While speaking at the recent SAFETY4SEA Cyber Masterclass, Mr. Colin Gillespie, Deputy Director (Loss Prevention), The North of England P&I Club, highlighted that the risk of cyber-attacks is a continuing and evolving threat across all industries and sectors. Shipping companies are no exception. The IMO has recognized the business and operational risks associated with cyber-attacks in the marine industry and will require ship operators to consider cyber risk management as a part of their safety management system from 2021. During his presentation, Mr. Gillespie briefly presented both the H&M and the P&I positions in respect of cyber risks, introduced the concept of cyber seaworthiness, and stressed the need for action by ship owners. A number of useful tools and resources are now available to build awareness around the risks of cyber-attack, including the ‘Be Cyber Aware At Sea’ initiative and the work being done by the CSO Alliance. Finally, Mr. Gillespie highlighted the need for shipping companies to start sharing information on cyber threats with each other and to continue building momentum across the maritime sector to counter cyber security threats.
North first started considering cyber risks a couple of years ago. At that time there were various views – some who remembered Y2K thought that the risk may not be real. But through talking to our members and to international experts it became clear that cyber was already a risk in the industry. This position was crystallized when the Club itself was subject to a couple of attacks. We concluded that cyber risk is a real business and commercial issue; it is something that needs to be managed, and something that the whole maritime ecosystem is going to be subject to. The Maersk attack in August 2017 further endorsed our view that the industry has to take steps to protect itself against potentially massive disruption and significant losses – although they may not stem from what we would view as a ‘traditional’ marine casualty.
Insurance for Cyber Risks
The H&M position
Cover is usually excluded from hull policies by Clause CL380:
“…in no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by or contributed to or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system”.
While the scope of the exclusion provided by this clause may be open to interpretation, it is clearly intended to operate as a wide-ranging exclusion.
The H&M solution: the cyber “buy-back”
Although H&M underwriters include the CL380 exclusion, many of them offer cyber cover on a “buy-back” basis. We understand that the buy-back is not necessarily risk-based. The underwriters may not need to be satisfied that the owner has demonstrated a particular level of cyber-preparedness before offering the “buy-back”. They can simply charge an additional premium to provide the cover.
Interestingly, recent investigations and discussions reveal that the Cargo Insurance market is also including the CL380 wording in primary cargo policies. It is also understood that some of them are offering the cyber buy-back option, again on payment of an additional premium, and again, without any assessment of cyber risk or preparedness.
The P&I position
P&I insurance does not include the CL380 wording or any other term or condition seeking to exclude or limit cover for a cyber-related incident.
In effect, cyber risks are new vectors through which traditional P&I liabilities can arise, but not necessarily new liabilities in themselves. Members need cover for this risk and Clubs are committed to providing flexible cover for Members.
Cyber seaworthiness – the bar is rising
When we started looking at cyber security in 2016, the message was (more-or-less), “Cyber security is an issue which you should be thinking about”. Since then, the need for proper cyber security and cyber resilience in the maritime context has increased.
The legal test for seaworthiness effectively requires an owner to take the same steps to equip, maintain and manage a ship. What does this mean now in relation to cyber-attacks and cyber security? This is still a difficult question to answer definitively, but since 2016, not only do products such as Hudson Analytix mean that it is easier for owners to assess their level of cyber preparedness but, just as importantly, incidents such as Maersk mean that the implications of cyber vulnerability should be readily apparent to all shipowners. We are therefore at a stage where lawyers bringing claims against shipowners which have a “cyber component” will be asking: “What steps or procedures did you have in place to prevent or minimise this issue occurring?”
At worst, Owners should now be taking active steps to know where they are in terms of preparedness/vulnerability, both in terms of human training and in IT and operational systems terms. It would be even better if owners are actively managing their position to ensure that cyber preparedness is increasing and vulnerability is decreasing.
Fairly soon, both insurers and the claimant lawyers will be asking owners if the steps which they have taken are good enough. Why would a club do this? The short answer is mutuality. Why should owners with a high level of cyber-preparedness subsidise the claims of owners who are not addressing the issue?
Becoming Cyber Secure – What Can Help?
North is actively promoting awareness and discussion of cyber security at sea. We are doing this through our messaging and projects to try to create forums for discussion between Members.
We have also created partnerships with the “Be Cyber Aware at Sea” programme, launched a partnership with a self-assessment product with Hudson Analytix and are investigating further opportunities to collaborate with CSO Alliance in an information exchange platform.
We also welcome moves by Classification Societies such as DNV and ABS to develop cyber notations: although these focus on new-builds, the framework which they outline/develop may well assist shaping the cyber-preparedness framework across the industry.
Cyber risks must be managed in order to protect your business.
Don’t let this drift: there is much to learn and much to be done in this area. Keep up the momentum, share information on risks and over time your company and the industry will be less of an easy target for cyber criminals and others seeking to disrupt your business. Don’t delay – act now.
The above text is an edited article of Colin Gillespie’s presentation during the 2018 SAFETY4SEA Cyber Masterclass.
The views expressed in this article are solely those of the author and do not necessarily represent those of SAFETY4SEA and are for information sharing and discussion purposes only.