While speaking at the SAFETY4SEA Cyber Masterclass, Mr. Nick Taylor, Consultant, Shoreline, gave the insurer’s perspective on Cyber or IT Security, noting that shipowners are facing a number of calls to address it across all aspects of their operations. The pressure is not yet as severe as that imposed by the Oil Pollution Act 1990, where attitudes to preventing environmental pollution had to change materially, and did so successfully. In response to evident client demand to address the situation, the insurance industry has been led by Shoreline into offering to indemnify the financial costs of the disruption caused by a Cyber Crime attack in respect of the whole business, at sea or ashore. Mr. Taylor further said that insurance will take its place, as an integral part of a well-developed risk management programme, in accepting the transfer of those risks that are either too costly to prevent or where the threat remains as yet unrecognised.
I look at cyber as an extension of piracy. It started years ago by simple attempts to gain money by threatening violence at sea and has been followed more recently by what has been going on in Somali land. Now, in the 21st century, we have moved into experiencing what DNV describes as ‘Piracy: release 4.0’ and every organization, we believe, has to take this new, emerging risk into consideration at Board level.
It comes in many different guises and it manifests itself variously according to the motives of the perpetrators. They could be environmentalists, ideologues or politically motivated activists, cyber criminals who just want to steal money, through to organized crime who want to get hold of data and be able to sell it onwards, not necessarily overtly, but in the darkness. On a grander scale, cyber terrorism can provide a platform for disruption at corporate level, even at nation state level by attacking the economy of another country.
DNV’s view is that support for ship-owning operations is divided between information technology and operational technology. In the simplest of terms, operational technology underlies activities on board a ship. Yet ECDIS and SCADA software are notorious for the lack of any built-in security and unauthorized access to shipboard systems is relatively easily achieved.
The impact of a cyber attack on a ship is likely to be limited to life or personal injury to those onboard the ship, maybe third party life and injury, damage to property through to the environment via a possible pollution incident. Insurance is readily available through hull and machinery policies and P&I club entries.
What supports the ship-owning or operating business as a profit making enterprise, however, is the information technology: for example, the cargo booking systems, machinery and equipment maintenance schedules, crew rosters etc. Collectively this is what supports an owner’s ability to deliver on their promise to perform for charterers as contracted, the disruption to which can prove costly in expense and reputation and, ultimately earnings per share.
The maritime industries are reliant on software, but the more extensively software is used and the greater the interconnectivity between ship and shore, the more vulnerable ship owners are to attack. ABS, at a recent conference, predicted that the new norm will be even more data intensive. Interconnectivity is improving all of the time, but the downside is that viruses travel ever faster and further.
The trends are there for us to see. The WannaCry virus, a ransomware crypto-worm, spread to 200,000 users in over a hundred countries in a matter of hours. The sophistication of home computers is now almost as great as a business computer and computers are now more easily programmed. Creating malware has become relatively easy: hackers can be contracted in to “do a job” for activists or organized crime.
Surprisingly, the sea changes that followed Piper Alpha and the health and safety implications following on from that disaster and, similarly, from Exxon Valdez in terms of pollution, do not yet appear to have been triggered following the NotPetya attack that Maersk inadvertently suffered, originally in Ukraine.
I like to think this debate is now under way in a number of major ship owners’ offices. The threat should be evident enough but elimination of the cybercrime threat is virtually impossible and impracticable. The debate should concentrate on the extent to which a company can protect itself and minimize the impact of an attack at reasonable cost. At this point the insurance market is ready to assume those risks for which the costs of elimination would be exorbitant as well as those risks which are not yet identified.
So, how does the insurance market view cyber crime? The following table was originally authored by HudsonAnalytix:
The risks summarized in the bottom quadrants have already been shown to be manageable through hull insurance and a P&I Club entry.
The top two quadrants focus on the financial losses that would potentially be incurred as the result of a cybercrime intrusion. In short, the costs of the disruption to a ship owner’s operations. They focus on the restoration of IT assets damaged in an attack, the rebuilding of any data lost, the cost of business interruption, without the need to provide evidence of physical damage having occurred, and on liabilities.
The challenge put to the traditional markets to provide a composite cybercrime insurance was met with insurers promoting their traditional supply of commercial crime and fidelity cover and, second from a wholly different segment of the market, cyber insurance can be purchased. Despite increasing overlap, the market has largely resisted the marrying up of the two product lines: old fashioned supply driven thinking from a compartmentalized insurance world with little consideration for the client who thinks in terms of the loosely used expression CyberCrime.
The objective I set myself a year ago was to try to develop a wording relevant to the operations of a ship owner that integrates the risks associated with crime and cyber, that delivers a product which focuses on your operations at sea and ashore and that is contingent upon P&I cover.
Summarizing, the following image identifies the source of many of the costs suffered by ship owners following a cyber or crime attack:
New-age piracy is a financial menace. I think the maritime industry is yet to wake up to the threat. Risk management is key: the insurance is now available to complement the CyberCrime security strategy. The quality and extent of the risk management strategy will be reflected in the rating of the insurance.
Remember what Darwin said: ‘It is not the strongest of the species that survives, it is the one that is most adaptable to change’.
Above text is an edited article of Nick Taylor’s presentation during the 2018 SAFETY4SEA Cyber Masterclass
The views expressed in this article are solely those of the author and do not necessarily represent those of SAFETY4SEA and are for information sharing and discussion purposes only.
After 38 years of engagement in the marine insurance sector, closing as the head of Marsh’s Global P & I Practice, Nick Taylor, now as an independent consultant to Shoreline, is introducing a new insurance product for the Marine Transport sector.
Having been involved in the creation of Shoreline 23 years ago, and having been influential in the formulation of the revision to the Athens Convention in 2006 and the subsequent provision of War Blue Cards by Shoreline, Nick has now dusted down his creativity to turn his focus onto the fast changing world of Cyber and Crime Insurance for ship owners, operators and other marine service providers.
The insurance market has adopted a tramline approach to these risks assigning certain elements to “Crime” and others to “Cyber”. In reality the two are enmeshed and the distinction between the two is increasingly blurred. Nick has been fashioning an integrated insurance product for Shoreline that, in collaboration with XL Catlin, will encompass all the elements of cover associated with the loosely used expression Cyber Crime.