At present there are no specific cyber exclusions in standard P&I cover. However, Members are obliged to ensure that cover is not prejudiced by acting in an “imprudent, unsafe, unduly hazardous or improper” way and this obligation extends to their conduct in relation to cyber risks.
At present there are no specific cyber exclusions in standard P&I cover. Members are therefore covered for P&I risks caused or contributed to by a cyber risk (though subject to the war risks exclusion, of which more below). They are however nevertheless obliged to ensure that cover is not prejudiced by acting in an “imprudent, unsafe, unduly hazardous or improper” way and this obligation extends to their conduct in relation to cyber risks.
Class certification and SMS
Members also obligated to ensure that the vessel is classed by an approved Classification Society and that they maintain all statutory certificates issued by the vessel’s flag state. Owners will shortly have to comply with International Maritime Organisation (IMO) “Resolution MSC 428/98 Cyber Risk Management in Safety Management Systems” which mandates that “cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the Document of Compliance after 1 January 2021”.
Consequently, when it becomes a statutory requirement by the flag state after January 2021 to maintain a certified cyber risk management system failure to do so may be prejudicial to Club cover.
War & terror
There is a developing threat of cyber risks of a nature which fall under war risks. Terrorist and ideological hackers are increasingly sophisticated and there is also the risk of state interference in GPS and associated navigation systems.
P&I clubs are not the primary underwriters of war P&I cover, which is often provided as an ancillary cover to an owner’s hull war cover. Liabilities arising out of a cyber-attack on a vessel may therefore fall within the war risks exclusion in P&I cover which excludes “any hostile act by or against a belligerent power or any act of terrorism”.
Whether a cyber-attack is an act of “terrorism” depends on the motivations of the author of the virus released or the hacker attacking systems. The UK Terrorism Act 2000 defines terrorism as being where the acts or threats are “made for the purpose of advancing a political, religious racial or ideological cause”. The definition of an act or threat amounting to terrorism includes those “designed to seriously interfere with or seriously disrupt an electronic system”
IG Clubs do provide a P&I war risk extension cover of up to US$500 million in excess of the amount recoverable under a vessel’s primary war P&I policy, but does not extend to losses caused by “the use or operation as a means of inflicting harm of any computer virus”. This has exclusion has similarities with the commonly used market cyber exclusion clause CL380 and which many primary war risk underwriters incorporate in their policies. This could potentially result in an owner who suffers a cyber-attack that falls within the scope of terrorism finding themselves effectively without cover for P&I risks.
Source: West of England P&I Club