The application of AI, as a part of any insurer’s innovative IT infrastructure, is not new. After more than a decade of intelligent systems deployment, the 2018 report by the House of Lords Select Committee on Artificial Intelligence — then chaired by Lord Clement-Jones — titled AI in the UK: Ready, Willing and Able? discussed many regulatory options concerning AI’s increasing commercial use, competitive value and possible risks.

It is in that context that the Bermuda Monetary Authority’s recent report concerning that sector’s use of “artificial intelligence” and “machine-learning” technology in Bermuda is particularly informative.

That report, based on the BMA’s late-2021 survey of Bermuda insurers, provides many valuable and informative insights — both concerning the use of AI in that sector and the BMA’s indications as to the future of AI regulation in Bermuda.

As for the current and future use of AI by Bermuda’s insurers, 38 per cent of all respondents reported they currently use some form of AI in their operations. As well, 23 per cent of insurers reported that they plan to adopt AI solutions within the next five years, thus indicating that within five years the majority of Bermuda insurers will use AI.

The AI use numbers are even more impressive among the larger insurance enterprises, defined in the report as “insurance groups”.

Sixty-eight per cent of those respondents, all of whom have international affiliates, reported that they use AI.

Of particular interest to boards of directors, insurance executives and their legal advisers are four categories of survey response that the BMA reviews in the report.

First, six out of eight of the top concerns insurers expressed about managing the risk and operational quality of AI solutions identified AI’s explainability, auditability, modelling challenges, security, consistency of output and execution challenges.

However, insurers must remember that where AI is deployed, all of those legitimate operational concerns are routinely addressed in the course of commercially contracting for those projects.

To successfully manage those risks, well-drafted AI development and service contracts pervasively stipulate the operational specifications, security features, functional service levels, and acceptance testing requirements that are required before any intelligent system is permitted to go live.

Second, most respondents indicated that their AI systems are either provided by third-party service providers or procured as third-party, off-the-shelf systems.

In that regard, all of the usual commercial, risk allocation and other contract terms that apply to the procurement of all IT goods and services from third parties, including outsourcing transactions, are equally applicable to intelligent systems and service contracts, including AI.

Third, a few revealing responses arose concerning AI corporate governance when the BMA asked “what governance and control measures are currently in place”.

Although 26 out of 30 respondents indicated “senior management” has accountability at the business unit level, only ten respondents (33 per cent) indicated that AI systems were governed at the board level.

Although the steep trend of governance best practice is to ensure that all material IT systems and services (including contracts) receive direct board oversight, I expect that board governance over AI use will organically increase as AI systems become more material to insurers.

Fourth, when the BMA asked insurers what their concerns are when considering the adoption of AI systems, both “regulatory compliance” (seventh) and “legal liability” (eighth) were among the top nine answers.

However, most of the same challenges that insurers address at present to govern their existing IT infrastructure, including security, are applicable to AI systems. Where AI solutions are secured as third-party services, regulatory compliance and legal liability can be addressed in well-drafted AI service contracts, including all privacy, outsourcing and cyber security requirements.

Remember, the use of AI systems can also reduce legal liabilities. For example, many AI systems are being used for internal analytics, modelling, decision tree formation, outcome predictability and risk management, and are not used for business-to-business or consumer applications, which tend to carry the greatest third-party liability risk.

As well, where “big data” AI applications are used for complex modelling and advanced analytics, the aggregated data used is often anonymised, thus avoiding any privacy liability risk.

Where bespoke AI solutions provide distinct competitive advantages, enterprises often use those AI systems “within the castle walls” and possibly without web access, thus reducing operational cyber risk.

The BMA’s AI survey report also provides a generous indication of how the BMA may regulate the use of AI by Bermuda’s insurers in the future, including:

  • The governance of AI use should now be proportionally considered within the existing frameworks of governance, risk management and business conduct
  • The BMA will likely expand its Operational Cyber Security Code of Conduct to include specific guidelines for the use of AI
  • The BMA will likely strengthen its oversight of outsourced services where those third-party service providers use AI

I expect that the BMA’s very thoughtful approach to assessing the unique capabilities, risks and governance requirements associated with AI’s increasing use among Bermuda’s insurers will be well received.

When I spoke at an AI Business & Law conference with Lord Clement-Jones in 2019, he reiterated one of his Select Committee’s AI recommendations, which the BMA is living up to: “We believe that existing sector-specific regulators are best to consider the impact on their sectors of any (AI regulation) which may be needed.”

First published in The Royal Gazette, Legally Speaking, December 2022

Share
Twitter LinkedIn Email Save as PDF
More Publications
25 Jan 2023

Chambers Insurance & Reinsurance Guide 2023: Bermuda

This guide provides the latest information on sources of insurance and reinsurance law, overseas-bas...

23 Jan 2023

Sponsored Dependants; How and Where Can They Work?

If a person arrives on the island under a work permit with their spouse or partner who is a sponsore...

19 Jan 2023

Applications expected under the Investment Business Act

Persons who must comply with the requirements of the amended Investment Business Act 2003 should con...

4 Jan 2023

Artemis Q4 2022 Catastrophe Bond and ILS Market Report

Fresh capital will enter the insurance linked securities (ILS) market, but while catastrophe bond de...

19 Dec 2022

Bermuda Insolvency and Restructuring Law Update

Bermuda’s insolvency and restructuring landscape is distinct in a number of ways. In this article...

9 Dec 2022

Americas Restructuring Review 2023

This article discusses the defining features of Bermuda’s insolvency landscape and the primary ins...

5 Dec 2022

Business Crime and Investigations in Bermuda: Overview

A Q&A guide to business crime and investigations in Bermuda.

24 Nov 2022

Information Technology, Outsourcing, Privacy & Data Protection

All aspects of Bermuda's economy rely on information technology and data processing - an essential i...

Contributors: Duncan Card
22 Nov 2022

A Look Back on 2022 and What to Expect for 2023

As we approach the end of 2022, we are able to look back and say with certainty that the arena of la...

14 Nov 2022

When will the court enforce a promise?

As we all know, promises are made and broken all the time. What, if anything, can the law do to assi...