The growing awareness of the marine market to the threat of cyber risk needs to be matched with a more concerted approach to risk management.
Last year’s attack on Maersk, which has been estimated as costing USD400 million and affecting some 45,000 computers has focused the minds of many in the sector but the insurers believe there have been many more smaller attacks that have gone unreported, or more alarmingly, undiscovered.
There is little doubt that the maritime market is recognising the threat that the increased use of technology, both on shore and on board is creating and they are looking to the insurance sector to provide solutions.
“Cyber is also a concern,” said the chair of the Cargo Committee of the International Union of Marine Insurance. “Most policies remain silent on cyber issues, but the recent Maersk NotPetya attack highlights potential exposures and consequences.
Policies that raise the greatest potential risks include Freight Forward Liability cover such as NVOCC Legal Liability, Indirect Air Carrier Liability, and Errors and Omissions.”
Neil Roberts, head of marine underwriting at the Lloyd’s Market Association said, “In marine, there is some elevation in client awareness, possibly heightened by security firms in the press. There is, however, generally low demand in the physical damage world and that gets lower if a premium is required. In the quite separate data loss market, there is strong demand.
“The Prudential Regulatory Authority [PRA – the United Kingdom’s commercial insurance regulator] has asked some open questions about clarity and exposure and the market is particularly aware that the silent coverage (ie accidental and inherent cover) clients have is being viewed as non-affirmative by the PRA who wants it identified, quantified, and managed. Answers on clarity in relation to causation can really only be theoretical as there have been few, if any, physical damage incidents.
Dennis Culligan of marine and energy insurance advisor, Longdown EIC, warns the marine market and its insurers need to work together to reduce risks and create workable insurance solutions.
“The cyber insurance market is developing but playing catch up,” he said. “Can insurers assess aggregate exposure for a risk that is not geographically limited?”
“The problem is that the top five global hackers are all ‘unknown’. Still unanswered to any great degree is how can a cyber attack be defined for insurance purposes?”
Culligan said the industry has yet to define what constitutes a cyber attack and with it whether cyber insurance a separate product or just a write-back of existing policy exclusions such as war, sabotage, and terrorism.
He said it is clear that the increasing interconnectedness of operational technology and IT via artificial intelligence or machine learning is increasing the level of cyber risk.
“Experts say there are only two types of companies,” said Culligan. “Those that have been hacked and know it and those that don’t know it yet.”
He said companies should be spending more time on cyber risk management including doing scenario testing and regular BCP updates.
Culligan said marine firms need to pay greater attention to the physical control of access to networks by staff and third parties.
“The number of administrators should be carefully monitored and kept to a minimum.”
Insurers for their part are looking to provide solutions and currently there are cyber products available. However, the lack of historical claims data and the changing dynamics of cyber risk have seen underwriters reluctant to provide cover at levels that would meet the needs of the global marine sector and its assets.
Therefore, brokers are having to look to create layered insurance programmes across a range of insurers and with it a range of cyber covers and exclusions absent a definition across the insurance industry as to what constitutes a cyber risk.
One leading marine underwriter told IHS Markit, “The issue remains that if a ship runs aground, the hull and P&I insurers will meet the physical and liability obligations. The vessel may have seen its control systems taken over by an external hacker but the result of physical damage to the vessel or the discharge of a pollutant will elicit a response from the market.”