Human factor remains critical in cyber-security insurance policies

People remain the top cyber-security risk in shipping, according to IUMI

While insurers are willing to examine the coverage of marine cyber risks, it must go hand-in-hand with robust cyber risk management.

Delegates at an event hosted by the International Union of Marine Insurance (IUMI) and law firm HFW in London on 1 March were told that the biggest threat to cyber security remains the human element.

Aron Sørensen, head of maritime technology and regulation at Bimco, said the association was already working on a cyber-contract clause in an effort to drive greater certainty.

“People represent the biggest risk,” he said. “They are either unaware or untrained. When you leave your home in the morning you do not leave the key in the front door inviting people in to steal your television. Unfortunately, we see it when we go on board vessels and find passwords to computers left on notes next to them.”

He added that Bimco has issued a definition of cyber-risk management, which includes the fact that shipowners need to ensure they are mitigating risk to an “acceptable level”.

“You have to take the cost of the steps you are taking to ensure cyber resilience and put that against the benefit that cost is delivering,” he added. “You can pay a fortune to put in place steps that are not applicable. We believe you cannot totally protect yourself against cyber threats.”

He added that recent high-profile attacks, such as that against the computer systems at Maersk, highlighted the need for vigilance and preparation for when the worst happens.

“Shipowners, ports, and agents are being attacked every day. Maersk showed the importance of getting your systems back up and running. Those preparations have to include the CEO and the board because they cost money.”

Lars Lange, secretary-general of IUMI, said the market would always be playing catch-up with the evolution of technology both onshore and onboard.

“I have long said that cyber risk is a moving target,” he explained. “As insurers we do our homework until the next step in digitisation and technologic innovation occurs and we have to start all over again. We have to ensure that our clients are cyber resilient.

“For insurers we have to get an opinion on whether we understand our clients’ risks. We [need to] understand who understands the risks, and who runs the risk management. If it is done well, then we can offer an insurance cover to mitigate all or part of the risk.”