The end of silent cyber
As we move towards 2021, the level of cyber awareness amongst the maritime community is increasing rapidly. There has been a marked change in attitude over the last few years, particularly since the well-publicised Maersk cyber-attack of 2017, which was a wakeup call to an industry who often thought cyber was a problem that might disappear.
We all now know that there are many more incidents occurring in this sector than are reported and that the underreporting of cyber crime is leading to a false sense of security (see page six of the September edition of Phish and Ships). To illustrate this, BIMCO offered seven examples of verified cyber incidents that have occurred onboard vessels within their guidelines to highlight a few of the problems shipowners have faced to date (see version 3.0 of the Guidelines on Cyber Security onboard ships). With anonymous reporting platforms such as the CSO Alliance, it will not be long before we start to understand the true scale of the problem.
It is now a widely accepted view that the industry has moved from an 'if-it-happens' to a 'when-it-hap-pens' approach, which means the demand for insurance to provide certainty around cyber coverage has intensified. Shipowners are becoming increasingly dissatisfied that their Hull and Machinery (H&M) insurance policies are excluding physical damage to their vessels caused by cyber, due to the CL380 exclusion. Occasionally, where no CL380 exclusion exists on the policy, shipowners face the uncertainty of "silent cyber" - no affirmative cover is given, but cover is not specifically excluded, either. So, shipowners are crossing their fingers and hoping that either their insurers decide to pay, despite cyber not being included as a peril, or that a court would rule in their favor should their vessel have an incident caused by cyber. This lack of certainty is something that Lloyd's of London and the Prudential Regulation Authority (PRA) have now addressed.
From 1st January 2020, Lloyd's will require insurers to provide certainty on whether cyber coverage is provided. This means that it must be absolutely excluded from H&M policies or affirmatively included. No more silent cyber! This removes the ambiguity that currently exists about cyber and ensures that insureds know exactly what is covered.
When the new Lloyd's rules come into force, ship-owners have several options if they are concerned about their exposure to cyber perils. If cyber is excluded from their H&M policies, cyber coverage can be bought from various specialist insurance providers. If cyber is included in their H&M policies, shipowners still have several concerns to think about. Is the cover sub-limited? Is loss of hire covered after a cyber event? What happens if a vessel cannot navigate due to a cyber event causing loss of income i.e. business interruption costs? Is the cover for malicious attacks only? What if the corporate network is affected - would that be covered? What happens in the event of a cyber incident/breach - are there breach response services who will know how to respond? All of these scenarios are insurable, but cover is unlikely to be available under a standard H&M policy.
To purchase cover for concerns such as those listed above, you will need a standalone maritime cyber policy which can cover everything from breach response, business interruption, loss of hire, physical damage to vessels, system restoration and more. If this is an area of concern for you, your insurance broker should be able to advise.
Article by Georgie Furness-Smith - Cyber insurance underwriter at Axis Article by Georgie Furness-Smith - Cyber insurance underwriter at Axis
Source: Phish&Ships Magazine #30 -November 2019