|
|
With new International Maritime Organization requirements on cyber risk management imminent, CJC Senior Associate Richard Murray and IEIT Cyberlogic conclude that making ships truly cyber secure involves a marathon not a sprint.
On 1 January 2021, pursuant to Resolution MSC. 428(98), IMO Administrations are to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of a ship's Document of Compliance after that date. The resolution was originally adopted in June 2017 and, while many stakeholders could be forgiven for the distraction caused by this turbulent year, another deadline approaches in shipping compliance.
However, it is important to remember that ‘IMO 2021’ was not developed in a vacuum. Managing cyber risk in the maritime space has been a hot-button topic for over two decades, with the CL.380 Institute Cyber Attack Exclusion Clause receiving rapid and widespread uptake from first party loss insurers for hull and machinery risk on its release in 2003. Variants of the same language were also adopted by many P&I clubs.
Traditional Cyber Exclusion
The clause excludes coverage for losses "directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system."
The wide nature of the drafting led to the misconception that the clause excluded cover in relation to all-types of cyber-related loss, which is not the case. The exclusion is contingent on there being a 'malicious' peril intended to inflict harm using a computer or electronic system.
The increasing digitalization of shipping has not displaced the basic legal and technical notions of what the superstructure and machinery of a vessel consists of. Even if a certain loss is associated with a cyber event or process, cover should not be assumed as being excluded in every situation.
However, where policy terms have been silent on the extent of cyber cover, owners and underwriters pondered whether or not certain non-malicious cyber-related losses were in fact covered. For example, the losses arising from accidently downloading incorrect software updates on board a super yacht with automated rigging or propulsion might still give rise to a covered claim.
If cover is "All Risks", and where there are no grounds to refuse an indemnity for unseaworthiness, unrepaired damage, error in design or other perils, and no evidence of malicious actor involvement; the likelihood that a cyber-related claim untouched by CL.380 could be refused is certainly reduced.
Even so, the situation was far from clear in the minds of many users. On 30 January 2019 the UK supervising body for insurers, the Prudential Regulation Authority ("PRA") wrote to all firms noting that underwriters' awareness of both affirmed and non-affirmed cyber risk should be enhanced- through improved quantitative assessments, claims expertise, and increased risk knowledge . As with modelling all 'new' risks, lack of data on cyber claims has hampered knowledge development.
Changing Risk Perception
The absence of any judicial decision from the English courts, in a claim where the meaning of CL380 was disputed, perhaps gave the (slightly misleading) impression that the bargain between policyholders and first loss insurers for cyber cover was on an established footing.
The perception of the risk owners face from cyber incidents is also relatively asymmetric. Like other businesses, shipping lines increasingly feared the hacking of onshore systems by perpetrators diverting hire or freight payments though elaborate phishing and spoofing tactics; and procured appropriate business liability cover. Meanwhile, the probability that a vessel would be physically lost or damaged through a cyber-attack seemed far more remote.
However, the status quo is being reconfigured in the face of widely publicised cyber incidents (particularly the threat posed from hostile state actors penetrating critical infrastructure), a tougher regulatory environment, pressure from government for key sectors to improve their cyber resilience, and disillusion with CL.380. Key stakeholders have responded.
On the 4 July 2019, a Lloyds of London Bulletin (No. Y5258) mandated that all first party property damage policies incepted on or after 1 January 2020 provide policyholders clarity regarding cyber coverage, by either excluding or providing affirmative coverage; regardless of whether cover is provided on an All Risks basis, or under a list of named perils. The change applies to renewals and new business. Cover holders, line slips and consortia placements are also required to adopt the clarification measures.
Loss Prevention and Implementation
On 3 November 2020 the UK National Cyber Security Centre (NCSC)
|
|
发表于 2020-12-21 10:11
提升卡
变色卡