Ken Munro, Senior Partner at ethical hackers Pen Test Partners, has been investigating maritime cyber liability insurance policies and what he discovered has shocked him:
• Premiums set with no understanding of the risk involved
• Markets exposed to systemic losses that they had no understanding of
• Proposal form questions that would reveal nothing about the actual risk
• Bad policy wording
• Policies designed to address irrelevant loss scenarios, based more on press hype around data breaches than on actual incidents
In his opinion, it is important that maritime insurers properly address cyber risk assessment by asking the right type of questions on proposal forms; otherwise difficult situations for insurers and insureds will undoubtedly emerge.
Mr Munro has condensed this down to three basic areas: Patches, passwords and people.
A common question on cyber liability proposal forms is: “Do you keep your systems up to date with security patches?”
Many will respond in the affirmative, but a better and more probing question would be: “Which of your systems are not kept up to date with patches, and why not?”
Asked this way, the question makes the client think more carefully about the answer: there will be old systems that are no longer supported, and critical systems that crashed the last time they were patched and so are no longer touched in order to keep them running.
This will inform the insurer about the client’s approach to security and their understanding of the risk to their business.
If insurers ask: “Do you ensure that all passwords are complex and changed regularly?” then again most of the responses will be “yes”.
A better question to ask would be: “Which of the passwords on your systems are blank, default, simple or re-used?”
Not changing default passwords is an obvious risk which can leave clients vulnerable to being hacked.
If insurers ask: “Do you have security awareness training?” then the response from the client might suggest that training is covered. Dig a little deeper, however, and the client may only have a short annual brief or a generic induction, which may not be that effective.
A better question would be: “How do you evaluate the security awareness of your staff?”
This will give the insurer more specific information about how the client trains and tests its employees and how appropriate their awareness courses are. A generic online cyber awareness package for office staff will not necessarily be appropriate for seafarers, for instance.
Insurers should also find out whether their clients actually test their staff to see if they fall for online scams such as phishing emails.
Systemic loss cases
Finally, insurers should be careful not to unintentionally insure systemic issues, where one flaw shared across many insureds produces many simultaneous claims. Examples might include:
• A large fleet with the same satellite communications terminal, all running the same out-of-date, vulnerable software. Hack one, hack them all, which could stop the whole fleet from operating
• A fleet with identical ECDIS units, all with the same flaw. Hack the electronic charts and stop the entire fleet from moving
• Take out an electronic chart provider; no updates can be issued, so no vessels can move
• Cripple a smart port so that no containers move
• Jam or misreport AIS data around a busy shipping lane
Whilst there has been no evidence of systemic cyber security losses in the maritime sector yet, it is simply a matter of time.
Bear in mind that the Maersk incident (the June 2017 NotPetya outbreak) wasn’t a targeted hack of Maersk, just collateral damage from a cyber campaign between nation states. So, if a charge of around $300M can result from collateral damage, what insurance pay-outs could result from a targeted attack?
Insurers need to fully understand the risks involved before insuring their clients against maritime cyber security incidents by asking probing questions.
Ken Munro describes himself as “a security entrepreneur and industry maverick” who has worked in infosec for over 15 years. After studying Applied Physics he tried his hand in the hospitality industry but said that he soon discovered a talent for hacking, persuading a till to print out mortgage amortisations. He went on to cut his teeth in the anti-virus industry before founding SecureTest, a penetration testing business that quickly established a reputation for delivering high spec services using a boutique business model. NCC Group bought SecureTest in 2007. In 2010 he set up Pen Test Partners, “which now boasts some of the best ethical hackers in the business, each of whom has a stake in the firm”.