At an exclusive event held at the Ince & Co headquarters in Aldgate Tower, Simon Cooper, partner at Ince & Co, talked delegates through the threat of cybercrime and its possible implications for superyacht insurance.
“Firstly, superyacht owners need to consider the necessity of cyber-specific cover,” says Cooper. “What cover might you have under your current policy? Have I got an all-risk policy covering me, and if I have, are there any relevant exclusions for cyber breaches? Am I a beneficiary of what underwriters might call ‘silent cyber insurance’, referring to when a policy is far reaching and doesn’t necessarily exclude cyber risk? In this eventually you may already have some protection.”
Insurers are becoming increasingly aware of silent cyber insurance and the risk that they are, inadvertently, providing cyber coverage free of charge within other policies such as hull insurance. “This means that we are beginning to see more and more exclusions coming into standard policies that eliminate the risk of silent cyber cover,” states Cooper.
One such example is the Institute Cyber Attack Exclusion Clause (cl 380), which states: “in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any electronic system.”
This exclusion only applies in circumstances where a computer system is used as a means of inflicting harm. When you consider that 50 per cent of cyber incidents are malicious, it is easy to see how it may be applied to mitigate certain claims. Its insistence on inflicting harm does provide some support for the insured, however new and other clauses are being created and used that do not provide the insured with as much support.
Cooper explains that one of the difficulties with cyber insurance is that there is no unity of definition, in that within a number of different cyber policies the definitions of elements such as computer systems or network are likely to be different. It makes a comparative analysis particularly difficult and the need to check definitions becomes of paramount importance.
“Think too, when looking at potential policies, about the kinds of limitations and exclusions they have,” Cooper continues. “A lot of cyber policies were originally designed to deal with issues like data protection and the loss of specific data. They would not necessarily protect you from the kinds of losses that we are talking about in the context of superyachts.”
A shocking statistic from the UK government’s Cyber Security Breaches Survey 2017 document revealed that, by their own admission, 37 per cent of the UK businesses that had purchased cyber insurance did not understand how their cyber insurance functioned.
Under the new Insurance Act, there is an obligation for potential insureds to disclose material information and to make a fair presentation of the risk to potential insurers. This process requires senior management to disclose any information that is material to the risk a cyber event may cause. It is extremely difficult, in the context or superyachts or companies that manage or work with numerous superyachts, to imagine what kind of information they would be required to disclose and how comfortable yachts or businesses would be doing this.
“You need to have a discussion with the underwriters to find out what it is they want to know,” explains Cooper. “How are they going to assess your risk from the cyber point of view? There needs to be some engagement here about the disclosure requirements they may have. I have spoken to various buyers, including the buyers of extremely extensive covers, and they have voiced concerns about confidentiality, especially in relation to how their own cyber security systems work.”
According to Cooper, ordinarily it is a condition precedent to your coverage that you notify the insurer of losses as soon as reasonably possible, or you notify of circumstances that may give rise to a loss as soon as reasonably possible. Because it is a condition precedent to the policy, if it is not observed, then the insured will not be able to claim on their insurance. However, when you consider that, on average, it takes 200 days from the time which a system is penetrated to the breach being discovered (usually by a third party), it makes it incredibly difficult to notify the insurer of the loss or notify the insurer of the circumstances that may give rise to a loss.
In the UK there has been a 300 per cent increase in cybercrime over the last five years. Not only is this figure likely to increase further, but the various means of cyber-attack themselves are only going to grow in their variety, scale and sophistication. Cybercrime is not an imminent threat, it is a current threat, and superyachts and the businesses that work within the superyacht industry need to start considering how best to avoid and respond to cyber events, including, but not limited to, how best to approach the issue of insurance.