‘Silent cyber’ in marine policies

Let us start with a simple question.

Are cyber risks covered under marine cargo insurance policies? The answer is usually shrouded in a haze of confusion, as discussed in Cyber risks & marine cargo insurance. The Institute Cyber Attack Exclusion clause CL 380, which forms part of all cargo insurance policies, could cut both ways. A simple incident like a vessel’s navigation system failing, leading to a collision that damages cargo, will normally be an admissible claim if the policy was issued on ICC-A terms. However, if the failure of the navigation system could be traced back to a malicious intent, act or omission, direct or indirect, ‘as a means for inflicting harm’, this very claim can be avoided by the insurers.

This appears quite draconian from an assured’s standpoint. However, insurers argue that there is great difficulty in establishing whether a particular act or omission was done with an intent of inflicting harm. The long and short of it is that neither the assured nor the insurer is clear whether the marine cargo insurance policy covers cyber risks, despite the fact that CL 380 is attached to the policy. This led to the coining of the new term ‘Silent Cyber’, or non-affirmative cyber, to describe losses which are covered under traditional cargo policies written without having cyber exposures in mind but which could be remotely related to a cyber risk.

Insurers have deliberated over this for long and come to the conclusion that cargo policies must clearly state whether cyber risks are covered or not. There cannot be any silent or non-affirmative cyber in the policies, as it strikes at the very root of contract certainty. So the logical conclusion is that the Institute Cyber Attack Exclusion clause CL 380 has outlived its utility and has to undergo a change. It has not happened yet, but the change is expected any time in 2020. As insurers pondered over the issue, it dawned on them that cyber losses can occur without there being an ‘intent of inflicting harm’. Hence, the terms used were ‘cyber risks’ and ‘cyber attacks’.

The UK P & I Club defines cyber risks as “the risk of loss or damage or disruption from failure of electronic systems and technological networks”.

‘The Guidelines On Cyber Security Onboard Ships’ produced by the IUMI & BIMCO defines cyber attacks as ‘any type of offensive manoeuvre that targets IT and OT systems, computer networks and/or personal computer devices attempting to compromise, destroy or access company and ship systems and data’.

Japan P & I Club, however, combines both eventualities under their definition of cyber risk: ‘Cyber risk is a potential risk to lead to operation failure of the IT systems which will cause financial loss, disruption or damage to the reputation of an organisation. Cyber risk includes external factors (such as computer virus, Trojans or attack over network, etc.) and internal factors (malfunction, mis-operation, system bugs, etc.)’.

The International Underwriting Association (IUA) had in September 2019 come out with two alternative clauses for cyber risks under marine cargo policies: 1) IUA 09-081, the Cyber Loss Absolute Exclusion clause, and 2) IUA 09-082, the Cyber Loss Limited Exclusion clause. The Lloyd’s Market Association (LMA) too had come out with two model clauses on the same lines in November 2019 for use by its members. All Lloyd’s syndicates have declared that they will be using these wordings in all reinsurance contracts effective 1st January 2020. It is only a matter of time before the Institute Cyber Attack Exclusion clause CL 380 gets amended.

The MARINE CYBER EXCLUSION clause (LMA 5402) will not only exclude all cyber risks absolutely, it will also be a ‘Clause Paramount’.

‘This clause shall be paramount and shall override anything in this insurance inconsistent therewith.

  1. In no case shall this insurance cover any loss, damage, liability or expense directly or indirectly caused by, contributed to by or arising from:

     1.1 the failure, error or malfunction of any computer, computer system, computer software programme, code or process or any other electronic system or

     1.2 the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.’

So this clause is much wider than CL 380 and affirms that cyber risks, whether with an intent of inflicting harm or not, stand clearly excluded.

A limited coverage for cyber can be extended affirmatively by adding the MARINE CYBER ENDORSEMENT (LMA 5403) to the policy. This is nothing but the current Institute Cyber Attack Exclusion clause CL 380 stated in an affirmative manner: if ‘inflicting harm’ was not the intent, such losses, even if emanating from a cyber source, will stand covered under the policy.

Marine Cyber Endorsement  

  1. Subject only to Paragraph 3 below, in no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus, computer process or any other electronic system.
  2. Subject to the conditions, limitations and exclusions of the policy to which this clause attaches, the indemnity otherwise recoverable hereunder shall not be prejudiced by the use or operation of any computer, computer system, computer software programme, computer process or any other electronic system, if such use or operation is not as a means for inflicting harm.
  3. Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, paragraph 1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

A small observation here on Paragraph 3. It deals with a policy endorsed to cover war and terrorism, viz. the Institute War clauses and Institute Strikes clauses. In that case, losses caused by any computer, computer system, etc. used in the launch or guidance system or firing mechanism of any missile or weapon will NOT be excluded. It also talks about any person ‘acting from a political motive’ using any computer or computer system for the aforesaid purposes; such losses will NOT be excluded either. This is a bit strange, because the Institute Strikes clauses, which cover terrorism, treat a ‘person acting from a political, ideological or religious motive’ as a terrorist. Why a different explanation here? Does it mean that if a person acting from a religious or ideological motive uses a computer system to detonate a bomb causing damage to cargo, the loss will not be payable, notwithstanding the fact that the policy was subject to the Institute War Clauses-Cargo and Institute Strikes Clauses-Cargo? Maybe the framers would like to take a re-look.

 



3 thoughts on “‘Silent cyber’ in marine policies”

  1. Thanks for sharing this. Your last lines are definitely to be pondered and I may have a few queries upon reading the clauses in totality.

  2. Peter Mikkelsen

    Great article. Why are the cargo underwriters so reluctant to write cyber risks? The exposure is very limited.

  3. Cargo underwriters are worried about accumulation issues. Imagine you are a cargo underwriter writing risks across many geographies with goods carried by various vessels. Imagine the global positioning system is hacked and all the vessels using the Sat Nav lose control and cause many vessels to sink or suffer a casualty. No company would be able to afford to pay all these losses happening at the same time.
