New rules based on repeat of NotPetya attack six years ago, but insureds have massively increased defences since then
David Osler chats to Robert Dorey, CEO Astaara – the original version appeared in Lloyd’s List
‘We are not dealing with the same degree of cyber vulnerability in 2023. There’s an argument that the horse has already bolted and the world has moved on,’ says Astaara chief executive Robert Dorey
LLOYD’S new cyber war and terror exclusion clauses are based on outdated assumptions and represent a one-size-fits-all solution that does not meet the industry’s needs, according to a prominent marine cyber risk specialist.
In particular, they fail to take into account the vast improvements shipping companies have undertaken to their cyber defences in recent years, charged Astaara chief executive Robert Dorey.
Since the end of March, Lloyd’s has stipulated that all standalone cyber attack policies must include an exclusion for state-backed attacks, including those mounted by security and intelligence services.
The requirement has divided market opinion, with some participants highlighting the difficulty in proving state involvement, as well as defining which entities should be recognised as a state.
The upshot, according to the critics, is that insureds would be left uncertain as to whether they would get paid out if they suffer an attack.
Dorey maintained that the restrictions seem to be based on Lloyd’s fear of a rerun of the NotPetya attack of six years ago.
Responsibility for the incident in June 2017 has not been definitively established. But the UK’s official National Cyber Security Centre has declared itself “almost certain” that it was the work of Russia’s military intelligence service.
NotPetya is thought to have caused around $10bn in economic losses, of which somewhat under £3bn was insured.
The attack targeted Ukraine’s financial, energy, and government institutions and was not designed to extort money, exfiltrate data or even spread any further.
But ultimately it became the first global cyber incident, with victims including containership operator Maersk as well as pharmaceuticals major Merck and snack food giant Mondelez.
Maersk got caught out when one of its truckers paid customs duty at a Ukrainian customs booth and emailed an infected PDF of the receipt to Maersk headquarters in Copenhagen.
Within 14 minutes of the email being opened, NotPetya destructionware had wiped the master boot record of thousands of Maersk computers and deleted data, whether encrypted or not.
It was not enough to delete the malware, and Maersk ultimately had to foot the bill for new kit. The company ended up $300m out of pocket.
“The thing is that shipping companies do not organise their cyber security now in the way they did in 2017,” said Dorey.
“If they had been running Windows 8 or had patched up to recommended levels from the service provider, and had segregated their systems, then you would not have had this incident as it is now reported.
“We are not dealing with the same degree of cyber vulnerability in 2023. There’s an argument that the horse has already bolted and the world has moved on.”
It used to be the case that when companies “fall over” – to use the jargon term for being taken down by cyber attack – their IT systems would be out of commission for three to six months.
Now the “RTO”, as experts abbreviate returned time to operations, is likely to be measured in days if not hours.
As a result, Astaara feels it is reasonable to write the risk if cover is contingent on companies having sufficient protective measures in place.
Dorey also pointed out that higher national regulatory standards have been introduced in many jurisdictions since 2017, and that International Maritime Organization guidelines make cyber preparedness a condition of seaworthiness.
Britain’s Prudential Regulation Authority has also updated its guidelines on cyber underwriting.
“If you are a reinsurer and you are underwriting lots of managing general agents, you may think you have no way to manage your exposure or to assess or model your potential downsides.
“But that’s as much to do with the way people underwrite as with what the underlying risk looks like.”
He feels the Lloyd’s cyber exclusion clauses miss the point for bigger operators in critical state infrastructure, such as industrial manufacturers, pipelines, airlines, ports and major shipowners.
Such companies generally have enough corporate leadership and risk management discipline to run their businesses to a high level of cyber maturity.
What marine insurers now need to debate is where these clauses should be focused, rather than whether they should be deployed at all.
“What you are doing is denying the opportunity of credible, well-managed businesses to have cover when they most need it.”
The maritime community is a sophisticated insurance buyer, and knows what it wants and why it wants it. If Lloyd’s does not provide it, it risks losing the business.
“The biggest impediment to buying cyber insurance is that people don’t trust it to pay out when it needs to.
“The feedback we’ve had from shipowners, ports and offshore operators is that they’ve had experience of other products where a war or terror exclusion has denied them access to an insurance recovery.”
Astaara has deliberately targeted its underwriting capacity outside of Lloyd’s. As its policies are written net line, they are not subject to the clauses.