Filling the Cyber Coverage Gap in Marine
Take up of cyber insurance in the marine sector to date has been slow, but that’s bound to change.
One key reason is that the maritime industry is changing rapidly, said Dieter Berg, head of marine business development for Munich Re.
“Until recently, ships were isolated, and the logistics process was not technologically advanced. This market is changing very quickly to digital communications and connectivity.”
Those changes include more than just electronic navigation and communication, they extend to smart containers and real-time logistics routing and scheduling.
“This digitalization changes the risk profile for the marine industry,” said Andreas Schlayer, senior cyber underwriter for Munich Re. “The more an operation is electronic, the more the dependence on data changes the risk profile and the behavior.”
Christine Marciano, president of boutique brokerage Cyber Data Risk Managers (CDRM), concurred.
“Marine has been slow to purchase cyber insurance,” she said.
“So far the consensus has been that a marine underwriter can understand cyber more easily, and add that to the policy form, than a cyber underwriter can understand the marine industry. But everyone, insureds and underwriters, are still exploring how best to approach coverage.”
To Schlayer, there is little material difference between a hack and a malfunction in terms of potential P&C losses.
“The question is rather, should the shipper or the container owner or the terminal operator carry the liability? Mixing marine with cyber or P&C with cyber can be confusing. One solution that we have seen in many cases is to exclude cyber.”
Whether a container is lost in a storm because the fastenings fail or because it is stolen at random or targeted from hacked information is a distinction without a difference: The property loss is the same in any case, he said.
“A gap has been identified between property and cyber,” said Schlayer. “Insurers are working from both ends to fill that gap. These are early days so there is no standard yet. But one way of thinking is that cyber is everything nontangible. Tangible things are well to remain within traditional coverage. But in either case, risk management now has to extend to both cyber and property.”
Defining Marine Cyber Loss
Marciano laments the dearth of history, because what happens at sea tends to stay at sea. “There have not been a huge number of instances or losses. Physical losses from cyber perils may be happening more than we know and just not reported. Marine companies are not obligated to report.”
“Cyber attacks are under-reported in general,” said Patrick Hickey, executive vice president and head of U.S. marine for Aspen Insurance.
“A breach of any sort creates questions with customers and no industry or company wants this as a matter of public record so I believe losses are largely under-reported,” he said.
“I believe some marine policies are picking up cyber losses today and that they will continue to uptick in the years ahead.
“The marine industry needs to pay very careful attention to the cyber crime that is sitting at its doorstep,” Hickey said.
New York-based insurance broker Integro is looking for some answers.
“We have a department that handles cyber, and is working with several underwriters on wording for marine coverage,” said Tom Angiolino, principal.
He also noted that the potential market is much bigger than the container ships that first come to mind.
“Marine is highly varied; there are bulkers, tankers and cruise ships. Each has very different risk profiles.” Marine also includes port operations, container yards, ship yards and bulk terminals.
“We identified a growing need two years ago,” said Tracie Grella, head of cyber risk insurance, AIG. “Traditional cyber polices excluded property damage and bodily injury; the policies were designed to focus on financial loss. Many insureds believed that because their P&C or GL policies did not specifically exclude cyber perils that they were covered.”
That may have been true to some extent, but not in every instance. “P&C typically excludes intentional acts, and a hack can certainly be intentional,” said Grella.
“Terrorism is often excluded, as are acts by an insider. As insureds came to understand the risks created by the failure of network security, they started to ask about their coverage more specifically.”
AIG’s product provides potential cyber/physical exposure that includes property damage, bodily injury, business interruption or product liability, along with traditional cyber such as data disclosure, cyber extortion and breach response, she said.
Cost varies widely with the size of the placement as well as the controls and protections that the insured has in place.
“Property damage from cyber peril has been far less frequent, at least less frequently reported, but can be catastrophic.
“There may have been instances of a ship’s navigation being altered, but if it recovered quickly and there was no harm, there was likely no claim reported.
“Both insureds and owners are still coming to understand the P&C risks of cyber,” Grella said.
Earlier this year Lloyd’s introduced a risk code for physical loss from a cyber peril, said Geoff White, business group leader of cyber and technology at Barbican Insurance Group, a Lloyd’s managing agency.
“There has been some take up, but it has not been massive. We are trying to educate owners that there is cover available.
“It is a stand-alone cyber cover with the same underwriting and controls as the other cyber coverage. Pricing is also comparable. In Lloyd’s there is half a billion dollars of cyber capacity.”
Cyber Risk Market
According to Barbican, the global market for cyber risk in 2012 was $850 million in GWP and tripled in three years to $2.5 billion.
In June 2014, a study by the Centre for Strategic and International Studies estimated that cyber crime costs the global economy about $445 billion every year.
No source had figures specifically on marine cyber property premiums, capacity or claims.
Lloyd’s collects anywhere from a fifth to a quarter of global cyber premiums. Barbican itself has seen growth of 350 percent over the last two years, with a 50 percent increase in submissions seen in the first quarter of 2015, relative to the first quarter of 2014; of those submissions, 70 percent were first time purchasers.
Growth for cyber-related physical loss in general, and marine cyber in particular, will be meaningful but will be slower than general cyber has been over the past few years, said White.
“Marine coverage has typically been bespoke; that can be done in cyber too. Anyone looking into new cover should consider a method of risk transfer because cyber relates to any entity, from an individual to the largest corporation.
“Still, the market is likely to be less dramatic, in terms of growth than general cyber has been to date,” he said.
The point that White hopes to drive home is that “the insurance market can actually be very nimble.” The gap in cyber coverage for property and casualty was recognized and is being addressed. “I discuss these things with customers many times a day.”
All the development efforts still come up against the willingness of owners to accept transferring that risk.
“When coverage in this sector was first developed, it was a tough sell because the losses were not there,” said Rob Rosenzweig, national cyber risk practice leader at Risk Strategies.
“Once claims rose there was more understanding and also some regulatory mandates.”
Total losses have still been relatively minimal in examples specific to marine, but those could rise if bad actors see the sector as less prepared and less well protected than the financial, health care and retail operations that have been targeted to date.
“Cyber risk is essentially the same for every industry,” said Aspen’s Hickey.
“It’s the compromising of customers’ data and violation of trust. In addition, the marine industry has to consider the public welfare.
“If hazmat cargoes, or ports handling those goods, are compromised by cyber attacks, the liability to the public is essentially unlimited.
“It’s one thing to have cargo redirected or stolen,” said Hickey.
“If a city adjacent to a port is attacked and, as a result, impacted by a cyber hazmat cloud, the impact could be like nothing we have ever seen.”
Rosenzweig cautioned smaller companies against complacency.
“There are different criminals with different budgets. Sure, there are sophisticated hacker groups that will go after big banks or retailers, but it is easier and quicker for smaller operations to go after smaller targets.”
A mugging rather than a bank robbery. But still a loss. &