Cyber attacks represent one of the most significant threats facing the marine and energy sectors. We review current and developing dangers, including groundings and ‘iShips’, and assess the insurance implications.

The increasing interconnectivity of devices and a growing reliance on technology brings with it increasing vulnerabilities. This is not a new concept. However, the potential exposures have transcended far beyond the simple data loss scenarios that were initially contemplated. Catastrophic scenarios now envisioned include significant business interruption, total loss, damage to property and even loss of life.

The state of play

There have already been a number of notable cyber-related marine incidents. To name a few:

  • 2003: a denial of service attack froze a United States (US) port's web service.
  • 2011: hackers working with a drug smuggling gang infiltrated a computerised cargo tracking system at the Belgium port of Antwerp.
  • 2012: criminal syndicates penetrated cargo systems operated by Australian customs and the Chinese military was reported to have allegedly hacked a commercial ship on contract to the US military.
  • 2013: a major fuel supplier fell victim to an online bunkering scam.
  • 2014: a hacker caused a floating oil platform to tilt to one side, forcing a temporary shutdown, and a US port facility suffered a denial of service attack.

Developing dangers

It is increasingly likely that hackers will take advantage of cyber security exposures for malicious ends. Somali pirates have been known to use hackers to infiltrate digital shipping systems so as to identify ships carrying high value cargoes with minimal on-board security.

With over 90 per cent of international trade and transport estimated to be based on maritime transport, the safety of shipping vessels, port operations, marine facilities and other elements of the maritime transportation system is critical to the global economy.

Researchers have identified significant holes in the key technologies sailors use to navigate ships:

  • In 2013, researchers demonstrated that it was possible to change a ship’s direction by faking a Global Positioning System (GPS) signal.
  • An internet security firm was able to exploit a weakness in a ship’s Automatic Identification System (AIS) to impersonate a port authority’s communications with the ship, shut down all communications between the ship and onshore stations and even create ‘phantom’ ships.

The increasing realisation of the vulnerabilities of a ship’s main navigation systems has led to ships passing through known pirated waters either turning off their navigation devices or faking data so it looks like they are somewhere else altogether.

It is now conceivable that a cyber attack could result in a ship’s grounding. Also, with ships getting bigger, and crews getting smaller, companies are increasingly exploring the possibility of autonomous vessels, ‘drone ships’ or ‘iShips’. Unmanned ships will be remotely controlled and use dynamic positioning systems, with data collected from satellites, gyrocompasses and stabilizing sensors to hold position in rough seas. The susceptibility of unmanned ships to cyber attacks is another risk that needs careful consideration.

Managing the gap

In the event of an incident, which policy will respond? Is the loss a product, professional, general or cyber liability?

Typically, marine insurance policies exclude computer-related liability and losses arising from computer and network security failure. One such exclusion is the Institute Cyber Attack Exclusion Clause CL380 (CL380), which is well established and widely adopted across marine and energy policies. Generally, CL380 operates to exclude cover for loss arising from a cyber attack.

Standalone cyber insurance policies typically exclude, or significantly limit, third party property damage and personal injury loss. Up until recently, this left marine and energy companies significantly exposed.

The market has now responded, with a number of insurers offering ‘cyber-gap’ insurance aimed at covering situations that are excluded because of CL380 type clauses.

Conclusion

The increasing number of potential loss scenarios to the maritime and energy sectors poses significant opportunities as well as challenges for insurers and brokers. While insurance cover for cyber attacks in these sectors is an emerging risk market, there is no doubt that cyber attacks continue to evolve at a rapid pace. This is the new shot across the bows that cannot be ignored.