Cyber risks – Mind the gap

By Henry Clack, Associate, with assistance from Alexandra McCulloch, HFW, IUMI Professional Partner,

In recent years, we have seen an increasing number of cyber-attacks in line with the growing digitalisation of the marine industry. Ransomware incidents, the most notorious of which was 2018's NotPetya attack which caused Maersk to incur costs upwards of USD $300 million, have impacted most of the major container lines. This has highlighted the growing requirement for effective cyber insurance products that provide adequate cover.

One potentially significant coverage issue facing shipowners is the uncertainty around cyber-attacks perpetrated by state actors. Generally speaking:

  • H&M underwriters tend to exclude both war and cyber risks (subject to buy-backs for non-malicious cyber cover using LMA 5403 and other similar clauses);
  • Cyber underwriters exclude war risks (as do P&I Clubs); and
  • With a few limited exceptions, war underwriters exclude cyber risks.

Therefore, there is a coverage gap for cyber risks which are malicious and could be considered to be war or terrorism.

Issues around the attribution of attacks also complicate matters. With attackers ranging from state supported groups and military units to criminal organisations and bored individuals, it is very difficult to establish who instigated an attack and what their motive was. To date, insurers have tended not to rely on war exclusion clauses when attacks have potentially originated from a state government. A notable exception to this is the ongoing litigation between Mondolez and Zurich in Illinois, USA. No doubt this case will be closely followed by both insurers and their assureds.

One potential solution would be for the market to adopt a definition for 'kinetic' war in order to differentiate between traditional warfare and acts of cyber aggression. To date, however, we have not seen much appetite in the market for this approach.

In the circumstances, the best way for an assured to avoid these issues is to do all they can to avoid becoming the victim of a cyber-attack in the first place. At HFW, we have joined forces with maritime cyber security company CyberOwl with a view to working together to help the maritime sector prevent and actively defend against commercial, legal, technical and operational risks, including reviews of vessel cyber security seaworthiness, cyber security monitoring, and related legal and consulting advice. Read more about HFW's new venture with CyberOwl HERE.

HFW is an IUMI Professional Partner (IPP). At the IUMI 2021 Annual conference, HFW Partner Richard Neylon will speak at the Legal & Liability Workshop. The full programme can be accessed HERE