June saw a further warning for marine insurers about the nature and extent of their potential exposure to cyber risk.
In the last 18 months or so, the maritime sector has worked hard to address cyber security. The IMO has issued Guidelines on Maritime Risk Management, and cyber security should now form part of a Safety Management System. Marine insurers have similarly been increasingly active in this area.
Two events in 2017 illustrated just how real this risk has become. First, on 22 June, the US Maritime Administration posted a report of an incident in the Black Sea. It described how the crew of a ship had discovered that its GPS system was no longer working properly and, rather than placing the ship in its correct position off the Russian port of Novorossiysk, GPS was showing it to be more than 32 km inland at the Gelendzhik Airport.
The ship’s captain contacted some 20 other nearby ships and discovered that their AIS systems also placed all of them at Gelendzhik Airport.
If confirmed, this will be the first successful spoofing of marine GPS systems. An attack of this nature is of much more concern than simple jamming of GPS, which had previously been considered a more likely danger. The reason is that when a vessel loses contact with a GPS system, an alarm will normally sound, alerting the crew to the problem. Where the system is spoofed, however, so that it continues to operate but provides misleading information, no such alert is provided.
Although the source of this spoof is unknown, it is widely believed to have been authorised if not executed by the Russian Government testing its cyber warfare capabilities. That may be a cause of concern in itself but, clearly, if the technology comes into the hands of terrorists or criminals, one can imagine the chaos that may ensue.
The extent of this problem was highlighted by a further series of incidents which occurred thousands of miles from the Black Sea off the Korean Peninsula. Hundreds of South Korean fishing boats have been forced to return to port after their GPS systems were jammed. Again, the source of the jamming is unknown but almost certainly emanates from North Korea.
Clearly, these incidents are a concern for mariners but do they also present difficulties for insurers? Many marine policies will contain cyber exclusion clauses often based on the well-known clause CL380. This clause excludes insurers’ liability for
“loss, damage, liability or expense directly or indirectly caused by or contributed by or arising from the use or operation as a means of inflicting harm, of any computer, computer system, computer software programme, … or process or any other electronic system”.
As with all policy exclusions, it will be for insurers to prove on the balance of probabilities that a particular exclusion has been triggered. In incidents such as those in the Black Sea and off the coast of Korea, that may not be a straightforward process. There is also some uncertainty over the construction of terms such as “… as a means for inflicting harm …” which is key to the operation of the clause.
Further, commercial pressures mean that this clause can appear in a more diluted form or be excluded altogether from the policy.
This is not just a marine problem, however: many land-based transport systems also rely on GPS technology, and it is widely used in industries as diverse as energy, mining and aviation. GPS systems in these sectors must also be vulnerable to the kinds of incident that we have seen recently, and it is far from clear that insurers of those classes of business will have the necessary policy exclusions.
This is another example of the continuing evolution of the cyber risk and the constant need for insurers to review their policy wordings.