Cyber Risk Management Comes Of Age
On 1 January 2021, pursuant to Resolution MSC. 428(98), IMO Administrations are to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of a ship’s Document of Compliance after that date. The resolution was originally adopted in June 2017 and, while many stakeholders could be forgiven for the distraction caused by this turbulent year, another deadline approaches in shipping compliance.
However, it is important to remember that ‘IMO 2021’ was not developed in a vacuum. Managing cyber risk in the maritime space has been a hot-button topic for over two decades, with the CL.380 Institute Cyber Attack Exclusion Clause receiving rapid and widespread uptake from first party loss insurers for hull and machinery risk on its release in 2003. Variants of the same language were also adopted by many P&I clubs.
Traditional Cyber Exclusion
The clause excludes coverage for losses “directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.”
The wide nature of the drafting led to the misconception that the clause excluded cover in relation to all-types of cyber-related loss, which is not the case. The exclusion is contingent on there being a ‘malicious’ peril intended to inflict harm using a computer or electronic system.
The increasing digitalization of shipping has not displaced the basic legal and technical notions of what the superstructure and machinery of a vessel consists of. Even if a certain loss is associated with a cyber event or process, cover should not be assumed as being excluded in every situation.
However, where policy terms have been silent on the extent of cyber cover, owners and underwriters pondered whether or not certain non-malicious cyber-related losses were in fact covered. For example, the losses arising from accidently downloading incorrect software updates on board a super yacht with automated rigging or propulsion might still give rise to a covered claim.
If cover is “All Risks”, and where there are no grounds to refuse an indemnity for unseaworthiness, unrepaired damage, error in design or other perils, and no evidence of malicious actor involvement; the likelihood that a cyber-related claim untouched by CL.380 could be refused is certainly reduced.
Even so, the situation was far from clear in the minds of many users. On 30 January 2019 the UK supervising body for insurers, the Prudential Regulation Authority (“PRA”) wrote to all firms noting that underwriters’ awareness of both affirmed and non-affirmed cyber risk should be enhanced- through improved quantitative assessments, claims expertise, and increased risk knowledge . As with modelling all ‘new’ risks, lack of data on cyber claims has hampered knowledge development.
Changing Risk Perception
The absence of any judicial decision from the English courts, in a claim where the meaning of CL380 was disputed, perhaps gave the (slightly misleading) impression that the bargain between policyholders and first loss insurers for cyber cover was on an established footing.
The perception of the risk owners face from cyber incidents is also relatively asymmetric. Like other businesses, shipping lines increasingly feared the hacking of onshore systems by perpetrators diverting hire or freight payments though elaborate phishing and spoofing tactics; and procured appropriate business liability cover. Meanwhile, the probability that a vessel would be physically lost or damaged through a cyber-attack seemed far more remote.
However, the status quo is being reconfigured in the face of widely publicised cyber incidents (particularly the threat posed from hostile state actors penetrating critical infrastructure), a tougher regulatory environment, pressure from government for key sectors to improve their cyber resilience, and disillusion with CL.380. Key stakeholders have responded.
On the 4 July 2019, a Lloyds of London Bulletin (No. Y5258) mandated that all first party property damage policies incepted on or after 1 January 2020 provide policyholders clarity regarding cyber coverage, by either excluding or providing affirmative coverage; regardless of whether cover is provided on an All Risks basis, or under a list of named perils. The change applies to renewals and new business. Cover holders, line slips and consortia placements are also required to adopt the clarification measures.
Loss Prevention and Implementation
On 3 November 2020 the UK National Cyber Security Centre (NCSC) – a part of GCHQ – published its fourth annual review since the organisation’s founding; and has reportedly dealt with 723 cyber security incidents this year – the highest on record. ‘Test and practice’ has become the new national anthem in the effort to increase the cyber resilience of organisations. 125 countries have apparently used the NCSC “Exercise in a Box” tool to test their cyber defences against realistic threats in the last year.
With all ship safety management plans required to include a cyber risk assessment from January 2021, CJC spoke with service provider IEIT Holdings, based in South Africa and Mauritius, to understand some of the practical changes shipowners should be considering when strengthening their cyber defences. In response to regulator pressure and ever-increasing interest from insurance markets, IEIT security staff said,
“In a world where cyber threats are on the rise and the cyber attacks themselves are malicious actions, the effort to mitigate against these attacks does not need to be intimidating. To this end, the IMO resolution is encouraging all vessels to start their cyber risk management journey by better understanding their current security posture and the desired state.
“Drawing up policies and upgrading tooling for access control, connectivity, and firewalls will assist in preventing intrusion. It is also imperative to have up-to-date back-ups to enable a quick and effective recovery should an attack arise.”
Vessels, and their machinery, may not be the only weak points, as IEIT further explained: “Crew on board tend to be the easiest target for cyber-attacks through phishing, malware and more, for this reason cyber risk awareness and training go a long way at protecting the vessel further.
“Our recommended approach to cyber risk management is not a one-off exercise, but rather something that needs to be looked after. The key is to ensure an ongoing balance between onboard flexibility and an effective security posture – with minimal noticeable disruptions.”
When deciding whether to accept the risk of providing marine insurance with affirmed cyber cover, owners may be able to satisfy their duty to insurers to make a fair presentation of that risk with details of their resilient policies and procedures. There continue to be major innovations in this field.
“We provide a Vulnerability Managed Services offering – a closely monitored security service amplified by our state-of-the-art tooling that uses AI technology to identify, protect, detect and respond to any threats based on predefined policies. When a threat is detected our Security Operations Centre (SOC) is ready to validate the risk and either block or endorse the event”, explained IEIT.
From the above, it is worth noting that the path to becoming more cyber resilient is a marathon, not a sprint. And every stakeholder in the shipping industry is on a steep learning curve. Underwriters will become increasingly more skilled in reviewing the cyber management practices of shipowners when offering terms of affirmed coverage, and the changing risk landscape will necessitate continuous monitoring for loss prevention and claim management purposes.