Marine: Silent cyber at sea
Impending International Maritime Organization (IMO) recommendations on cyber risk management and scrutiny of the issue of ‘silent cyber’ by the Prudential Regulation Authority and Lloyd’s pose challenges for insurers and ship owners alike. Richard Young, head of hull & war, and Kelly Malynn, senior risk manager, at Beazley discuss why the marine insurance market needs stand-alone cyber cover.
Model marine cyber clauses issued recently by the Lloyd’s Market Association (LMA) to underwriters was a welcome attempt to bring greater certainty for clients and maturity to the insurance market in respect of cyber exposure.
Publication of these clauses in November 2019 followed a series of consultations between the LMA and its members, the Prudential Regulation Authority (PRA) and Lloyd’s to encourage greater clarity from insurers around their exposure to cyber risks. However, despite the heightened focus by regulators and industry bodies on the risks posed by cyber, more progress is needed.
In January 2019 the PRA wrote to all supervised insurance companies, asking about their cyber exposures, and challenging them to eliminate unintended exposure to cyber due to policy wordings that remained silent on cyber1. Having engaged with these firms, the PRA highlighted a “significant divergence in firms’ views of the potential exposure” to unintended cyber coverage due to non-affirmative wordings. As a result the PRA requested that firms develop actions plans to identify and reduce their unintended exposure.
Lloyd’s went further than the PRA’s requirement by mandating that all policies “provide clarity regarding cyber coverage by either excluding or providing affirmative coverage” by issuing market bulletin Y5258 in July 2019. Those issuing first-party coverages, such as marine hull policies, were subject to the requirement, as of 1st January 2020. The next tranche of classes required to affirm inclusion or exclude coverage have been confirmed and requirements come in to place on 1st June 2020.
While the desire to affirm coverage inclusion or exclusion within the wording of policies has gained momentum and market clauses are available, both the PRA and Lloyd’s requirements go beyond this.
In October 2019, Lloyd’s then-performance management director, Jon Hancock, wrote again to the market urging managing agents to comply with the 1st January 2020 deadline. He also outlined the associated risks with providing coverage firms needed to ensure:
‘that the risk associated with all coverage provided is understood, assessed, priced, clearly articulated in the terms and conditions, and monitored so that both individual risk and systemic risk can be assessed and managed within defined appetites.’
In its communications with insurers, Lloyd’s made it clear it does not differentiate between malicious and non-malicious acts in its definition of cyber and that the risk extends to tangible assets.
Lloyd’s intends to test the market’s compliance with cyber risk during the course of 2020, starting first with managing agents required to make an additional attestation of compliance on cyber against all 11 minimum standards in March 2020. Specific cyber exposure management thematic reviews are planned and cyber risk will be a theme through all Lloyd’s reviews.
There remains a high degree of market dislocation when it comes to understanding and addressing the threat posed by cyber risks to shipping and marine infrastructure.
With greater regulatory scrutiny and the rapidly evolving cyber threat it has become imperative for ship owners and insurers alike to have clarity on cover and to commit to fully understanding the risks posed. There are signs in the market that progress is beginning.
At Beazley we rose to the challenge ahead of the regulatory requirements with the launch in 2019 of Cyber Defence for Marine, which followed a 12 month project to understand the risks the industry and the potential aggregation. The product is designed to provide cover for both malicious and non-malicious cyber.
Risk management services at the heart of the product, conducted separately from the underwriting assessment, are designed to reduce the likelihood of a cyber-incident occurring and help owners demonstrate compliance with International Maritime Organization (IMO) recommendations.
The IMO recommends that cyber security is addressed in vessel’s safety management systems by January 2021. In Resolution MSC .428(98) the IMO affirmed, in respect of safety management, that: “an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.”
The marine market needs certainty on cyber risks and the market initiatives driven forward by Lloyd’s, the PRA and the LMA are to be welcomed. This is not activity in isolation; it comes at a time when the shipping companies are becoming more aware of the threats posed by cyber and of specific incidents affecting their industry, as well as heightened interest on the part of regulators. And as operational technology on board vessels becomes ever more digitalised with greater interconnectivity between shore-based and on-board systems – including systems responsible for navigation, propulsion and power control – the need for affirmative cyber cover is all the more pressing.
The United States Coastguard, BIMCO and the International Chamber of Shipping have also recently released guidance for ship owners in respect of cyber security. Clearly cyber risks are here to stay and a prudent ship owner should be thinking about how best to manage these risks.
Most ship owners are now taking the threat of cyber and the increasing complexity of their supply chain and on-board technology seriously and ensuring they have adequate coverage in place to protect against the risk is part of that.
Engaging with an insurer that understands the risk and can offer cover designed specifically to meet the threat, while providing risk management services to reduce the likelihood of a loss, provides ship owners with certainty of cover while helping them to meet IMO guidelines.
About the author:
Richard joined Beazley in September 2017 from AEGIS London as a Marine Hull and War underwriter. He became Head of Hull & War in January 2019.
About the author:
Kelly was appointed Senior Risk Manager responsible for Insurance risk, in January of 2011. This includes oversight of risk within Underwriting, Reserving, Claims, Reinsurance and Exposure Management. In 2014 she took on responsibility for Group Risk and Strategic Risk.