The shipping industry is becoming ever more reliant on technology, making it at the same time more vulnerable to cyber attacks. Protection from cyber threats is key, although there are a lot of uncertainties in this field as well. Obtaining insurance for a company’s assets in case of a cyber attack is one way of making sure the ship owner or operator stays protected. Nonetheless, there are numerous challenges at the moment with regard to cyber risk insurance.
In an interview with World Maritime News, Lars Lange, Secretary-General of the International Union of Marine Insurance (IUMI), said that the main challenges with cyber risk are threefold.
“Initially, the threats and vulnerabilities of the risk must be identified, which can be challenging as cyber risk is constantly evolving and developing. Once these have been identified then the risk exposure must be assessed accordingly to see how it can be insured. Finally, it is vital that the insured’s crew, staff and all stakeholders are trained and educated on the potential dangers of cyber risk in order to gain a better understanding of the issue and how to protect themselves from it,” Lange explained.
Speaking of the role of marine insurers in helping maritime industry players protect themselves from cyber attack risks, Lange said that IUMI’s role “is to invest in educating and informing our members on key trade issues, as well as helping in assessing the risk.”
“Through cooperation with all stakeholders and partnerships with a variety of other organizations, we are using our knowledge and expertise to ensure accurate risk assessment of cyber attack risks and helping to identify and implement best practice solutions.”
IUMI is an active member of two industry-working groups created to better address cyber safety concerns. Namely, IUMI is a member of the joint industry-working group, spearheaded by BIMCO, which recently published the second edition of “The Guidelines on Cyber Security Onboard Ships”.
The new version includes information on insurance issues, as well as a new subchapter examining a shipowner’s insurance coverage following a cyber incident, as this is an important part of the risk assessment that shipowners should now take into consideration.
IUMI is also part of the International Association of Classification Societies (IACS) Joint Working Group on Cyber Systems which supports the IACS Cyber Systems Panel. This panel was introduced to focus on developing recommendations as a first step.
“Alongside all of this, we are also engaged in the transparent discussion of cyber threats and are particularly part of the discussions at the International Maritime Organization (IMO),” Lange explained.
WMN: How would you assess the market preparedness to cyber threats following the Maersk attack and BIMCO’s release of recommendations on cyber security management? Should this preparedness and risk assessment be mandatory for shipowners?
Lange: The market is certainly making progress on cyber security and recommendations such as BIMCO’s Guidelines of Cyber Security Onboard Ships are steps in the right direction. But the industry is not ready yet since this is a “moving target”.
Activities are underway to make the risk assessment of cyber threats mandatory for shipowners. At the Maritime Safety Committee (MSC) 98 Meeting (June 2017) it was decided that cyber risk management onboard ships should become part of the ISM Code and accordingly, it would be part of the ship’s mandatory Safety Management System by 2021. IUMI welcomes this. The same direction was chosen by the EC’s “NIS directive”.
WMN: Based on your experience, has there been a rise in insurance claims due to cyber attacks?
Lange: Not yet to our knowledge which is why cyber risk is challenging to assess. It is likely that there have been many cyber incidents that have already happened without knowing that the root cause of the incident was cyber. When it comes to potential cyber attacks there is a lack of claims experience.
WMN: How high could damage claims from a cyber attack go, should systems on board ships like 20,000 TEU containerships or VLCCs get hacked? What are the worst-case scenarios?
Lange: Anything is possible, from a disappeared single container up to a total loss of a vessel and total loss of the cargo to an act of “cyber piracy”. At this stage, our claims experience is very limited and we do not have examples of major incidents so we do not know yet the impact that a “successful” attack could have, but it should be taken very seriously.
WMN: As efforts on making autonomous ships a reality gain pace, what are the main risks to be considered from an insurance point of view? How would the removal of crews from ships impact situations such as response to fires and groundings along with damages resulting from such occurrences?
Lange: This will be determined by the technological development of autonomous shipping – will the vessel be remote controlled? Will the vessel have crew support? Will it have a completely autonomous system? These questions need to be answered to have a better understanding of the potential risks.
Autonomous shipping will certainly impact the insurance sector and at IUMI we are monitoring the developments and working on understanding the potential risks but it is still too early to judge what impact it will have.
Nowadays, the majority of claims are due to human error so autonomous shipping is a positive development but it will pose new threats in relation to cyber and technology, of course.
WMN: In conclusion, what is the way forward for the maritime industry in tackling insurance-related issues stemming from technological advancements, including automation and digitalization? Should bigger and more technologically-advanced ships be a cause of greater concern for marine insurers?
Lange: I do not believe that bigger and more technologically advanced ships need to be a cause of concern, as long as we are prepared and understand the risk then we will be a competent partner to the industry by providing knowledge, expertise, recommendations, and assistance with risk assessment and mitigation.
The marine insurance industry is based on risk and we will not shy away from what needs to be done in order to be prepared.