From paper and wheels to wireless devices
For more than two decades, the world economy has seen a dramatic increase in digitalisation. This has particularly increased in recent years, with the Covid pandemic highlighting the need for digital solutions in business.
As an important part of the global economy, the supply chain has been massively impacted by this technological turning point, which has put transportation & logistics (T&L) companies in the spotlight for cyber-attacks.
Those attacks can have varied origins, from purely criminal aims (e.g. ransomware, cyberextortion) to competitor warfare (e.g. business interruption, loss of data) to terrorist, hacktivist or nation-state motivations (e.g. malware affecting ports and terminal structures, energy distribution, blocking airports and transportation infrastructure).
Whatever the motivation, hackers see T&L companies as an easy target for cyber-attacks because they process tremendous amounts of data on vendors, buyers, shipping routes, cargo types and infrastructure, thus offering many attack opportunities and multiple entry points through operational technology (wireless devices).
Marine cargo insurance: what is the current situation?
It is not necessary to remind anyone of the major cyberattacks reported (recently or not) and their financial consequences for T&L companies, but how does the marine cargo market currently consider this risk?
Setting aside the questions of financial losses and prejudice covered through dedicated cyber insurance products (e.g. ransomware, data recovery cover), marine cargo insurance primarily focuses on loss of and damage to cargo, and the most widely agreed position is to exclude cyberattacks from cover.
This exclusion is commonly worded through the LMA5403 Marine endorsement clause, which has gained traction with insurers and has effectively replaced the former CL380 Institute Cyber-attack exclusion clause (10/11/2003) since 2019.
Indeed, given the rapid evolution of technology and risk factors since 2003, CL380 was deemed not as clear-cut or all-encompassing as originally thought, and LMA5403 introduced a new paragraph which gives affirmative cover for cyber/electronic causes not aimed at inflicting harm (accidental or negligent act vs malicious intent).
Thus, it formally describes the scope of the exclusion as any cyber cause resulting from a malicious act, defined as the use of electronic means with the intent of inflicting harm. Nonetheless, as “inflicting harm” has not been defined in either of the clauses, it could still leave room for legal interpretation under certain circumstances.
Following the UK market, other local players have widely adopted the same position in their contracts, replacing CL380 with LMA5403 or equivalent local wordings (e.g. the AIMU exclusion clause in the USA).
Other markets where no cyber exclusion pre-existed have also recently moved from a historically silent position to an affirmative exclusion and/or an alternative limited write-back, following the global trend of exiting the silent context in favour of an affirmative position (e.g. the recent cyber/blackout clause of the German Insurance Association (GDV)). In those countries, insurers’ positions towards cyber risk are still heterogeneous but will likely converge on a global practice, driven by re-insurance constraints that will likely be imposed.
Cyber risk in freight forwarding liability insurance: inflated factor?
Looking at freight forwarding liability insurance, cyber risk is largely excluded on the same basis as marine cargo insurance and should be similarly handled by insurers.
However, for bespoke contracts and non-standardised practices, there could be a situation where the policy is silent and/or clients and brokers would ask not to exclude cyberattacks. What would be the potential risk exposure for insurers?
On the one hand, risk exposure should be lower on freight forwarders’ liability (FFL) than on marine cargo because, most of the time, a cyberattack is considered an external event. As with armed robberies, logistics operators would therefore probably invoke Force Majeure (i.e., Act of God) to reject any liability following a cyberattack that causes loss of and/or damage to goods during shipment.
On the other hand, the claimant could point to a cyber security breach to demonstrate the forwarder’s direct liability and thus demand that consequential losses be paid. This would be particularly true when the policy provides Errors & Omissions cover, which the insured would trigger when facing such situations.
When insurers are ready to consider any sort of write-back for the cyber exclusion (limited or not), they should be cautious in assessing the potential consequences and triggering effect. The fact that liability has to be proven under FFL insurance could lead them to think that the risk is minimised, but they would face the issue of their insured’s cyber security system: the insured would have to prove the highest possible service and system standards to duly set aside any claimant’s requests.
As of today, it can be observed that the exclusion principle remains largely in place. Whether to go beyond this and be more responsive to clients’ needs is an underwriting decision to be taken by individual insurers and underwriters. If they consider going beyond the exclusion principle, marine insurers would need to look beyond the liability aspect and properly define a robust security standard as a warranty on their potential affirmative inclusion clause, which would not be easy to formalise.