Published Date: 30 October 2019

Speech by Mr Benny Chey, Assistant Managing Director, Monetary Authority of Singapore at the Launch of Cyber Risk Management Project's Shen Scenario Report on 30 October 2019

Mr John Neal, CEO, Lloyd’s of London
Ladies and Gentlemen

1.     Thank you for inviting me to join you today. Let me begin by congratulating the Cyber Risk Management Project or CyRiM, on the launch of its catastrophic cyber attack scenario report. CyRiM is led by the Nanyang Technological University’s Insurance Risk and Financial Research Centre, in partnership with industry Founding Members Aon Centre for Innovation and Analytics, Lloyd’s, MSIG, SCOR and TransRe, and has partnered the University of Cambridge Centre for Risk Studies for the scenario workstream.

2.     This scenario report, focused on the maritime sector, is aptly named Shèn 蜃, after a shapeshifting sea monster from Chinese mythology. Regulators, policymakers, and companies within the insurance, maritime and cyber security sectors can use this report to understand the scale, scope and extent of financial impact from a catastrophic cyber attack. In a hypothetical extreme scenario of a cyber attack on the software management systems of a shipping company that impacts up to 15 ports in Asia, global economic losses can run up to US$110 billion, with about a fifth incurred in Asia alone. Due to low cyber insurance penetration, the protection gap is a staggering 92%!

3.     Stakeholders can incorporate these insights into their planning, awareness building, risk and financial impact mitigation, and business development efforts.

The Need to Boost Cyber Resilience in the Maritime Sector

4.     Trade and shipping are the lifeblood of Asia. Trade accounts for between 38% to over 300% of GDP for Asian economies. International shipping is responsible for over 80% of world trade by volume and Singapore is the world’s busiest transhipment hub. Therefore, disruptions to trade or shipping could have major economic and financial impact.

5.     With ships increasingly connected, digitised and dependent on technology for navigation, monitoring, satellite communications, cargo tracking and management, the maritime sector is vulnerable to cyber risk, as with other sectors. For example, Maersk, the world’s largest shipping firm, incurred an estimated US$300 million in losses from the NotPetya ransomware attack in 2017. The ports of San Diego, Barcelona and Long Beach suffered cyber attacks in 2018.

6.     Although a survey of shipping companies indicated that over a fifth of respondents had experienced a cyber attack, only about half of respondents have a business continuity plan in place [Survey of 350 companies conducted in June 2018 by IHS Fairplay in association with the world’s largest international shipowner association, the Baltic and International Maritime Council (BIMCO)]. Investments into cyber resilience will need to step up significantly in the new normal world where cyber attacks are a matter of “not if, but when”.

Regulatory Efforts to Enhance Cyber Security

7.     Maritime regulatory authorities and international groups are taking steps to strengthen the cyber resilience of this sector. The International Maritime Organization, or IMO, released Guidelines on Maritime Cyber Risk Management in 2017 and has mandated that cyber security be addressed in ships’ safety management systems by 2021. In December of 2018, a leading group of maritime industry bodies [This comprised Baltic and International Maritime Council (BIMCO), COLUMBIA Shipmanagement Ltd, Cruise Lines International Association (CLIA), CyberKeel, International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Chamber of Shipping (ICS), Union of Marine Insurance (IUMI), InterManager, Maersk Line, Moran Shipping Agencies, Inc, NCC Group, Oil Companies International Marine Forum (OCIMF) and World Shipping Council.] published improved Guidelines on Cyber Security Onboard Ships, aligned with the IMO guidelines.

8.     The Maritime and Port Authority of Singapore, MPA, launched a new 24/7 Maritime Cybersecurity Operations Centre, in May 2019, called MSOC. MSOC will strengthen Singapore’s maritime cybersecurity posture through early detection, monitoring, analysis and response to potential cyber-attacks on maritime Critical Information Infrastructure providers, working in concert with its Port Operations Control Centre. MPA is, with its partners, also developing a new “Maritime Cybersecurity Intermediate Training Course” for maritime personnel and is working on a Maritime Cybersecurity Research Programme focused on the protection of shipboard systems.

Role of Cyber Insurance in Building Cyber Resilience

9.     Apart from mounting cyber defences, more needs to be done on cyber risk financing and mitigation to boost cyber resilience, and that’s where most of you come in. The maritime sector needs to be able to quickly respond, recover from, and manage the financial impact of cyber attacks. This is where cyber insurance plays an important role.

10.     Insurance purchase is not new to the maritime sector. Global marine insurance premiums reached US$28.9 billion [International Union of Marine Insurance (IUMI) Data, released in September 2019] in 2018, with Asia Pacific accounting for about 31% of premiums [Europe has top share of premiums at 46.4%]. Singapore is the 3rd largest marine insurance market in Asia, contributing close to 16% of Asia’s premiums.

11.     Cyber insurance does not just cover the financial costs of a cyber attack. Many cyber insurance policies include access to a panel of experts to help manage the forensics and investigation, system repair and recovery, and public relations aspects of a cyber attack. Cyber insurance underwriting involves working with clients to help them enhance their cyber security posture and rewarding companies with more robust risk management practices with lower premiums and better coverage.

Challenges Impeding Cyber Insurance Purchase in Maritime Sector

12.     Coverage for cyber risk in the maritime sector, however, is lagging. Marine policies tend to have cyber exclusions. Stand-alone cyber coverage is also not being widely purchased.

13.     There are several challenges impeding cyber insurance penetration within the maritime sector. First, cyber risk is a newer line of risk, and across industries, cyber insurance penetration is low. Global cyber insurance premiums account for only about 1% [KPMG Cyber Insurance Report 2017] of commercial insurance premiums. Purchasers of cyber insurance tend to be concentrated in sectors more exposed to personal information given growing data privacy and breach regulations.

14.     Second, while there is growing awareness of cyber risk, converting this awareness into action, in the form of buying cyber insurance, remains a challenge.

15.     Third, the lack of standardisation in policy language and definitions of cyber has caused confusion to buyers and lowered their confidence in cyber insurance policies. There is uncertainty as to whether cyber is covered as part of property, and whether an act of war is covered, as well as how to prove that an event is an act of war, especially in the case of state-linked attackers.

16.     Fourth, on the supply side, cyber underwriting, which is already challenging due to the lack of historical data in this newer line of risk, has even less claims data to rely on for the maritime sector, due to low cyber insurance penetration rates. There is also chronic under-reporting of cyber events at about only 11.7% [IHS Fairplay survey with Baltic and International Maritime Council (BIMCO), 2016].

Research and Risk Management Solutions to Address Challenges

17.     In response to these challenges, bespoke insurance solutions have been developed by a range of specialty insurers, and Protection & Indemnity Clubs. Several of the key cyber insurers and brokers have established cyber insurance teams in Singapore, overseeing Asia Pacific. These teams perform deeper dives on local and regional market dynamics, partner with cyber security firms and data providers, and engage and educate potential buyers, in partnership with multipliers such as industry associations and boards.

18.     Public private partnerships, such as CyRiM’s catastrophic port cyber scenario report today, add value by improving our understanding of this complex risk.

Conclusion

19.     So, in closing, I would like to urge the insurance, cyber security and maritime sectors to deepen their collaboration, conduct joint research, buyer education and outreach, and develop more insurance and risk management solutions to narrow the massive protection gap in cyber risk for the maritime sector. Thank you.