In this article, we will explore the emerging topic of cyber risk and P&I (Protection and Indemnity) coverage in the maritime and insurance sectors.
Cyber risk has become an increasingly relevant concern for companies around the world. Cyber threats are constantly evolving and can cause significant damage to businesses, including data breaches, theft of sensitive information, and financial loss. Companies in the maritime field, in particular, face unique challenges from this new phenomenon because of the special nature of their activities.
Cyber-attacks on shipping companies such as Maersk, CMA CGM and HMM have shown that the threat is real and can cause serious financial and operational damage. As a result, more and more shipping companies are considering the need to obtain insurance coverage for cyber risks on the shore side and improvements on the sea side. For casualties at sea, the standard P&I cover includes cyber risks in its terms, albeit with lower limits. The events covered include the unintentional installation of malware by the crew and the resulting damage, or any other cyber-related damage that gives rise to a liability to third parties. However, such cover alone leaves owners uninsured for the costs of restoring systems and data, and for losses where a vessel goes off hire or is unable to trade as a result of a cyber-attack.
Nevertheless, there are many limitations and exclusions to take into account. For example, where a cyber casualty is linked to a public aim, it will probably be excluded from the P&I cover and fall under war risks. The P&I war risk cover will then come into force, although only in the second instance, up to the H&M insurance's limits. Moreover, the P&I war risk cover is subject to other limitations, which in this case would also affect the cyber risk coverage. Where cyber events are intended to cause damage to people or property, the war risks cover will exclude them too. P&I clubs have tried to cover liabilities for these specific events, at least in part, by creating a special pool to insure such casualties, up to 30M, under the Bio-Chemical cover, which includes the limitations of the war cover above but only in regard to crew and legal liability.
It is essential to point out that P&I insurers provide coverage only for risks connected to the ship; consequently, there is no extension to the shore side. There are, however, specific insurers with expertise in cyber risks who can cover wider risks, such as the hacking of banking payments, but they do not offer insurance products for marine matters; they are focused on shore-side cyber risks. Although the cover offered by P&I clubs is limited where cyber risks are connected with a public cause or targeted at causing damage, something will change in the near future: because this is an emerging issue, the IG clubs will enlarge their P&I risk cover in response to market demand. The IG is already working on these themes to meet shipowners' need to cover such risks. The first example is the new insurance product offered by the Steamship Mutual Club, aimed at helping shipowners respond to a cyber-attack on their vessels and insuring them for any loss of income arising from it.
A major part of cyber casualties still results from human error or poor consideration by management; for this reason the International Maritime Organization has modified the ISM and ISPS Codes to implement cyber security guidelines. It is vital for the marine field to integrate cyber risk management into existing management systems in order to reduce and avoid such casualties, which are potentially hazardous to the safety of ships and port infrastructure, as well as financially and reputationally damaging. Surely, the most important touchpoints for driving the biggest improvements in risk outcomes are leadership, training, and culture. Marine companies will have to adopt best management practices for cyber risks and stay up to date with new standards and governmental directives if they want to be able to protect their assets and data in an increasingly complex and threatening environment.