TOP
In the field of marine and upstream energy business, the rise of digitalisation and technological progress has unlocked unprecedented opportunities, such as enhancing the transportation of goods and facilitating more efficient and more secure exploration of energy sources. Information technology (IT) systems are integral to virtually every aspect of operations and processes, becoming indispensable tools that organisations cannot function without. As such, IT systems are not just supportive elements but central components of strategic planning and execution. However, this has ushered in significant risks when those systems do not work properly. With a growing dependence on information technology, these sectors are increasingly vulnerable to cyber threats.
With this in mind, it needs to be considered that potential cyber risks are not confined to individual companies; they have systemic implications that can reverberate across multiple industries and regions simultaneously. This can happen when companies use the same IT system or parts of it that are attacked by malware or contain a non-malicious malfunction. Additionally, the interconnected nature of modern business operations creates challenges. A cyber incident affecting one entity can quickly cascade to impact numerous others within its supply chain, sector, and beyond. Cyber threats have the potential to transcend geographical boundaries, amplifying their reach and scale.
As a consequence, risk management departments across industries are tasked with finding effective solutions to mitigate these cyber risks. In terms of their own IT systems, it is essential for companies to invest in cybersecurity to safeguard, detect issues, and respond promptly.
Insurance plays a vital role in this landscape to protect insureds against the consequences of an IT hazard. However, as well as buyers of insurance, insurers must safeguard their financial stability at the same time to ensure they remain sustainable providers of effective solutions, especially when considering the potential of a systemic cyber incident. Therefore, it has become imperative for insurers of the various marine and upstream energy classes to implement clear and comprehensive cyber clauses in insurance contracts to define the boundaries of coverage.
In recent years, extensive efforts within the marine and upstream energy insurance sector have yielded a variety of cyber provisions across different insurance classes, such as hull, cargo, specie, marine liability, upstream energy, and their sub-classes. These provisions not only reflect an inherent interest of insurers in minimising ambiguity and defining the scope of coverage but are also necessary to comply with regulatory requirements in certain jurisdictions.
In addition to clear cyber coverage provisions, insurers may protect their exposure to IT hazards through the purchase of reinsurance. Conversely, reinsurers now also require clear cyber provisions in their contracts. However, the marine and upstream energy reinsurance market frequently encounters the challenge of accommodating the multiple insurance classes mentioned above within one single reinsurance contract.
There is a desire from the reinsured to encompass all the underlying clauses and coverages within these contracts. However, this aspiration often collides with the practical difficulty of finding a single clause that adequately reflects all the diverse components, languages and definitions of the original market. Consequently, scheduling all the underlying insurance clauses in use as the basis of coverage became a common approach in many reinsurance contracts.
While it might seem like a practical solution to include underlying insurance clauses in schedules, it is important to remember that these clauses were not originally designed for, and therefore are often not compatible with reinsurance contracts. In addition, it is difficult to predict how multiple insurance clauses would interact with each other during a loss event. This presents significant hurdles and leaves the effectiveness of this solution unproven. Furthermore, defining the potential aggregation of losses into a single event in a reinsurance contract is an essential component, but one which is not adequately addressed by this approach. Therefore, designing a reinsurance clause considering all the aspects above is challenging but crucial to provide a long-term solution for a subject that will only become more important for the marine and upstream energy industry in the future.
Based on this motivation and to comply with current UK regulations, the Joint Excess Loss Committee published Cyber Clause JX2023‑019 in October 2023. This outcome emerged after several years of dedicated effort, involving comprehensive consideration of insurance clauses and consultations with the original market. The length of the new cyber clause has been criticised due to its extensive nature. But as outlined above this is a consequence of the diverse nature of the underlying insurance classes it encompasses. While the clause’s length may appear daunting, its attention to detail ensures that it accurately reflects these complexities, thus providing greater clarity and certainty.
The overview below serves as an informative supplement to assist in understanding the framework of Cyber Clause JX2023‑019, which consists of the following paragraphs:
This paragraph ensures that indemnity under the contract is not prejudiced if a loss, damage, liability, or expense is caused by the use or operation of any IT device and/or data, provided that use was not done as a means to cause harm. This proactive stance acknowledges the reality that IT systems are embedded in nearly all processes of the original insured and may often prevent losses rather than cause them. A malfunctioning IT system, however, might result in significant losses, but not all cyber incidents are born out of malicious intent.
Simultaneously to the above, the exclusion of coverage for malicious cyber losses establishes a boundary of cover, given that malicious cyber presents a very different type of risk. First of all, it is essential for the insured to implement a strong cybersecurity defense to mitigate the chances of a successful attack or to respond effectively should one occur. Insurers need a completely different risk assessment to identify and quantify these risks and a different insurance product to cover the exposure effectively, for which a separate cyber market has developed over the last two decades. For these reasons, the original marine and upstream energy insurance market has excluded this cover in its products or provides it in only a limited way. The latter is considered with the exceptions shown in the paragraph below where reinsurers provide cover for malicious cyber intended to mirror that offered under the original policies.
Following consultation with the primary insurance market, there was an understanding that not all malicious cyber can be excluded in marine and upstream energy insurances and that exceptions therefore needed to be addressed in the reinsurance contract as well. This section lists specific scenarios written back by paragraph 3) where the Malicious Cyber Loss exclusion does not apply, for example:
As previously noted, these exceptions reflect an understanding of the original insurance market’s requirements. However, this understanding carries with it an inherent responsibility as a business partner to assist the reinsurer in assessing and quantifying the exposure. Consequently, it is crucial for the reinsured to furnish comprehensive information on certain risks prior to inception of the reinsurance, which is also addressed in this paragraph in respect of certain write-backs. This practice fosters transparency and strengthens the partnership by ensuring that both parties have a clear grasp of the risks involved.
This paragraph excludes coverage for losses arising from any data loss. It is important to understand that marine and upstream energy insurance is not designed to cover such risks, which belong in the cyber insurance market, as mentioned above. A specific risk assessment and bespoke insurance product are necessary to address the requirements for these kinds of risks, other than what is specifically written back in paragraph 5).
Similar to the operation of paragraph 3), this section outlines scenarios where the Data Loss exclusion does not apply, for example:
This paragraph outlines that losses resulting from the diversion of a conveyance due to an IT hazard (e.g. where a port was closed due to an IT incident), which does not directly contribute to the loss apart from the decision to divert, are eligible for coverage. The introduction of this exception was prompted by a scenario when a vessel had to alter its course due to a war event, ultimately resulting in a loss.
At the time, there was contention that since the loss occurred due to the vessel changing its route in response to war, and war was excluded from coverage, the loss should also be excluded. To pre-empt such arguments, this paragraph explicitly outlines the scope of coverage in such situations.
For this paragraph it needs to be considered that the Cyber Clause JX2023‑019 is designed for marine and upstream energy excess of loss per risk and/or per event reinsurance contracts. Therefore, the aggregation of losses caused by, related to, or in conjunction with, IT hazards should follow the same aggregation rules as events which do not involve information technology. In general, this means aggregating all losses occurring in the same way at the same time and in the same location.
This paragraph clarifies that losses caused by or connected to an IT hazard cannot be aggregated solely based on that IT hazard. Instead, losses covered by the contract resulting from or related to an IT hazard are aggregated according to specific criteria. These include aggregating all losses arising from certain physical perils to one event. Additionally, losses are aggregated based on distinct physical locations. Examples are:
The main purpose is to ensure a mutual understanding of the potential aggregation of losses in an event and the boundaries thereof before the event occurs. This proactive approach is the best way to avoid misunderstandings and to allow the assessment of the benefits reinsurance protections provide before the event occurs.
This paragraph provides definitions for key terms used throughout the Cyber Clause, ensuring clarity and consistency in interpretation. One key element to highlight is that data is not considered to be tangible property, nor can its loss be claimed as a physical loss or damage. Another important element is the definition of Distinct Physical Location which is needed for the aggregation paragraph and is a consequence of the dialogue with the primary insurance market to accommodate as many realistic scenarios as possible.
In conclusion, the development of Cyber Clause JX2023‑019 by the Joint Excess Loss Committee represents a significant milestone in addressing cyber risks within the marine and upstream energy re/insurance sector. The clause, resulting from extensive consultation and consideration, provides a comprehensive framework for managing cyber-related exposures. It includes provisions for both non-malicious and malicious cyber incidents, while also outlining exceptions to coverage exclusions to ensure clarity and certainty. By addressing specific scenarios and establishing clear boundaries, the clause aims to enhance risk management practices and promote resilience against cyber threats. While its length may seem daunting, it reflects the nuanced nature of marine and upstream energy insurance, providing a tailored approach to cyber risk mitigation. With defined rules for aggregation and clear definitions of key terms, the clause offers a robust foundation for effective reinsurance provision in the face of evolving cyber threats.
