Cyber-risk exclusion clauses have been applied across nearly all areas of marine insurance apart from protection and indemnity cover, but how long can that continue?
The issue came into focus for shipowners last year when the Lloyd’s of London market required underwriters to clarify whether malicious cyber-attack was included as an insured risk, due to confusion in the market.
Underwriters responded by writing explicit cyber-risk exclusion clauses into many hull and machinery, loss of hire and war risk policies. Owners have since had to turn to supplementary bespoke cyber insurance to fill the gaps in cover.
Ince senior partner Julian Clark likens the shuffling of cyber-risk between underwriters to a game of “pass the parcel”.
Mainstream P&I insurance, which is controlled by shipowner mutuals, has so far maintained cyber-attacks as an insured risk.
But even that is showing signs of coming under pressure. From the beginning of this year, P&I clubs included cyber exclusion clauses in their fixed premium and charterers P&I business, which are both handled outside the main mutual P&I lines.
However, the ability to maintain cyber in the mutual P&I insurance is set to be tested at the renewal of the International Group of P&I Clubs’ $3.1bn reinsurance policy in February.
The general expectation is that the International Group’s reinsurers are likely to seek to apply a cyber exclusion clause to the policy.
The group’s reinsurance scheme kicks in for claims in excess of $100m. The big question for the clubs will be whether they can still maintain cyber cover within their own retention if it is excluded from their upper layer of reinsurance above $100m.
Clark thinks the renewal talks pose a dilemma for the clubs.
“Come this renewal, if the exclusion goes into the reinsurance contract — and I’m pretty sure it will — that is going to create a problem. The clubs are either going to have to adopt the exclusion or continue to keep cyber cover in place, but then they won’t be back-to-back on their reinsurance cover,” he said.
If the terms of the mutual cover are not in line with the International Group’s reinsurance, it could create issues with Civil Liability Convention certification, also known as Blue Cards, Clark suggested.
Legal test
The clubs will also face questions over the interpretation of terms such as “malicious” or “harmful” attacks, which have yet to be legally tested.
“The problem ... with the cyber exclusion is what does it mean — what is harm, what is malicious and what is not malicious? It has not been judicially tested, so that is an issue,” he said.
The view from the P&I clubs is that they have a long-running relationship with their reinsurers and the strength of those ties will help them forge a deal on cyber when the policy is renewed.
Some managers are not concerned about the reinsurance renewal because they believe the chances of a cyber-related P&I claim eating into the international P&I reinsurance cover is remote. P&I cover usually includes third-party liability costs such as pollution, salvage, wreck removal and damage to cargo.
Not so, said Clark, citing the grounding of the 20,388-teu Ever Given (built 2018) in the Suez Canal. The incident was unrelated to a cyber-attack but, in theory, he said, it is the sort of casualty that could be caused by a malware attack on on-board systems and lead to a P&I claim of more than $100m.
“There is no evidence that the Ever Given had anything to do with cyber, but it very easily could have been. An attack on operational technology that moves the rudder a couple of degrees could very well cause a grounding like the Ever Given to close Suez,” he said.
Amid the uncertainty around cyber cover and marine insurance, Clark believes owners should be checking policy terms and taking extra care to make sure ship and shore operations are cyber-resilient.
“One of my mantras when speaking to assureds is: one, go for a quality cyber insurance product, really invest in loss prevention, get cyber drills in place and make sure you know what you are going to do in the event of an attack. Look at adding clauses that confirm P&I cyber coverage and confirm you are back-to-back on hull terms.”
