'Silent cyber' – have you heard it?
This article was co-authored by Ingrid Hu, Trainee Solicitor, London
Cyber risk insurance is generally available to cover organisations for first-party and third-party financial loss, disruption or damage to reputation resulting from some sort of failure of its technological systems (affirmative cover).
However, the growing influence and interconnectedness of technology in almost every sector along with the increasing sophistication of the hacking community, means cyber has become an insidious risk presenting one of the biggest insecurities to businesses today.
So what happens with policies that are silent on cyber but which purport to cover losses that might originate from a cyber-related incident?
The term 'silent cyber' (or 'non-affirmative cyber') has developed to describe losses that are seemingly remote but can be covered by traditional insurance policies not written with cyber exposures in mind and that as a result do not expressly include or exclude cyber risk. But the systemic nature of cyber risk means that this coverage ambiguity has led to exposures originating from cyber perils creeping into conventional lines of business including (but by no means limited to) property and liability, meaning that these policies can unintentionally cover a cyber related loss. This has resulted in the Prudential Regulation Authority and Lloyd’s calling on insurers to address this issue as a matter of urgency.
'Silent cyber' in marine
The modernisation and increased digitalisation of the marine industry has created new ports of entry for hackers, and it must pay careful attention to this extra risk exposure.
The vulnerabilities of technological systems have already been demonstrated in the targeted attacks on Barcelona and San Diego ports last year. Whilst operations were not affected in those instances, the same systems could easily be compromised to cause loss of power, loss of systems’ availability, and port congestion resulting in significant economic disruption to the logistics industry. When Maersk fell victim to the superworm NotPetya in 2017, the company was forced to halt operations at 76 port terminals.
Vessels are not insulated from cyber-attacks either. On-board systems are increasingly connected with each other and the shore, allowing hackers potential access through something as simple as an infected USB brought on board by crew to watch a movie. This, coupled with the widening geographical reach of hackers and the value of a vessel and/or its cargo can make vessels both attractive and vulnerable targets.
A vessel’s navigation system could be compromised, with minimal effort and from afar, to disable or steer a vessel off-course causing collisions or blockages to major shipping channels. We have already seen instances of this – in 2017, hackers took ‘full control’ of a container vessel’s navigation system and the Captain was left unable to manoeuvre until systems were restored 10 hours later. Industrial control systems could be tampered with to destroy perishable cargo, or even to cause fires or explosions on-board.
These events would result in tangible damage which could fall under physical loss or damage in traditional cargo policies.
Furthermore, as vessels become increasingly reliant on technology for their everyday functions, cyber risk will force a reconsideration of the term 'seaworthiness' in the context of the digital age.
'Silent cyber' – the challenges
The challenges facing the insurance industry remain considerable, despite a number of high-profile cyber-attacks. Property Claims Services estimated losses to insurers alone from NotPetya in 2017 to be upwards of USD 3 billion, an estimated 90% of which stemmed from 'silent cyber' cover triggered by physical loss and/or damage.
One of the biggest barriers to the provision of affirmative cover for cyber is the lack of data, models and experience. Insurers are faced with the uncertainty that comes with an emerging risk and the challenges presented by the speed at which the risks are evolving - given that so much of our everyday life is 'cyber-related', many losses under a policy will inevitably have some form of cyber involvement. This is further complicated by the varied and unpredictable nature and motivation behind cyber-attacks – unusually, NotPetya’s primary goal was suspected not to be financial, but rather to cause chaos and disruption.
This difficulty in determining, defining and quantifying potential exposure has led to gaps in coverage. In the absence of traditional methods appropriate for analysing cyber risk, insurers should look to experts and white hat hackers – ethical hackers who use their skills to improve security by exposing vulnerabilities – to help identify and evaluate potential cyber exposure buried within non-cyber policies.
'Silent cyber' – time to listen
In a letter published on 30 January 2019, the Prudential Regulation Authority called on Lloyd’s and the insurance industry to take action on the issue of 'silent cyber'.
Lloyd’s announced its response on 4 July 2019, mandating that “all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage”, applicable to first-party property damage policies (including Cargo, Marine War and Marine Hull) incepting on or after 1 January 2020 and to liability and treaty reinsurance to be phased in throughout 2020 / 2021.
The definition of cyber risk adopted for this purpose is any risk where the losses are cyber-related, arising from either malicious or non-malicious acts, involving tangible or intangible assets. The use of this all-encompassing definition reflects the increased understanding of the wide-reaching impact cyber events can have.
The move will help combat what is currently a grey area and provide much-needed contract certainty for policies that would otherwise expose insurers to 'silent cyber' risks that they did not intend to cover; or to allow insurers to be better informed of the risks that they do cover. Clarity and tighter policy wording coupled with continued growth and awareness of cyber threats will also lead to some self-regulation and risk mitigation as businesses change the way they act to comply with policy requirements.
The pace at which the nature of the risk is evolving and the widespread - and sometimes seemingly remote - losses that can flow from cyber risks means that traditional policies, written before the current digital era, are no longer fit for purpose either because they are silent on the issue or any exclusion is ambiguously worded. The most commonly used cyber exclusion in marine - the Institute Cyber Attack Exclusion Clause (CL380) - fails to account for non-malicious risks. Dating back to 2003, CL380 could not have foreseen the threats that cyber risks present today and, as such, is currently under review.
A pro-active approach to cyber risk management is therefore required and insurers’ would be wise to consider the strength of any exclusion clauses and revise policies prior to the Lloyd’s deadline.