Unfinished business permeates Brexit. A case in point is jurisdiction and enforcement of judgments. As of the end of last year the regimes which had thitherto featured so large in lawyers’ lives, Brussels I, Lugano and the Brussels Convention, fell away. What remained was the common law rules on jurisdiction and enforcement, tempered only by the much more skeletal 2005 Hague Convention on Choice of Court Agreements, possibly a few hoary pre-EU bilateral treaties on enforcement of judgments, and a vague prospect of the UK joining Lugano as a non-EU state with the agreement of the EU.
The latter possibility has now been scotched; although the other Lugano states (Switzerland, Iceland and Norway) were cool about the idea, the EU Commission on 4 May came out with a de Gaullean Non. For the moment therefore we are stuck with the status quo.
Is this a disaster for UK lawyers, in particular as regards the enforceability of our judgments elsewhere in Europe? Not as much as you might think, even though it is a reverse, and admittedly proceedings to give effect to judgments may become somewhat untidier and more costly.
First, note that in the EEA outside the EU, Switzerland has a fairly summary native procedure for enforcing foreign (non-Lugano) judgments; and as regards Norway we have dusted off a 1961 agreement and reactivated it.
Turning to the position within the EU, it is worth remembering that one sizeable subset of Commercial Court judgments will remain fairly readily enforceable: namely, those emanating from exclusive English jurisdiction clauses – a very common phenomenon in international trade contracts, and a not unusual one in other cases where English law is chosen by the parties to govern their transaction. This is because the 2005 Hague Convention, already applicable in the UK and throughout the EU (and also in Singapore and Montenegro) mandates enforcement, not only of such clauses, but also of any judgments resulting. The only gaping exceptions here are interim judgments and carriage contracts.
In the mid-term things may moreover get better. The EU is, it seems, well on the way to ratifying the 2019 Hague Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, a convention to which the UK can also adhere. If and when EU and UK both ratify this Convention, it will require expeditious enforcement of each other’s commercial judgments – and incidentally judicially-approved settlements – rendered against, among others, anyone who has agreed to the jurisdiction of the court rendering the judgment. Its only slightly annoying exception, as in the case of the 2005 Hague Convention, concerns carriage contracts, something apt to exclude bill of lading and voyage charter disputes (though possibly not time charter litigation).
Furthermore, it is worth remembering that the UK’s exclusion from Lugano carries one positive benefit: namely, an escape from its strict and arguably over-dirigiste provisions on jurisdiction. UK courts will thus retain the ability regained in January to decline jurisdiction where there is a good reason to do so without being concerned with the straitjacket imposed by Owusu v Jackson (C-281/02)  E.C.R. I-1383. Conversely, English courts will keep their newly-restored ability to extend to European-domiciled defendants the wide English rules of exorbitant jurisdiction tempered only by forum non conveniens and the court’s discretion to refuse permission to serve out. Further, one suspects much to everyone’s relief, lis alibi pendens in Europe will not, as in Art.27 of Lugano, prevent the English court hearing the case, but merely give it a discretion to do so. The unlamented Italian torpedo fashioned by cases such as Erich Gasser GmbH v MISAT SRL (Case C-116/02)  E.C.R. I-14693, partly but only partly disposed of in Brussels I Recast, will thus be for ever disarmed and its casing given a decent burial on the seabed. And, of course, the anti-suit injunction, a remedy of very considerable use in the practical defence of exclusive jurisdiction and arbitration agreements, is now available against all defendants.
In short, life may be messier for English lawyers without Lugano. But one suspects that it may not be that much unhealthier for the legal business of the English courts. For the moment at least UK Law Plc remains in pretty rude health, and with very decent prospects for the foreseeable future. You’d be foolish if you thought of writing it off any time soon.
Artificial intelligence (AI) is used in many domains ranging from the public sector to health, finance, insurance, home affairs and agriculture. There is no doubt that AI can potentially bring a wide array of economic and societal benefits for nations and humanity as a whole. However, it has been the subject of intense deliberation as to how AI can best be regulated, given that its applications could potentially have adverse consequences on privacy, dignity and other fundamental human rights of individuals. There is no easy answer to this question and various options have been deliberated over the years. Academics have come up with theories as to which manner of regulation would best suit the interests of society, whilst various stakeholders (developers and/or users of the technology) have supported different types of regulatory alternatives suiting their interests.
On 21 April, the European Commission unveiled its proposal for the regulation of AI in EU (2021/0106 (COD)). This is an important development which will, no doubt, generate significant interest (and debate) and play a role in shaping the regulatory framework not only in the EU but perhaps globally. In a nutshell, the proposed new regulatory regime for AI will be as follows:
The regulation lists AI systems whose use is considered unacceptable and accordingly prohibited (Article 5). Such AI practices are: i) those that deploy subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm; ii) those that exploit any of the vulnerabilities of a specific group of persons due to their age, physical or mental disability, in order to materially distort the behaviour of a person pertaining to that group in a manner that causes or is likely to cause that person or another person physical or psychological harm; iii) those that are used by public authorities or on their behalf for the evaluation or classification of the trustworthiness of natural persons over a certain period of time based on their social behaviour or known or predicted personal or personality characteristics, with the social score leading to either or both of the following: a) detrimental or unfavourable treatment of certain natural persons or whole groups thereof in social contexts which are unrelated to the contexts in which the data was originally generated or collected; b) detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour or its gravity; and iv) those that use “real-time” remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement (certain exclusions also listed for this).
The new regime contains specific rules for AI systems that create a high risk to the health and safety or fundamental rights of natural persons (Title III, Arts 6 and 7). Annex III lists a limited number of AI systems whose risks have already materialised or are likely to materialise in the near future (e.g. biometric identification and categorisation of natural persons; AI systems intended to be used for recruitment or selection of natural persons for employment; AI systems intended to be used by public authorities to evaluate the eligibility of natural persons for public assistance benefits and services; and AI systems intended to be used by law enforcement authorities as polygraphs and similar tools to detect the emotional state of a natural person). Article 7 authorises the Commission to expand the list of high-risk AI systems in the future by applying a set of criteria and a risk assessment methodology.
The proposed regulation sets out the legal requirements for high-risk AI systems in relation to data and data governance, documentation and record keeping, transparency and provision of information to users, human oversight, robustness, accuracy and security (Chapter 2).
Chapter 4 sets the framework for notified bodies to be involved as independent third parties in conformity assessment procedures and Chapter 5 explains in detail the conformity assessment procedures to be followed for each type of high-risk AI system.
Certain transparency obligations have been set for certain AI systems (e.g. those that i) interact with humans; ii) are used to detect emotions or determine association with (social) categories based on biometric data and iii) generate or manipulate content (deep fakes)) by virtue of Title IV.
Title V encourages national competent authorities to set up regulatory sandboxes and sets a basic framework in terms of governance, supervision and liability.
The draft regulation proposes to establish a European Artificial Intelligence Board which will facilitate a smooth, effective and harmonised implementation of the requirements under this regulation by contributing to the effective cooperation of the national supervisory authorities and the Commission and providing advice and expertise to the Commission. At national level, Member States will have to designate one or more national competent authorities and, among them, the national supervisory authority, for the purpose of supervising the application and implementation of the regulation (Title VI).
There is no doubt that in the coming weeks the suitability of the proposed regulation will be rigorously deliberated. For example, civil rights campaigners might possibly argue that the proposed regulation does not go far enough, as it allows several exceptions to the prohibition on the use of “real time” biometric identification systems. Fundamentally, Article 5 of the proposed regulation states that the use of real-time biometric identification systems can be allowed for the “prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or of a terrorist attack”, the interpretation of which leaves wide discretionary power to the authorities. On the other hand, developers of AI applications might find it troubling that the Commission would have a discretion going forward to treat newly developed applications as high-risk, making them subject to the demanding compliance regime set out in the proposed regulation.
Obviously, the proposed regulation will not apply in the UK. However, it is important for the relevant regulators in the UK to see what is brewing on the other side of the Channel. We should follow the emerging debates, and the reactions to the proposal from various interest groups and academics, with interest. There might be considerable benefit for the UK in making its move once the path the EU takes on this issue is settled. This might bring economic advantages and even perhaps a competitive edge (assuming that more efficient regulatory measures are preferred in the UK)!
The UK’s application, submitted on 8 April 2020, to join the Lugano Convention in its own right appears to be foundering on opposition from the EU. Although the three non-EU members (Iceland, Norway and Switzerland) have expressed support for admitting the UK, the European Commission is less favourably disposed, and its consent is essential if the UK is to become a party to the convention. On 12 April the Commission stated:
“The Commission has conducted a thorough assessment of the request and has discussed it with Member States. It will come forward with a Communication in the coming weeks.
It is worth noting, however, that the Lugano Convention is a tool used within the EU-EFTA/EEA context. The UK has chosen to leave the EU, the Single Market and the Customs Union. It has chosen to have a more distant relationship with the EU than EEA-EFTA countries. These choices have to be taken into account when determining the EU’s position.”
The final decision, however, lies with the European Council (which comprises the heads of state or government of the EU Member States) and is expected soon. We wait with bated breath.
On 19 February 2021 the Supreme Court delivered a seminal judgment in the first appeal in a collision case to come before the highest court since the mid-1970s, and overturned the decisions of both Mr Justice Teare  1 Ll.R. 66 and of the Court of Appeal  1 Ll.R. 130.
On 11 February 2015 the outbound Ever Smart, a large container ship, collided with the inbound Alexandra 1, a VLCC, within the pilot boarding area, just outside the dredged entrance/exit channel to the port of Jebel Ali. The appeal concerned two questions relating to the application of the “crossing rules” as set out in rules 15 – 17 of the International Regulations for Preventing Collisions at Sea 1972. The Supreme Court emphasised that the Collision Regulations must be capable of implementation by all vessels as defined in the Rules, irrespective of their technological capabilities .
The Questions on the Appeal
The first question for determination was whether the crossing rules are inapplicable or are to be disapplied where an outbound vessel (Ever Smart) is navigating within a narrow channel and has a vessel (Alexandra 1) on a crossing course approaching the narrow channel with the intention of and in preparation for entering it. This question concerned the inter-relationship between the crossing rules and the “narrow channel rules” (rule 9).
The second question was whether it is necessary for the putative give-way vessel to be on a steady course for the crossing rules to be engaged. The “putative give-way vessel” is the vessel which, if the crossing rules apply, would be required by rule 15 to keep out of the way of the other vessel. In practical terms it is the vessel which has the “putative stand-on vessel” on her starboard side.
Both Teare J. and the Court of Appeal answered both questions “yes” with the consequence that the crossing rules were either not engaged at all or, if engaged, were overridden by the narrow channel rules. Teare J. apportioned liability 80% (Ever Smart) and 20% (Alexandra 1) and this was upheld by the Court of Appeal.
The decision of the Supreme Court
The Supreme Court disagreed. Before addressing the two questions the Supreme Court emphasised the international character of the Collision Regulations and their application to “mariners of all nationalities, of all types (professional and amateur), in a wide range of vessels and in worldwide waters”: see  – . In this regard the Supreme Court referred to the well-known statement of Lord Wright in The Alcoa Rambler  AC 236 (PC) at p 250 that “wherever possible” the crossing rules “ought to be applied and strictly enforced because they tend to secure safe navigation”. See also Atkin LJ in The Ulrikka (1922) 13 Ll.L.Rep 367 at 368. At  –  the Supreme Court carried out a detailed analysis of the context and purpose of the crossing rules, addressing the meaning of “heading”, “course” and “bearing” and emphasising the existence of a risk of collision when two vessels are approaching each other on a more or less steady bearing: see rule 7(d)(i).
The Supreme Court also considered the effect of rule 2(a) and (b). Rule 2(a) had been heavily relied upon by the Alexandra 1 interests for the dis-application of the crossing rule but this argument was rejected as “misconceived”: . In essence the Supreme Court held that:
a. The crossing rules were of such importance in the context of collision avoidance that “they should not lightly be treated as inapplicable” .
b. Any tension between the obligation of the stand-on vessel to keep her course and speed and to comply with another rule should “be resolved by treating the stand-on obligation as moulded for the purpose of permitting compliance with the other rule” . Teare J. and the Court of Appeal had erred in treating the rules as inconsistent either generally (Teare J.) or on the particular facts (the Court of Appeal).
c. Any ouster of one rule must be limited to the minimum strictly necessary to avoid danger and uncertainty: .
The Second Question
The Supreme Court first addressed the second question and held that neither the give-way vessel nor the stand-on vessel had to be on a steady course for the crossing rules to be engaged:  – . In essence the Supreme Court held that two crossing vessels may be approaching each other and remain on a steady bearing (with consequent risk of collision) without either vessel being on a steady course.
“ …. if two vessels, both moving over the ground, are crossing so as to involve risk of collision, the engagement of the crossing rules is not dependent upon the give-way vessel being on a steady course. If it is reasonably apparent to those navigating the two vessels that they are approaching each other on a steady bearing (over time) which is other than head-on, then they are indeed both crossing, and crossing so as to involve a risk of collision, even if the give-way vessel is on an erratic course. In such a case, unless the overtaking rule applies, the crossing rules will apply.” 
Although it was in issue on the facts, the Supreme Court also considered that the stand-on vessel need not be on a steady course for the engagement of the crossing rules  – .
The Supreme Court concluded that, subject to the first question, the crossing rules were engaged even though “ALEXANDRA 1 was not on a steady course, or speed” .
The First Question
The Supreme Court identified a number of relevant factual situations where the inter-relationship between the crossing and narrow channel rules needed to be considered. The Supreme Court sought “to determine with clarity and as precisely as possible”  the circumstances in which the crossing and narrow channel rules would apply in the vicinity of the entrance to a channel.
Three broad groups of cases were identified:
“Group 1 are vessels which are approaching the entrance of the channel, heading across it, on a route between start and finishing points unconnected with the narrow channel. They are approaching the entrance of the channel, but not intending or preparing to enter it at all. Group 2 are vessels which are intending to enter, and on their final approach to the entrance, adjusting their course to arrive at their starboard side of it. ….. Group 3 are approaching vessels which are also intending and preparing to enter, but are waiting to enter rather than entering …. ”
The crossing rules would clearly apply in a Group 1 case. The crossing rules would not apply in relation to Group 2 “because the approaching vessel is both preparing and intending to enter it, and already shaping (ie adjusting her course and speed to do so), on her final approach”. The decisions in The Kaiser Wilhelm Der Grosse  P 36 and 259, The Canberra Star  1 Lloyd’s Rep 24 and Kulemesin v HKSAR  16 HKCFA 195 fell within Group 2.
However, the present case fell within Group 3 because Alexandra 1 had not yet shaped to enter the narrow channel on her final approach. The Supreme Court held that the crossing rules should continue to apply to a “Group 3 waiting vessel, or any vessel approaching the channel intending to enter it, which has yet to shape her course to enter it on her starboard side of it” . Further, there was no reason why the outbound vessel could not comply with both the crossing rules and the narrow channel rules:  – .
At  the Supreme Court concluded on the first question as follows:
“Where an outbound vessel in a narrow channel is crossing with an approaching vessel so as to involve a risk of collision, the crossing rules are not overridden by the narrow channel rules merely because the approaching vessel is intending and preparing to enter the narrow channel. The crossing rules are only overridden if and when the approaching vessel is shaping to enter, adjusting her course so as to reach the entrance on her starboard side of it, on her final approach.”
Apportionment will now be re-determined by Sir Nigel Teare on the basis that the crossing rules applied from about C-23 and that the Alexandra 1 was the give-way vessel.
Simon Rainey QC and Nigel Jacobs QC represented the successful Ever Smart Interests. They were instructed by Ince Gordon Dadds LLP (Christian Dwyer, Sophie Henniker-Major and James Drummond) in consultation with Stann Law Limited (Faz Peermohamed).
On 27 November 2020, the Supreme Court handed down its highly anticipated judgment in Halliburton Company v Chubb Bermuda Insurance Ltd  UKSC 48, unanimously dismissing Halliburton’s appeal. In doing so, it found that, at the relevant time of assessment, a fair-minded observer would not have considered that the circumstances gave rise to reasonable doubts as to the impartiality of the chairman of the tribunal hearing the parties’ dispute arising out of the Deepwater Horizon incident in 2010.
Critics of the decision will undoubtedly focus on the consequences of the court’s view that the “relevant time” was the time of the hearing of the application to remove the chairman under section 24(1)(a) of the Arbitration Act 1996 (the Act), rather than the time of his acceptance of an appointment by Chubb in a separate arbitration – also relating to non-payment by Chubb under an insurance policy related to the Deepwater Horizon incident – around six months after his appointment in the arbitration between Halliburton and Chubb.
However, the decision brings finality to a key issue in the English law of arbitration, namely the existence of a legal duty to disclose an arbitrator’s participation in other arbitrations involving the same subject matter and a common party. In addition, it delivers clarity in relation to certain other aspects of disclosure and arbitral practice more generally – notably including the interaction between the duty of disclosure on the one hand and the obligation of confidentiality on the other, and the application of the English rules on disclosure equally to party-appointed arbitrators and to tribunal chairs.
The Disputes, The Arbitrations, The Appeals
The Deepwater Horizon was an offshore oil and gas drilling rig leased by BP and operated by Transocean at BP’s Macondo Prospect in the Gulf of Mexico. Cementing and well monitoring services were provided by Halliburton. On 20 April 2010, the rig experienced a major blowout in the course of the temporary abandonment and plugging of a well, resulting in the tragic loss of several rig workers’ lives, significant oil spills and environmental damage, and the sinking of the rig on 22 April 2010.
The US Government brought proceedings against BP, Transocean and Halliburton in relation to the damage caused by the incident. A trial to determine liability before the Federal Court for the Eastern District of Louisiana resulted in a judgment on 4 September 2014 apportioning blame in percentage terms as between the three defendants. Halliburton settled certain of the US Government’s claims against it in the amount of US$1.1 billion, but its liability insurer, Chubb, resisted its subsequent insurance claims on the basis that the settlement amount was not reasonable. Accordingly, Halliburton commenced London arbitration proceedings against Chubb under its Bermuda Form policy, resulting in the High Court’s appointment on 12 June 2015 of Mr Kenneth Rokison QC as chair of the tribunal in default of agreement by the two party-appointed arbitrators.
Mr Rokison subsequently accepted an appointment by Chubb in December 2015 in its separate arbitration with Transocean arising out of the same incident following Transocean’s settlement of claims with the US Government; and an appointment in a third arbitration arising out of the same incident between Transocean and another insurer in August 2016.
At the time, Mr Rokison made no disclosure in the arbitration between Halliburton and Chubb of his appointment in the other two references. In November 2016, Halliburton became aware of these appointments and applied to the court pursuant to section 24(1)(a) of the Act to remove him as chair of the tribunal on the grounds of perceived bias. The High Court dismissed the application following a hearing on 12 January 2017 and Halliburton appealed against this decision. The Court of Appeal dismissed Halliburton’s appeal, resulting in Halliburton’s appeal to the Supreme Court.
The Legal Duty To Disclose Multiple Appointments With A Common Party
The issues before the Supreme Court were (i) whether and to what extent an arbitrator may accept appointments in multiple references concerning the same or overlapping subject matter with only one common party without thereby giving rise to an appearance of bias, and (ii) whether and to what extent the arbitrator may do so without disclosure.
Giving the leading judgment, Lord Hodge made clear that in cases of apparent bias such as the present, the court was not concerned “to ‘make windows into men’s souls’ in search of an animus against a party or any other actual bias, whether conscious or unconscious.” Instead, its task was to examine “how things appear objectively”. [Para. 52]
The analysis was done in the context of section 24(1)(a) of the Act which allows for the removal of an arbitrator where “circumstances exist that give rise to justifiable doubts” as to the arbitrator’s impartiality. The court considered that this could be the case “if the arbitrator at and from the date of his or her appointment had such knowledge of undisclosed circumstances as would, unless the parties waived the obligation, render him or her liable to be removed under section 24 of the 1996 Act”. Agreeing with the Court of Appeal, the Supreme Court affirmed that this gave rise to a legal duty to make a disclosure of such matters which would otherwise cause the arbitrator to be in breach of their “statutory obligation of fairness”. In other words, “an arbitrator who knowingly fails to act in a way which fairness requires to the potential detriment of a party is guilty of partiality”. [Para. 78]
The court accepted the submissions of the ICC, LCIA and CIArb who favoured the recognition of such a legal duty in international arbitration proceedings; and those of the GAFTA and the LMAA to the effect that parties who chose to arbitrate their commodities and shipping disputes under those specialist rules understood that the smaller pool of specialist arbitrators involved might well act in multiple arbitrations arising out of the same subject matter, without needing to disclose that fact. Lady Arden reinforced the importance of having clear evidence of a practice of dispensing with parties’ consent for arbitrators to appear in multiple arbitrations: while the English courts might trust arbitrators to decide cases on the basis of the evidence before them and set aside any inequality of arms and material asymmetry of information, this was something that “may not translate easily for the many parties to arbitrations who are familiar with different legal systems”. [Para 164]
Right Place, Wrong Time
The question therefore arose whether participants in Bermuda Form arbitrations would typically expect disclosure of an arbitrator’s involvement in related arbitrations. The court found no evidence of parties acceding to a general practice of non-disclosure, which was also consistent with the fact that Mr Rokison had disclosed to the parties in the other two arbitrations (which arose out of the same subject matter) his role in the arbitration between Halliburton and Chubb. Accordingly, the court found that Mr Rokison’s appointment in the second and third arbitrations should have been disclosed to Halliburton, and his failure to do so was a breach of legal duty which meant that a fair-minded and informed observer may well have concluded that there was a real possibility of bias. [Para 147]
Ultimately this was of little consequence, however, as the court ruled that the relevant time for the determination of possible bias was not when he was appointed in the second reference (December 2015) – but the date of the hearing of the application to remove him as an arbitrator (January 2017).
This, said the court, was because of section 24(1)(a) of the Act’s use of the present tense requiring an examination of whether circumstances “exist” when the issue of an arbitrator’s removal arises for determination by the court. By the time of the removal hearing concerning Mr Rokison, Halliburton had discovered his appointment in the other arbitrations and questioned him about that in correspondence, resulting in him providing an explanation for his failure to disclose – based on an oversight and belief that there would not be material overlap between the different sets of proceedings. Halliburton accepted this explanation as being truthful, and the court was not persuaded that a fair-minded and informed observer assessing the situation at the date of the removal hearing – having the benefit of Mr Rokison’s explanation for his failure to disclose – would infer that there was a real possibility of bias on Mr Rokison’s part. [Para 149]
So, Arbitrators Have A Statutory Duty to Disclose. But What If They Don’t?
In their judgments, both Lord Hodge and Lady Arden recognised the risk of affirming the existence of the legal duty to make a disclosure which might not lead to an arbitrator’s disqualification or removal if not complied with. Lady Arden acknowledged that “There is a concern that the duty of disclosure carries no sanction if an application is made to the court about a non-disclosure by the arbitrator and fails.” But in her view, this missed the point, which was that “it would still be a breach of the terms of appointment with such consequences, if any, as the law of contract prescribes. In addition, a person may commit a breach of contract but incur no liability as a result, and the situation postulated falls into that category.” [Para 169]
Lord Hodge explained how in circumstances of a breach of the legal duty to disclose, an “arbitrator might, depending on the circumstances, face an order to meet some or all of the costs of the unsuccessful challenger or to bear the costs of his or her own defence.” [Para 111] In other words, the failure would amount to a breach of a strictly legal obligation with the usual consequences associated with such a breach – though it would have no bearing on the situation obtaining at the date of a removal hearing and the assessment to be carried out then.
The Supreme Court’s decision may cause disquiet in some quarters, especially amongst those who expect a failure to make a material disclosure to have more significant consequences – notably disqualifying an arbitrator from acting, or continuing to act, altogether. The fact that the disclosable information in this case came to light by chance will only reinforce the sense of arbitrariness that some observers may have in the idea of assessing the issue at some point in time after the disclosure should have been made, but was not. This in turn risks perpetuating any concerns participants in international arbitration proceedings may have as to the willingness and ability of English law to police the conduct of those who decide their disputes and their failure to make material disclosures affecting the fairness of proceedings.
More generally, one cannot help but wonder whether the court’s decision might result in some arbitrators showing less concern for their duty to make disclosures of relevant information in English-seated arbitrations in future. This would be a shame, especially in light of the highly confidential nature of commercial arbitration and the difficulty of obtaining credible information as to the reliability and trustworthiness of arbitrators in advance of appointment as things stand.
However, it is not a given, and we must hope that it will not be the case. Further, we should welcome the fact that the court’s decision brings clarity as to the nature of an arbitrator’s legal duty of disclosure, and how and when the examination of apparent bias will fall to be conducted.
Equally, we should be thankful for the court’s clarification as to the interaction between the duty to disclose involvement in multiple proceedings and any duties of confidentiality owed by that arbitrator to the various parties involved across the disputes. Lady Arden explained that “the implied term as to confidentiality is independent of the implied term that the arbitrator should comply with his impartiality duty. It is truly a self-standing term”. [Para 175.] A customary high-level disclosure made on an anonymised basis will usually suffice to provide a party with the necessary information to enable it to assess whether or not it wishes to object to an arbitrator’s appointment. However, if further information that is confidential is reasonably required by a party to make that assessment and would require another party’s consent in order to be divulged, then “if consent is not forthcoming, the arbitrator will have to decline the proposed appointment”. [Para. 188] It is not hard to appreciate the reasonableness of Lady Arden’s logic: arbitrators are, for better or worse, private judges who undertake paid appointments on a commercial and contractual basis. If a request for consent to provide detailed information is made in the context of “the voluntary decision of the arbitrator to pursue a further appointment” (para. 180) and refused, then that is tough luck for the arbitrator in question who will simply “have to decline the proposed appointment”. (Para. 188).
Finally, we should congratulate the Supreme Court for spelling out in terms that party-appointed arbitrators are subject to precisely the same obligations, and precisely the same standards, as tribunal chairs when it comes to impartiality and considerations of fairness. This point was made in passing in reference to Halliburton’s appointment of Mr William Park as its arbitrator in three references against different insurers in insurance claims arising out of the Deepwater Horizon disaster, without any disclosure; juxtaposed with Mr Park’s statement of “profound disquiet about the arbitration’s fairness” made when the award was rendered in the Halliburton v Chubb arbitration, based on Mr Rokison’s non-disclosure of other appointments (Para. 26). The court was, understandably, unimpressed by the suggestion that a party-appointed arbitrator should be afforded greater leniency in respect of his or her choice of disclosures compared with a chair, since “that is not a distinction which English law would recognise as a basis for a party-appointee avoiding the obligation of disclosure. The disagreement among people involved in international arbitration as to the role of the party-appointed arbitrator is a circumstance which points to the disclosure of such multiple nominations; it does not provide a ground for nondisclosure”. (Para 144). This view echoes the position taken by the courts of other major arbitral centres around the world in relation to the strict disclosure obligations of party-appointed arbitrators (see for example the 25 February 2020 decision of the International Commercial Chamber of the Paris Court of Appeal in Dommo v Barra y Enauta). Moreover, it is hugely reassuring to hear the court reaffirm what all participants in international arbitration proceedings hope and expect to be the case in respect of each and every one of the arbitrators mandated with the resolution of their legal dispute.
The 2Cs, COVID-19 and cyber risks, are two plagues of our generation, both of which command global interest and compete in both print and online media for daily headlines. They also have one thing in common: they are highly misunderstood and mutate ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damage arising directly or indirectly from cyber risks and COVID-19. While governments have made some progress in the fight against COVID-19 through vaccine administration, cyber risks, on the other hand, are mutating at such a rate that it is almost impossible to keep up, and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry. Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centred around the decision of the U.S. District Court for the Northern District of Texas in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company.
BIMCO, in its guidelines on cybersecurity risks onboard ships, describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visit a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company with which the victim usually has, or has had, business relations. The Cyber Security Breaches Survey 2020 reports that phishing attacks are the most common attack vector used by cyber criminals, and that between 2017 and 2020 the proportion of businesses experiencing phishing attacks rose from 72% to 86%, whereas viruses and other malware fell from 33% to 16%. Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and/or other commercial crime policies.
Facts of the RealPage case:
RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.
The payment process involved the following:
A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls to Stripe’s server either through Stripe Dashboard or the On-Site application.
Upon receipt of an API call for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo, to process the ACH transfer, which would pull money from the tenant’s bank account and place those funds in Stripe’s Wells Fargo bank account.
Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.
The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripe’s account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripe’s account: it was not entitled to draw funds and did not receive interest on funds maintained in the account. RealPage’s contracts describe the relationship with Stripe as one of independent contractors. The one exception, where Stripe operates as an agent, is in holding funds that are owed to RealPage.
The hackers used targeted phishing to obtain and alter the account credentials of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe, diverting over $10 million that had not yet been disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed it to reverse the payments and freeze outgoing payments, but was unable to recover over $6 million of the funds. RealPage refunded its clients for the lost funds.
Insurance Policies with National Union and Beazley
At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provided a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy”. Therefore, any recovery under the Excess Policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant:
Ownership of Property; Interests Covered:
The property covered under this policy is limited to property:
(1) That you own or lease; or
(2) That you hold for others whether or not you are legally liable for the loss of such property.
We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Funds Transfer Fraud:
We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.
Insurance Claims and Responses
RealPage claimed for the funds lost under the policy, but National Union was only willing to reimburse the transactional fees owed to RealPage. With respect to the diverted funds that were owed to RealPage’s clients, National Union concluded, based on its preliminary analysis, that RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaratory judgment for the funds fraudulently diverted and lost as a result of the phishing attack.
The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’. In answering this question, the central issue was whether RealPage held these funds despite its use of a third-party processor, Stripe Inc. After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession, though not necessarily ownership, of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy, as it did not hold the funds at the time of the phishing attack, and it therefore decided in National Union and Beazley’s favour, granting them summary judgment.
RealPage argued that the policy was expansive enough to cover property it held. It also reasoned that, since it had the authority to direct Stripe as to where the funds should go, it ‘held’ the funds. The court rejected this line of reasoning, stating that ‘hold’ cannot be reduced to simply the ability to direct but requires some sort of possession of property. Applying the ordinary meaning of ‘hold’, RealPage was not in possession of the funds. The funds were in Stripe’s account at Wells Fargo, not RealPage’s, up to the time they were diverted to the hackers’ account. RealPage’s ability to direct the transfer of the funds did not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account, could not withdraw the funds, and the funds were held in the same account as those of other Stripe users.
RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.
While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.
If a higher court were to approve this judgment and a similar practice were adopted in the UK by insurers, it would be very difficult for assureds who use third-party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers under similar policy wording. Even though the assured’s system was breached when the employee inadvertently shared their confidential account details, and even though the phishing diverted funds belonging to clients of the assured, a policy bearing clauses similar to those set out above would not respond, since the outcome of the claim would depend entirely on the definition of ‘hold’ and on what was considered to be in the possession of the assured, as the policy requires, at the time the funds were fraudulently diverted.
To prevent such a harsh outcome for assureds, it is recommended that assureds negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor. In so doing, the policy wording could be modified to cover not just funds the assured ‘holds or owns’ but also ‘loss of funds for which they have authority to direct’.
Contrast the wording of Section B (Crime) of the Zurich Cyber Policy, discussed below:
We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:
i) assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you
ii) your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions to debit such account and to transfer, pay or deliver funds from such account and which instructions purport to have come from you but which are fraudulently altered, transmitted or issued by a third party or are
In the event that any party other than an insured person enters into an agreement with a third party entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.
The words provided in clause 1a (ii) will cause a different outcome when compared with how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that i) owned or leased by the assured or ii) ‘that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B (Crime), clause 1a (ii) of the Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer…’. The difference with the Zurich policy is that, unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if the funds are either his or those for which he is responsible at law. This is different in RealPage, as the National Union policy will cover property that the assured holds for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.
This latter feature has a similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider, for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning, in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured, as was decided in RealPage. If this interpretation were applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured, since the monies in the account held by Stripe Inc were the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage’s business, there is no logical explanation as to why it cannot be accepted that RealPage was maintaining the account in accordance with the Zurich policy wording. Either way, the ambiguity and the possibility of a trial would be removed if the parties clearly defined and explained what is meant by ‘maintenance of account’.
For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:
1. loss of or damage to Money, Securities or Property resulting directly from
Computer Fraud committed solely by a Third Party; or
2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a
“Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions by a Third Party issued to a Financial Institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without the Insured’s knowledge or consent.
Some crime policies in their definition section provide that a “Transfer Account” means “an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.” Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.
Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module:
Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.
Fund transfer fraud does not include loss due to social engineering fraud.
Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.
Social Engineering Fraud means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:
an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
a written or printed payment instruction obtained by fraudulent impersonation.
In some policies, for example the Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’. It is imperative for assureds to check their cyber insurance and/or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks, as cyber criminals will continue to use these attack vectors to steal from companies.
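As an added illustration (not part of the original post, and not any insurer’s wording or code), the following Python sketch shows how the call-back condition just quoted might be operationalised in an accounts-payable control: the call goes only to the predetermined number held on file, never to a number supplied in the suspect instruction, and every decision is written to a record carrying all elements of the instruction. The payee directory, phone numbers and account identifiers are constructed for the example.

```python
"""
Out-of-band verification of a payment-instruction change, modelled on the
call-back condition quoted above. Added illustration; all payees, numbers
(UK drama-reserved range) and accounts are constructed, not from any real case.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class TransferInstruction:
    """Elements of an incoming instruction to change where a payee is paid."""
    message_id: str
    payee_id: str
    claimed_sender: str        # address the message purports to come from
    new_account: str           # account the message asks us to pay into
    contact_in_message: str    # phone number offered in the message itself


@dataclass
class VerificationRecord:
    """The written record the condition requires: one per decision taken."""
    verified_at: str
    verifier: str
    instruction: Dict[str, str]
    number_called: Optional[str]
    outcome: str
    notes: List[str] = field(default_factory=list)


class TransferVerifier:
    """Confirms instructions only by calling back a predetermined number."""

    def __init__(self, predetermined_numbers: Dict[str, str],
                 place_call: Callable[[str, TransferInstruction], bool]) -> None:
        # payee_id -> number agreed at onboarding; the only numbers ever dialled
        self._numbers = predetermined_numbers
        self._place_call = place_call
        self.records: List[VerificationRecord] = []

    def verify(self, instr: TransferInstruction, verifier: str) -> bool:
        notes: List[str] = []
        number = self._numbers.get(instr.payee_id)
        if number is None:
            return self._record(instr, verifier, None,
                                "REJECTED: no predetermined call-back number on file", notes)
        if instr.contact_in_message and instr.contact_in_message != number:
            # A fresh number inside the message is the classic tell of a
            # diverted payee; note it, but still dial only the number on file.
            notes.append("contact number in message differs from number on file")
        confirmed = self._place_call(number, instr)
        outcome = ("CONFIRMED by call-back" if confirmed
                   else "REJECTED: payee did not confirm the instruction")
        return self._record(instr, verifier, number, outcome, notes)

    def _record(self, instr: TransferInstruction, verifier: str,
                number: Optional[str], outcome: str, notes: List[str]) -> bool:
        self.records.append(VerificationRecord(
            verified_at=datetime.now(timezone.utc).isoformat(),
            verifier=verifier,
            instruction=asdict(instr),   # all elements of the instruction kept
            number_called=number,
            outcome=outcome,
            notes=notes,
        ))
        return outcome.startswith("CONFIRMED")


# Constructed directory of numbers agreed with each payee at onboarding.
PREDETERMINED_NUMBERS = {"vendor-0042": "+44 20 7946 0000"}

# Constructed stand-in for the call: the genuine payee knows only its genuine account.
GENUINE_ACCOUNTS = {"+44 20 7946 0000": "GB00EXMP00000000000001"}


def simulated_call(number: str, instr: TransferInstruction) -> bool:
    return GENUINE_ACCOUNTS.get(number) == instr.new_account


def run_demo() -> TransferVerifier:
    """Runs three constructed instructions through the verifier."""
    v = TransferVerifier(PREDETERMINED_NUMBERS, simulated_call)
    genuine = TransferInstruction("msg-1", "vendor-0042", "ap@vendor.example",
                                  "GB00EXMP00000000000001", "+44 20 7946 0000")
    # Look-alike sender domain, new account and a new "call me here" number.
    spoofed = TransferInstruction("msg-2", "vendor-0042", "ap@vendor-example.com",
                                  "GB00EXMP00000000000999", "+44 20 7946 9999")
    unknown = TransferInstruction("msg-3", "vendor-9999", "ap@newco.example",
                                  "GB00EXMP00000000000123", "+44 20 7946 1111")
    for instr in (genuine, spoofed, unknown):
        v.verify(instr, verifier="ap.clerk")
    return v


if __name__ == "__main__":
    for rec in run_demo().records:
        print(rec.instruction["message_id"], rec.number_called, rec.outcome, rec.notes)
```

Only the first instruction is confirmed; the spoofed one is rejected because the payee, reached on the number on file, does not recognise the new account, and the unknown payee is rejected before any call is placed.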
Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)
In London Arbitration 7/21 a vessel was chartered to carry coal. The owners were given the option to load between 27,000 and 33,000 mt of cargo, and the charterers were bound to provide a safe port/berth at the specified terminal. The owners exercised their option to load 33,000 mt.
Prior to the fixture being concluded the owners had emailed the charterers’ agents at the loading port and had been advised that the maximum draft at the terminal was in excess of 13 m. The agents indicated that the vessel would berth at a specified berth where the vessel would have had no problem in loading 33,000 mt.
The charterers ordered the vessel to load at a different berth, where there was a lower maximum sailing draft, and failed to change the berth nomination. There was a shortfall of 1,590 mt of cargo.
The tribunal held that the owners were entitled to exercise their option as to cargo quantity unfettered, and the charterers were bound to load whatever amount the owners opted for up to 33,000 mt. If, by their choice of berth, the charterers prevented the vessel from loading that quantity, they put themselves in breach of that obligation. By ordering the vessel to a berth where the draft was so limited as to stop the vessel loading 33,000 mt, the charterers frustrated the exercise of the owners’ option. The charterers were liable to the owners in damages for the shortfall in cargo loaded.
On 15 December 2018, while under time charter to Navision the “Mookda Naree” was arrested at Conakry in respect of a claim against sub-sub charterers Cerealis, and remained under arrest for nearly a month. The claim related to an alleged shortage claim against them by SMG in respect of cargo discharged at Conakry from a previous, unrelated vessel. The head charter and the sub-charter were time charters on the Asbatime form with additional clauses. In both cases, additional clause 47 put the ship off hire inter alia upon her being detained or arrested by any legal process, until the time of her release, “unless such … detention or arrest [was] occasioned by any act, omission or default of the Charterers and/or sub-Charterers and/or their servants or their Agents.” Additional clause 86 of the head charter, not included in the sub-charter, provided as follows:
When trading to West African ports Charterers to provide adequate security guards during port stays in these countries to protect the vessel her crew and cargo.
When trading to West African ports Charterers to accept responsibility for cargo claims from third parties in these countries (except those arising from unseaworthiness of vessel) including putting up security, if necessary, to prevent arrest/detention of the vessel or to release the vessel from arrest or detention and vessel to remain on hire.
By cl.43 the Inter-Club Agreement was incorporated into the head charter.
Owners claimed that the vessel never went off-hire and that Navision was liable in damages for breach of cl.86. It was common ground that in the context of both time charters, Cerealis was a “sub-Charterer” within the clause 47 proviso.
The tribunal heard separate references by the sub charterer against the time charterer, and by the time charterer against the owners. They held that the clause 47 proviso applied, so that the vessel was not off hire after 12:00 hrs on 17 December 2018, because by that time her detention under arrest thereafter was occasioned by Cerealis’ failure promptly to deal with or secure SMG’s claim so as to procure her release.
In the head charter reference, the arbitrators held that the second paragraph of cl.86 applied, and was not limited to claims concerning cargo carried under the head charter. Therefore, the vessel was not off-hire for the entire period under arrest.
On appeals by the sub-charterers and time charterers against the awards, Andrew Baker J held, EWHC 558 (Comm) 10.3.21, that the tribunal had correctly concluded that the detention of “Mookda Naree” after 12:00 hrs on 17 December 2018 was occasioned by Cerealis’ failure to act. It ought reasonably to have acted to deal promptly with the claim being made against it by SMG, that being an “act or omission or default of … sub-Charterers” within the meaning of the proviso to clause 47 of both charters. As regards clause 86 of the head charter, which concerned the award of hire up to 12:00 hrs on 17 December 2018, it was clear that clause 86 was intended to create a different regime from that generally applicable by reason of clause 47. The vessel never went off-hire during the period of the arrest.
The arbitrators had erred in their construction of clause 86 and should have said that SMG’s claim, though it related to a cargo that had been carried to a West African port, was not a cargo claim within clause 86 of the charter between the Owner and Navision because it did not concern “Mookda Naree’s” West African trading pursuant to that charter but a different ship altogether. It was therefore not a claim allocated to be Navision’s full responsibility by clause 86, any more than it would have been a claim to be dealt with under the Inter-Club Agreement pursuant to clause 43 in the absence of clause 86. Navision’s appeal against the award in the head charter reference succeeded to the extent that because the arbitrators misconstrued clause 86 they wrongly held that the ship never went off hire, whereas they should have held that when arrested she went off hire under clause 47 until the proviso bit from 12:00 hrs on 17 December 2018. They had also wrongly held that Navision had a liability for damages to be assessed for breach of clause 86.
What happens if an assured fails to disclose to the insurer the fact that special conditions were imposed by another insurer as part of another insurance contract? Could that amount to an actionable non-disclosure under s. 18 of the Marine Insurance Act (MIA) 1906? This was the main issue in Niramax Group Ltd v. Zurich Insurance plc EWHC 535 (Comm). The assured, Niramax, is a company carrying out the business of waste collection and waste recycling from various sites in north-east England. Niramax held a suite of insurance policies with the insurer, Zurich, which provided cover for a variety of risks relating to its plant and machinery. One of these policies was a contractor’s plant policy which provided all risks cover for mobile plant owned by the assured (the Policy). Niramax also held buildings cover separately with a variety of other insurers. One of these insurers was Millennium Insurance. In the process of providing insurance cover for a building owned by Niramax in 2014, a risk survey report was prepared by Millennium which laid out seven risk requirements. One of these requirements was the installation of a fire suppression system at the main recycling facility of Niramax located at Hartlepool. Even though the assured was reminded by Millennium of the need to install the fire suppression system on several occasions, the system was never installed, and as a result special conditions stipulated by the policy came into force on 22 October 2014, increasing the deductible to £250,000 and requiring Niramax to self-insure for thirty-five percent of the balance of any loss.
In December 2014, Niramax renewed its policy with Zurich on the mobile plant. In 2015, Niramax acquired another mobile plant (the Eggersmann plant) and in September 2015, Zurich was persuaded to amend the Policy to extend cover to the newly acquired plant until the renewal date of mid-December 2015. On 4 December 2015, a fire broke out at Niramax’s premises and the Eggersmann plant, along with the other plant, was destroyed. Niramax made a claim under the Policy which, at trial, was valued at around £4.5 million. The majority of the claim related to the loss of the Eggersmann plant, which was valued at around £4.3 million. Zurich refused to pay, stating that it was entitled to avoid the Policy for material non-disclosure and/or misrepresentation. Niramax brought the current proceedings against Zurich.
It was held that the assured’s non-compliance with risk requirements under the buildings policy with Millennium and the imposition of special terms under that policy were material facts which needed to be disclosed under s. 18(1) of the MIA 1906. However, the insurer (Zurich) failed to demonstrate that, if the facts had been fully disclosed, the Policy for the plant (effected in December 2014) would not have been renewed. On the other hand, Zurich was able to demonstrate that, if the facts had been fully disclosed (especially the imposition of special conditions on the assured company (Niramax) by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer, Zurich, was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggersmann plant. The insurer was required to return the premium received for the endorsement. Otherwise, the original Policy stood and the insurer was bound to indemnify Niramax for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.
Two comments are in order. First, it is interesting to see that the trial judge (Mrs Justice Cockerill) found that the original policy stood (i.e. there was no inducement) even though it would not have been written on the same terms (i.e. with a higher premium to reflect the correct multiplier) if full disclosure had been made by the assured. This certainly raises an interesting question going forward on the application of the test of inducement and seems to be at odds with the sentiments expressed by Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group EWCA Civ 1642; Lloyd’s Rep IR 131, at (emphasis added): “In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation, he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of his doing so.”
Second, the contract was obviously concluded before the Insurance Act 2015 (IA) came into force, but it is highly unlikely that the application of the IA 2015 would have led to a different outcome. The materiality test applicable under the IA 2015 (under s. 7(3) of the IA 2015) is practically the same, and there is still a need to prove inducement for actionable non-disclosure under the 2015 Act.
Another cyber-attack, labelled the ‘Microsoft Exchange email hacks’, hits the news. The attack has worryingly been described as a ‘zero-day’ attack: a zero-day vulnerability is one that was unknown to the software vendor, and therefore unpatched, when attackers began exploiting it, so defenders have had ‘zero days’ to prepare for it. Like so many things happening around the world at this point, the race is on to get on top of these attacks, which Microsoft attributes to a state-sponsored hacking group operating from China that it calls Hafnium. The Chinese government denies any involvement. The method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that its system has been compromised and that personal data may have been exposed.
Microsoft announced that the group exploited four zero-day vulnerabilities in on-premises Microsoft Exchange Server, the email and calendar server software used by large corporations and public bodies across the world, including governments and data centres. Where the vulnerabilities were not used, the hackers sometimes used stolen passwords to gain unauthorised access. Having got in, they would take control of the server remotely and steal data from the network. The attack has affected thousands of organisations around the world.
Tom Burt, a Vice President at Microsoft, described in sequence how the attack was carried out:
First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
Second, it would create what’s called a web shell to control the compromised server remotely.
Third, it would use that remote access – run from U.S.-based private servers – to steal data from an organization’s network.
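The web-shell stage is the one a defender can hunt for after the fact, because every command an attacker sends to the shell passes through the server’s own web logs. What follows is an added example, not code from the original post, from Microsoft or from any insurer: a small Python script that reads IIS logs in W3C format from an on-premises Exchange server and flags requests for .aspx pages that should not exist in the directories where web shells are typically dropped, as well as unauthenticated POSTs to .aspx pages that succeed. The sample log lines, the watched directories (/owa/auth/ and /aspnet_client/) and the list of ‘known’ pages are constructed assumptions and must be tuned against a clean install of the Exchange version actually deployed.

```python
"""Hunt for web-shell activity in IIS W3C logs from an on-premises Exchange server.

Added example, not code from the original post or from Microsoft. The log
lines and the directory/file allow-list below are constructed for
illustration and are assumptions to be tuned to your own deployment.
"""
from collections import Counter
from typing import Dict, Iterator, List, Optional

# Constructed sample of an IIS W3C log. Field order is an assumption
# (it is whatever the '#Fields:' header of your real log says).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-03-03 01:12:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 120
2021-03-03 01:12:09 10.0.0.5 POST /owa/auth/x.aspx - 443 - 203.0.113.9 python-requests/2.25 200 35
2021-03-03 01:12:11 10.0.0.5 POST /owa/auth/x.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.25 200 40
2021-03-03 01:15:40 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200 52
2021-03-03 08:03:02 10.0.0.5 GET /owa/ - 443 DOMAIN\\alice 192.168.1.20 Mozilla/5.0 200 88
2021-03-03 08:03:05 10.0.0.5 POST /ecp/default.aspx - 443 DOMAIN\\alice 192.168.1.20 Mozilla/5.0 200 90
2021-03-03 08:10:11 10.0.0.5 POST /owa/auth.owa - 443 - 192.168.1.22 Mozilla/5.0 302 61
"""

# Directories under the Exchange web root that should contain only a fixed set
# of pages; any other .aspx there is a classic web-shell drop location.
# Assumption: build the 'known' sets from a clean install of your own version.
WATCHED_DIRS: Dict[str, set] = {
    "/owa/auth/": {"logon.aspx", "logoff.aspx", "errorfe.aspx"},
    "/aspnet_client/": set(),  # should hold only client script, never .aspx
}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header.

    IIS writes fields space-separated and replaces embedded spaces with '+',
    so splitting on whitespace is safe.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than crash the hunt
        yield dict(zip(fields, values))


def is_suspicious(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record looks like web-shell traffic."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(".aspx"):
        return None
    name = stem.rsplit("/", 1)[-1]
    for prefix, known in WATCHED_DIRS.items():
        if stem.startswith(prefix) and name not in known:
            return f"unexpected .aspx under {prefix}"
    # A shell needs no Exchange login: an anonymous POST that succeeds is odd.
    if (rec.get("cs-method") == "POST" and rec.get("cs-username") == "-"
            and rec.get("sc-status") == "200"):
        return "unauthenticated POST to .aspx returned 200"
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Run the heuristics over a whole log and return the findings in order."""
    findings = []
    for rec in parse_w3c(log_text):
        reason = is_suspicious(rec)
        if reason is None:
            continue
        query = rec.get("cs-uri-query", "-")
        request = f"{rec['cs-method']} {rec['cs-uri-stem']}"
        if query != "-":
            request += f"?{query}"
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "request": request,
            "reason": reason,
        })
    return findings


def clients_by_hits(findings: List[Dict[str, str]]) -> Counter:
    """Rank source addresses by number of suspicious requests."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']}  {f['client']:<14} {f['request']:<45} {f['reason']}")
    print("top sources:", clients_by_hits(results).most_common(3))
```

On the constructed sample the three POSTs from 203.0.113.9 are flagged (two to an unknown page under /owa/auth/, one to an .aspx under /aspnet_client/), while the legitimate logon page, the authenticated ECP request and the non-.aspx auth.owa POST pass. The allow-list approach is deliberately conservative: a hit is a file to go and look at on disk, not proof of compromise, and a clean run does not prove the absence of a shell dropped under a name on the allow-list.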
What is not affected?
The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that is included in commercial Office 365 and Microsoft 365 subscriptions; only on-premises installations of Exchange Server are affected.
In response Microsoft issued security updates for the 2010, 2013, 2016 and 2019 versions of Exchange Server. Patching closes the door but does not evict an intruder who is already inside: a server that was compromised before the update was applied still needs to be checked for web shells and other means of persistence. The UK National Cyber Security Centre (NCSC) and the US and Norwegian governments have already issued warnings and guidance to businesses about the hacks.
But what does this mean for insurers?
This is a further dent in the cyber security efforts of companies and public bodies, and yet another lesson to the insurance market about the potential global and high aggregate loss from a single attack. The incident is another illustration of how susceptible computer systems and servers are to cyber-attacks, and another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities in their systems, whatever their motives may be. So far the impact is widespread, and victims include infectious disease researchers, law firms, higher education institutions, defence contractors and NGOs. The cybersecurity firm Huntress has reported that many of its partners’ servers have been affected, among them small businesses such as small hotels, an ice cream company, senior citizen communities, banks, local government and electricity companies.
In light of the recent business interruption decision of the Supreme Court, it will be interesting to see how many UK companies present claims to their insurers, and how insurers respond to claims from assureds whose businesses have been interrupted by the Exchange email hacks.
There will be gaps and exclusions in business interruption policies which may not provide adequate protection against cyber risks, so it is the assured with a cyber risk policy who will be best protected during and after these attacks.
Applicable cyber insurance clauses and possible response of insurers
Most cyber insurance policies cover data loss and business interruption resulting from a security breach, so that much will not be an issue for assureds with cyber cover. But most cyber policies also contain exclusions which may leave an assured exposed when hacking of this nature (the Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact:
for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;
The inclusion of this, or any clause with similar wording, means the assured may not be covered for the cost of hiring experts to identify or remediate vulnerabilities in its IT systems. On that reading the assured would not be indemnified for the cost of installing the patches recommended by Microsoft, on the basis that these are updates or enhancements taking the computer system beyond the level that existed before the security breach. The assured’s answer would be that applying the vendor’s security update merely brings the system back to the state it ought to have been in, and is in any event the first step in remediating the breach itself rather than an improvement upon the pre-loss position.
We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:
i. any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.
ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.
Third party providers
i. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;
ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.
Could the relationship between Microsoft and its customers fall into the category of ‘other infrastructure provider’, relieving the insurer of liability to the assured? Given that Microsoft provides Microsoft 365 and Azure as services, it would be no surprise to see claims denied on the basis of clauses with the same or similar wording. The assured, however, may resist such a denial on two grounds. First, the vulnerable software here is on-premises Exchange Server, installed and operated on the assured’s own hardware (Exchange Online was not affected), so there was no failure of a service provided by Microsoft at all. Second, applying the ejusdem generis rule, ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and should not extend to software vendors. According to the Cambridge Dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If that definition is accepted by the parties, the insurer’s challenge will be to establish that Microsoft Exchange Server is software needed for a computer system to operate and communicate with other computers; the assured would say that Exchange is an application for email storage and calendaring that sits on top of the operating system and network, rather than part of the infrastructure on which those functions depend.
By contrast, ‘infrastructure or services that are not under the insured organization’s direct operational control’ will give the insurer less difficulty, since that broad wording is apt to exclude losses and expenses from incidents such as the Microsoft Exchange hack. Even here, though, the assured would point out that an on-premises Exchange server is, by definition, under its own direct operational control, which is precisely why it, and not Microsoft, had to apply the patches.
which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;
Since the Microsoft Exchange hacks are believed to have been carried out by Hafnium, a group Microsoft assesses to be state sponsored, an insurer may seek to characterise the group as an agent of the government of China. If that characterisation is made out (and the burden of bringing a loss within an exclusion lies on the insurer, while attributing a cyber-attack to a state is notoriously difficult to prove), assureds whose policies include a government intrusion exclusion may be denied cover for loss or expense arising directly or indirectly from access to or destruction of their computer systems by groups such as Hafnium.
Conclusion and the way forward
As aforementioned, it is early days and the real financial impact, if any, of these attacks is not yet known. What is certain is that hackers, whether state sponsored or not, are using very sophisticated techniques to identify and exploit vulnerabilities in computer servers and networks. Companies and public bodies must therefore continue to invest in employee training and take reasonable steps to manage and mitigate their losses from cyber-attacks, which will unfortunately happen at some point. Among those steps should be the purchase of a cyber insurance policy that addresses the needs of the business, with particular attention paid to the exclusion clauses, to ensure that the assured is adequately protected against the cyber security risks to which it is most directly and indirectly exposed.
While large corporations and government entities may have the requisite IT expertise to hand, the real concern is for small and medium-sized businesses that do not have the resources for a complete check and clean of their systems. Larger corporations should therefore offer their expertise to the small and medium-sized businesses in their supply chains to help them respond to this and other cyber security threats. Since Exchange Online has not been affected, many small and medium-sized businesses may begin to switch to cloud-based email. That does not make them immune from cyber-attack, although it does move the burden of patching the mail server onto the provider.
Tokio Marine, in its Cybersecurity Insurance Policy wording 0417, went as far as to include a list of reasonable steps that an insured should take to avoid or mitigate loss. That list, together with government and industry guidelines, is a good starting point in the fight against cyber-attacks and their debilitating impacts, although some items lag current guidance: the NCSC’s own password guidance, for instance, advises against forcing routine password expiry of the kind required by item f below.
Reasonable steps to avoid Loss
The Insured shall protect its Computer system by:
a. having Virus protection software operating, correctly configured and regularly or automatically updated;
b. updating Computer systems with new protection patches issued by the original system or software manufacturer or supplier;
c. having a fire wall or similar configured device to control access to its Computer system;
d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;
e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;
f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;
g. taking regular back-up copies of any data, file or programme on its Computer system and holding them in a secondary location;
h. having an operational system for logging and monitoring user activity on its Computer system;
i. having remote wipe functionality installed and enabled on all portable devices where such functionality is available.