Insurers recognise the need for updated products, but are not sure of the best way forward.
Lack of claims data makes pricing difficult, while marine insurers debate the pros and cons of institute cyber attack exclusion clause 380.
The demand will probably be driven not only by owners’ requirements, but also by the insistence of charterers, with blue chips increasingly asking shipping companies to provide evidence of control, mitigation and recovery plans, including insurance.
While there are already some products out there, the sector as a whole is still finding its feet, not least given the current lack of claims data to enable correct pricing.
The issues involved were highlighted in a recent interview given by Rama Chandan, the Singapore-based head of marine at QBE.
Further product development may be necessary to meet client needs, he told Lloyd’s List. But the marine insurance sector will probably only be able to work out what is needed on the basis of experience. And it is early days yet.
“We have not been able to find a product that would suit the market at this point,” said Mr Chandan, who also serves as the chair of the International Union of Marine Insurance’s influential ocean hull committee. “But it is an issue that will get more exposure going forward.”
Such sentiments are echoed by Joe Hughes, chief executive of American Club.
“There are certain insurance products in the market that are available in relation to cyber risk, but they are in the nature of business interruption products,” he said.
Given that the range of cyber risks also includes loss and damage to vessels and loss or theft of data, that appears to many eyes to be insufficient.
Maritime cyber risk as currently constituted has to be slotted into the existing framework constituted by P&I and hull and machinery insurance.
Generally speaking, there are no cyber exclusions in the rules of a typical International Group club, except if the cyber risk is created by an act of war, or where terrorism is involved.
But as North P&I claims director Adrian Durkin told a seminar in London earlier this year, in practical terms it is sometimes difficult to be certain what occurrences result from war, and which from crime.
Mr Hughes said: “All the clubs are encouraging shipowners to be very aware of the nature of cyber attack and cyber risk generally, and to do everything they can to protect themselves against the dangers, almost as it were as a prudent non-insured.”
In the case of hull cover, there is widespread reliance on institute cyber attack exclusion clause 380 — which, while not mandatory, is widely placed on hull policies.
This provides that, except in a limited range of circumstances, “in no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system”.
If the wording sounds slightly anachronistic, that is because the clause actually dates back to the far-off days of 2003, when cyber risk was conceptualised in terms of the Y2K panic and 9/11, and the main fear was the potential for an unmanageable aggregation of loss.
Critics argue that the wording is too wide and perhaps overly cautious. After all, general cargo loss from almost any cause has traditionally been covered by a standard ‘all risks’ form. Where the clause is in a hull policy, the owner is effectively not covered against most cyber risk.
If the very job of insurance is to protect the innocent uninsured, why shouldn’t they enjoy the same degree of protection they do from this more modern peril too?
Then there is an additional layer of legal complexity, as highlighted by Robert Alexander, managing director of Alston Gaylor in Lloyd’s List sister publication Insurance Day.
English law states that an insurer is only liable for a loss if the insured peril is the proximate cause — and, of course, losses can have more than one cause.
According to the International Underwriting Association, “where there are two proximate causes of loss, one of which is specifically covered and the other is neither specifically covered nor specifically excluded, the insurer will in principle be liable for the loss”.
However, “where there are two proximate causes of loss, one of which is specifically covered and the other is specifically excluded, the insurer can rely on the exclusion in relation to the entire loss”.
So if a casualty is marked by cyber attack, the insurer would likely have grounds to exclude it, Mr Alexander points out.
The controversy doesn’t stop there. Other industry voices believe that the aggregation risk has reached the point at which clause 380 actually needs to be extended, given the challenge of correctly pricing the risks and quantifying the scale of potential exposure.
After all, it might be that thousands of ships are affected in a single incident. This alone incentivises the market to limit cover.
Cyber risk is increasing as connectivity increases and ships carry more technology, they aver. Any new wording should explicitly take into account the growing likelihood of non-malicious attack, they feel.
Insurance Day reported in July that both Lloyd’s and the Prudential Regulation Authority are among those who want to see the clause broadened.
The advantage here would be clarity; at least everybody would know where they stood.
Adding to the need for new forms of cover, Mr Hughes went on, are planned changes to the International Ship Management code, which will incorporate a cyber element from 2021.
This will have insurance implications for vessels that do not have the extent of protection expected under the code, which might lead to issues of seaworthiness.
Inevitably, some underwriters have started to tout standalone cyber risk policies, covering losses arising from damage to vessels, non-physical loss of hire, onshore business interruption, trade disruption, extortion and threat, liabilities and defence costs.
Their basic selling point is that they cover everything clause 380 does not, and buyers can go bespoke, with packages tailormade to fit an insured’s specific cyber risk profile.