Insurance Gaps Leave Shipping Exposed to Cyber Attacks
Ships exposed through GPS systems, have limited back-up; cyber insurance typically doesn't cover jamming, property damage.
Shipping companies grappling with the threat of cyber attacks on vessels are finding insurance policies often fall short, officials involved in both industries say, a risk that could feed through into global prices.
Digitalisation means electricity networks, emergency services, industry and agriculture are all vulnerable to hacking by criminal gangs for extortion or, for political reasons, by militant groups or foreign states.
But ships are also exposed to interference through electronic navigation devices such as the Global Positioning System (GPS) and lack the backup systems airliners have to prevent crashes.
With 90 percent of world trade transported by vessels, the stakes are high. Gaps in insurance for ship owners and the disruptions that could cause have the potential to drive up both industrial and consumer prices.
In a particularly secretive industry, information about the nature of attacks is scarce, which insurance and shipping officials say is an obstacle to mitigating the risk.
There is also a gap in provision, because most existing cyber or hull insurance policies will not cover the risk of a navigation system being jammed or physical damage to the ship caused by a hacking attack.
"Shipping is very vulnerable not just to jamming of their systems but now to spoofing as well," said professor David Last, strategic advisor to the government-affiliated General Lighthouse Authorities of the UK and Ireland, referring to devices that can transmit false GPS signals.
The most high-profile reported cyber attacks involving shipping so far had wider targets.
Last year, South Korea said hundreds of fishing vessels had returned early to port after its GPS signals were jammed by North Korea, which denied responsibility, and an earlier hack by drug traffickers diverted containers in Belgium's Antwerp port.
Other cases have had a lower profile: U.S. Coast Guard officials have said GPS interference disrupted operations at an undisclosed U.S. port for several hours in 2014 and reported a similar attack at a non-U.S. port, also unnamed, in 2015.
In the latter attack, the Coast Guard said affected ships were able to navigate using radar, compasses and landmarks and urged operators to make sure such skills were not lost. It also called for more information-sharing on cyber threats.
North, a British based international marine mutual liability insurer, said last month there were likely to be gaps in cover as there was little data and risks were not well understood.
Jamie Monck-Mason, executive director for cyber and TMT at insurance broker Willis Towers Watson, said attacks on ships were not covered by the insurance shipowners have traditionally held.
"Marine hull and cargo policies typically contain a cyber attack exclusion," he said, while adding that large policyholders could negotiate to have the exclusion removed.
However, an earlier report by North said attempts to cause shipping accidents were rare at the moment. "The risks of this are currently thought to be low for most companies," it said.
A veil was lifted on the scale of the wider problem when CSO Alliance, a trade association for maritime security professionals, said a quarter of the ship owners represented at a confidential workshop it had run admitted cyber incidents in the past year.
Ship operator Consolidated Marine Management said in a presentation last month that "ransomware" attacks, where hackers scramble a ship's computer system and seek a ransom to unscramble it, were one of the main challenges.
Regulators are also concerned that a "silent" property policy - which neither mentions nor excludes cyber attacks - is not adequate, a problem too for other industries that face cyber attacks on their property such as power plants.
Britain's insurance regulator said in November such policies could leave insurers open to large losses from cyber breaches and that policy holders "may find it challenging to understand whether they are covered".
The world's number one container shipping line Maersk acknowledged the cyber risk to its fleet and said it was working to mitigate it. "We currently see a trend towards the gap in insurance cover being closed," it said.
Products are emerging from specialist insurer Sciemus Cyber Ltd as well as large insurers such as American International Group Inc(AIG), while reinsurer Munich Re is also developing cover.
"It's about figuring out how to connect the gap between a property loss and a cyber loss," said Dieter Berg, head of business development, marine at Munich Re and president of the International Union of Marine Insurers. "This is the process of discussion with the client - where is your exposure?"
AIG launched a standalone cyber policy last year, CyberEdge Plus, which protects the policyholder from property damage among other issues. It did not immediately respond to a request for pricing comment and has previously declined to discuss pricing.
Sciemus was not immediately available to comment on the cost of its policies. It has said it charges energy utilities about $100,000 for $10 million in data breach insurance and as much as seven times that to cover attacks causing physical damage.
Following an attack on a Ukrainian power plant in 2015, large utility companies have warned of their exposure to cyber risks in annual reports to regulators and that their insurance coverage might not cover all expenses related to an attack.
Those kind of warnings are largely absent from company reports in the shipping world, which is just waking up to the risks and has tight margins to take into account due to a near decade long industry slump.
Graeme Charnock, chief financial officer with Peel Ports, which operates Liverpool port among other terminals in the UK and Ireland, said it was going through a risk assessment and would share it with its insurers in due course.
"To the extent cover is available, it will ultimately come down to how much it costs as measured against the perceived threats."
By Jonathan Saul and Carolyn Cohn