Cyber exclusion clauses – are they fit for purpose?
The forwarding and supply chain industries are, like virtually any other industry, making increasing use of information technology. As with other industries this comes with its own risks - one of which is cyber attack.
The carriage and distribution of goods is particularly vulnerable to such issues. Supply chain management requires forwarders to be linked to their customers, to customs authorities, to carriers, to ports and various other organisations. Carriers often have considerable fleets of vessels, vehicles or aircraft which are linked via IT systems.
Some cyber attacks can have devastating consequences and while insurers do often rely on blanket exclusions, is a general exclusion of cyber crime and cyber related damage something of a sledgehammer employed to crack a nut?
What are you excluding?
Much of the theft relating to the carriage of goods has some connection to the use of IT. Whether it be wrongful release of containers from a port or use of fraudulent details when bidding for “back-loads” on internet haulage sites, computer systems usually play some part. Is it, however, really the intention of underwriters to exclude all of these events?
The Institute Cyber Attack Exclusion Clause - CL.380 - is incorporated into many marine insurance contracts and is currently accepted as the market clause for this issue.
1.1 [I]n no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.
It is hardly modern - it was drafted in 2003. Its impact is pretty draconian - if any electronic system is used to inflict harm then this can result in the exclusion applying.
Taken at its most basic level, the point can be distilled to this:
If a thief causes a truck driver to pull over and then assaults him with a brick and steals the load, the insurers for both the cargo and the haulier will become involved. If, however, the thief hits the driver over the head with a laptop, both insurers apply the exclusion and walk away from the claim.
This may be a reasonably extreme example and may seem to be somewhat facetious; however, less extreme examples demonstrate that the point is an important one in practice.
For example, if a fraudster wishes to collect a cargo from a port, they may decide to create a bill of lading which is a replica of the original and which allows the fraudster to obtain the release of the cargo. Very often, such documents are created using computer programmes to scan, copy and then alter the original document.
Does cover really depend on whether or not the fraudster has used a computer system to create the forgery? Is it underwriters’ intention to analyse the document used to perpetrate the fraud? So:
- If the fraudster has used a colour copying machine, correction fluid and a typewriter, there is cover; but
- If the fraudster has used a computer to create the documents the exclusion applies?
It’s theft, but not as we know it!
The theft of information and documentation is not a new phenomenon. It is the method by which those documents are created, stored, processed and accessed which is new.
Where there is a physical loss of goods arising from the use of documents stolen using computers, the market tends to pay the claim. It can be difficult to say whether the loss has been caused by an excluded peril. If this is the practice of the market, it is possible that reliance on a blanket cyber exclusion clause such as CL.380 is something of a distraction from the real issue under consideration - that of document security.
Perhaps, rather than relying on the comfort blanket of CL.380, underwriters need to consider appropriate warranties in relation to internet and computer system security.
Further, if insurers decide not to rely on CL.380 for one-off thefts, they could risk a court finding that they have waived their right to rely on the clause in other instances. It is unlikely that the courts will favour a ‘pick and choose’ application.
It is appreciated that cyber risks throw up issues which many underwriters wish to exclude and avoid under standard cargo and freight liability policies. However, the broad-brush approach of simply avoiding anything to do with the malicious use of computers is unlikely to result in a cover which is fit for purpose as it fails to recognise the extent to which insureds rely on information technology.
The market is reviewing CL.380 and that is to be welcomed. It is important that consideration is given to what it intends to exclude and what cover it intends to provide. For example, if insurers want to exclude catastrophic cyber events rather than one-off thefts, would it be preferable for the clause to look at the result of a cyber attack as the excluded issue rather than the cause?
This must also be considered alongside a general update of the applicable policies where cyber risks are covered - security is central to the issue of cyber risk and should be addressed within the policy wording.