Cyber Attacks Against Ships – Are You Covered?
Imagine this scenario: A ship’s captain is given a laptop by a relative. It contains a virus, and the captain is unaware of this. The laptop is used aboard a ship without anti-virus protection and the virus infects the ship’s systems. The vessel collides with another ship.
Scenarios like this are why cyber risk is a major concern for the marine industry, and they raise questions about how insurance would respond.
Some shipowners have given permission to specialist companies to carry out cyber-attack penetration tests. A recent vulnerability test concluded that it was possible to:
- Disrupt the electronic chart display and information system (ECDIS) and show misleading radar information.
- Distort the ship’s location.
- Hide natural ocean obstacles.
- Disable essential machinery.
- Override fuel and ballast management systems.
It is easy to see how an attack could result in catastrophic consequences, but what is less clear is how traditional insurance would respond.
The Institute Cyber Attack Exclusion Clause (ICAEC) states:
“Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process, or any other electronic system.”
The effect of this exclusion in a marine hull insurance policy is unclear. In the UK, it has not been tested at law; therefore, any view is based on our understanding of how the exclusion language may be interpreted by insurers.
Without the ICAEC, to advance a claim, the shipowner needs to discharge the burden of proof and show that the loss occurred due to a peril it is insured against. In order to avoid the claim, insurers would have to show that the claim was excluded in another way.
The ICAEC potentially changes this position. Insurers may opine that the meaning of the first paragraph of the exclusion is absolute, and that the clause does not require insurers to show that the malicious code was the proximate cause of the loss, only that it contributed to it.
Keeping this in mind, you should:
- Check whether your hull insurance cover is subject to the ICAEC or similar.
- Be up to date with industry guidance, such as BIMCO’s The Guidelines on Cyber Security Onboard Ships.
- Make sure to adequately stress test processes and systems.
- Have a robust command and control strategy for dealing with an attack.
- Take steps to meet current and future obligations in vessel cyber security. For example:
1. Tanker owners, subject to vetting under the Oil Companies International Marine Forum, are required to incorporate cyber risk as part of their policies from 1 January 2018.
2. The International Maritime Organization’s Resolution MSC.428(98) requires that cyber risks are appropriately addressed in safety management protocols and the international safety management (ISM) code by 1 January 2021.
Marsh will continue to look at the implications for shipowners of future cyber-related events.