What can maritime insurers learn from cyber liability insurers?
I first got involved in cyber liability insurance back in 2011. An underwriter contacted me for some advice around a new ‘cyber’ thing that they were planning to launch and had seen me speak at a conference. What I discovered about the nascent industry shocked me:
- premiums set with no understanding of the risk involved
- markets exposed to systemic losses that they had no understanding of
- prop form questions that would reveal nothing about actual risk
- policy wording train wrecks
- policies designed to address irrelevant loss scenarios, based more on press hype around data breaches than on actual incidents.
So, I spent the next three years delivering more than one seminar per month to insurers just about hacking risk, simple risk assessment and trivial mitigation steps in the cyber space. I spent far too long at numerous venues in and around the Lloyd's building, though the lunches were good!
In the end, I boiled basic risk assessment for cyber insurance down to three simple questions:
Patches, passwords and people
Exactly the same principles are relevant to shipping security. So here’s how you use these to qualify risk, though it’s very important HOW you phrase the question:
If you give the client risk manager a prop form about cyber, they’ll pass it to their IT guy, who doesn’t want to admit to not having ideal security. So they tick ‘yes’ to everything to avoid awkward internal questions.
Don’t ask in your prop form ‘Do you keep your systems up to date with security patches?’, as virtually everyone will answer ‘yes’.
Instead, ask a more probing question: “Which of your systems DON’T you keep patched up to date and why not?”
That way, you ask the client to think more carefully about the question: there will be old systems that aren’t supported any more, as well as critical systems that crashed the last time they were patched and so aren’t touched, in order to keep them running.
Using this question you will uncover far more about the client’s approach to security and their understanding of the risk to their business.
If you ask ‘Do you ensure that all passwords are complex and changed regularly?’ then you’ll get a ‘yes’.
Instead, ask ‘Which of the passwords on your systems are blank, default, simple or re-used?’
Then you’ll find out that their key customer database is on the public internet and has a default password! Not an ideal risk…
At this point you’ll now have a view about the client’s approach to risk.
Next, design your maritime cyber insurance policy to address risks that clients will actually face.
It’s very tempting to try to cover (or not cover!) the next Maersk incident. But that’s not really cyber. That’s business interruption.
Avoid systemic risk
One satcom box
Learn from credit cards