Cyber security challenge continues for insurers

Lloyd’s CEO Inga Beale. Credit: Lloyd's
Lloyd’s CEO Inga Beale. Credit: Lloyd's

As the threat of cyber risk dominates much of the risk agenda, marine insurers are struggling with an inability to sell cover for attacks.

For insurers as a whole the demand for cyber coverage from business continues to rise but it is not being mirrored by the maritime sector.

Lloyd’s CEO Inga Beale, speaking at a summit in London this week, told IHS IHS Markit, “The estimate is that the current value of cyber insurance premiums is USD2 billion and of that figure 90% is in the US market.

“There is a way to go with other parts of the world, but we believe that it is becoming a bigger part of the board agenda for companies.

“There is a view that some companies are over-confident about the chances of falling victim to cyber-attack or believe they are already covered within their existing policies.”

It is clear that there are risks for the maritime market. Broker Marsh has issued a report for port and terminal operators on the threat of ‘black swan’ events and cyber-attack is seen to be high on the list of such threats.

Nick May (pictured), vice president at Marsh’s Global Marine Practice, told IHS IHS Markit the firm is discussing the issue of cyber attacks.

“We have numerous discussions with clients in the threat of major emerging risks such as cyber [attacks], and there are those who say not only are they aware of the issue but they have security in place.

“Cyber cover has been the biggest growth area for Marsh in the UK, for instance, with an 80% increase over the past five years. Following recent high-profile events, I think clients are looking at the issue a bit more; it is certainly on more firms’ radars.”

Internally marine insurers are struggling with several issues when it comes to cyber cover for marine clients.

The current situation is that there is cyber cover within the majority of hull and liability contracts but that cover specifically excludes cyber attacks.

As Neil Roberts, head of marine and aviation at the Lloyd’s Market Association, explained, “The issue for the underwriters is there remains very little data in which the risk can be modelled and therefore accurately priced.

“The moves to make the reporting of a cyber attack mandatory in the US and Europe will be a positive step but underwriters need to know who has been attacked, how often, and the level of liability.”

A consortium of London insurers, led by a Lloyd’s syndicate, created and continue to market a marine cyber-attack product; however, reports are that the take-up has been disappointing.

“The reasons behind the lack of take-up are not really clear,” said one London market broker. “It may be that owners do not think there is a risk, owners think they are covered, or that, in the current climate, they are not prepared to pay for the cover given the pressure on revenues and the need to reduce costs.”

However, the threat to the marine and energy market remains real. The most high-profile attack in recent years was in 2012 when energy firm Saudi Aramco suffered an attack via the Shamoon virus, which destroyed the hard drives of 30,000 of its computers.

While the firm could still produce oil its internal systems were significantly impaired and its efforts to replace the hard drives were affected by the floods that hit the computer chip manufacturing capability in Thailand in the months before. It was six months before the company had fully restored the affected machines and systems.

“Firms have to ask themselves if they could survive a major disruption of that period,” added Roberts.

While fears remain that criminals or terrorists could seek to hack into a vessel’s navigation system in an effort to take control of the vessel, the risk of a systemic attack is not seen as highly likely.

Experts believe that to do so would take a piece of malware being placed in a vessel’s computer system prior to installation that could then be activated at a given time.

One London underwriter added, “If a ship ran aground because of crew negligence it has run aground and physical damage has resulted. If a piece of technology was impacted and a vessel ran aground the vessel has suffered the damage, it has still run aground and it would be unlikely that the insurer would not pay the claim.

“I think the biggest issue at present is that we need a framework to understand just what risks we are talking about and that can then be communicated to the client.

“Marine insurance policies and contracts were not designed in the modern communication age.”

Have you been a victim of cyber crime? Take the IHS IHS Markit/BIMCO survey