Published 28 February 2022
50 predictions: Construction & Engineering
After a flurry of regulatory and governance activity in 2017, market attention towards marine cyber risks had gone comparatively quiet until 2021 when a re-energised focus emerged following the implementation of International Maritime Organisation (IMO) Resolution MSC.428(98). In essence, the resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.\n
After a flurry of regulatory and governance activity in 20171, market attention towards marine cyber risks had gone comparatively quiet until 2021 when a re-energised focus emerged following the implementation of International Maritime Organisation (IMO) Resolution MSC.428(98). In essence, the resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 20212.Being advisory in nature, the resolution did not fundamentally alter the regulatory environment of marine cyber risk management. It did, however, provide a useful practical framework upon which insurers could build up a platform of best practice for the mitigation of cyber risk, forming as it did so a foundational element for some marine cyber policies.Regarding the nature of that risk, a valid question to ask is, what makes marine cyber special? The widespread use of ransomware by threat actors is largely agnostic of industry sectors, so why is there a need not only for specialised cyber insurance, but for cyber insurance relating only to the marine sector? The answer lies in two parts: (i) the fact that marine sector activity is broadly split between very different legal, regulatory, and physical environments ashore and afloat; and (ii) the differences between vulnerabilities in ships relating to information technology (IT) and to operational technology (OT).On the first issue, a number of insurers offer what is essentially a rebranded version of their standard cyber cover for ashore operations. This means that all of the basic business administration needs of the shipping industry can be covered in much the same way as any other commercial concern. Cover often includes ‘cradle to grave’ breach response services, with the inherently international nature of the marine sector accounted for in these provisions. In a sector in which numerous business administration nodes are likely to be located in different jurisdictions, but share a network vulnerability, such considerations are crucial. Afloat cyber cover is often linked to, or offered as an extension to pre-existing hull products and loss of hire policies.Regarding the second point above, it is important to understand the differences between IT and OT, but also to appreciate their increasing interconnectedness. In basic terms, IT cover generally relates to data loss and business systems interruption; conversely, OT cover deals with potential physical damage caused by interruption to operational functions such as steering gear, propulsion, or instrumentation. Advances in technology mean that OT is increasingly networked, both between component systems, and with external networks. This is particularly the case with regard to system diagnostics and fault rectification applications. Although these developments have given rise to significant advances in ship safety, they present a degree of risk in so far as any vulnerability to a network to which OT is connected may give rise to an associated vulnerability to that piece of OT.If the potential vulnerability outlined is especially serious, it is at least conceptually possible that physical damage might occur. Whilst the most extreme examples remain unlikely, such vulnerabilities to OT may very well mean a loss of redundancy to system-monitoring for example, which could place a strain on lean-crewed ships which, in turn, could give rise to greater vulnerability of physical damage. This is where an aggregation of marine insurance products becomes important. Whilst the cyber aspect of cover will relate principally to IT afloat, an IT vulnerability may increase an OT risk, and an OT risk may increase the potential for individual error, for example, or situational mismanagement, creating the risk of physical damage. In destructive maritime incidents, it is rarely, if ever, one single issue that causes a collision, fire, or flood3; however, it is entirely plausible that a cyber-incident could form a constituent part of the causal chain leading to physical damage, particularly where OT is adversely effected.The scope for legal support in this growing market is clear, creating as it does a complex and interrelated array of potential areas of dispute. Breach response counsel in this sector will be in as much demand as elsewhere, with the possibility for greater international and inter-organisational integration of legal advice across multiple jurisdictions and regulatory frameworks.References1Guideline on Maritime Cyber Risk Management, MSC-FAL.1/Circ.3 5 July 2017.2Maritime Cyber Risk Management in Safety Management Systems. Resolution MSC.428(98).3The International Safety Management (ISM) Code. International Maritime Organisation.DAC Beachcroft is pleased to welcome cyber-specialist barrister, Tom Evans, who joins Marine, Energy and Transport Insurance Partner, Toby Vallance, in developing its marine cyber offering. Tom joins from the Royal Navy, in which he has held high profile maritime cyber advisory roles in NATO, the Ministry of Defence and the US Department of Defense in the Pentagon. Bringing a wealth of experience in the areas of cyber breach, AI, autonomy and maritime legal and regulatory compliance, Tom adds unique expertise to Toby’s well-established marine insurance team. Both Toby and Tom welcome enquiries on all aspects of marine cyber incident response and advisory work using the contact details below.