P&I Cover and Cyber risk
At present there are no specific cyber exclusions in standard P&I cover. However, Members are obliged to ensure that cover is not prejudiced by acting in an “imprudent, unsafe, unduly hazardous or improper” way and this obligation extends to their conduct in relation to cyber risks.
At present there are no specific cyber exclusions in standard P&I cover. Members are therefore covered for P&I risks caused or contributed to by a cyber risk (though subject to the war risks exclusion, of which more below). They are however nevertheless obliged to ensure that cover is not prejudiced by acting in an “imprudent, unsafe, unduly hazardous or improper” way and this obligation extends to their conduct in relation to cyber risks.
Class certification and SMS
Members also obligated to ensure that the vessel is classed by an approved Classification Society and that they maintain all statutory certificates issued by the vessel’s flag state. Owners will shortly have to comply with International Maritime Organisation (IMO) “Resolution MSC 428/98 Cyber Risk Management in Safety Management Systems” which mandates that “cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the Document of Compliance after 1 January 2021”.
Consequently, when it becomes a statutory requirement by the flag state after January 2021 to maintain a certified cyber risk management system failure to do so may be prejudicial to Club cover.
War & terror
There is a developing threat of cyber risks of a nature which fall under war risks. Terrorist and ideological hackers are increasingly sophisticated and there is also the risk of state interference in GPS and associated navigation systems.
P&I clubs are not the primary underwriters of war P&I cover, which is often provided as an ancillary cover to an owner’s hull war cover. Liabilities arising out of a cyber-attack on a vessel may therefore fall within the war risks exclusion in P&I cover which excludes “any hostile act by or against a belligerent power or any act of terrorism”.
Whether a cyber-attack is an act of “terrorism” depends on the motivations of the author of the virus released or the hacker attacking systems. The UK Terrorism Act 2000 defines terrorism as being where the acts or threats are “made for the purpose of advancing a political, religious racial or ideological cause”. The definition of an act or threat amounting to terrorism includes those “designed to seriously interfere with or seriously disrupt an electronic system”
IG Clubs do provide a P&I war risk extension cover of up to US$500 million in excess of the amount recoverable under a vessel’s primary war P&I policy, but does not extend to losses caused by “the use or operation as a means of inflicting harm of any computer virus”. This has exclusion has similarities with the commonly used market cyber exclusion clause CL380 and which many primary war risk underwriters incorporate in their policies. This could potentially result in an owner who suffers a cyber-attack that falls within the scope of terrorism finding themselves effectively without cover for P&I risks.
There is however some limited cover offered to their Members by IG Clubs under Supplemental Cover 2004 (Biochemical Risks), but this is only in respect of liabilities to crew and under limited circumstances:
- The Member incurs a liability to a crew of a type that would fall ordinarily within their P&I cover.
- The cause of the liability comes within the scope of war risks exclusion for primary P&I and is not recoverable from the Club for that reason.
- The liability is not recoverable from the primary war risk underwriters:“Solely by reason of the operation of an exclusion of liabilities, costs, losses sand expenses directly or indirectly caused by or contributed to or by or arising from:
- The use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.”
- Cover is limited to “in the aggregate of US$30 million each ship any one occurrence or series therefore arising from one event.”
- Where is more than entry in the Club or other IG Clubs for the same vessel the aggregate limit remains US$30 million for all parties, so limiting a Member’s recovery to a proportionate amount.
Club cover is currently “silent on cyber” (except in relation to war risks) since it does not contain any express inclusion or exclusion of cyber risks.
The Bank of England regulates and supervises financial services through the Prudential Regulation Authority (PRA). On 30 January 2019, the PRA called on Lloyd’s and the insurance industry to take action on the issue of “silent cyber”.
Lloyd’s announced its response on 4 July 2019, mandating that all policies - including first-party property damage policies such as cargo, marine war and marine hull - incepting on or after 1 January 2020 must “provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”
The Club will continue to seek to provide Members with the widest possible cover, but this must of course always be in accordance with the IG Pooling Agreement and the GXL reinsurance contract. As matters stand, as a general rule and subject always to individual certificates of entry, cover provided by the IG Clubs for P&I liabilities are not subject to an exclusion of cyber risks, provided that such liabilities arise from the operation of an entered vessel. The Pooling Agreement includes a clause affirming cover for cyber risks which the IG’s reinsurers follow accordingly.
These terms are reviewed as a matter of course in the run up to every renewal. In the meantime, the Club will continue to provide Members with cover for P&I risks arising from a cyber incident set out above, along with support and advice on their cyber exposure and insurance requirements.