Attacks and Protection
In the next twelve months, businesses will experience on the order of 1.5 million cyber incidents (Ponemon Institute, 2016). If we assume that cybercriminals, like the rest of us, celebrate Christmas and New Year’s, take vacations and a few days sick leave, we can estimate that about 5,000 incidents occur daily, or about 208 each hour someplace on the globe. In the ten minutes it takes to read this post, 35 incidents will take place. So, it’s not unreasonable to think that some readers may need to respond to an incident before they’ve had the chance to finish. We’ll be brief.
Reported incident frequency is expected to keep growing at a very rapid rate, and the actual rate will likely be higher still. As intrusions become more sophisticated, they often remain undetected until long after they’ve penetrated, and to avoid adverse publicity a fair number of incidents are never reported at all.
But reported or not, targets quickly realize that incidents are costly. A prudent response will require legal counsel, crisis managers and forensic experts. Systems and software will need to be cleansed and restored and files rebuilt. New hardware may be required, and while that’s being installed you’ll want to mount a competent public relations effort to contain client losses. Regulators will require that you reach out to every afflicted data owner and guarantee that identity theft is monitored and minimized, so think about multiple call centers running 24/7. And if your breach has impacted vendors and customers, it is never too early to prepare a defense for third-party claims.
In 2016, Advisen estimated a 30% increase in the number of cyber incidents which led to business interruption losses, but even more damaging are reputational losses. These are hard to quantify, but to the extent customers consider a cyber incident indicative of a lack of dependability or preparedness, reputational losses are hard to recover from. This is especially true when you compete in a fragmented business, like maritime services, where many firms offer products and services with only minor differentiation.
These financial threats have made cyber insurance the fastest growing business segment for many of the estimated 50 carriers now offering these policies. From under $1 billion in 2013, cyber premiums are expected to exceed $7 billion in 2020.
But growing faster than incidents and insurance premiums are the number of conferences, seminars, books, software, guidelines, regulations, certifications, warnings and solutions – all designed to help your business avoid becoming a cybercrime statistic. This post will focus on the financial aspects of cybercrime. We will examine common exposures, how the insurance you have will respond, and whether additional insurance has value. We will consider the impact of failure, when all the books, software, seminars, regulations, and warnings fail to prevent a cyber incident.
Behavioral economists would explain that cybercrime is a rational economic response to the three objectives of those who engage in cybercrime. Those objectives are: 1) simply profit, 2) profit and disruption designed to promote and fund awareness of an ideology or grievance, and 3) “recreational hacking”. Cybercrime is a cheap, efficient, quick, and simple way to raise money and gain attention, and it’s safer than piracy, kidnapping, traditional theft, drug dealing, and human trafficking. But keep in mind, these deliberate attempts to exploit the weaknesses of your IT and operational systems are only half the story. While half of all cyber events are deliberate, the balance are innocent: unintended, at most negligent, acts by an employee, vendor, or visitor to your vessel or operations center, where the only weapons employed are iPhones, laptops, memory sticks, and portable data storage devices. Negligence is predictable and manageable, but not avoidable; accidents happen. Combined, intentional and unintentional cyber events cost businesses an estimated $445 billion in 2016 (RMS blog).
Let’s get back to economic efficiency. Kidnap and ransom is profitable, and at times the motivation is political. Kidnap and ransom is globally about a $100 million business for Al Qaeda. Pre-2008, Somali pirates managed to generate about $100 million a year in kidnapping. But there are costs. Pirates need to get paid, anywhere from $30,000 to $75,000 per year and even more if they bring their own weapons.
Compare piracy to a ransomware or malware attack. Ransomware is a much better business: it has lower expenses, fewer management problems, and you can work at home. The biggest problem with a successful ransomware effort might be storing, transferring and accessing the gains, but recent ransomware threats have demanded cryptocurrencies so that contact with traditional financial institutions may be avoided. It is estimated that ransomware proceeds approached $1 billion in 2016. With that kind of revenue, we anticipate pirates returning to school to learn how to write code.
Let’s consider how vulnerable the increasingly data-driven and connected maritime transport business has become. In 2013, teams of students from the University of Texas and Cornell University, motivated only by the promise of good grades, used about $2,000 in equipment and their programming skills to commandeer a 65-meter superyacht in the Mediterranean. This was accomplished by spoofing the vessel’s electronic charts, which caused the master to pursue an alternate course.
Fortunately, this was a controlled experiment and the students had the necessary permissions. But not so in April 2016, when 280 vessels were forced to return to port after experiencing corruption of their navigation systems, an event linked to North Korea.
We have learned a lot in the past few years. An unnamed spokesperson for a container line stated in 2014, “We consider cyber risk a threat, but vessels are no more vulnerable to such attacks than onshore systems and organizations, we are taking this risk seriously and ensuring that we are protected against such threats.”
In 2017, after suffering a multi-hundred-million-dollar loss following a global malware incident, the company said it suffered “significant business interruption” and that its “antivirus programs were not effective protection” and it was installing “different and further protective measures.”
What is the prudent financial response to the threat of a cyber event? The prudent response is determined by considering:
So what are your chances of being a cyber-victim? Publicly, the head of cyber underwriting at a prominent global carrier was quoted describing his job as, “Throwing darts at a dartboard.” Cyber insurance is new. Cyber insurance is not standardized and there simply is not enough data for sustainable precision in rate setting. Your chances of becoming a victim were described by a knowledgeable attorney at Blank Rome, “…the question is not if, it is when.”
But not everyone agrees. The Joint Hull Committee predicted in 2015 that, “The risk of loss or damage caused to or by a ship as a direct result of cybercrime is currently low for bulk or general cargo shipping, but higher for specialised or technically advanced ships….” P&I club North of England recently advised its members,
“Until relatively recently, cybersecurity has not been an issue for ships. They were not connected to the outside world…now…they are not only networked…they are also connected.”
Maritime trades are connected, and part of what is called “the internet of things”. Maritime industries will not face material liabilities from the unauthorized release of customer lists; they will face liabilities resulting from physical loss, bodily injury and business interruption.
What can it cost?
Ordinary data breaches might cost a company $4 million according to a recent Ponemon Institute data breach study. The costs to the Port of Antwerp, where a breach was perpetrated by drug smugglers, were reported to be in the $10 million range. World Fuel Services lost $18 million to an online bunkering scam. Pirates have successfully breached the firewalls of a container shipper to identify containers carrying millions in high value cargo.
Owners know the value of their vessels and equipment and the anticipated revenue and profitability of every charter and voyage. Recovery from a breach can take weeks. Owners routinely insure against fire and collision, war and weather, piracy, and loss of use. What operators need to consider is whether the threat of cybercrime is as real as the threats routinely insured against.
Though a business may not have purchased cyber specific coverage, valuable cyber protections can sometimes be found in conventional insurance forms. A review should start with business property policies.
“All risk” policies covering business property on vessels and land-based locations may provide indemnification for loss of equipment, and possibly data. But exclusions are often found. In UK forms, endorsements NMA 2914 and 2915 exclude losses consequent to electronic intrusion. Also, look for war risk exclusions. A virus or malware which is politically motivated may be considered a form of terrorism and therefore excluded. Your broker may have succeeded in having these exclusions removed, but it may take a claim to find out for sure. Lloyd’s reported,
“…there is significant ambiguity in policies where cyber is neither affirmed nor excluded, so until we experience a catastrophic loss we might not know how much cyber coverage is embedded in common policy forms.”
Review the cover on your vessels. On hull policies, members of one of the international group clubs or another mutual arrangement may expect to find Institute Clause 380, which denies coverage where the loss is the result of a cyberattack. But fortunately, P&I policies do not exclude coverage for cyber unless it is consequent to terrorism or war, in which case a war risk extension may pick up coverage that is otherwise excluded.
It makes sense to review your crime and kidnap-and-ransom coverage. When incidents involve extortionate demands related to a cyber intrusion, or the theft of funds as part of a phishing or malware scam, some policies will be responsive.
Lastly, directors and officers policies need to be reviewed. First, privacy breaches can lead to bodily injury claims citing mental anguish, and in most forms bodily injury is excluded. Insured v. Insured exclusions can also limit coverage where insiders are involved in a cyber event.
A thorough policy audit will tell you where you have cyber coverage, where you may have cyber coverage, and where it has been excluded. While physical assets are easy to value, potential losses due to business interruption are more difficult to pinpoint and these are best addressed by your CFO and auditors.
Exclusions can be bought back, and coverage where absent can be added. Some policy forms limit benefits to indemnification, while others provide comprehensive loss prevention, mitigation and crisis response services. Shipowners can buy back their “380” exclusions and new broad form “DIC” policies can add protections which are limited or excluded from underlying property and liability policies.
As for limits, Travelers, focusing on midmarket business, says its median policy is about $4 million, while global broker Marsh says its average placement is about $17 million. It is reported that capacity exists for limits of as much as $300 million. The market is benefiting from the entrance of new carriers and new capital, but each newly reported breach causes carriers to become more cautious and concerned about their exposure to data networks that have become increasingly interconnected.
Insurance will not prevent an incident, nor fully indemnify a business against loss. Your first investment should be in prevention and that starts with a vulnerability assessment by competent professionals. Know the coverages you have and your ability to absorb the expense of a response. Probe the markets, and even apply for coverage. While the process is arduous, you’ll discover a lot about your company’s data security practices and whether they are viewed as adequate or at risk.
The content of the above post is based upon a recent address the authors made at Capital Link’s 7th Annual Operational Excellence in Shipping Forum in Athens, Greece.
By: Stephen A. Cooper and Tyler Schapiro, Fourth Insurance Office, Inc.
Fourth Insurance Office, Inc. is a consulting business specializing in transaction related exposures, management and cyber liability, and broker assessment.