What can maritime insurers learn from cyber liability insurers?

11/05/2018

I first got involved in cyber liability insurance back in 2011. An underwriter who had seen me speak at a conference contacted me for advice on a new 'cyber' product they were planning to launch. What I discovered about the nascent industry shocked me:

  • premiums set with no understanding of the risk involved
  • markets exposed to systemic losses that they had no understanding of
  • proposal ('prop') form questions that would reveal nothing about actual risk
  • policy wordings that were train wrecks
  • policies designed to address irrelevant loss scenarios, based more on press hype around data breaches than on actual incidents.

So I spent the next three years delivering more than one seminar a month to insurers on hacking risk, simple risk assessment and trivial mitigation steps in the cyber space. I spent far too long at numerous venues in and around the Lloyd's building, though the lunches were good!

Clause 380 (CL380, the Institute Cyber Attack Exclusion Clause) has been used for many years to exclude losses caused by cyber attack from marine policies. However, as the number of cyber incidents and wider awareness increase, CL380 buy-backs are emerging, an example being the Norwegian Hull Club.

Maritime insurers need to address cyber risk assessment properly, or difficult situations for insurers and insureds alike will undoubtedly emerge.

In the end, I boiled basic risk assessment for cyber insurance down to three simple questions:

Patches, passwords and people

Very similar principles apply to shipping cyber security. So here's how you might use them to qualify risk, though it's very important HOW you phrase each question:

If you give the client's risk manager a prop form about cyber, they'll pass it to their IT guy, who doesn't want to admit to less than ideal security. So they tick 'yes' to everything to avoid awkward internal questions.

Result: your insured has potentially answered in a misleading manner, which makes for an awkward claim when the misstatement comes to light.

Patches

A common question in cyber liability prop forms is 'Do you keep your systems up to date with security patches?' Many IT staff will simply answer 'yes'.

Keeping security patches up to date matters: an unpatched system carries known vulnerabilities, often with exploit code publicly available, so it is far easier to hack.

Instead, ask a more probing question: "Which of your systems DON'T you keep patched up to date and why not?"

That way, you make the client think more carefully about the question. There will be old systems that aren't supported any more, and critical systems that crashed the last time they were patched and so aren't touched in order to keep them running.

Using this question you will uncover far more about the client's approach to security and their understanding of the risk to their business.

It's perfectly acceptable to have old, unpatched systems in use at a business, but it's essential to build additional layers of security around them: segregate them on the network, restrict who and what can reach them, and monitor them closely. Ask what those layers are.

Passwords

If you ask 'Do you ensure that all passwords are complex and changed regularly?' then you'll get a 'yes'.

The IT guy is thinking 'our user passwords are good', but they're not thinking about the other places passwords live: service accounts, administrative interfaces, network devices and onboard equipment.

Instead, ask "which of your passwords on your systems are blank, default, simple or re-used?"

Then you might find out that their key customer database is exposed to the public internet with a default password! Not an ideal risk...

People

If you ask 'Do you have security awareness training?' you'll get a bland response. Maybe the client just has a short annual briefing, or one at induction. That's not much help.

Instead, ask "How do you evaluate the security awareness of your staff?"

Now you can have a meaningful conversation about how they train, how they test, and how appropriate their awareness courses are to the people taking them.

For example, a generic online awareness package is fine for office staff, but not for seafarers. Be Cyber Aware at Sea would be much more appropriate for mariners.

Finally, find out whether they actually TEST their staff, for example with simulated phishing, to see if they fall for online scams.

It's about how you ask the question, that's all.

Future loss scenarios

I've been looking around the insurance market to try to find an offer that addresses shipping cyber risks.

I still haven't found one, which suggests to me that there is a significant opportunity here.

There are several policies targeted at shipping, but they appear to be structured around general cyber policies and don't address shipping specifically.

They cover generic cyber issues such as business email compromise, not shipping-specific cyber-related business interruption (BI) such as a hack of a navigation system.

Systemic loss cases

Finally, insurers should be careful not to unintentionally insure systemic issues, where one flaw or one supplier is common to many insureds. Examples might include:

  • A large fleet fitted with the same satellite communications terminal, all running out-of-date, vulnerable software. Hack one, hack them all, and stop the whole fleet from operating
  • A fleet with identical ECDIS units, all with the same flaw. Hack the electronic charts, stop the vessels moving
  • Take out an electronic chart provider; no updates can be issued, so no vessels move
  • Cripple a smart port; no containers move
  • Jam or misreport AIS data around a busy shipping lane

Whilst we haven't seen evidence of systemic cyber security issues in the maritime sector yet, it is simply a matter of time.

Bear in mind that the Maersk incident wasn't a targeted hack; they were collateral damage from NotPetya, a cyber campaign between nation states.

If a $300M charge can result from collateral damage, what damage could be caused from a genuinely targeted attack?

Conclusion

Don't inadvertently insure cyber security incidents in shipping without fully understanding the risks involved.

However, to my mind there is a significant opportunity in the market to help shipping organisations manage their cyber exposure through insurance.

Ask probing questions of your insureds and bring in expertise as required.

Read more: https://www.pentestpartners.com/security-blog/what-can-maritime-insurers-learn-from-cyber-liability-insurers/