Cyber insurance struggles to find purchase (source: Lloyd’s List)

Insurers are excluding cyber from traditional policies, while shipowners’ reluctance to pay up limits how much capacity they will devote to maritime

Uptake of marine cyber insurance is at an impasse, with specialist cover available but too few shipowners willing to buy it. Parallels with piracy insurance offer hints as to how the deadlock may be broken

“SUCCESS breeds complacency. Complacency breeds failure. Only the paranoid survive.” So said Andy Grove, the founder of chipmaker Intel.

His words were cited to help explain why shipowners are reluctant to buy insurance against cyberattacks, which are becoming one of the industry’s biggest security threats.

“They measure success by the fact that they haven’t been hit yet,” says Thomas Brown, founder of Shoreline, a cyber insurer based in Bermuda. “That gives a false sense of security and a degree of complacency. And the reality is, only the paranoid among them will survive.”

Cybersecurity has shot up the industry agenda after attacks on big players like Maersk, CMA CGM, HMM and the International Maritime Organization.

The IMO has adopted a resolution requiring companies to demonstrate that cybersecurity is an integral part of their safety management system no later than their next annual Document of Compliance check.

Yet the marine insurance industry, geared towards dealing with property damage, has yet to come to terms with new challenges.

“We’re not yet seeing casualties at sea being caused by cyber events, though that is clearly only a matter of time,” says Alex Kemp, a partner at shipping law firm HFW.

“From an underwriter’s point of view, how do we know what risk we are writing? We’ve got no historical losses to go back and look at; we’ve got no idea how this is yet going to propagate.

“We’re in the middle of an evolving situation and not a mature one.”

Underwriters are increasingly reluctant to write cyber risk and specialist firms are taking over coverage from P&I clubs.

New exclusion clauses have emerged as insurers try to avoid overexposure to cyber risk. The exclusions try to sort “malicious” attacks from “non-malicious” events connected to cyber.

The risk of “silent cyber” — ambiguity over what is covered or excluded in a policy — remains a persistent problem. It is hard to determine what is covered, and whether attacks are “malicious”, when potential attackers range from bored teenagers to organised criminals, terrorists and nation states.

In the US, food conglomerate Mondelez and chemical company Merck are fighting their insurers in the courts over whether their losses from the 2017 NotPetya cyberattack, which also hit Maersk, were subject to exclusions for “a hostile or warlike action” by a government or sovereign power.

The cases will have implications for cyberattacks blamed on Russia, as NotPetya is by the US and UK.

HFW says while some underwriters are willing to write non-malicious risks using Lloyd’s LMA 5403 exclusion clause, they have no such appetite for cyber war/terrorism risks.

It says this pinch point between cyber, war and terrorism is “both the area most likely to give rise to claims, and the area that the market seems to have the least appetite to cover”.

There are also worries that treaty reinsurers will insist upon including the LMA 5403 non-malicious cyber exclusion within the group reinsurance contract at the International Group of P&I Clubs’ next renewal round in February.

Capt Brown says if this happens, P&I club managers will lose their back-to-back cover and may need to revise their own rules to limit their exposure.

There are questions about how this would affect the CLC Convention on preventing oil pollution, and clubs’ ability to issue blue cards as passports to trade.

Robert Dorey, chief executive of Astaara, a cyber insurer backed by the West of England P&I Club, says underwriters rely on their own cyber experts to gauge their appetite for risk, so there is significant disagreement about what constitutes good risk versus bad.

A lead underwriter with an appetite for cyber may struggle to find following underwriters or reinsurers to provide the client with the cover they need.

“This means that assureds are left with three basic choices: go uninsured and hope for the best; buy basic minimum cover to box tick without really understanding the limits of what they are buying; or invest in buying specialist insurance, which will usually include consultancy services and specialist risk assessment,” Mr Dorey says.

Capt Brown says the industry is at an impasse, unable to bridge the gap between what insurers want to charge for cover and what shipowners will pay for it.

This, in turn, discourages cyber insurers from devoting their capital to the marine market when they could get better returns elsewhere in less complex industries.

Cyber victims seldom report attacks out of fear for their reputations, so there is not enough data to understand the threat.

The Royal United Services Institute, a think tank, has said insurers’ inability to collect and analyse reliable cyber data is “a potentially insurmountable challenge”.

Julian Clark, senior partner at law firm Ince, calls the situation a “perfect storm”, with lack of demand by reluctant shipowners on one hand, and tightening supply and increasing cyber restrictions on the other.

He says ships will become more vulnerable to hacking, and the potential costs of attacks will rise as ships and their operational technology (OT) are increasingly connected to the internet.

While the grounding of the Ever Given (IMO: 9811000) in the Suez Canal was not cyber-related, Mr Clark warns it “very easily could have been”.

“A couple of minutes’ attack on the OT system, on the steering of that ship, could have created exactly the same incident that we saw — and look at the level of cost and disruption that that’s caused,” he says.

Mr Clark adds: “I fear that it will take a Maersk Alabama-type situation for people to actually sit up and recognise just how scary this can be.”

Kidnap and ransom insurance

The growth of kidnap and ransom insurance offers a glimpse of how the cyber impasse will be broken.

Incidents like the 2009 hijacking of Maersk Alabama (IMO: 9164263) off Somalia, which inspired the film Captain Phillips, highlighted the threat to seafarers’ lives and drove home the need for specialist K&R cover.

Insurers gave their clients access to crisis and PR managers, security teams and hostage negotiators to quickly jump into action when ships were attacked.

An expert industry sprang up to protect ships and international efforts suppressed the Somali threat.

Today in West Africa, where almost all marine kidnappings happen, the system for paying ransoms and releasing crew is well established. Captivity can be traumatic, but crew are mostly returned safe within one or two months.

It can be hard to determine whether ransom payments fall under P&I, hull or war risks, since unlike in Somalia, pirates grab only the crew, leaving the ship and cargo mostly untouched.

Like cyber, there is also a big gap between the best- and worst-prepared shipowners when it comes to security.

However, the K&R market is mature enough for specialist cover to be a no-brainer for ships operating in dangerous areas.

“Piracy premiums have reached the sort of levels where they’re so low now, and the coverage is so multifunctional, it really is the complete solution,” says Jonathan Gregory, global head of crisis solutions at AIG.

Mr Gregory says market acceptance of the need for specialist cyber cover is likewise inevitable, given the complexity and potential cost of that threat.

“The solution exists for shipowners; they’ve just got to go out and willingly buy that solution,” he said, adding: “If any shipowner is not aware of this issue, I’d be amazed.”

Capt Brown says cyberattacks do not threaten lives as traditional pirates do, so it is hard to compare the threats directly.

However, cybercriminals can be more disruptive to a company’s operations, while facing none of the physical limits on the damage they can do.

Securing shipping against cybercrime will be much harder than putting armed guards on board ships in the Gulf of Aden, or using security escorts in the Gulf of Guinea.

“The problem with cyber risk is the ephemerality, because you just release ransomware and you can send it in a wave across the world,” Capt Brown says.

He adds the industry will eventually follow the lead of the well-run shipping companies taking cyber seriously — but there is a long way to go.

“We’re still in that sort of no-man’s land, where things are beginning to change, but we’re not really seeing the outcomes of those changes as yet.”