According to a 2019 risk report from Lloyds of London, there are massive gaps in the insurance coverage for the economic fallout of a cyber attack on Asian Pacific ports. Shen Attack: Cyber risk in Asia Pacific ports supposes the ramifications of a virus stemming from a ship management company and the cascading financial impacts that would be felt by adjacent industries, companies, and nations.
90% of the worlds goods are still transported by international shipping, 55,000 cargo ships are in transit at any given time, and 1,500,000 crew members are employed aboard them. The global supply chain is pinned up by the cargo ships and ports of the world. The Shen Attack Report demonstrates the shocks that a cyber attack in could send through a host of seemingly unrelated nations and industries. The report makes an obvious case for the necessity of insurance to protect from the impending loss. What is less obvious is the best way to undertake making the shipping industry safe from cyber attack.
The shipping industry already has a vested interest and responsibility in guarding itself against the cyber threats occurring with increasing frequency. As the insurance industry continues to increase its underwriting of cyber risks, it also incurs this interest. According to Lloyds, only 8% to 9% of the $109.8 billion total economic loss felt by the worst-case cyber attack would be insured. 50%, the largest portion of the uninsured billions, would be felt by port owners and managers. On the lower end of the financial backlash would be the ship owners and the ship managers. These will only be responsible for 1% and 3% of the total economic loss, respectively. This does not seem particularly odd, until the following section that states that "technology has improved the shipping industry" but "aging ships are a problem." The report continues on to say that "many vessels at sea are over thirty years old and were not designed with cyber in mind." The disparity between where the report explicitly states that risk occurs and who is financially liable causes an agency problem in the prevention of cyber attacks. How can insurance companies and ports incentivize the sophistication of the cyber capabilities of privately owned ships in order to prevent the financial loss that accompanies the current vulnerability of many ships on the sea?