NHC Cyber Insurance, Service and Incident Response, 19 October 2017
Why is cyber an insurance concern? Unknown potential for aggregation: Could one single event impact two, ten, fifty, a hundred vessels? How can insurers cope with that uncertainty? Whilst the market is still waiting for the first proper cyber claim, research and experiments indicate that incidents are theoretically possible.
The market approach: Application of the exclusion clause; Reinsurance driven; Aggregation concerns; Lack of expertise in marine / energy markets
The Cyber Gap: INSTITUTE CYBER ATTACK EXCLUSION CLAUSE (CL 380), 10/11/2003. 1.1 Subject only to Clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any electronic system. 1.2 Where this Clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system, computer software programme, or any electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.
War or Marine? It is a common misconception that cyber attack is a war insurance concern only. In the Nordic Marine Insurance Plan (the Plan), the borderline between marine perils and war perils is drawn up in clauses 2-8 (marine perils) and 2-9 (war perils). Clause 2-9: riots, sabotage, acts of terrorism or other social, religious or politically motivated use of violence or threats of the use of violence, strikes or lockouts. It is natural for cyber attacks or similar acts to be categorized as some sort of sabotage. Cyber attacks (although considered sabotage) may well be considered a marine peril if the attack lacks any political, social or religious motivation.
Silence in the policies? Silence in the policies raises a number of issues: How will a market ignoring the cyber risk handle an emergency? How will a market ignoring the cyber risk handle the potential aggregation?
Lloyd's approach: Lloyd's Market Bulletin Y4938, Cyber Attack: managing catastrophe-risk and exposures. Lloyd's requires syndicates to have a specific risk-appetite for cyber-attack across all classes of business. Structured processes for understanding cyber-attack exposures by class of business are to form part of syndicates' formal risk management frameworks. [..] syndicates must then estimate their aggregate potential exposures [..] across all affected lines of business and report aggregate exposures to Lloyd's.
Rating implications: Given the scope of these challenges, we would view aggressive growth in standalone cyber coverage, or movement to high portfolio concentration in cyber, as negative for an insurer's credit profile. Underwriting, pricing and reserving uncertainties would outweigh the potential earnings growth benefits. Controlled growth as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be neutral for the credit profile. Fitch Ratings, 15 May 2017
Balancing act
Marine Cyber Insurance - Extortion & Threat: USD 5m capacity per client; Norwegian Hull Club Conditions; 100% share
Marine Cyber Insurance - Clause 380 Buy Back: USD 50m capacity per fleet; Norwegian Hull Club Conditions; 100% share
NHC Service concept: 24/7 dedicated cyber response service; Risk awareness workshops internally and externally; Realistic cyber extortion scenario training
Risk Engineering: Workshops that involve key users of the different business processes and IT/OT systems, including officers / crew; shore staff (incl. IT staff, representatives of key functions); owner representative and other actors relevant for the business. In these workshops, we raise questions that can help identify specific processes and identify the IT/OT systems involved in them, in order to capture the systems, interactions and critical dependencies for the business.