Spyware-on-sea: how insurers can protect maritime infrastructure
Colossal, decentralised and increasingly digitalised, the global maritime transport industry is highly vulnerable to cyber attacks
Cyber attacks on the global merchant fleet are rising and shipping companies need better defences and bigger insurance policies
Throughout human history, a key fact has shaped economies at every level: it is usually easier to move large cargoes by sea than over land.
The invention of the aeroplane ended most long-distance marine passenger services, but ships still dominate cargo movement – according to the World Bank, more than 80% of all goods travel to market by sea.
The result is a vast lattice of maritime infrastructure. According to UN Trade and Development (UNCTAD), there were 105,500 vessels displacing at least 100 gross tonnes in January 2023. Lloyd’s List counts more than 7,000 ports and harbours worldwide and the company maintains a database of 95,408 owners and operators.
Colossal, decentralised and increasingly digitalised, the global maritime transport industry is highly vulnerable to cyber attacks. Hackers, ransomware operators and other malefactors can interfere with navigation, cripple corporate operating systems, steal protected data and damage physical infrastructure.
Although insurers have been in the marine line longer than almost any other sector, cyber insurance is relatively new and the market remains fairly shallow. While cyber attacks on maritime targets are becoming more frequent, marine operators may be insufficiently protected from them, both in terms of their countermeasures and their insurance cover.
Increasingly cybernetic
Robert Dorey, group chief executive of managing general agent (MGA) Astaara, says “the proportion of IT dependency [in the maritime sector] is growing generally and there is increasing connectivity between IT and ‘operational technology’”.
Some parts of maritime operations, like communication, navigation and cargo tracking, rely almost entirely on digital systems, Dorey says. Dry bulk carriers increasingly use electronic bills of lading. At sea, vessels use automated systems for navigation, maintenance and engine control. On land, some ports have automated cargo-handling cranes and logistics firms can use IT for inventory management and security.
Digital technology also handles the interface between ship and shore. Svante Einarsson, head of maritime cyber security advisory at Norwegian classification society DNV, says: “The International Maritime Organization [IMO] has mandated cyber risk management of electronic data and systems onboard vessels.”
Tom Scriven, principal strategic consultant at Google-owned cyber security firm Mandiant, says the growing extent of digitalisation “further adds to the complexity of the situation by increasing the attack surface area”.
Shipping and port operators, like all other businesses, are likely to make even more use of information technologies in the coming years. Yara Birkeland, a Norwegian vessel that began sailing in 2022, is intended to be the first fully autonomous, uncrewed cargo vessel.
The need to cut greenhouse gas emissions will also require more use of technological solutions. In its Review of Maritime Transport 2023, UNCTAD said the maritime sector would need to use IT more extensively to reduce its carbon footprint. For example, digital technologies can improve modelling of fuel use and make port management more efficient. Einarsson says IT applications also reduce the risk of accidents.
A crescendo of cyber attacks
The maritime sector has already experienced high-profile cyber attacks. The Maritime Cyber Attack Database (MCAD), a record kept by a research group at NHL Stenden University of Applied Sciences in the Netherlands, has counted more than 160 cyber attacks on marine targets since 2001. MCAD includes attacks on warships as well as civilian vessels.
James Pearce, account executive for financial lines at re/insurance broker Gallagher, tells Insurance Day cyber attacks have become increasingly frequent since the start of this decade. “There was a reported 400% increase in maritime cyber attacks during 2020 and a 900% increase in attacks targeting ships and port systems over the previous three years,” Pearce says. “Major seaports have reported an average of 10 to 12 cyber attacks a day.”
Tom Walters, partner at global law firm HFW, says “attacks on vessels remain rare or are certainly going unreported”. However, cyber attacks on shipping and land-based infrastructure are becoming more common, he indicates. Scriven agrees cyber attack numbers on shipping sector targets are rising, although this may be a byproduct of “growing awareness and stricter reporting requirements”.
Cyber assailants are a mix of private criminals and state agents. Stephen McCombie, professor of maritime IT security at NHL Stenden and leader of the MCAD research team, tells Insurance Day cyber attackers fall into three main categories: “traditional cyber criminals”, who also attack other sectors; “sea pirates and smugglers”, who have adapted their traditional activities to cyberspace; and governments and those working on government contracts, who may use cyber attacks for spying or in geopolitical and regional conflicts.
“There is a broad range of threat actors, ranging from bored teenagers to [a] sophisticated professional organisation that may have political motivations,” Walters says, adding that finding a culprit can be difficult.
Individual attacks can cause millions of dollars – or even hundreds of millions – in damage. Participants in a 2023 survey of industry professionals conducted by consultancy Thetius and its partners, including HFW, reported each cyber attack cost them an average of $550,000. For ransomware attacks, respondents said the average payment was $3.2m.
At the higher end of the scale, Danish shipping giant Maersk suffered $300m in losses after its IT systems were infected with NotPetya ransomware in June 2017. In January 2023, ransomware operators struck DNV itself, affecting perhaps 1,000 vessels that use its ShipManager software.
Across the maritime sector, cyber attacks could cause billions in damage. In 2019, the Cyber Risk Management (CyRIM) consortium, which includes Lloyd’s and Aon, published a report describing three cyber attack scenarios in the Asia-Pacific region. In the worst-case scenario, involving 15 Asia-Pacific ports, CyRIM calculated a maliciously introduced virus could cause almost $110bn in total losses. The scenario planners estimated insurance would only cover about 8% of these losses.
Scriven neatly sums up the overall impact: “Generally, cyber attacks on the maritime sector are low-frequency but high-impact events.”
Regulatory response
The IMO adopted new guidelines governing the management of cyber risk in 2017, which came into effect at the start of 2021. The IMO resolution stipulates “an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM [International Safety Management] Code”. The IMO urged national regulators to incorporate cyber risk considerations into their regulatory oversight.
The International Association of Classification Societies (IACS) has built upon the IMO resolution, passing new standards for assessing the cyber readiness of ships and ship’s equipment, which came into effect at the start of 2024. The new IACS regulations “are designed to increase resilience across the industry by requiring cyber security to be factored in, from the initial design stage for new vessels and throughout their operational lives”, Walters says.
National and regional regulators have also introduced new requirements for shipping operators. Dorey tells Insurance Day the US Securities and Exchange Commission now obliges listed companies to inform it of cyber breaches and make annual cyber readiness reports.
“European marine operations with more than €10m of revenue and with more than 50 employees will be captured from October 18, 2024 under NIS [Regulation] 2 with more onerous requirements to manage cyber risk,” Dorey adds.
The first line of defence is you
Marine operators have at least two lines of defence against cyber attacks: their own cyber security systems and their insurance cover. Neither is necessarily sufficient.
In the Thetius survey, published in the 2023 report Shifting Tides, Rising Ransoms And Critical Decisions, 67% of respondents said their businesses had spent at least $100,000 on cyber defences, up from 44% in 2022. However, 44% in the 2023 survey replied “they have no idea about how much their organisation invests in cyber security management each year”.
McCombie believes maritime operators should devote more attention to cyber threats than they currently do. “I think there are limited budgets and often physical security is seen as a much higher priority,” he says, but this is changing as cyber attacks become more frequent.
For the carriers that seek to protect shipping, the problem may not be lack of concern but limited information. “I think it is challenging for insurers to assess the likelihood and impact of a maritime cyber attack due to limited data available,” McCombie says.
Walters also mentions cost pressures. “Shipping is an industry based on slim margins where operating costs are closely scrutinised,” he says, so companies will only implement inexpensive forms of defence like staff training.
“Until there is an example of physical damage to a vessel and/or a claim being brought in the High Court relating to the vessel’s (un)seaworthiness, cyber security will not become a top priority for owners and operators,” Walters argues.
Einarsson mentions the sector must overcome “outdated systems, lack of cyber security awareness and the evolving nature of cyber threats”.
“While significant progress has been made, continuous investment in cyber security training, technology and best practices is essential,” Einarsson continues.
Insurers themselves can help marine operators better understand their vulnerabilities and improve their defences. “Brokers and insurers often conduct risk assessments to identify vulnerabilities in a company’s cyber security infrastructure,” Pearce says. They may also offer training and help with drafting countermeasures and recovery plans.
Einarsson mentions several services insurers can provide, including threat surveillance and evaluations of potential risk and cyber security defences.
The second line of defence is insurance
Andy Maher, head of cyber and technology at Axis’s London office, says “cyber coverage is not included in a standard marine policy as per a 2020 Lloyd’s mandate”. That year, Lloyd’s required insurance providers to specify whether their policies included cyber attack protection.
Standard marine insurance carries “malicious cyber exclusions”, Dorey says. The standard exclusion, known as CL380, stipulates a policy will not “cover loss, damage, liability or expense directly or indirectly caused by or contributed to, by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any electronic system”.
Protection and indemnity (P&I) clubs do offer “mutual cover”, which extends to cyber attacks but does not cover war or terrorism, Dorey continues, while “fixed-premium P&I cover will have malicious cyber exclusions contained therein”. Walters highlights that “politically motivated cyber attacks” may fall outside existing categories of marine coverage, including war risks policies.
In any case, “traditional marine insurers have no skill sets to manage the unique cyber exposures and aggregation challenges”, Dorey believes, whereas cyber insurers will examine a client’s defences and ability to recover from cyber incidents.
Insurers have developed specialised cyber products for shipping, Pearce says. These trigger in cases of physical damage or business interruption and provide for “incident response” services. Maher says shipping companies tend to seek dedicated “cyber security property damage” policies to cover the gap created by the cyber exclusion in standard policies.
“However, we are seeing a consistent uptick in demand for marine CY [traditional cyber] cover as the awareness of cyber threats and how they can impact all areas of businesses continues to increase,” Maher adds.
Walters notes that Astaara and Beazley are offering cyber cover specifically for the marine sector. Dorey says his MGA’s offering is “unique in offering risk management/loss prevention services within the insurance product; and independently of insurance”.
Maher says Axis introduced its present marine cyber offering, which is a property policy, in 2020. “Our marine cyber cover provides one aggregate limit that can be shared across both areas of cyber coverage [property and traditional cyber], so the customer selects the areas they want to cover,” Maher adds.
But despite the availability of these policies, Einarsson says “many maritime sector businesses still lack sufficient cyber coverage”.