Filling the Cyber Coverage Gap in Marine
Take up of cyber insurance in the marine sector to date has been slow, but that’s bound to change.
One key reason is that the maritime industry is changing rapidly, said Dieter Berg, head of marine business development for Munich Re.
“Until recently, ships were isolated, and the logistics process was not technologically advanced. This market is changing very quickly to digital communications and connectivity.”
Those changes include more than just electronic navigation and communication; they extend to smart containers and real-time logistics routing and scheduling.
“This digitalization changes the risk profile for the marine industry,” said Andreas Schlayer, senior cyber underwriter for Munich Re. “The more an operation is electronic, the more the dependence on data changes the risk profile and the behavior.”
Christine Marciano, president of boutique brokerage Cyber Data Risk Managers (CDRM), concurred.
“Marine has been slow to purchase cyber insurance,” she said.
“So far the consensus has been that a marine underwriter can understand cyber more easily, and add that to the policy form, than a cyber underwriter can understand the marine industry. But everyone, insureds and underwriters, are still exploring how best to approach coverage.”
To Schlayer, there is little material difference between a hack and a malfunction in terms of potential P&C losses.
“The question is rather, should the shipper or the container owner or the terminal operator carry the liability? Mixing marine with cyber or P&C with cyber can be confusing. One solution that we have seen in many cases is to exclude cyber.”
Whether a container is lost in a storm because the fastenings fail or because it is stolen at random or targeted from hacked information is a distinction without a difference: The property loss is the same in any case, he said.
“A gap has been identified between property and cyber,” said Schlayer. “Insurers are working from both ends to fill that gap. These are early days so there is no standard yet. But one way of thinking is that cyber is everything nontangible. Tangible things are well to remain within traditional coverage. But in either case, risk management now has to extend to both cyber and property.”
Defining Marine Cyber Loss
Marciano laments the dearth of history, because what happens at sea tends to stay at sea. “There have not been a huge number of instances or losses. Physical losses from cyber perils may be happening more than we know and just not reported. Marine companies are not obligated to report.”
“Cyber attacks are under-reported in general,” said Patrick Hickey, executive vice president and head of U.S. marine for Aspen Insurance.
“A breach of any sort creates questions with customers and no industry or company wants this as a matter of public record so I believe losses are largely under-reported,” he said.
“I believe some marine policies are picking up cyber losses today and that they will continue to uptick in the years ahead.
“The marine industry needs to pay very careful attention to the cyber crime that is sitting at its doorstep,” Hickey said.
New York-based insurance broker Integro is looking for some answers.
“We have a department that handles cyber, and is working with several underwriters on wording for marine coverage,” said Tom Angiolino, principal.
He also noted that the potential market is much bigger than the container ships that first come to mind.
“Marine is highly varied; there are bulkers, tankers and cruise ships. Each has very different risk profiles.” Marine also includes port operations, container yards, ship yards and bulk terminals.
“We identified a growing need two years ago,” said Tracie Grella, head of cyber risk insurance, AIG. “Traditional cyber policies excluded property damage and bodily injury; the policies were designed to focus on financial loss. Many insureds believed that because their P&C or GL policies did not specifically exclude cyber perils that they were covered.”
That may have been true to some extent, but not in every instance. “P&C typically excludes intentional acts, and a hack can certainly be intentional,” said Grella.
“Terrorism is often excluded, as are acts by an insider. As insureds came to understand the risks created by the failure of network security, they started to ask about their coverage more specifically.”
AIG’s product provides potential cyber/physical exposure that includes property damage, bodily injury, business interruption or product liability, along with traditional cyber such as data disclosure, cyber extortion and breach response, she said.
Cost varies widely with the size of the placement as well as the controls and protections that the insured has in place.
“Property damage from cyber peril has been far less frequent, at least less frequently reported, but can be catastrophic.
“There may have been instances of a ship’s navigation being altered, but if it recovered quickly and there was no harm, there was likely no claim reported.
“Both insureds and owners are still coming to understand the P&C risks of cyber,” Grella said.
Earlier this year Lloyd’s introduced a risk code for physical loss from a cyber peril, said Geoff White, business group leader of cyber and technology at Barbican Insurance Group, a Lloyd’s managing agency.
“There has been some take up, but it has not been massive. We are trying to educate owners that there is cover available.
“It is a stand-alone cyber cover with the same underwriting and controls as the other cyber coverage. Pricing is also comparable. In Lloyd’s there is half a billion dollars of cyber capacity.”
Cyber Risk Market
According to Barbican, the global market for cyber risk in 2012 was $850 million in GWP and tripled in three years to $2.5 billion.
In June 2014, a study by the Centre for Strategic and International Studies estimated that cyber crime costs the global economy about $445 billion every year.
No source had figures specifically on marine cyber property premiums, capacity or claims.
Lloyd’s collects anywhere from a fifth to a quarter of global cyber premiums. Barbican itself has seen growth of 350 percent over the last two years, with a 50 percent increase in submissions seen in the first quarter of 2015, relative to the first quarter of 2014; of those submissions, 70 percent were first-time purchasers.
Growth for cyber-related physical loss in general, and marine cyber in particular, will be meaningful but will be slower than general cyber has been over the past few years, said White.
“Marine coverage has typically been bespoke; that can be done in cyber too. Anyone looking into new cover should consider a method of risk transfer because cyber relates to any entity, from an individual to the largest corporation.
“Still, the market is likely to be less dramatic, in terms of growth, than general cyber has been to date,” he said.
The point that White hopes to drive home is that “the insurance market can actually be very nimble.” The gap in cyber coverage for property and casualty was recognized and is being addressed. “I discuss these things with customers many times a day.”
All the development efforts still come up against the willingness of owners to accept transferring that risk.
“When coverage in this sector was first developed, it was a tough sell because the losses were not there,” said Rob Rosenzweig, national cyber risk practice leader at Risk Strategies.
“Once claims rose there was more understanding and also some regulatory mandates.”
Total losses have still been relatively minimal in examples specific to marine, but those could rise if bad actors see the sector as less prepared and less well protected than the financial, health care and retail operations that have been targeted to date.
“Cyber risk is essentially the same for every industry,” said Aspen’s Hickey.
“It’s the compromising of customers’ data and violation of trust. In addition, the marine industry has to consider the public welfare.
“If hazmat cargoes, or ports handling those goods, are compromised by cyber attacks, the liability to the public is essentially unlimited.
“It’s one thing to have cargo redirected or stolen,” said Hickey.
“If a city adjacent to a port is attacked and, as a result, impacted by a cyber hazmat cloud, the impact could be like nothing we have ever seen.”
Rosenzweig cautioned smaller companies against complacency.
“There are different criminals with different budgets. Sure, there are sophisticated hacker groups that will go after big banks or retailers, but it is easier and quicker for smaller operations to go after smaller targets.”
A mugging rather than a bank robbery. But still a loss.
New Policies Fill Gaps in Green Energy
Ambitious underwriters are learning to make hay while the sun does not shine. And when the wind does not blow, and the rain does not fall on watersheds.
For years, the intermittent nature of nature vexed the green energy industry. Until recently it was addressed as a technical problem of storage and backup generation.
But recently, several insurers developed coverage that offers a financial recovery approach. To be sure, the demand is coming primarily from lenders and capital investors that back green power projects. The effect, if the markets grow, will be to help normalize both power and profitability.
While the mechanisms for the new programs are new, financial weather instruments are not, said Michael J. Perron, senior vice president for Northeast property placement at Willis Towers Watson, and a 2016 Risk & Insurance Power Broker® in the alternative utilities category.
“Wind productivity was down over the last couple of years, and banks are requiring some type of protection from insureds. The industry has these wind curves and they are just not performing.”
Generators themselves are not yet asking for coverage, said Perron, “but banks are saying, ‘your charts are nice but we need protection.’
“Risk managers at the generators may feel very comfortable with the long-term performance, but banks are asking for more. In some cases the lenders or investors are named as loss payee.”
In general, Perron said, the new demands from backers and the coverage being offered to meet them are beneficial in direction, if not always in degree.
“We do push back on occasion,” he said.
Using an analogy from earthquake coverage, he noted that “we had one client for which the bank demanded $100 million of protection. We modeled the case and found that the 500-year event would cost $20 million so we suggested buying $35 million in coverage.”
Weather Risk Transfer
Underwriter GCube brought its “weather risk transfer mechanism” to North America to respond to “increasing demand from U.S. project-financed wind operators, notably those refinancing or going through acquisitions,” the company stated.
“Utilities and independent power producers have directly cited below-par wind resources as a contributing factor to net losses in 2015 and the first quarter of this year,” it said.
“This financial underperformance, if left unchecked, threatens to undermine the reputation of wind energy as a low-risk, reliable investment — particularly with the emergence of new investors with less tolerance to lower returns.”
The basic concept, said Bill Hildebrand, executive vice president of GCube Insurance Services, is a contract with wind or hydro power generators. If the wind or rain is insufficient for the generators to provide the power that they have contracted to deliver, then parametric triggers would result in a payment under the contract.
“We are seeing increased requirements from insureds on behalf of their capital providers for revenue certainty,” said Hildebrand.
“At the same time, we have had carriers come to us with contracts they would like to distribute. Weather insurance has been around for a long time with the same interest in consistency and smoothing of revenue. What is new is this type of flexible contract that we are bringing on behalf of the capacity behind us.”
GCube is using Lloyd’s syndicate papers for backing. As a result contracts can be made on different terms.
“There are options,” said Hildebrand.
“There can be a straight trigger payment, or more complex arrangements more like a cash flow swap or collar.”
The contracts are being offered only to wind and hydro generators, not solar at this point. That is for two reasons: Solar has not seen the dips that the other green energy types have, and the performance data on solar is not as extensive.
Early in May, a consortium of carriers executed a 10-year proxy revenue swap with a large U.S.-based wind farm. The arrangement allows for hedging wind volume risks for wind farms, to try to ensure stable revenues despite uncertainty of intermittent wind.
Advances in risk modeling and maturity of risk appetite were credited with making the deal more long-term in scope.
The 10-year agreement is designed to secure long-term predictable revenues and mitigate power generation volume uncertainty related to wind resources for the 100-plus MW farm.
But solar is not being neglected. Early in May, specialty insurer Sciemus launched a policy to protect the owners of solar farms against a lack of sunlight.
The policy pays if levels of sunshine fall below an agreed amount, and it is available as a hedging instrument for solar farm operators for up to 10 years.
Other lack-of-sun insurance schemes are available, but they are tied into property damage programs, experts said. The Sciemus insurance can be purchased as a stand-alone.
The insurance is index-linked and pays a fixed price per unit of lost sunlight at the end of each 12-month period. It is calculated on the sunlight either at the solar farm or at the nearest weather station.
The coverage is available in Europe and North America, and Sciemus plans to roll it out into the Middle East and North Africa later this year.
Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and that there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better funded and supported security, and they have heavy government regulation. That both keeps them on their toes, and also means greater external surveillance. Several panel members noted that firms became aware of breaches when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.