Hidden Exposure

Worrying Lack of Coverage for Cyber Risks

By Lars Gustafson

Shipping operations are more exposed to cyber risks than many other businesses because of their increased reliance on technology and the global interconnectivity of the maritime supply chain.

In fact, just one cyberattack on the major Asia-Pacific ports could trigger US$110 billion in economic losses – equivalent to nearly half the cost of all the natural catastrophes that occurred worldwide in 2018, according to a recent report published by insurer Lloyd’s of London. The study, conducted by the University of Cambridge Centre for Risk Studies in partnership with Lloyd’s, was based on a potential attack scenario involving a software virus scrambling cargo database logs at 15 major ports in Japan, Malaysia, Singapore, South Korea and China.

According to the report, which was conducted on behalf of the Cyber Risk Management (CyRiM) project, a research initiative led by Singapore’s Nanyang Technological University’s Insurance Risk and Finance Centre, port operators would account for half of all related losses, while businesses affected along the supply chain would account for 21 percent of losses, and logistics and cargo-handling companies would make up 16 percent of losses. Business interruption costs would account for 60 percent of all losses.

Because so many IT systems used in the logistics industry are connected to the Internet, such an attack also would trigger a domino effect impacting business operations in the downstream transportation, aviation, aerospace, manufacturing and retail sectors. Businesses in Asia would feel the most impact, with losses estimated as high as US$27 billion, followed by Europe, which would likely take a US$623 million economic hit, and North America, where losses would amount to US$266 million, the report found.

Despite this huge exposure affecting so many different components of global shipping and other related industries, the report estimated that 92 percent of economic costs stemming from such widespread IT system disruption would be uninsured, creating a gap of US$101 billion should an extreme cyberattack like that depicted in the report occur.

Awareness of Wider Risks

Companies that transport cargo are using more Internet-connected technology today than ever before to track cargo shipments, transfer connections, storage and just-in-time deliveries, making them especially vulnerable to the cyberattack scenario depicted in the Lloyd’s-Cambridge report. But there are many other threats lurking in cyberspace that can potentially take down the breakbulk and project cargo market, including:

• Ransomware/extortion attacks in which cybercriminals download malicious code into IT systems to seize control of them and then demand payment to release them.

• Social engineering where cybercriminals masquerade as company officers and order payments or fund transfers to offshore accounts that they control.

• Phishing attacks in which cybercriminals hack into IT systems and recover logins and passwords, enabling them to access and drain bank accounts.

• Denial-of-service attacks where robotic hackers bombard IT systems with so many requests for information that it causes them to crash.

While breakbulk businesses can take precautions to shield their operations from cyberattacks, such as installing firewalls and anti-virus software, they have little or no control over how well their business partners are protected. Cybercriminals can access IT systems through many portals other than the front door. In the business world, that translates into a multitude of vendors, suppliers and other partners whose level of cybersecurity may be well below that of your company.

Cyber insurance can help breakbulk businesses survive should they fall victim to either a direct or indirect cyberattack. It provides both first-party and third-party coverage, compensating breakbulk businesses for such losses as:

• Lost income and expenses incurred because of network disruption or inability to access a computer system due to cyberattack.

• Additional storage costs if cargo cannot be delivered due to a cyberattack.

• Expenses and payments (including ransom) to a third party to avert potential damage.

• Costs associated with replacement of a computer system impacted by security compromise.

• Cost of audits by a Qualified Security Assessor to certify Payment Card Industry, or PCI, compliance following a security breach.

• Cost of PCI Assessments levied in the wake of a breach involving credit cardholder information.

Cyber policies also cover breach response costs including:

• Hiring a crisis public relations consultant to mitigate reputational damage.

• IT forensics experts to isolate and contain a cyberattack.

• Customer notification, credit monitoring and other costs to meet other legal requirements.

• The cost of regulatory investigations and fines levied for violations of privacy laws.

• The cost of defending any lawsuits filed by affected businesses or individuals seeking to recover damages.

Even if your company has the best IT security in place, you can still be hacked. Many businesses erroneously think that their property, liability, crime or Directors & Officers coverage would respond in the event of a cyberattack. But those other business insurance policies either exclude cyber risk or provide very limited coverage for this exposure. Purchasing cyber insurance is essential to ensuring business resiliency in the aftermath of a cyberattack.  

Lars Gustafson is managing director of Gallagher’s Marine practice, www.ajg.com.
