The Bermuda-based insurer — best known as a provider of certificates of financial responsibility (COFR) guarantees for ships trading to the US — is teaming up with the XL Catlin group in the Lloyd’s of London market to offer up to $30m of cover that makes no distinction whether the loss is from a cyber-attack or fraud, or both.
The launch date is targeted for 1 May.
Shoreline said the cover breaks new ground in an evolving area of risk where few shipping businesses have cover for either a cyber-threat or commercial crime.
Shoreline and XL Catlin’s partner in the initiative is shipping services group HudsonAnalytix, which will be providing software to enable potential buyers to carry out a preliminary self-assessment. This is before more extensive risk management help for those going ahead with the policy.
The Crawford & Co adjusting group will supply a 24-hour cyber hotline providing post-attack crisis support.
Shoreline’s move into the crime and cyber risks arena has been led by Nicholas Taylor, who retired as a senior Marsh broker in 2016 after 39 years in the marine-insurance business. Since retirement, he has become an independent director of the North of England Protecting and Indemnity Association and a consultant to Shoreline.
“There is still a lot of ignorance about cyber and crime risks and 'it can’t happen to me' complacency,” Taylor said. “Shoreline is stepping in where others have feared to tread.”
But it is a risk where going out to buy insurance is not enough.
A key part of the integrated crime and cyber insurance is a pre-inception risk management package, giving underwriters the confidence they are taking on a client aware of the threat, with systems and training in place to counter most of the risk.
After the self-assessment, Taylor warned there will be a look into staff training to combat the cyber and criminal threat and how funds are handled.
The $30m of cover is the annual aggregate cover for any one event or client. It is expected that most shipowners will buy a lower limit of perhaps $10m to $20m.
Although the limit is perhaps one-tenth of what last year’s NotPetya malware attack is estimated to have cost AP Moller-Maersk, it should be adequate for the vast majority of shipping operations that do not have the scale and risks spanning ships, terminals and logistics operations of the biggest container line.
Taylor said that even a large tanker fleet with many VLCCs does not have the complex systems or exposure of a liner company and may well outsource technical and crew management. As a result, it is generally less vulnerable to disruption or delay.
The cover is not only for the immediate damage but for business interruption or loss of profit, which is likely to be the most costly consequence of any attack.
There is also cover for legal and mitigation costs as well as third-party liabilities. But there is no cover for physical damage, as this risk is insured under traditional policies. For example, if an attack on ship systems resulted in a collision, grounding or oil spill, this would be insured under hull or protection and indemnity cover.
Taylor said the Shoreline cover would respond to NotPetya and WannaCry — two of the most serious ransomware attacks of recent times — as well as liabilities arising from theft or loss of data.
Some of the biggest real-world threats arise from negligent, disaffected or criminal employees, with these risks covered.
Taylor said the integrated policy avoids gaps in cover or arguments about double insurance emerging.
So how affordable is the integrated crime and cyber cover going to be?
Taylor said it is difficult to provide numbers, as the product has yet to be launched and pricing the risk is going to be a bigger challenge than for hull or P&I cover, with policy holders required to make a pretty significant investment in cyber security.
“One of the biggest determinants is going to be the state of preparedness of your cyber security plan,” Taylor said. “We have got to strike a balance. It can’t be horribly expensive. It will be a modest percentage of the cost of hull or P&I cover.”
There are no launch buyers lined up but Taylor said there is plenty of interest.
“I was in Denmark recently and saw six owners," he said. "Five said they were going to fill in an application form.”
Taylor suggested stock market-quoted outfits are the most likely early buyers, as they will be most sensitive to crime and cyber threats affecting their reputations.
He is not anticipating a rush to take up the integrated crime and cyber cover from the launch in May, but he said there should be capacity available from XL Catlin and following underwriters for all clients.
There is going to be only a small panel of Lloyd’s underwriters involved in the cover to avoid lines becoming diluted and making the return on their commitment inadequate.