RECENT DEVELOPMENTS IN CYBER SECURITY IN THE MARITIME INDUSTRY

JUSTIN WHELAN, PARTNER

E: JUSTIN.WHELAN@HFW.COM

T: +971 2 235 4913

This presentation has been prepared by HFW MEA LLP exclusively for the AIDA event on 4/5 October 2019 and is not to be distributed

INTRODUCTION

• Background

• Digitalisation

• Damage

• Incident examples

• Insurance

• Guidance and Regulations

• Summary

BACKGROUND

“Data is the new oil”

Clive Humby,

UK mathematician and

architect of Tesco Clubcard

“Data really powers

everything that we do”

Jeff Weiner, LinkedIn CEO

“Cybercrime is the greatest threat

to every profession, every industry,

every company in the world.”

Ginni Rometty, IBM President & CEO

“Cyber is uncharted territory. It's going to get worse,

not better. There's a very material risk which didn't

exist 10 or 15 years ago and will be much more

intense as the years go along.”

Warren Buffet, Berkshire Hathaway Chairman & CEO

BACKGROUND

• Cybercrime 2nd greatest global risk behind environmental risk.

• Cybercrime landscape vastly more sophisticated over last 5 years.

• Dark web economy USD 6 trillion.

• Do not need to be skilled-can purchase professional hacking services on underground market place.

• Very cheap list of itemised services.

• Such services even offer customer service departments.

BACKGROUND

EUROPEAN UNION AGENCY FOR NETWORK AND

INFORMATION SECURITY ( ENISA) THREAT LANDSCAPE

REPORT 2018 - MAIN TRENDS:

• Cyberattacks increasingly automated.

• Mail and phishing messages are primary malware infection

vector.

• IoT emergence a concern due to lack of protection

mechanisms.

• Technical orientation is an obstacle towards raising

awareness of executive management.

MARINE DIGITALISATION

• Increased connectivity from ship to shore.

• IoT supported routes.

• Predictive maintenance.

• Crewless ships and unmanned vessels.

• Standardised fleets.

• Collision detection and avoidance.

• Real time data exchange.

• Always-on satellite communications.

MARINE DIGITILISATION

2015-2018 Internet access growth in maritime sector – FutureNautics 2018 Survey

MARINE DIGITALISATION

• BYOD – Average seafarer brings at least 3 devices on board

• FutureNautics 2018 Survey

• 72% bring smart phones

• 58% bring lap tops

• 47% bring ordinary phones

• 13% bring smart watches

• 8% bring fitness trackers

• Wide range of cyber risks

• First and third party data

• Financial loss

• Misappropriation of goods

• Business Interruption

• Reputational Damage

• Intellectual property

• Physical damage

• Personal injury

DAMAGE

• 2011-2013 Mafia hacked Port of Antwerp.

• 2013 – Chinese Military hacked commercial ship contracted to US navy.

• 2016 – Somali pirates hacked container systems.

• 2016 – North Korea hacked GPS signals to ships in Port of Incheon.

• 2017 – 20 ships spoofed in Black Sea.

• 2017 – AP Moller Maersk infected by NotPetya – closure of 76 terminals.

MARINE INCIDENTS

• 2017 – Cyberkeel reported medium sized shipping firm hacked by competitor.

• 2018 – Cosco hit by ransomware across the Americas.

MARINE INCIDENTS

• Maritime sector among worst affected by NotPetya June 2017.

• Ships, ports, logistics disrupted.

• Mumbai, Rotterdam, New York, Los Angeles ports and terminals closed.

• No market uniform coverage terms

• Common terms include e.g.

• Notification to authorities of ransomware/extortion

• Reasonable steps to avoid/mitigate loss

• Claims control – insurer right but not obligation

• Claims cooperation – provision of all relevant information and data

INSURANCE

• Coverage typically includes e.g.

• Restoration of first party data

• Third party liability arising from data breach

• Ransomware/Extortion

• Business interruption

• Reputational damage

• Incident response

• Regulatory fines where permissible in law

INSURANCE

• Coverage typically excludes e.g.

• Physical damage

• Personal injury

• Losses occurring prior to retroactive date

• Cloud failure

• External services

• Fraud, dishonesty, reckless conduct of a director/senior officer

• Use of illegal software

• Losses recoverable under another policy

• Uninsurable fines

INSURANCE

INSURANCE

• MANY TRADITIONAL POLICIES DESIGNED WHEN CYBER WAS NOT THE RISK IT IS TODAY AND CYBER RISKS NOT EXPLICITLY EXPRESSED

• JULY 2017 PRA PUBLISHED SUPERVISORY STATEMENT (SS) 4/17 SETTING OUT ACTIVE MANAGEMENT OF NON-AFFIRMATIVE (‘SILENT’) CYBER RISK

• MAY 2018 PRA SURVEY,

• IN ASSOCIATION WITH INDUSTRY ASSOCIATIONS AND LLOYDS

• largest silent exposure risk across casualty, financial, motor and A&H lines

• wide divergence of views in potential exposure within property, marine, aviation and transport lines from anywhere between zero risk to full limits

• low silent exposure risk for energy lines due to use of CL380

• January 2019 PRA noted responsibility on insurers to align with expectations of SS4/17 and expected:

• Adjustment of premium to reflect additional risk of silent cyber

• Offer of explicit specific limits of cover

• Introduction of robust wording exclusions

INSURANCE

• Adjustment of premium

• Cyber underwriting is a specialist class, pricing and aggregation across cyber risks requires expertise.

• Lack of historic data/models to quantify risk.

• Rating not keeping up with frequency and extent of loss events.

• Market conditions.

INSURANCE

Explicit cover

• Cybercrime and potential for silent cyber

losses increasing across all lines,

particularly tech-heavy areas such as

marine, transport and property.

• July 2019 Lloyd’s Market Bulletin

Y5258 – all policies to be clear on

whether coverage is provided for losses

caused by a cyber event

INSURANCE

Explicit cover

• July 2019 Lloyd’s Market Bulletin Y5258

• By 1 January 2020 all first party property damage risks, including marine and energy lines, must contain explicit policy language as to whether cyber coverage exists or is excluded.

• Applies to new and renewal policies, whether written on an All Risks or Named Perils basis. Includes direct and facultative.

• For liability lines and treaty reinsurance - working group carrying out market consultation details to be released early 2020.

INSURANCE

Explicit Cover

• July 2019 Lloyd’s Market Bulletin Y5258 –

• ‘For the avoidance of doubt, Lloyds view policies where no exclusion exists and there is no express grant of cyber coverage as ‘non-affirmative’. In all these cases action should be taken to provide clarity of coverage for customers to comply with the requirement’.

• 2020 PRA to conduct 'deep-dive' review of firms to assess how expectations are being met.

INSURANCE

Exclusions

• Marine hull, cargo and liability policies commonly use Institute Cyber Attack Exclusion Clause CL380 to exclude cyber incidents.

• 1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process of any other electronic system.

INSURANCE

• CL380

• Malicious exclusion. Any computer/electronic system used to inflict harm = excluded.

• But incident not ‘as a means for inflicting harm’ e.g. employee error/accident = not excluded.

• Burden on underwriters to prove ‘as a means for inflicting harm’.

• Drafted in 2003 – anachronistic.

• Issue today is security of data - howsoever the breach.

INSURANCE

Explicit cover – Write backs

Write backs can significantly increase exposure of cyber claims

Commonly used LMA model cyber wordings have narrow scope and do not introduce coverage for new perils

Majority of LMA model clauses address only malicious cyber incidents

INSURANCE

Explicit cover - Write backs

• CL380 1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection or civil strife arsing therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses which would otherwise be covered arising from the use of any computer, computer system, computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

Does not introduce coverage for a new peril - provides coverage for otherwise covered losses triggered by a cyber incident.

INSURANCE

Explicit cover - Write backs

• Specie Clause JS2018-001 as per CL380 1.1 and 1.2 plus

• 1.3 It is understood and agreed that Clause 1.1 shall not apply to an otherwise covered physical loss of or physical damage to the Insured’s property caused by a Targeted Cyber Attack. The burden of proving cover under this write-back shall be on the Insured.

• For the purpose of Clause 1.3 Targeted Cyber Attack means the use or operation, as a means of inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system where the motive is to inflict harm solely on (or upon) the Insured or the Insured’s property.

• Again, does not introduce coverage for a new peril - provides coverage for otherwise covered physical losses caused by a Targeted Cyber Attack i.e. a malicious attack.

INSURANCE

Explicit cover - Write backs

• Electronic data endorsement NMA2914 and NMA2915 exclude all losses resulting from ‘ loss, damage, destruction, distortion, erasure, corruption or alteration of Electronic Data’

• Non-malicious exclusion

• Write back then provides cover for otherwise covered perils of fire and explosions resulting from loss of Electronic Data.

INSURANCE

Explicit cover

Ambiguity in cyber coverage unhelpful to all concerned - ultimately leads to litigation

Need to agree scope of write-back cover between Insurer and Insured

Need for cyber perils to be adequately evaluated and priced, and for cyber products to evolve

INSURANCE

Exclusions

• May 2019 International Underwriting Association of London (IUA) proposed:

• IUA 09-081 Cyber Loss Absolute Exclusion Clause - designed to broadly exclude any direct or indirect loss, malicious or otherwise incl. liability for human error/accident; and to give clarity to definitions

• IUA 09-082 Cyber Loss Limited Exclusion Clause - designed to do the same as 09-081 but only in respect of direct losses

INSURANCE

• IUA 09-081 Cyber Loss Absolute Exclusion Clause

• 1. Notwithstanding any provision to the contrary within this contract, this contract excludes any Cyber Loss.

• 2. Cyber Loss means any loss, damage, liability, expense, fines or penalties or any other amount directly or indirectly caused by:

• 2.1 the use or operation of any Computer System or Computer Network;

• 2.2 the reduction in or loss of ability to use or operate any Computer System or Computer Network or Data;

• 2.3 access to, processing, transmission, storage or use of any Data;

• 2.4 inability to access, process, transmit, store or use any Data;

• 2.5 any threat or any hoax relating to 2.1. to 2.4 above;

• 2.6 any error or omission or accident in respect of any Computer System, Computer Network or Data.

INSURANCE

IUA 09-082 Cyber Loss Limited Exclusion Clause

• 1. Notwithstanding any provision to the contrary within this contract, this contract excludes any Cyber Loss.

• 2. Cyber Loss means any loss, damage, liability, expense, fines or penalties or any other amount directly caused by:

• 2.1 the use or operation of any Computer System or Computer Network;

• 2.2 the reduction in or loss of ability to use or operate any Computer System or Computer Network or Data;

• 2.3 access to, processing, transmission, storage or use of any Data;

• 2.4 inability to access, process, transmit, store or use any Data;

• 2.5 any threat or any hoax relating to 2.1. to 2.4 above;

• 2.6 any error or omission or accident in respect of any Computer System, Computer Network or Data.

INSURANCE

• Computer System – any computer, hardware, software, application, process, code, programme, information technology, communications system or electronic device owned or operated by the Insured or any other party. This includes any similar system and any associated input, output or data storage device or system, networking equipment or back up facility.

• Computer Network – group of Computer Systems and other electronic devices or network facilities connected via a form of communications technology, including the internet, intranet and virtual private networks, allowing the networked computing devices to exchange Data.

• Data – information used, accessed, processed, transmitted or stored by a Computer System.

INSURANCE

• Chris Jones, IUA Director

“These two new model clauses provide broad policy exclusions which may be utilised as a starting or reference point for underwriters offering cover for traditional business classes that may include an element of cyber risk.

By developing class-specific write backs insurers can then explicitly state the extent of any cover provided for such losses.”

INSURANCE

INSURANCE

International Association of Engineering Insurers (IMIA) Advanced Cyber Exclusion 2018

1. Any loss, damage, liability, costs or expenses directly or indirectly caused by or contributed to or resulting from the cyber incidents as set forth in the following provisions a) to g) are not covered by the Policy, regardless of any other cause or event contributing concurrently or in any other sequence to the loss, damage, liability, costs or expenses

a) Damage to or Loss of Data occurring on the Insured’s Computer Systems, or

b) A Computer Malicious Act on the Insured’s Computer Systems, or

c) Computer Malware on the Insured’s Computer Systems, or

d) A Human Error affecting the Insured’s Computer Systems, or

e) A System Failure occurring on the Insured’s Computer Systems, or

f) A Defect of the Insured’s Computer Systems, or

g) A Cyber Extortion

2. Where this Cyber Exclusion is endorsed on policies covering risks of war or terrorism this Cyber Exclusion shall also

exclude Cyber Terrorism or Cyber War according to Clause 1 above.

INSURANCE

International Association of Engineering Insurers (IMIA) Advanced Cyber Exclusion 2018

Draft Write Back 1

Subject to the terms, conditions, deductibles, limits, exclusions and extensions contained in this Policy, this Cyber Write Back Endorsement obliges the Insurer to indemnify the Insured for any loss, damage, liability or expense which the Insurer would have been able to decline solely due to the operation of Clause 1 and/or Clause 2

Draft Write Back 2

It is hereby agreed and understood that the Advanced Cyber Exclusion shall be amended as follows:

Clause 1 and Clause 2 shall be deleted.

INSURANCE

‘A.M Best believes a transition to standalone cyber policies may contribute to better pricing and reserving methods, which ultimately may lead to refinements in modelling tools and contribute to more accurate understanding of risk aggregation’

INSURANCE

• New marine products.

• Beazley ‘Cyber Defence for Marine.’

• Affirmative cover for physical damage and loss of

hire arising from cyber incident impacting vessel

operational facilities.

• Based on risk management services via inclusion of :

‒ Self-assessment questionnaire

‒ Cyber security workshop

‒ On-board cyber survey

• DNV GL service provider for preparation

and assessment services.

INSURANCE

• Beazley ‘Cyber Defence for Marine’

• Covers single commercial vessels

and fleets.

• Purchased standalone or as

extension to hull policies.

• Limits

‒ Loss of hire – US$5m

‒ Physical damage – US$50m

• No internationally agreed marine cyber

regulations in force yet - but policyholders

will need to show took all reasonable steps

to prevent foreseeable loss/liability.

GUIDANCE

• 2016 – UK Government Security Code of Practice for Ports & Port Systems.

• 2017 – UK Government Cyber Security Code of Practice for Ships.

• 2017 - BIMCO, CLIA, INTERCARGO, INTERTANKO, IUMI, OCIMF – Guidelines on Cyber Security Onboard Ships.

• 2017 - OCIMF third edition Tanker Management and Self-Assessment Guide (TMSA3) - necessary for oil transporters to certify vessel cyber secure.

REGULATIONS

• In 2017 IMO Maritime Safety Committee set out high level recommendations for cyber risk management.

• By 1 January 2021:

• Cyber security requirements to be formalised under Chapter IX International Convention for the Safety of Life at Sea (SOLAS) Regulations 1-6, Management for Safe Operation of Ships.

• IMO to incorporate mandatory cyber security requirements into International Safety Management Code (ISM).

GUIDANCE

2019 IMO Maritime Safety Committee endorsed 3rd version of industry guidelines on cyber security on board ships.

• Not intended to be technical guidance.

• Aims to raise understanding and awareness of cyber risk management.

• Includes information on cyber incident response/recovery and cyber risk management in safety management systems.

PROPOSALS

• 2019 Proposals before IMO for interim guidelines

for autonomous shipping.

• Countries looking to align global regulations with fast

developing technology.

• Finland, Japan, South Korea, UAE – as well as BIMCO

– raised concerns IMO will not have guidelines in place

before implementation of technology.

• Working group to agree what defines various levels of

autonomy and how to certify on-shore operators of

autonomous ships.

• IMO Maritime Safety Committee preparing scoping

exercise to develop a regulatory overview.

MARITIME RESPONSE

• No reference to cyber liability in standard contracts widely used by maritime industry.

• Increasing need to focus minds and apportion liability between parties.

• June 2019 BIMCO launched maritime industry's first standard cyber security clause.

• Contractual obligation to:

• implement “appropriate” cyber security procedures and systems

• update counterparts and share information so as to mitigate losses

• No contractual obligation to insure liability.

• Likely to be catalyst for discussions between charterers and ship owners.

SUMMARY

• Increased digitalisation

• Increased risk

• Increase in new insurance products

• Increased regulation

• Increased compliance

©2019 Holman Fenwick Willan LLP. All rights reserved

Whilst every care has been taken to ensure the accuracy of this information

at the time of publication, the information is intended as guidance only.

It should not be considered as legal advice.

Americas | Europe | Middle East | Asia Pacific

THANK YOU

This presentation has been prepared by HFW MEA LLP exclusively for the AIDA event on 4/5 October 2019 and is not to be distributed