Insurance gaps leave
shipping exposed to growing cyber threats
Send a link to a friend
[January 13, 2017]
By Jonathan Saul and Carolyn Cohn
LONDON (Reuters) - Shipping companies grappling with the threat of cyber
attacks on vessels are finding insurance policies often fall short,
officials involved in both industries say, a risk that could feed
through into global prices.
Digitalization means electricity networks, emergency services, industry
and agriculture are all vulnerable to hacking by criminal gangs for
extortion or, for political reasons, by militant groups or foreign
But ships are also exposed to interference through electronic navigation
devices such as the Global Positioning System (GPS) and lack the backup
systems airliners have to prevent crashes.
With 90 percent of world trade transported by vessels, the stakes are
high. Gaps in insurance for ship owners and the disruptions that could
cause have the potential to drive up both industrial and consumer
In a particularly secretive industry, information about the nature of
attacks is scarce, which insurance and shipping officials say is an
obstacle to mitigating the risk.
There is also a gap in provision, because most existing cyber or hull
insurance policies will not cover the risk of a navigation system being
jammed or physical damage to the ship caused by a hacking attack.
"Shipping is very vulnerable not just to jamming of their systems but
now to spoofing as well," said professor David Last, strategic advisor
to the government-affiliated General Lighthouse Authorities of the UK
and Ireland, referring to devices that can transmit false GPS signals.
The most high-profile reported cyber attacks involving shipping so far
had wider targets.
Last year, South Korea said hundreds of fishing vessels had returned
early to port after its GPS signals were jammed by North Korea, which
denied responsibility, and an earlier hack by drug traffickers diverted
containers in Belgium's Antwerp port.
Other cases have had a lower profile: U.S. Coast Guard officials have
said GPS interference disrupted operations at an undisclosed U.S. port
for several hours in 2014 and reported a similar attack at a non-U.S.
port, also unnamed, in 2015.
In the latter attack, the Coast Guard said affected ships were able to
navigate using radar, compasses and landmarks and urged operators to
make sure such skills were not lost. It also called for more
information-sharing on cyber threats.
North, a British based international marine mutual liability insurer,
said last month there were likely to be gaps in cover as there was
little data and risks were not well understood.
Jamie Monck-Mason, executive director for cyber and TMT at insurance
broker Willis Towers Watson, said attacks on ships were not covered by
the insurance shipowners have traditionally held.
"Marine hull and cargo policies typically contain a cyber attack
exclusion," he said, while adding that large policyholders could
negotiate to have the exclusion removed.
However, an earlier report by North said attempts to cause shipping
accidents were rare at the moment. "The risks of this are currently
thought to be low for most companies," it said.
A veil was lifted on the scale of the wider problem when CSO Alliance, a
trade association for maritime security professionals, said a quarter of
the ship owners represented at a confidential workshop it had run
admitted cyber incidents in the past year.
[to top of second column]
An oil tanker sits anchored off the Fos-Lavera oil hub near
Marseille, France, October 15, 2015. REUTERS/Jean-Paul Pelissier/File
operator Consolidated Marine Management said in a presentation last month that "ransomware"
attacks, where hackers scramble a ship's computer system and seek a ransom to
unscramble it, were one of the main challenges.
Regulators are also concerned that a "silent" property policy - which neither
mentions nor excludes cyber attacks - is not adequate, a problem too for other
industries that face cyber attacks on their property such as power plants.
Britain's insurance regulator said in November such policies could leave
insurers open to large losses from cyber breaches and that policy holders "may
find it challenging to understand whether they are covered".
world's number one container shipping line Maersk acknowledged the cyber risk to
its fleet and said it was working to mitigate it. "We currently see a trend
towards the gap in insurance cover being closed," it said.
Products are emerging from specialist insurer Sciemus Cyber Ltd as well as large
insurers such as American International Group Inc(AIG), while reinsurer Munich
Re is also developing cover.
"Itís about figuring out how to connect the gap between a property loss and a
cyber loss," said Dieter Berg, head of business development, marine at Munich Re
and president of the International Union of Marine Insurers. "This is the
process of discussion with the client - where is your exposure?"
AIG launched a standalone cyber policy last year, CyberEdge Plus, which protects
the policyholder from property damage among other issues. It did not immediately
respond to a request for pricing comment and has previously declined to discuss
Sciemus was not immediately available to comment on the cost of its policies. It
has said it charges energy utilities about $100,000 for $10 million in data
breach insurance and as much as seven times that to cover attacks causing
Following an attack on a Ukrainian power plant in 2015, large utility companies
have warned of their exposure to cyber risks in annual reports to regulators and
that their insurance coverage might not cover all expenses related to an attack.
Those kind of warnings are largely absent from company reports in the shipping
world, which is just waking up to the risks and has tight margins to take into
account due to a near decade long industry slump.
Graeme Charnock, chief financial officer with Peel Ports, which operates
Liverpool port among other terminals in the UK and Ireland, said it was going
through a risk assessment and would share it with its insurers in due course.
"To the extent cover is available, it will ultimately come down to how much it
costs as measured against the perceived threats."
[© 2017 Thomson Reuters. All rights
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.