Marine insurance market is sharpening its focus on cyber attack risk, says IUMI representative Nick Gooding, By James Brewer
Marine insurers are striving to establish better ways of providing cover for their shipping clients against the risks of cyber attacks. The peril is seen as significant, but relatively new.
“We face difficult challenges, as the market tries to assess a peril which has, to all intents and purposes, been excluded over the last decade, ” said Nick Gooding, one of the key people who over the years has helped identify marine policy approaches for the spectrum of terror risk.
A leading marine underwriter for many years, Mr Gooding is now the alternate officer representing the International Union of Marine Insurance at the International Maritime Organization. Speaking in Stockholm at the May 2015 Insurance Sweden Conference, Mr Gooding said that cyber risk is the most talked about topic in the insurance industry worldwide.
“It seems to me that the market needs to have a better understanding of the implications of a cyber attack on the wider maritime community, ” said Mr Gooding. As the industry moved further into a digital environment, ports, vessels and facilities were increasingly connected to and dependent on cyber systems. This included almost every facet of their operations, such as financial and human resources management, security systems, navigation, communications and the operation of key systems and equipment.
He said: “Insufficiently robust cyber security practices could lead to loss of life, increased criminality in the maritime sector, and given the importance of the maritime sector to international trade and supply chains, an operational disruption with significant adverse economic consequences.”
Mr Gooding listed a series of concerns. Researchers from the University of Texas demonstrated in 2013 that it is possible to change a vessel’s direction by interfering with its GPS signal. A hacker caused a floating oil platform off the coast of Africa to tilt to one side and temporarily shut down. Hackers infiltrated cyber systems in a port to locate containers loaded with illegal drugs and remove them undetected. Somali pirates employed hackers to infiltrate a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security which led to a hijacking. There had been reports of denial of service attacks against ports: a large number of requests made to a system to overwhelm it and cause a breakdown. Separate reports referred to efforts to gain unauthorised access to wireless networks in ports.
High-level studies had concluded that there is little awareness of these issues in the maritime sector, with few initiatives underway to enhance security.
All this is very alarming, said Mr Gooding, “but it is encouraging to note that through the combined efforts of the International Chamber of Shipping, BIMCO, Intertanko, and Intercargo, there is ongoing work to develop guidelines on cyber security on board ships. Draft guidelines are in place and it is hoped the final guidelines will be presented to the IMO for approval in 2016.”
How should marine underwriters respond when asked to cover the danger? “I think at an individual risk level it is possible to offer cover, but my fear, which I believe is shared by the Franchise Performance Management department at Lloyd’s, is about managing the aggregation of cyber-exposed risk, and understanding where that aggregation will come from, ” remarked Mr Gooding.
“I believe that underwriters should follow closely the work being done by the industry and be robust in their requests for appropriate information from clients as to their risk management of the cyber threat to their business.
“In addressing the threat, protection against the malicious insider should also be taken into account, as should the threat from hostile use of social media.
“Marine underwriters also need to consider geographical areas as potential flashpoints, such as the Strait of Hormuz, the Suez Canal and the Panama Canal.”
Mr Gooding drafted the Institute Cyber Attack Exclusion Clause, commonly referred to as Clause 380, issued in November 2003. Clause 380 was released on the same date as Clause 370, the Institute Radioactive Contamination, Chemical, Biological, Bio-Chemical and Electromagnetic Weapons Exclusion Clause. Looking back, Mr Gooding considered it a mistake to release both clauses together, which had led to the Cyber Attack Clause being misused.
“My view at the time, which remains the same today, is that Clause 370 should be used on every policy of insurance and reinsurance… however, on Clause 380 I believe it should be used as appropriate and applicable to the risk in question. In my view it was a clause to protect against an unacceptable aggregation of risk arising from a cyber attack.” He had not envisaged widespread use in marine insurance policies, where apart from an attack on, for example, the US grid with the reefer warehouses going into literal melt down, he could not see where the aggregation of risk from an attack could occur.
With rising demand for coverage from peril of a cyber attack, market committees were looking at wordings and examining Clause 380 to see if it is still fit for purpose.
Mr Gooding went on to warn: “We live an era where the marine market is consistently soft, but underwriters should not make the mistake of offering cyber cover without additional premium because there is a clear and present danger to maritime assets.”
London market committees were all working this issue, and it was on the list of topics being addressed by the IUMI Political Forum – only time would show how we could fight the menace of cyber risk, he said.