Potentially owners may be exposed to gaps in cover arising from cyber incidents - an unsatisfactory situation in today’s connected world. For example, an owner’s hull and machinery insurance may contain a cyber risk exclusion which mirrors, or is derived from, institute clause 380.
There are also cyber exclusions in war risk policies that relate to computer viruses. The war risks clause is derived from market clause 3039. Many other market insurance policies specifically exclude losses or liabilities arising as a result of cyber risks.
Why is Cyber Excluded?
Cyber risks present a range of issues for insurers. Cyber risks are relatively new – claims data relating to these risks is quite limited. Another difficulty is that cyber security is not yet well established in the maritime industry. The sheer complexity of the information technology, operational technology and internet available across the industry also presents a challenge, as does the potential for cyber problems to spread quickly across the globe. As a result the likelihood, extent and costs associated with claims involving cyber risks are difficult to calculate and potentially significant, hence the reluctance to offer cover.
It is in an owner’s interests to scrutinise their various policies in order to identify potential gaps in their insurance cover. It is possible to close the gaps by working with insurers and brokers. This may require owners to demonstrate that they have robust cyber risk management practices in place both ashore and afloat. An additional premium may be payable. The market is responding to these risks – albeit slowly.
P&I Cover for Cyber Risks
The International Group of P&I Clubs’ poolable cover does not exclude claims arising from cyber risks.
This means that club members benefit from the same level of P&I cover should a claim arise due to a cyber risk, as they would from such a claim arising from a traditional risk. As always cover is subject to the club rules.
While there are currently no internationally agreed regulations in force as to what constitutes a prudent level of cyber risk management or protection, this does not mean that owners, charterers, managers or operators of ships can ignore the need to take proper steps to protect themselves in the belief that their club cover will always respond.
If a claim with a cyber element arises, an owner may need to demonstrate that they took all obvious steps to prevent foreseeable loss or liability. As more and more potential cyber risks are being identified, clubs will expect to see the operation of sensible and properly managed cyber risk policies and systems both ashore and on vessels.
Don’t delay – act now
Barely a month goes by without news of a major cyber-attack affecting a large or high profile commercial or government entity. Cybercrime is a rapidly growing global threat in all industries and the maritime supply chain is vulnerable as the problems experienced by Maersk in 2017 have demonstrated. In that incident problems ashore had a knock on effect on vessels, highlighting the fact that as marine transport operations become more connected, the more chance there is of problems impacting across the system both ashore and afloat.
The authorities and large charterers are concerned about the risk to operations ashore and afloat and are taking steps to drive change in the industry. Actively managing cyber risks is now both a commercial and compliance priority.
Cyber Risks & ISM Code
The IMO’s Maritime Safety Committee (MSC) has confirmed that cyber risks should be managed under the ISM Code.
Resolution MSC.428(98) affirms that an approved safety management system should take into account cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
Cyber risk management has been included in TMSA 3 under elements 7 and 13. KPI 7.3.3 includes cyber security as an assigned responsibility for software management in the best practice guidelines. Under element 13 cyber security is specifically identified as a security threat to be managed. It seems clear that the oil industry has recognised the need for action from tanker owners and is encouraging action through commercial pressure via TMSA 3. For tanker operators the time to act is already here.
Cyber risk management now forms part of Rightship inspections and a company’s cyber security maturity may be one aspect dry bulk charterers will take into account.
A Daunting Task?
The prospect of dealing with cyber security will be daunting for many shipping companies. It’s new, involves things that may not be fully understood, and most of us are not likely to have received any formal training in such risks.
What is a definite plus is that shipping companies will be very familiar with the risk management framework suggested by the IMO Guidelines on Cyber Risk Management and industry Guidelines on Cyber Security Onboard Ships. We can also use the experience gained in other sectors of industry that have already put cyber security systems in place.
2021 is not far away, but the potential for cyber risks to result in losses or liabilities is clearly already upon us.
Cyber risks can affect almost every part of a shipping company. There will be lots to do to identify risks and vulnerabilities and to take steps to prepare for, and respond to, cyber threats. It’s time for us all to act.
By Adrian Durkin, Director (Claims) & Colin Gillespie, Deputy Director (Loss Prevention), North P&I Club
Adrian Durkin, Director (Claims), North P&I Club
Adrian is an English-qualified solicitor who joined the Association in 1999. He has a broad legal oversight and advice role within in the P&I Department and retains management roles in respect of Dutch members
Colin Gillespie, Deputy Director (Loss Prevention) North P&I Club
Colin joined the Club's Loss Prevention Department in November 2006. He is involved in all aspects of North's Loss Prevention activities.