By Maurice Lynch and Jason Symons, partners, Mills Oakley
Australia is amid a tumultuous period of cyber upheaval. Last weekend, another large Australian business was exposed to a cyberattack. Australian businesses must now be thinking “If not now, when?”
The attack that occurred on the weekend targeted critical infrastructure at an Australian port terminal operator with operations in Sydney, Melbourne, Brisbane and Fremantle. According to media reports, this operator is the handler of 40% of Australia’s containerised trade and was forced to shut down its terminal operations as a result of the attack.
The shutdown of operations means that:
- many cargo owners may incur losses they may consider covered under a policy of marine cargo insurance;
- freight forwarders are prevented from collecting goods from ports and delivering them to their end user; and
- operators in the Australian transport and logistics space are reminded they are not immune from a cyberattack and must be planning (and practising) how they will respond to such an attack.
Marine cargo insurance – what is the cyber deal?
There are a number of losses ordinarily covered under a marine cargo insurance policy which a cargo owner could incur when a cyberattack causes ports to be closed. These include but are not limited to the following:
- damage to perishable goods that cannot be delivered to their market on time or which are in reefer containers which cannot maintain temperatures;
- loss of market due to the delay in delivery of goods; and
- on-forwarding charges due to goods not being able to be discharged at their intended port and needing to be discharged at an alternative port.
Although each insurance policy is different, most marine cargo insurance policies incorporate the Institute Cargo Clauses A 1/1/09, which provide cover for “all risks” of loss or damage to goods in transit subject to expressly named exclusions.
Unsurprisingly, given the clauses were developed prior to 2009 when cyberattacks were uncommon, none of the expressly named exclusions refer to excluding loss or damage caused by cyberattacks. Accordingly, in the absence of a specifically drafted cyber exclusion, loss or damage to goods caused by a cyberattack would be covered under the “all risks” cover provided by the Institute Cargo Clauses A 1/1/09. However, any loss or damage caused by delay would still be excluded under the delay exclusion, even though delay is caused by a risk insured.
Despite the above, since November 2019, most marine cargo insurance policies have incorporated into their terms the LMA 5403 Marine Cyber Endorsement (or a similarly worded bespoke equivalent).
Such endorsements make it clear that in no case shall the marine cargo insurance policy cover loss, damage, liability or expense directly or indirectly caused by, or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus, computer process or any other electronic system. That is, losses from cyberattacks are not covered.
The endorsement does not operate to exclude losses caused by cyberattacks in policies providing cover for risks of war, civil war, revolution, rebellion, insurrection, or civil strife, or any hostile act by or against a belligerent power, terrorism or any person acting with a political motive.
These endorsements are extremely broadly worded and have the effect of excluding from cover any loss or damage caused by a cyberattack. This includes the benefit of recovering forwarding charges under clause 12 of the Institute Cargo Clauses A 1/1/09 through which an insurer agrees to indemnify an insured for the costs of any extra charges for storing and forwarding goods to their insured destination after an insured voyage is terminated at a port or place other than the final destination. Such additional costs are likely to be incurred by cargo owners after a cyberattack at a port terminal which then has to close and not allow vessels to call as a result of such an attack.
If a cargo owner wants cover for any loss or damage caused by a cyberattack, then it should consider taking out its own dedicated cyber insurance product.
Although loss or damage caused by cyberattacks is usually not covered under a marine cargo insurance policy, if a vessel is unable to call into a port because of a cyberattack, the goods themselves will remain insured for covered “all risks”. This is because there is a continuation of cover pursuant to clause 8.3 of the Institute Cargo Clauses A 1/1/09 for delay beyond the control of the assured, any deviation, forced discharge, re-shipment, or transhipment. Accordingly, insurance cover will remain in place if a vessel is diverted to another country or port, and not allowed to call into a port.
If the contract of carriage is terminated by the carrier due to a vessel not being able to call into a port due to a cyberattack, then pursuant to clause 9 of the Institute Cargo Clauses A 1/1/09, cover for the goods will terminate unless notice is given to the underwriters, and continuation of cover is requested and any additional premium paid. But the cover is limited to when the goods are sold and delivered at the port or place where the transit has terminated, or delivered to any other new forwarded destination, or on the expiry of 60 days if the goods have not been sold or on-forwarded.
Freight forwarders – the piggy in the middle
If a port terminal closes due to a cyberattack, a freight forwarder is not going to be able to collect containers from the port and deliver them to their client. Depending on the sector it is servicing and the contract it has with its customers, the freight forwarder might, if this occurs, be exposed to damages for delayed delivery which could be in the form of liquidated damages.
However, as the freight forwarder in these circumstances would usually not be the party responsible for, or the subject of the cyberattack, if it has an appropriately worded force majeure clause that excuses it from performing services when an event which happens is beyond its reasonable control (a cyberattack on a port terminal operator would be such an event), then the freight forwarder may rely upon that clause to be excused from performing its obligations, and avoid liability for any losses its customers suffer as a result.
Planning (and practising) for cyberattacks – what to do when it happens
Australian regulators are now of the clear view that a cyberattack is a ‘when’ rather than an ‘if’. In September this year, ASIC Chair, Joe Longo, warned that “If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”.
The question then is: what is an Australian business expected to do in the wake of this further reminder that it can happen to any business in any sector with significant consequences? As Chair Longo identified, the answer is not purely a security one. Australian businesses should be consistently testing their cyber security posture against appropriate industry benchmarks. However, recent incidents demonstrate that strong cyber security cannot be the complete answer as threats evolve and humans can be exploited.
Businesses must be ready for when the inevitable happens through appropriate incident response planning and simulation exercises across a variety of attack scenarios. The exercise of planning for and practising cyberattacks builds the organisation’s cyber-resilience – being its ability to respond to and recover from a cyberattack.
A strong cyber-resilient business will have the buy-in of the tech team, senior management and the board. The plan should clearly articulate the external advisers that may be part of the team responding to the attack, including legal, IT forensics, and communications. The government agencies, regulators and other stakeholders that may need to be consulted should also be mapped out. Considering these matters for the first time in the heat of an attack can be catastrophic.
It has been seen recently that the early engagement of external legal counsel to retain the experts can better assure that communications relating to the incident’s investigation and with regulators are protected by legal professional privilege. This reflects the growing risk of cyber-related litigation.
As flagged above, a dedicated cyber insurance policy can also play an invaluable role when an attack occurs. The policy is specifically designed to support the organisation throughout the whole life cycle of the attack – from funding incident response costs and business interruption losses, to covering potential third-party liabilities or regulatory fines and legal costs. Understanding the coverage available and the claim process should be part of the broader incident response plan.