Cyber risks and P&I insurance


Upload: lynhan

Post on 04-May-2018


March 2018 Q&A 1

Q&A

What are “cyber risks”?

• Cyber risks can be defined as the risk of loss or damage or disruption from failure of electronic systems and technological networks

• All businesses rely heavily upon computer systems to sustain their operations, but these systems are vulnerable

• Cyber risks comprise risks related to hacker attacks, virus transmission, cyber extortion, network downtime and data security breaches

• A maritime cyber risk can be defined according to the IMO Interim Guidelines on Cyber Risk Management as “the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised”

How can cyber risks occur in the shipping industry?

• Commercial ships are increasingly more dependent upon computers and computer software to operate and control various shipboard systems

• Safe ship operations are reliant on bridge systems such as ECDIS (Electronic Chart Display and Information System), AIS (Automatic Identification System) and GPS (Global Positioning System)

• Main and auxiliary propulsion systems rely increasingly on computers to operate efficiently

• Ship networks are connected to the internet

• As with computers ashore, shipboard systems are vulnerable to cyber-attacks

• Hackers can take advantage of vulnerabilities in a network to access servers; this can enable hackers to access, remove and manipulate sensitive data

• Even a simple mobile phone charging process using a USB port in the ECDIS system can cause a virus to render a system inoperable

• If ships’ systems are attacked, the effect could be extremely perilous

• A cyber-attack could catastrophically impact the safe navigation of a vessel, both in terms of its ability to avoid hazards and in terms of its stability and cargo operations

• A cyber-attack could lead to collision, personal injury, property damage, pollution or even to a shipwreck

Cyber risks and P&I insurance

• These possible scenarios could lead to liabilities of P&I Club Members

Are cyber risks excluded from P&I cover?

• No. As a general rule, P&I liabilities – which are set out in Rule 2 of the UK Club Rules – are not subject to any exclusion of cyber risks

• Nor is the International Group Pooling Agreement subject to a cyber risk exclusion

• Some maritime cyber risks, however, don’t come within the scope of P&I because they don’t arise from the operation of a ship. An example is the risk of monetary loss where a shipping company is blackmailed to pay a ransom for the restoration of IT data or restoration of IT systems that have been compromised by cyber-attack

Are there any exceptions to the general rule?

• Yes - some P&I claims resulting from cyber risks may be excluded from cover by virtue of exclusions relating to paperless trading, or exclusions relating to P&I war risks

• The Club provides an Excess War Risks P&I cover, which is subject to an exclusion of loss resulting from use or operation of a computer virus as a means for inflicting harm. Primary War Risks P&I cover, such as that provided by the UK War Risks Club, is subject to a similar specific exclusion

Paperless trading – Electronic Bills of Lading

• Normal P&I cover is subject to an exclusion – set out in the ‘Addendum for Owners’ in the UK Club Rule Book - in respect of liabilities, losses, costs and expenses arising from the use of any electronic trading system, other than an electronic trading system approved by the Managers in writing, to the extent that such liabilities, losses, costs and expenses would not have arisen under a paper trading system

• Electronic trading systems could be vulnerable to cyber-attacks

• Although the exclusion does not expressly refer to cyber risks, any liabilities, losses, costs or expenses arising out of a cyber-attack (such as hacker attacks) affecting a non-approved electronic trading system would not be covered

• This exclusion does not apply to approved systems for electronic trading, of which there are currently three: Bolero, ESS, and E-Title

P&I War Risks (including terrorist risks)

• P&I cover is subject to an exclusion in respect of P&I liabilities, costs or expenses arising from war risks as defined in UK Club’s Rule 5E, including acts of terrorism. The exclusion applies irrespective of any contributory negligence on the part of the Owner or his servants or agents. A key part of the definition refers to P&I losses caused, or contributed to, by “War, civil war, revolution, rebellion, insurrection or civil strife arising therefrom, or any hostile act by or against a belligerent power, or any act of terrorism”

• Depending on motive, a cyber-attack could constitute an “act of terrorism” or even in warlike circumstances a “hostile act by a belligerent power”

• Terrorist acts are generally regarded as those aiming to kill, maim or destroy indiscriminately for a political, religious or ideological cause. The Club’s Directors have power under the Rules to determine whether a particular event constitutes an act of terrorism for the purpose of applying the exclusion

• A cyber-attack on an individual ship is, however, likely to be regarded as a hostile act of a belligerent power only in the context of civil war or where a rebellion extends to the occupation of territory and organised political authority over military forces

• A cyber-attack on an individual ship could arise for a variety of reasons that do not engage the war exclusion – including, for example, commercial sabotage, or the malicious act of an individual with a grudge against the owning company – and in any such cases a Member’s normal P&I cover will respond (subject to the remainder of the Rules)

What happens if the cyber-attack constitutes an excluded risk under standard P&I cover by operation of the Club’s War risks exclusion?

• If a cyber-attack constitutes an act of war, or an act of terrorism, it is excluded from standard P&I cover

• In general, some cyber risks will be excluded from primary war risks insurance policies too, including, for example, the war risks insurance provided by the UK War Risks Club (which is an independent, Thomas Miller managed, mutual war risks association)

• The UK War Risks Club excludes cover for any losses, liabilities, costs or expenses directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer virus. Cyber risks caused by a “computer virus” are therefore excluded

• However, for 2018 the computer virus exclusion will only apply once claims within the scope of the clause exceed, for the UK War Risks Club, US$50 million in the aggregate in the 2018 Policy Year

• In the case of the Hellenic War Risks, its approach to cyber risks is similar to that of UK War Risks Club, save that liabilities and losses resulting from otherwise excluded cyber risks are included for the 2018 policy year up to US$150 million in the aggregate across Hellenic War Risks’ membership as a whole

• Liabilities and losses resulting from otherwise excluded cyber risks are therefore included in the cover provided in 2018 by the UK War Risks Club up to US$50 million in the aggregate or US$150 million in the aggregate for the Hellenic War Risks’ membership. The aggregate limit applies respectively across the UK War Risks Club’s membership and the Hellenic War Risks’ membership as a whole, so claims would be settled by those Clubs on a pro rata basis if incurred losses in the Policy Year were to exceed the relevant aggregate limit

Are cyber risks included in Excess War Risks P&I Cover?

• As an exception to the war risks exclusion, the UK Club provides $500 million of Excess War Risks P&I Cover to its Members. This is not a primary war risk P&I cover, but responds to claims in excess either of the “proper value” of the entered ship as defined in Rule 5D (which, for those purposes is deemed not to exceed US$100 million), or the amount recoverable in respect of the claim under any other policy of insurance, whether of war risks or otherwise, whichever is greater

• Members will normally buy Primary War Risks P&I cover together with War Risks Hull cover from a specialist commercial or mutual war risks underwriter

• The UK Club’s Excess War Risks P&I Cover has a limit of US$500 million, each ship, any one accident or occurrence or series thereof arising from any one event

• The UK Club’s Excess War Risks P&I cover is subject to a combined Cyber Risk and Bio-Chem exclusion which bars recovery of “losses, liabilities, costs or expenses directly or indirectly caused by or contributed to by or arising from any chemical, biological, bio-chemical or electromagnetic weapon or the use or operation, as a means for inflicting harm, of any computer virus”

Taking the example of UK War Risks Club, what happens if a P&I cyber war risk claim exceeds US$50 million?

• As noted above the UK P&I Club’s Excess War Risks cover is subject to a cyber exclusion

• Thus, taking an example of a Member whose ship is insured by both UK War Risks Club and UK P&I Club, if a cyber risks claim comprises war and terror risks and exceeds US$50 million, the excess over $50 million cannot, unfortunately, be recovered from the UK P&I Club’s Excess War Risks P&I Cover. However, see next section

Is there any other insurance available from the UK P&I Club for P&I war risks claims arising from cyber risks?

• Yes. UK P&I provides a limited additional cover for P&I war risks claims arising from cyber risks where they constitute Bio-Chem claims

• A Bio-Chem claim is a claim for crew risks or a claim for legal costs, where recovery of such claims has been excluded from UK P&I’s War Risks Excess Cover or from any primary war risks cover by reason of a defined Bio-Chem Exclusion

• Crew risks comprise damages, compensation, costs or expenses in consequence of personal injury to or illness or death of any Seaman (including repatriation and substitute expense, shipwreck unemployment indemnity and diversion expenses) as set out in Rule 2, Sections 2, 3, 4, 5, 6, 7 of the Association’s Rules

• Legal costs comprise all legal costs and expenses as set out in Rule 2, Section 25(B) of the Association’s Rules

• A Bio-Chem Exclusion is an exclusion in a war risks policy of liabilities arising from any chemical, biological, biochemical, electromagnetic weapon or the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system

• The cover is pooled by the IG under a Supplemental Pooling Agreement and is limited to US$30 million in the aggregate any one event. If there is more than one entry in the Club and/or any other IG insurer in respect of the same ship, insured for cyber risks under the Bio-Chem covers, each such entry’s cyber risks claims are pro-rated accordingly

• The Directors can in their discretion exclude certain areas from the cover or cancel the cover subject to a 24 hours’ notice period

• Liabilities arising from explosives or the methods of the detonation or attachment thereof, the use of the entered ship or its cargo as a means for inflicting harm (unless such cargo is a chemical or bio-chemical weapon) and the use of any computer, computer system or computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile, are excluded from the cover

Conclusion – taking an example of a ship insured by both UK P&I Club and UK War Risks Club:

• P&I claims arising from cyber risks are covered by UK P&I in the normal way, subject to any separate exclusion under the Rules such as those in respect of war risks or non-approved electronic trading systems

• P&I war risks claims resulting from cyber risks may be covered by primary war risks underwriters – for example the UK War Risks Club (where incurred by the member of that club), but in the case of that club subject to a limit of US$50 million in the aggregate across all such claims of all members arising in the 2018 policy year

• Additional cover is available from UK P&I for P&I war risks claims resulting from cyber risks where such claims are in respect of crew liabilities or legal costs falling within the scope of the Bio-Chem exclusion, subject to a limit of US$30m in the aggregate any one event.

Thomas Miller Specialty offers a “classic but bespoke” Cyber Risk Insurance product. It is a business interruption product i.e. insuring lost income (and digital information) from a malicious cyber event or IT system failure. Third party coverage relates to data and privacy liability in respect of both customers and employees. Customer care and crisis management support is also provided. For information on this product, Members may contact [email protected]