Asia-Pac ports underinsured against cyberattacks; one attack could cause up to US$110b in losses

Singapore

LOSSES from a cyberattack on ports in Asia-Pacific could range from US$40.8 billion to US$109.8 billion, according to scenarios studied by the Singapore-based Cyber Risk Management (CyRiM) project.

But insurance industry losses would just be between 8 and 9 per cent of the total loss, suggesting high levels of underinsurance, said the report.

CyRiM is led by Nanyang Technological University's Insurance Risk and Finance Research Centre (NTU-IRFRC), in collaboration with industry and academia. It is overseen by a board with representatives from the Monetary Authority of Singapore, the Cyber Security Agency of Singapore, NTU-IRFRC, and industry members.

The report was produced on behalf of CyRiM by the University of Cambridge Centre for Risk Studies, in partnership with Lloyd's.

It makes no claims about the probability of the scenario, devised "as a stress test for risk management purposes".

"Cyber risk is one of the most critical and complex challenges facing the Asia-Pacific maritime industry today," said Lloyd's Singapore country manager Angela Kelly.

"As this risk grows with the increasing application of technology and automation in the industry, collaboration and future planning by insurers and risk managers is critical."

In the scenario, a virus attacks a ship management firm's software, corrupting the cargo manifests of the ships that it manages.

When the documents are opened in ports, the virus infects management services and logistics firms too. Ports are forced to shut down for the manual sorting and identification of cargo.

Three variants are considered. In the first, six ports in Japan, Malaysia and Singapore are affected, resulting in US$25.7 billion in direct losses and US$15.1 billion in indirect losses.

The second scenario adds three ports in South Korea, with total direct losses of US$36.8 billion and indirect losses of US$19.1 billion.

The third adds six ports in China, for a total US$83.7 billion direct loss and US$26.1 billion indirect loss.

The report included detailed estimates of the impact by country and sector. It also modelled the insurance industry's exposure to such a scenario.

"This scenario presents a substantial insurance gap, leaving about 92 per cent of the losses uninsured," said the report.

Many traditional marine insurance policies exclude cyber and non-physical events, it added.

There are opportunities for insurers to grow their business in relevant insurance classes such as cyber insurance, concluded the report.

A Lloyd's spokesperson said that ports which detect ships with corrupted manifests can take measures to isolate the virus and protect themselves, but added: "However, with how interconnected and digitalised our world is today, it can be difficult to stop a major cyberattack.

"Cybersecurity in ageing infrastructure is often difficult to patch, but this is not the only weak point in the maritime industry.

"It is essential that all points in the digital supply chain are secure - ensuring proper password and security measures are taken at all points, patches are done in a timely manner, and there is a strong culture of cybersecurity and cyber safety in the network."