L “Norway: Explosion at hydrogen filling station”, , 1 1. June 2019 1/norway-explosion-at- fuel-cell-filling-station/ Impact Low Most affected business areas Casualty Time frame (years) 3 Ops L & H Financial Markets Property Casualty Potential impacts Hydrogen is combustible in combination with oxygen: above a certain ratio the mixture is explosive. Leaks from a hydrogen tank may lead to explosions and trigger property claims. If fires or explosions of hydrogen tanks are caused by negligent handling or production defects, product liability policies may be triggered. Insurance companies will need to assess the pricing and investment risks for a growing hydrogen fuel industry40 Swiss Re SONAR New emerging risk insights Technological and natural environment Computing at the edge cybersecurity overstretched? Edge computing can supercharge data exchange, but also lead to more cybersecurity breaches. Fast broadband connections and central cloud servers enable the rapid transfer and process of massive amounts of information on the data highway. However, with Internet of Things (IoT), data needs to be transferred and processed not just more quickly, but instantaneously. Think of autonomous vehicles: any time-lag in signal transmission and processing can prove fatal. This is where edge computing comes in. To minimise latency in data transactions, computing power is added close to the connected end-devices themselves. In other words, at the periphery or edge of a network. Edge computing does not replace cloud services. It complements them by transferring the processing power from cloud platforms to where the data is created and consumed. Edge computing is playing a pivotal role in innovating and maintaining digital ecosystems across manufacturing, utilities, robotics and all other spheres demanding low-latency, a development in which 5G is likely to play an ever-increasing role. The addition of more and ever-evolving interconnected devices to a network also, however, increases potential attack surfaces. Poor implementation of edge computing can expose system vulnerabilities, which hackers could target using latest innovations in artificial intelligence to search through codes for entry points and deploy intelligent malware. Decentralised by nature, edge computing is less likely to benefit from a strong security monitoring. Data collected, consumed and intermediately stored at the edge can also be vulnerable to environmental conditions, and these can be harsh, such as in, for instance, the context of a wind turbine or in agriculture. This adds physical challenges to the maintenance of devices as well as data retention and security. 66 By moving security concerns to the periphery, edge computing heightens cyber risk potential from under-service, negligence and blind spots. Any device that remains connected to a network beyond its projected life span and is no longer updated with adequate security patches invites attackers. A scenario of “internet of forgotten things” that are more vulnerable to cybercrime is not a long stretch of the imagination. 67 66 iSF 30 Information Security Forum, Threat Horizon 2022: Digital and physical worlds collide, iSF 30 Information Security Forum, Jan. 2020, p 19. 67 Ibid., p 25ff. Impact High Most affected business areas Property, Operations Time frame (years) 0 3 Ops L & H Financial Markets Property Casualty Potential impacts: Edge computing leads to higher cyber exposures in industry and other sectors. There will also be exposures in professional and consumer solutions involving mobile devices. The increased complexity of systems/ networks with the addition of edge computing could increase potential cyber risk exposures. Decentralisation may also favour lower severity but higher frequency risk. Edge computing often takes place at remote environments and under conditions of limited physical security. Cyber incidents can cause machine failure or malfunction, and even business interruption. In connection with autonomous vehicles or health-critical devices, this can lead to injuries or fatalities. Liability may be more difficult to assign in case of failure in the edge- computing worldSwiss Re SONAR New emerging risk insights 41 Technological and natural environment Deepfakes the creeping devaluation of truth? Deepfakes are media formats that use artificial intelligence to fabricate digital content from underlying authentic source material. For example, the technology can hijack and misuse a persons identity by mingling real video-images and/or voice recordings with fabricated content. The synthesised avatar can be made to say or do anything just as convincingly as the target person, thus feigning the appearance of the actual individual. Deepfakes can be streamed in real time: social media platforms enable very effective spread of disinformation. Deepfakes are taking the phenomenon of “forged authenticity” to new levels. 68 It is nearly impossible for a lay third-person to tell the difference. Deepfakes can be used to discredit people, extort money through social engineering or blackmail, damage corporate reputations and manipulate public opinion. Deepfake events could trigger insurance policies in both the personal and commercial sectors. With digital technology becoming more sophisticated, cheaper and more accessible, deepfakes are a booming business. The legal environment cannot keep pace. A race between deepfake innovation and technologies designed to mitigate deepfake risk is more than likely. Whatever happens, trust in empirical fact will suffer. While deepfakes will normally latch on to a specific person whether a celebrity, a public figure or unknown individual their impact can go beyond the original intention and individual target. On a societal level, they can lead to flawed individual and collective decision-making (eg, when instigating hate). The proliferation of fabricated misconceptions can also impact financial markets and in a worst-case scenario trigger civil unrest. For the insurance industry, the consequences include increased loss potential on the insureds side from social engineering and identity infringement. Insurance operations could also be substantially affected through an increasing risk of claims fraud and social engineering attacks. Moreover, digitalisation of client relationships regarding customer identity verification and claims handling, for example may well need additional fraud-prevention measures. The impact will likely also be seen in court. In jurisdictions where video evidence is accepted, litigation could be prolonged and more costly, since any footage is more likely to be contested. Indeed, any media format could be suspected of having been deepfaked. The most detrimental impact of all is that in effect, deepfake diminishes the value of truth itself. 68 Forged Authenticity: Governing Deepfake risks, Policy brief, International Risk Governance Center IRGC, EPFL, Lausanne 2019. Impact Medium Most affected business areas Operations Time frame (years) 0 3 Ops L & H Financial Markets Property Casualty Potential impacts Increasing numbers of individuals may be susceptible to deepfake harassment or defamation. Harm may not be restricted to reputational damage. It could extend to mental health, damage to professional career, and financial loss. Some of these effects may, in turn, trigger insurance claims in personal lines. Organisations can be “hacked” and “hijacked” by social engineering attacks through deepfakes. Financial and reputational loss can be significant. Insurance operations can be adversely affected by the increasing risk of claims fraud and social engineering attacks. With increased propensity to question everything and particularly the truth court evidence will become more contested. Procedures to verify customer identity and claims accuracy could become more costly. Deepfakes targeted at or picked up by larger audiences may cause social unrest, hate crimes and violence. They can also influence political decisions and distort financial markets42 Swiss Re SONAR New emerging risk insights Technological and natural environment Grey accountability product liability in the era of smart everything More and more, products are becoming services that are dependent on a relationship with a provider (eg, software updates). It is more challenging to assign liability in these cases than with a stand-alone physical product. Traditional insurance covers for product liability will need to be revisited and likely re-designed. In September 2019, when hurricane Dorian approached Americas East Coast, an electrical car manufacturer enabled the use of extended battery capacity for some customers without physically accessing the respective cars. 69 The convenience of having components of a product easily purchased and modifiable over the internet also means that these can just as easily and conveniently be taken away, by the companies who provided them in the first place. Liability issues with software will likely crop up more as the scope of digital transformation continues to expand. Smart intelligence technology has increased the convenience and safety in countless ways (such as advanced driver-assistance systems), but it needs to be continuously maintained. In 2018, the OECD explained that such intelligent and connected devices could “become defective”. 70 In addition, the devices may only be safe to use as long as they are constantly connected. There may be occasions where connection is interrupted or where a software or patch update is pending, opening a gap in the security framework. With IoT devices now in widespread use at home and in production, software has become a central component of many products. If software is an integral part of a good, a modification and/or failure on the part of the producer or distributor to deliver updates could potentially make the product unsafe to use. What if the provider of software updates goes out of business or refuses to update older devices, in effect forcing purchase of a new model? The European Union is planning right-to-repair regulation for consumers, and some states in the US already grant right to repair and modify. The aim of the proposed EU regulations is to ensure that manufacturers allow access to relevant information to their products for professional repair and maintenance personnel. From here, it may be a short step to legislation making the information available to consumers too. This gives rise to concerns about product risk and liability, particularly with respect to manufacturer warranties and insurance. There are also competition concerns: if repair information is widely available, is a manufacturer still liable for a product that has been repaired, but not by them? For example, there is already a growing “grey market” in products for farm tractor software, the majority of which originate from Ukraine. 71 This unlicensed alternative software and associated diagnostic equipment is prone to malware and illegal botnets, which could impact the health and safety of operators. A further complexity is the many IoT devices that essentially provide services, ranging from controlling the home temperature, music playlists, shopping and keeping the fridge stocked. These trigger liability questions and in worse-case scenarios, also criminal repercussions. 69 “How the world will change as computers spread into everyday objects”, The Economist 12. September 2019. 70 Challenges to Consumer Policy in the Digital Age, Background Report G20 International Conference on Consumer Policy, Tokushima, Japan, Sept 2019, OECD, 2019. 71 J. Bloomberg, “John Deeres Digital Transformation Runs Afoul Of Rith-To-Repair Movement”, Forbes. com, 30. April 2017. Impact Medium Most affected business areas Casualty, Operations Time frame (years) 0 3 Ops L & H Financial Markets Property Casualty Potential impacts As products become more digitised, and subsequent updates and modifications become also widely accessible and changeable, where responsibility for correct operations actually lies is no longer so clear cut. Assigning li