Some of the key points in this article are:

• The international shipping industry is responsible for the carriage of around 90% of world trade, so vessel safety is critical to the global economy.
• The largest shipping companies have been victims of cyber attacks in recent years. Port operators have also been affected such as the Port of Durban in 2021.
• Just under half (44%) of maritime professionals reported that their organization has been the subject of a cyber-attack in the last three years. Of these, 3% agreed to pay a ransom, which averaged at around $3mn.
• Security agencies have warned of a heightened cyber risk due to the conflict in Ukraine.
• The worst-case scenario is a terrorist attack or a nation state group targeting shipping in a bid to inflict damage or major disruption to trade, such as blocking a major shipping route or port.

The international shipping industry is responsible for the carriage of around 90% of world trade, so vessel safety is critical to the global economy.

The 2022 report reveals that the maritime sector continued its long-term positive safety trend over the past year with 54 total losses of vessels reported globally, compared with 65 a year earlier.

This represents a 57% decline over 10 years (127 in 2012); while during the early 1990s the global fleet was losing 200+ vessels a year.

The 2021 loss total is made more impressive by the fact that there are an estimated 130,000 ships in the global fleet today, compared with some 80,000 30 years ago. Such progress reflects the increased focus on safety measures over time through training and safety programs, improved ship design, technology and regulation.

However, the industry is not without its challenges. Russia’s invasion of Ukraine, costly issues involving larger vessels, crew and port congestion and managing decarbonization targets, means there is no room for complacency.

Another growing challenge facing the shipping industry is cyber security. The digital era may be opening up new possibilities for the maritime industry but its growing reliance on computer and software and increasing interconnectivity within the sector, is also making it highly vulnerable to cyber-attacks.

All four of the largest shipping companies, Maersk, Cosco, MSC (and CMA CGM), have been victims of cyber-attacks in recent years.

Port operators have also been affected. Even the United Nations’ global shipping regulator, the International Maritime Organization was recently targeted by a cyber-attack, forcing some of its services offline. In particular, ransomware has become a global problem.

According to a recent industry survey just under half (44%) of maritime professionals reported that their organization has been the subject of a cyber-attack in the last three years.

Of these, 3% agreed to pay a ransom, which averaged at around $3mn. It also found 32% of organizations do not conduct regular cyber security training while 38% do not have a cyber response plan.

To date, most cyber incidents in the shipping industry have been shore-based, such as ransomware and malware attacks against shipping companies’ and ports’ database systems. But with the growing connectivity of shipping, the fact that geopolitical conflict is increasingly being played out in cyber space, recent years have seen a growing number of GPS spoofing incidents, particularly in the Middle East and China, which can cause vessels to believe they are in a different position than they actually are, and with the concept of autonomous shipping, there is little doubt that cyber risk will become a more important exposure that will require much more detailed risk assessment going forward.

At the same time, the crippling ransomware attack against the 9,000km long Colonial oil pipeline in the US in May 2021 has raised concerns that critical maritime infrastructure, could be increasingly targeted in future.

The attack resulted in the pipeline’s systems, which connect some 30 oil refineries and nearly 300 fuel distribution terminals, being forced offline, resulting in petrol shortages across the eastern US.

As geopolitical risks rise, so does the prospect of malicious digital disruption. Security agencies have warned of a heightened cyber risk due to the conflict in Ukraine. NATO warned vessels in the Black Sea faced the threat of GPS jamming, Automatic Identification System (AIS) spoofing (prior to the Ukraine invasion there had already been a number of these incidents, reported in the Middle East and China), communications jamming and electronic interference.

The US Cybersecurity and Infrastructure Security Agency also warned the maritime transportation sector could be a target for foreign adversaries.

There is concern that shipping assets and ports could become collateral damage if the conflict in Ukraine results in an increase in cyber activity.

Marine insurers have been warning for years about the cyber risk to shipping. From a hull perspective, the worst-case scenario is a terrorist attack or a nation state group targeting shipping in a bid to inflict damage or major disruption to trade, such as blocking a major shipping route or port. While this would seem a remote possibility, it is a scenario we need to understand and monitor. Although an accident, the recent blockage of the Suez Canal by the ultra-large vessel Ever Given is an eye-opener on many fronts as it shows the disruption a momentary loss of propulsion or steering failure on a vessel navigating a narrow waterway can cause.

The good news is that the shipping community has grown more alert to cyber risk over the past couple of years, in particular in the wake of the 2017 NotPetya malware attack that crippled ports, terminals and cargo handling operations. However, reporting of incidents is still uncommon as owners fear reputational risk and delays from investigations. Meanwhile, cyber security regulation for ships and ports has been increasing.

In January 2021, the International Maritime Organization’s (IMO) Resolution MSC.428(98) came into effect, requiring cyber risks to be addressed in safety management systems.

The EU’s Network and Information Systems Directive also extends to ports and shipping. This is a step in the right direction but the problem at the moment is quite extensive. Despite these measures we have seen a sharp rise in attacks.

Increased awareness of – and regulation around, cyber risk is translating into an uptake of cyber insurance by shipping companies, although mostly for shore-based operations to date. Typically, marine hull insurance policies exclude coverage against cyber-attack or any loss arising from a malicious act involving the use of a computer system, given the potential loss accumulation issues from such scenarios. Instead, shippers have to purchase standalone cyber insurance coverage, but to date the readiness of many in the sector to buy a marine hull specific cyber cover has been limited.

However, the threat to vessels is growing as more and more ships are linked to onshore systems for navigation and performance management.

Smart ships are coming, and we would expect demand for insurance to develop accordingly. What we may see in the future is a potential increase in demand for a combination of onshore/offshore coverage and this is something we will need to discuss and observe with our clients and brokers to see how far this can be taken by marine hull insurance and how far it can be taken by a broader scope of cover in a combined policy.

Fortunately, there are also a growing number of resources available to help mariners learn about common vulnerabilities.

Just one example is the internationally-recognized United States Maritime Resource Center, which assists the industry in cyber awareness, safety and security through evidence-based research. Then there are an increasing number of cyber security guidelines which can be followed, such as those from the IMO, but also from other important organizations such as BIMCO, CLIA, Intercargo and Intertanko.

There are also standard practices that can be implemented to reduce cyber risk, such as defining personnel roles and responsibilities for cyber risk management and identifying the systems, assets and data that, when disrupted, pose risks to ship operations. Ship-owners also need to implement risk control processes and contingency planning, developing and implementing activities necessary to quickly detect a cyber event. Identifying measures to back up and restore cyber systems impacted by a cyber event is obviously crucial.

Of course, these are challenging times for the shipping industry. However, IT security should not be put on the backburner. It is vital that investment in cyber risk education and security is not neglected at this time, despite economic pressures, as this risk has the potential to have catastrophic consequences, given the right confluence of events.

======

Captain Rahul Khanna is the Global Head of Marine Risk Consulting at Allianz Global Corporate & Specialty (AGCS)

Key Points:

• Pandemic outbreak drops from first to ninth position as majority of companies are less concerned and feel adequately prepared for future outbreaks.
• Political risks and violence is still a major concern in Nigeria as it moves from fifth to second.
• AGCS CEO Joachim Mueller: “’Business interrupted’ will likely remain the key underlying risk theme for this year. Building resilience is becoming a competitive advantage for companies.”

The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the Covid-19 pandemic, all of which have heavily affected firms in the past year.

Globally, cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021.

Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%). The annual survey from Allianz Global Corporate & Specialty (AGCS) incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings. Watch the video.

“’Business interrupted’ will likely remain the key underlying risk theme in 2022,” AGCS CEO Joachim Mueller summarizes. “For most companies the biggest fear is not being able to produce their products or deliver their services. 2021 saw unprecedented levels of disruption, caused by various triggers. Crippling cyber-attacks, the supply chain impact from many climate change-related weather events, as well as pandemic-related manufacturing problems and transport bottlenecks wreaked havoc. This year only promises a gradual easing of the situation, although further Covid-19-related problems cannot be ruled out. Building resilience against the many causes of business interruption is increasingly becoming a competitive advantage for companies.”

Violence, changes in legislation and regulation rising concerns in Nigeria

According to the Allianz Risk Barometer 2022, political risks and violence and changes in legislation and regulation are rising concerns for businesses in Nigeria. Political risks and violence moved from fifth to second following #EndSars in 2020. Changes in legislation and regulation moves up four places to fourth in the country.

“Fortunately, large scale terrorism events have declined drastically in the last five years. However, the number, scale and duration of riots and protests in the last two years is staggering and we have seen businesses suffering significant losses,” says Bjoern Reusswig, head of Global Political Violence and Hostile Environment Solutions at AGCS. “Civil unrest has soared, driven by protests on issues ranging from economic hardship to police brutality which have affected citizens around the world. And the impact of the Covid-19 pandemic is making things worse – with little sign of an end to the economic downturn in sight, the number of protests is likely to continue climbing.”

“Preparation is key – in particular for exposed sectors such as retail,” explains Thusang Mahlangu AGCS Africa CEO. “Businesses need to review their business continuity plans (BCP) and should be aware of what is happening around them. Typically, these only focus on national catastrophes, but there is a need for BCP plans to address political disturbances and other types of business disruption like cyber. Having defined, and preferably tested, procedures in place is crucial – these should include staff, client and general communication and social media plans. It is imperative for companies to think deeply about how they can best protect their assets and people.”

Ransomware drives cyber concerns while awareness of BI vulnerabilities grows

Cyber incidents ranks as a top three peril in most countries and regions surveyed including Nigeria, South Africa as well as Africa and Middle East, shows the Allianz Risk Barometer 2022.

The main driver is the recent surge in ransomware attacks, which are confirmed as the top cyber threat for the year ahead by survey respondents (57%).

Recent attacks, the Allianz Risk Barometer 2022 document, have shown worrying trends such as ‘double extortion’ tactics combining the encryption of systems with data breaches; exploiting software vulnerabilities which potentially affect thousands of companies (for example, Log4J, Kaseya) or targeting physical critical infrastructure (the Colonial pipeline in the US).

Cyber security also ranks as companies’ major environmental, social and governance (ESG) concern with respondents acknowledging the need to build resilience and plan for future outages or face the growing consequences from regulators, investors and other stakeholders.

“Ransomware has become a big business for cyber criminals, who are refining their tactics, lowering the barriers to entry for as little as a $40 subscription and little technological knowledge. The commercialization of cyber crime makes it easier to exploit vulnerabilities on a massive scale. We will see more attacks against technology supply chains and critical infrastructure,” explains Scott Sayce, Global Head of Cyber at AGCS.

Business interruption (BI) ranks as the second most concerning risk globally and in Africa and Middle East and South Africa but moves down two places to sixth in Nigeria. However, it ranked first in Ghana, Kenya, Morocco and Namibia.

In a year marked by widespread disruption, the extent of vulnerabilities in modern supply chains and production networks is more obvious than ever.

According to the survey, the most feared cause of BI is cyber incidents, reflecting the rise in ransomware attacks but also the impact of companies’ growing reliance on digitalization and the shift to remote working.

Natural catastrophes and pandemic are the two other important triggers for BI in the view of respondents.

In the past year post-lockdown surges in demand have combined with disruption to production and logistics, as Covid-19 outbreaks in Asia closed factories and caused record congestion levels in container shipping ports. Pandemic-related delays compounded other supply chain issues, such as the Suez Canal blockage or the global shortage of semiconductors after plant closures in Taiwan, Japan and Texas from weather events and fires.

“The pandemic has exposed the extent of interconnectivity in modern supply chains and how multiple unrelated events can come together to create widespread disruption. For the first time the resilience of supply chains has been tested to breaking point on a global scale,” says Philip Beblo, property industry lead, Technology, Media and Telecoms, at AGCS.

According to the recent Euler Hermes Global Trade Report, the Covid-19 pandemic will likely drive high levels of supply chain disruption into the second half of 2022, although mismatches in global demand and supply and container shipping capacity are eventually predicted to ease, assuming no further unexpected developments.

Awareness of BI risks is becoming an important strategic issue across entire companies. “There is a growing willingness among top management to bring more transparency to supply chains with organizations investing in tools and working with data to better understand the risks and create inventories, redundancies and contingency plans for business continuity,” says Maarten van der Zwaag, Global Head of Property Risk Consulting at AGCS.

Pandemic preparations improve. Next up – making businesses more weatherproof

Pandemic outbreak remains a major concern for companies but drops from second to fourth position globally and from first to ninth in Nigeria (although the survey predated the emergence of the Omicron variant). However, the risk moved up from fourth to third in Ghana, which shows that companies are still concerned about the peril.

While the Covid-19 crisis continues to overshadow the economic outlook in many industries, encouragingly, businesses do feel they have adapted well.

The majority of respondents (80%) think they are adequately or well-prepared for a future incident.

Improving business continuity management is the main action companies are taking to make them more resilient.

The rise of Natural catastrophes and Climate change to third and sixth position globally respectively is telling, with both upwards trends closely related. Recent years have shown the frequency and severity of weather events are increasing due to global warming. For 2021, global insured catastrophe losses were well in excess of $100bn – the fourth highest year on record.

Hurricane Ida in the US may have been the costliest event, but more than half of the losses came from so-called secondary perils such as floods, heavy rain, thunderstorms, tornados and even winter freezes, which can often be local but increasingly costly events.

Examples included Winter Storm Uri in Texas, the low-pressure weather system Bernd, which triggered catastrophic flooding in Germany and Benelux countries, the heavy flooding in Zhengzhou, China, and heatwaves and bushfires in Canada and California.

Allianz Risk Barometer 2022 respondents are most concerned about climate-change related weather events causing damage to corporate property (57%), followed by BI and supply chain impact (41%).

However, they are also worried about managing the transition of their businesses to a low-carbon economy (36%), fulfilling complex regulation and reporting requirements and avoiding potential litigation risks for not adequately taking action to address climate change (34%).

“The pressure on businesses to act on climate change has increased noticeably over the past year, with a growing focus on net-zero contributions,” observes Line Hestvik, chief sustainability officer at Allianz SE. “There is a clear trend for companies towards reducing greenhouse gas emissions in operations or exploring business opportunities for climate-friendly technologies and sustainable products. In the coming years, many corporate decision-makers will be looking even more closely at the impact of climate risks in their value chain and taking appropriate precautions. Many companies are building up dedicated competencies around climate risk mitigation, bringing together both risk management and sustainability experts.”

Businesses also have to become more weatherproof against extreme events such as hurricanes or flooding.

“Previous once-in-a-century-events may well occur more frequently in future and also in regions which were considered ‘safe’ in the past. Both buildings and business continuity planning need to become more robust in response,” says van der Zwaag.

Other risers and fallers in this year’s Allianz Risk Barometer:

• Shortage of skilled workforce (13%) is a new entry in the top 10 risks at number nine. Attracting and retaining workers has rarely been more challenging. Respondents rank this as a top five risk in the engineering, construction, real estate, public service and healthcare sectors, and as the top risk for transportation.
• Changes in legislation and regulation remains fifth (19%) globally but moves up four places to fourth in Nigeria. Prominent regulatory initiatives on companies’ radars in 2022 include anti-competitive practices targeting big tech, as well as sustainability initiatives with the EU taxonomy scheme.
• Fire and explosion (17%) is a perennial risk for companies, ranking seventh as in last year’s survey. Market developments (15%) falls from fourth to eighth year-on-year but moves up six places to fourth in Nigeria. Macroeconomic developments (11%) falls from eighth to 10^th globally but remains unchanged at number three in Nigeria.