Marine cyber risk and insurance
Cyber risk is real, and a corporate strategy for managing on-board and on-shore digital risk is higher on corporate agendas than it has ever been. Companies are exposed through hacks, viruses, malware and ransomware, as well as through risks not yet known. Each of these risk categories contains technical sub-categories, and each can affect both shore and vessel operations.
In this advisor we review the work done by the IMO and by BIMCO, and consider tools available for enhancing companies’ digital risk preparedness in the maritime industry. We also review insurance clauses limiting cover for cyber incidents in marine insurance policies and outline available risk transfer solutions both for on-board and on-shore uncovered risks.
Digital risk management
Below we outline what a digital risk management process might look like. It is a cycle rather than a one-off exercise: the findings of each stage feed back into the next round of identification and assessment. The process applies in much the same way across a broad range of organisations in the maritime industry.
Work done by the IMO
The IMO has issued:
- IMO Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems, dated 16th June 2017 and
- IMO Guidelines on Maritime Cyber Risk Management MSC-FAL.1/Circ.3, dated 5th July 2017.
IMO Resolution MSC.428(98) encourages flag state administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (SMS, as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1st January 2021.
IMO Circular MSC-FAL.1/Circ.3 contains high-level recommendations and functional elements for effective maritime cyber risk management. It defines maritime cyber risk as a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised. It defines cyber risk management as the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering the costs and benefits of actions taken to stakeholders.
The circular sets out five functional elements (aligned with the NIST Cybersecurity Framework) in support of an effective cyber risk management strategy: (i) Identify, (ii) Protect, (iii) Detect, (iv) Respond and (v) Recover. Many flag state administrations offer additional resources to help shipowners and other stakeholders prepare for implementation.
Work done by BIMCO
BIMCO has issued the BIMCO Cyber Security Clause 2019.
The clause addresses cyber security risk with standardised wording that can be incorporated in a wide range of maritime contracts. It requires each party to implement and maintain a level of cyber security “appropriate” to its business, and to use reasonable endeavours to ensure that its subcontractors do the same.
If an incident occurs, the affected party must notify the other promptly and share further details within 12 hours. Both parties are under a duty to take reasonable steps to mitigate and/or resolve the incident, and to share relevant information as it becomes available.
The clause does not deal with payment fraud, and does not contain any force majeure provisions, so the parties are not relieved of their other duties under the contract.
A party in breach is liable in damages up to a suggested cap of USD 100,000; the cap does not apply where the breach results from gross negligence or wilful misconduct. The figure can be amended, presumably so that it does not exceed the contracting parties’ common risk tolerance or their available cyber insurance arrangements.
ISO27000 Family of Standards
In seeking a standardised approach to compliance, the ISO27000 family of standards is available to shipowners and other stakeholders in the maritime industry.
They can be used as a tool for raising awareness and embedding compliance for maritime cyber risk management, both on-board and on-shore, and as a tool for certifying an Information Security Management System (ISMS).
An example is ISO27001, which provides a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s ISMS.
Marine insurance gap analysis - Hull & P&I
The commentary made below is made at a high level without review of risk factors that may be specific to you. On request, we can offer greater and customised analysis following a review of your marine insurance policies.
CL380 - Institute Cyber Attack Exclusion Clause
This clause was present in the vast majority of marine Hull insurance contracts until late 2019; most contracts renewing now contain a replacement for it (see LMA5403 below). The clause excludes cover where a cyber attack is merely the trigger for a loss that insurers would otherwise be prepared to cover, e.g. a hack of a vessel’s navigation system leading to a grounding and cargo damage.
The clause excludes cover only where a computer system has been used as a means of inflicting harm, i.e. where there is a cyber attack. It does not deal with, for example, an accidental loss such as a maintenance upgrade that goes wrong. One reason the clause is being discontinued is that it left room for “silent cyber cover” in such situations, which is no longer permitted at Lloyd’s. A policy may afford silent cyber cover if (a) CL380 is not used at all, or (b) CL380 is used but the loss arises from a non-malicious cyber event.
Going forward, the international insurance market, led by Lloyd’s of London, is driving change so that cyber cover and cyber exclusions are stated clearly in every policy. The clauses noted below are some of the replacements for CL380.
LMA5402 - Marine Cyber Exclusion Clause
The clause has been drafted for use across all marine insurance categories including Hull. Cyber loss is excluded, irrespective of whether it is malicious or non-malicious. The language used in the exclusion is broad, and the clause is drafted as a paramount clause.
LMA5403 - Marine Cyber Endorsement
This is the most common cyber exclusion clause that will be used in Hull insurance policies going forward. It excludes malicious cyber loss, in line with LMA5402, but affirms cover for non-malicious cyber loss provided the loss would otherwise be recoverable under the policy.
There is no aggregation wording and no paramount language.
Note, however, the breadth of the exclusion: it applies to loss directly or indirectly caused by, or contributed to by, the use of “any computer” (and similarly broad terms), so a contribution to the loss is enough and direct causation need not be shown. Vessel-specific cyber insurance should be considered where shipowners wish to transfer this significant and growing risk.
Protection & Indemnity insurance
International Group P&I Clubs – There is no express cyber exclusion, but cover is subject to the war risks exclusion when a claim is caused by “any hostile act by or against a belligerent power or any act of terrorism”. For such claims there is a cover buyback automatically in place, referred to as “Supplemental Cover 2004 (Biochemical risks)”, which provides cover of $30m each ship any one occurrence for limited perils arising from risks including “the use or operation, as a means for inflicting harm, of any computer virus”.
Fixed premium insurance market – most policies have a broader exclusion based on CL380, and these are likely to transition to one of the LMA5402 or LMA5403 exclusion variants.
Cover available to members of one of the International Group P&I Clubs is therefore broader.
We emphasise the importance of having a war risks policy with a primary P&I cover extension; otherwise there is a possibility of an uncovered P&I risk, and a resulting unquantified balance-sheet exposure, where a third-party liability arises from a cyber event.
Why transfer risk?
The benefits of cyber insurance
Stakeholders should consider the following:
- Basic on-shore cover is inexpensive to low limits, and a cyber-cover buyback for vessels is not prohibitively expensive.
- Cover is broad, and it gives the assured access to a wide range of pre- and post-event experts who guide the assured through a highly technical and difficult claims investigation and management process.
- Insurance integrates into existing IT processes and existing teams, and complements the organization’s existing response capabilities, if any.
- It supports compliance with IMO’s 2021 cyber requirements (the IMO guidelines list transferring risk as one of the accepted responses to an identified risk), and it responds to claims made against you under BIMCO’s Cyber Security Clause 2019.
- There might be benefits when entering into contracts that involve safekeeping of data in proactively stating that cyber risk management tools are in place (provided there are no confidentiality provisions in the insurance contract).
Exposure for a company's Directors and Board Members
Employees and customers whose data has been stolen, or shareholders whose investments have fallen following a cyber breach, may bring claims against a company’s Directors and Board Members. The exposure is heightened for stock-market listed companies: a falling share price after, for example, the loss of a company’s intellectual property or a data compromise might invite claims.
As regulation evolves and litigation becomes more accessible to claimants, the personal liability of Directors and Board Members poses heightened personal and corporate risk.
A digital risk management strategy, including the availability of cyber insurance, would likely mitigate such exposure.
Cyber insurance and support
With an on-shore cyber insurance policy, assureds get immediate access, at no additional cost, to experienced legal counsel, IT forensic experts, crisis management experts (needed, for example, when dealing with ransomware) and public relations experts equipped to deal specifically with the reputational damage a cyber attack might cause. Such experts can also be integrated within an organisation’s existing structure at the time of an incident.
What is covered - on-shore cyber policy
Cover for third party claims would include:
- Claims resulting from loss or corruption of data;
- Claims resulting from internet or network failure, or from the assured being unable to access its data;
- Notification costs to the assured’s clients, including legal assistance in the event of their data being lost or stolen;
- Identity theft costs, and personal exposure monitoring costs.
Cover for first-party claims would include:
- Data recovery or restoration costs;
- Forensics expert assistance;
- Cyber extortion;
- Public relations consultants costs after a loss;
- Business interruption income / revenue loss as a result of network failure.
What is covered - off-shore cyber policy
The insured perils mirror the relevant part of the CL380, LMA5402 or LMA5403 exclusion as it applies within your Hull or War policy, so that the buyback writes back what the exclusion removes. The policy is annual and renewable, and is managed in much the same way as a traditional Hull or War placement.
For any questions regarding the contents of this Marine Client Advisor or for any other marine insurance enquiries please do get in touch.
Howden Insurance Brokers is not a technical, commercial or legal adviser. Any commentary made in this document should not be construed as such, and we do not guarantee in any way the accuracy of the resources used or referenced in this document. In case of doubt, formal advice should be obtained that is directly relevant to your circumstances.