5 minute read
Cyber
The silent cyber debate within the marine sector
Silent cyber is not an easy matter for the insurance market and risk managers in the marine sector and all others are not very happy with the way it has been handled by the insurance market. Claire Davey, Broker, Cyber Practice at Marsh JLT Specialty explains how this important topic affects the marine sector and what needs to happen next.
The deadline of 1 January has been and gone, and the silent cyber debate continues within the maritime insurance sector. Leading insurers such as Allianz and AIG publicly announced their intention to deal with this tricky matter last year and so the year-end renewal was always going to be a defining moment. The situation had to be clarified for the benefit of all – customers, brokers and insurers. It was mandated by Lloyd’s (Y5258), issued in July last year, and recommended by the Prudential Regulation Authority (PRA) that syndicates and insurers clarify the extent of cyber coverage within maritime insurance products. This impacts areas such as P&I, hull and marine, cargo and yachts, in addition to non-marine lines of business. Having completed the 1 January renewal season, and progressing into the first quarter of 2020, it is timely to highlight the misinformation and confusion in the market regarding silent cyber.
One very important fact to note is that Lloyd’s has mandated that syndicates clarify whether they intend to provide cover for losses arising out of a cyber-incident. It has not mandated that cover should be removed. Lloyd’s has not, however, prescribed a particular clause or approach that syndicates should adopt. This is leading to a proliferation of clauses being applied across the London market.
Company markets have not been ‘mandated’, only recommended, by the PRA to clarify whether the intention is to provide cover for losses arising out of a cyber incident. This means that they may choose the easy way out for now, and remain silent, as opposed to adopting an appropriate clause. This is not ideal.
The preferred approach, from the insured’s perspective, is to adopt a clause which provides affirmative coverage for losses arising out of a cyber-incident.
The likelihood of being able to successfully negotiate this clause is largely
dependent on market conditions for that particular line of business.
Whichever clause is applied to a maritime policy, the risk manager needs to be sure to check that it addresses malicious acts, and non-malicious i.e. operational error. Another important point to bear in mind is that, whichever clause is applied to the maritime policy, the risk manager needs to be sure to check that vague terms such as ‘computer system’, ‘data’, or ‘computer network’ are defined.
Also, beware of ‘carvebacks’. Risk managers need to check that the carveback offered is an affirmative carveback for all the coverage that is excluded and not a partial carveback. To confirm, exclusion carvebacks do not provide the insured with more cyber coverage than they had previously.
Even if the renewal is not due until later in 2020, it is prudent to discuss this matter with the broker as soon as possible. This will enable the insured to agree a strategy and alternative risk transfer solutions can be negotiated, if required.
AVOID COSTLY DISPUTES While the Lloyd’s mandate is a positive, pro-active approach, the market must be conscious that we are not sticking plasters on policies that were not intended to provide cyber coverage. As we have seen with cyber losses being notified to property insurance programmes, these insurers did not expect to indemnify such losses and, in turn, this can cause lengthy and costly disputes which all parties would rather avoid.
Key maritime cyber risks include the threat of malicious attacks on, or operational error of, operational technology, software and data. Unless these lead to property damage, it is unlikely that an existing maritime policy will pick up the losses arising from such risks not just the property damage, but also the enterprise risk.
EVEN IF YOUR RENEWAL IS NOT DUE UNTIL LATER IN 2020, IT’S PRUDENT TO DISCUSS THIS ISSUE WITH YOUR BROKER AS SOON AS POSSIBLE, IN ORDER THAT A STRATEGY CAN BE AGREED UPON AND ALTERNATIVE RISK TRANSFER SOLUTIONS CAN BE NEGOTIATED.
Claire Davey, Marsh JLT Specialty
A fit-for-purpose, stand-alone, cyber insurance policy would cover: l Lost income caused by loss of hire and costs involved to get back up and running; l Cyber incident response costs (legal, PR, IT forensics, crisis management, notification of data subjects) l Cyber extortion payments; l Privacy regulatory fines/penalties and investigation costs; l Third party damage claims and defence costs arising from the loss of personal or corporate data; and, l Data and software restoration costs. As with the silent cyber endorsements, there are many cyber insurance products available in the market. As a result, it can be confusing as to which offering provides the most value to your organisation. With the increasing reliance on technology, a cyber insurance policy is an efficient risk transfer method, but the following points should be considered ahead of making a purchase: 1. Which loss scenario is most likely? 2. Which loss scenario is likely to cause the biggest financial impact to your balance sheet? 3. How much cover do you have under existing policies? 4. Do you want to share your policy limit with other insureds, or know that it’s yours alone? 5. What existing cyber defences do you have in place? Would you benefit from building relationships with new cyber security/forensics vendors? 6. Revisit these questions on an ongoing basis – your answers may change, and this issue isn’t going away.
The Global Maritime Issues Monitor 2019, published by the Global Maritime Forum in partnership with Marsh, identified that cyber attacks and data theft were likely to have a large impact and high likelihood in the next 10 years. The maritime sector is in the crosshairs between geo-political risk and cyber risk, meaning that its exposure is at an all-time high. Yet, the transience and off-site positioning of mariners means that their cyber awareness training is often patchy.
The aforementioned report also identified the need for diversity within the maritime industry – and the two issues of cyber security and diversity are not mutually exclusive. Greater diversity would bring an array of skills, cultures and perspectives to the maritime industry, which could not only increase its technical cyber-readiness, but, also provide an alternative view on its risk management.
Insureds will have to look outside of the usual maritime pools of talent, or upskill those within the industry, in order to respond to this ever-pressing concern. When employees are the weakest link, it only seems natural that hiring and talent development practices should be one of the first functions under the spotlight.
In conclusion, cyber risk is ever-evolving, in the threats that it poses and the technical solutions on offer. It’s only right that our challenge and questioning of risk transfer solutions continues alongside this to make sure that insureds are advised of all the options and select the most appropriate for their risk appetite and ever-changing exposures.
