Calculating the Risks of Cyber Attack
At the German Maritime Law Association annual meeting, Captain Markus Wähler, now at Munich RE, presented his experiences on maritime cyber risk management.
For an insurer, the first question is the likelihood of a particular risk - an essential ingredient in determining premiums and creating loss reserves. And since the emergence of the first computer virus in 1985, cyber attacks have, of course, been growing much more frequent.
A "cyber attack" is defined, generally, as the use of malicious code to in some way manipulate or disrupt a computer system.
Typically, cyber crimes are motivated by money, i.e. their goal is extortion. Cyber crimes are different from cyber warfare, cyber terrorism, cyber spying and hacktivism. All of these, however, taken together, are individual facets of cyber risk. Of all recorded, manifested cyber risks, 61 percent involve cyber crime, 28 percent involve hacktivism, seven percent involve cyber spying and four percent involve cyber warfare. Twenty-two percent, i.e. roughly one fifth, of these attacks are targeted against the industrial/business sector.
In a purely actuarial sense, quantifying cyber risks is exceedingly difficult. Estimates of the total annual loss due to cyber risk vary greatly, from $114 billion to over $1 trillion, making any actuarial estimate of the insurable risk exceedingly tricky.
So, how does any of this relate to the maritime sector?
After all, one could easily imagine that ships are largely independent entities, except for their bunkering and provisioning needs. But today, ships are more linked with global networks than ever before - from navigation to communications. It is through these "back doors" that an attack against a ship could take place.
Of course, physical media like USB sticks offer an easy vector for cyber risks as well. Speed, course, draft and other aspects of ship operations could be subject to such an attack. At this time, however, such attacks are extremely unlikely.
But with new technologies being deployed day by day, such as eNavigation, which includes AIS and ECDIS, the reliance of ships on networks, and thus their vulnerability to cyber risks, will continue to grow in tandem.
Offshore installations also carry unique cyber risks. Because of their sometimes physical links to land, e.g. electrical cables and oil pipes, there are more attack vectors. Furthermore, platforms and other offshore equipment frequently have a higher degree of technological complexity than ships.
The value of this equipment concomitantly incentivizes cyber crime against these installations. Interruptions to operations are only one aspect of such a possible cyber attack. And perhaps the biggest risk is to LNG facilities, which rely on very sensitive cooling storage processes.
What types of insurance can be obtained in the marine sector against such risks? At this point in time, Clause 380, the Cyber Attack Exclusion Clause, excludes these cyber risks wholesale. Only specialized underwriters and IT experts, like Munich RE, are offering coverage at present because only these entities have the requisite expertise to properly price the insurance risk.
Anyone in the market for maritime cyber risk insurance therefore has their work cut out for them in shopping their needs out to the big insurance providers, and is well advised to retain adequate legal counsel as a guarantee that their needs will be fully met by the policy they finally take out.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.