Graff Diamonds Ltd, a luxury British jeweller, fell victim to a ransomware attack resulting in a ransom payment of US$7.5 million which it sought to recover from its insurers. Insurers denied cover and Graff went on to sue them. We consider the issues and emerging cyber risks in the fine art and specie market in light of the Graff ransomware attack, and provide our recommendations on possible risk mitigation strategies.
Graff Diamonds Ltd ransomware attack
Graff Diamonds Ltd (Graff) was a victim of a ransomware attack in September 2021 by a Russian group called ‘Conti’, which stole sensitive data, including personal client information. Conti threatened to leak sensitive information about Graff’s clients, among them celebrities such as Donald Trump and Oprah Winfrey. A month later, Conti published some of the information it obtained and demanded a ransom payment of US$15 million. Graff then agreed to pay the equivalent of half of this sum in Bitcoin. In November 2021, Graff formally requested an indemnification for its loss, which was not provided by its insurers, Travelers Syndicate Management Ltd (on behalf of all underwriting members of Lloyd’s Syndicate 5000 for the 2019 year of account).
In response, Graff commenced legal proceedings against its insurers for failing to provide policy cover for the US$7.5 million cyber ransom payment, plus US$1.5 million in related costs. Graff argued that the ransom payment fell within the ‘cyber-extortion’ clause of its policy and would therefore be covered. It also sought US$1.5 million in crisis management costs, including those arising from public relations consultants, negotiators, and solicitors.
Even though the claim was discontinued in September 2022 with no details provided with regard to settlement, it is a timely reminder of the growing concern in the insurance market over the rising risks of cyber-attacks. This is evidenced by Lloyd’s recent report, entitled 'Shifting powers: Physical cyber risk in a changing geopolitical landscape', which shows that the number of cyber attacks on critical infrastructure rose from 10 incidents in 2013 to almost 400 incidents in 2020. It is also evidenced by Allianz’s 2022 Risk Barometer, which identified cyber incidents as the biggest business risk in 2022, with ransomware attacks ranking as the top cyber exposure.
New risks for fine art insurers
The Graff case arises at a time when luxury brands are embracing new forms of media promotion and expanding their product and client base to include digital assets. An example of this is Tiffany and Co.’s recent collaboration with CryptoPunk, an NFT collection of 10,000 images or ‘tokens’. The collaboration saw owners of CryptoPunk receiving a pass which gave them the option to not only receive a limited edition customised Tiffany pendant and necklace, but also a digital rendering of the pendant as an NFT. The total price was 30 Ethereum, which, as at the date of writing, converts to about US$50,000.
This opens up a new sub-class of risk which insurers will need to consider and respond to. Artnet News have reported that more than US$100 million worth of NFTs have been stolen in 2021-2022 as scams continue to arise. Elliptic, a London-based blockchain analysis company, suggests that the rate of cybercrimes seems to be increasing.
Future trends in the market
While an increase in cyber attacks can mean increased losses for insurers, the use of emerging technologies, such as blockchain, can also assist in reducing risk in the fine art and specie market.
Disruptive companies such as Everledger are exploring the way in which markets can utilise blockchain in order to authenticate the chain of ownership. NFTs by their very nature are a ledger which records a chain of ownership. A number of luxury watch manufacturers are also exploring the use of blockchain technology to record ownership and authenticity. Breitling and Vacheron Constantin were among the first luxury watchmakers to offer digital passports on the blockchain; the former providing each watch with its own NFT and the latter a similar digital certificate which works with a QR code.
As implemented by some of the big players in the luxury watch industry, this method would provide a secure record of the ownership chain of an item. This would not only ensure the appropriate provenance and ownership of high value items, but may also reduce the risk of inauthentic items circulating on the marketplace.
This is of particular relevance to the fine art and specie market and may be used in a way which could see a reduction of the risk of claims made in respect of authenticity and ownership of luxury items. Insurers will, however, need to give further consideration to protecting the owner’s privacy should they wish to protect their identity.