securityPOLITICAL RISK INSURANCE
Business / Cyber PillarRisk Level: High

Cyber Insurance for Shipping & Logistics.

Generic cyber policies frequently exclude or sub-limit losses arising from operational technology failures, pollution, and physical damage. A purpose-built cyber-for-shipping policy aligns the wording with the operational realities of vessels and terminals.

Request a quoteTalk to a specialist
First-party · Third-party · OT extension · Pollution carve-back

# Cyber Insurance for Shipping & Logistics

In late June 2017, the NotPetya wiper malware tore through A.P. Moller-Maersk's global network. Within hours, the world's largest container line lost its booking system, terminal operating systems at 17 of its 76 terminals went dark, and ten days of operational paralysis followed. Maersk later disclosed the loss at $250 million to $300 million; subsequent reporting placed the full economic impact higher. The carrier was not the intended target. NotPetya was a Russian state-sponsored attack on Ukrainian tax-accounting software that escaped its target environment and propagated through Maersk because a single finance workstation in Odesa was running an unpatched copy of the M.E.Doc accounting tool. That accident reset how the shipping and logistics sector thinks about cyber risk, but it has not yet reset how most operators insure it.

Most shipping and logistics companies in the United States today carry no dedicated cyber insurance. Those that do frequently carry policies written for generic small or mid-market businesses without the marine-specific endorsements that make the cover responsive to actual maritime exposures. The result is a category of risk that is severe, well-documented, and structurally under-insured.

Why Marine Cargo and Hull Policies Will Not Respond

The first thing operators need to understand is that the standard marine insurance program does not cover cyber loss. Two clauses do the work.

The Institute Cyber Attack Exclusion Clause (CL380), 10 November 2003. This clause has been embedded in most London-market cargo, hull, and war risk wordings for more than two decades. It excludes loss, damage, liability, or expense "directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system." A narrow write-back exists for war risk policies on a "Cyber Risk" basis, but ordinary marine policies treat CL380 as a hard exclusion.

The war and terrorism exclusions on standard property and liability policies. When NotPetya claims hit the property market, several insurers asserted that the attack constituted a "hostile or warlike action" attributable to a sovereign state, triggering the war exclusion. The Mondelez and Merck NotPetya litigation tested that position. Mondelez ultimately settled with Zurich; Merck won a $1.4 billion verdict in New Jersey in 2022 affirming that the war exclusion in its all-risk property policy did not apply to NotPetya because the exclusion contemplated traditional armed conflict. The lesson for shipping operators is not that the war exclusion always loses — it is that whether a cyber event is covered under a non-cyber policy will be litigated for years, while a properly placed cyber policy responds in days.

The market answer is a standalone cyber policy underwritten by an admitted U.S. carrier. The major capacity providers in this space include Chubb, AIG, Beazley, Hiscox, Travelers, Coalition, and At-Bay. Each maintains a distinct appetite for marine-adjacent risks, and several have developed maritime-specific endorsements that address OT exposures the standard form does not contemplate.

IT Versus OT: The Exposure That Generic Cyber Policies Miss

The shipping sector runs two distinct technology stacks, and most cyber insurance is written for only one of them.

Information Technology (IT) covers the corporate side — email, ERP, customer booking systems, terminal operating systems, freight management software, electronic data interchange (EDI) with customs and carriers, and the financial back office. This is the surface NotPetya exploited at Maersk. It is also the surface a standard cyber policy covers competently.

Operational Technology (OT) is the systems that move the ship and the cargo: Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), Global Positioning Systems (GPS), engine and propulsion control systems, ballast water management, cargo monitoring and refrigeration controls, terminal cranes, and port automation. OT systems were largely air-gapped a decade ago. They are no longer. The IMO MSC.428(98) resolution required cyber risk to be incorporated into Safety Management Systems by 1 January 2021, formally recognizing OT cyber risk as a safety-of-life issue, not a back-office IT problem.

OT exposures that have been demonstrated in the field include:

  • GPS spoofing — documented incidents in the Black Sea (2017) and reported repeatedly in the Strait of Hormuz and East China Sea, in which vessels' GPS receivers report false positions. A grounding or collision that results from spoofing-induced position error is a marine casualty with cyber as its proximate cause.
  • AIS manipulation — vessels appearing in locations they are not, or transmitting false identification. The implications for sanctions compliance, port state control, and collision avoidance are direct.
  • ECDIS compromise — corrupted electronic chart data leading the bridge team into hazards. Several syndicates now distinguish ECDIS-related claims in their underwriting questionnaires.
  • Ransomware on terminal operating systems — the 2023 attack on the Port of Nagoya halted Toyota's principal export terminal for approximately two days. Comparable cyber events have disrupted other major port and inland-logistics operators in recent years, including the South African Transnet operations.

A generic small-business cyber policy will respond to the IT side of a shipping operator's exposure. It is unlikely to respond cleanly to a claim alleging that an OT compromise caused a marine casualty, because the marine casualty implicates hull, P&I, and cargo policies that themselves exclude cyber under CL380. Bridging that gap requires either an extension to the cyber policy contemplating physical loss arising from cyber, or — more commonly — careful coordination of cyber and marine policies with matching definitions and a documented intent on which policy responds first.

What a Shipping and Logistics Cyber Policy Covers

A properly structured cyber policy for a shipping or logistics operator includes both first-party and third-party coverage parts.

First-party coverage. The insured's own losses.

  • Incident response costs. Forensics, breach counsel, public relations, customer notification. Typically delivered through the carrier's panel of vetted vendors, which materially shortens response time.
  • Data restoration. The cost of restoring corrupted or destroyed data and reconfiguring systems to a known-good state.
  • Business interruption and contingent business interruption. Lost gross profit during the period of restoration. For shipping operators this is the largest exposure: Maersk's ten-day NotPetya interruption produced the bulk of its $300 million loss. Contingent BI extends to outages at a critical IT vendor (cloud provider, port community system, customs broker software).
  • Cyber extortion and ransom. Payment of ransom and the costs of negotiation, subject to OFAC and other sanctions screening. Following the 2020 OFAC advisory on ransomware payments and the 2021 update, carriers have built sanctions-screening protocols into the claims process. Payment to a sanctioned threat actor is not permitted under U.S. law regardless of policy wording.
  • Funds transfer fraud and social engineering. Coverage for fraudulent payment instructions, with sub-limits commonly applied. Shipping operators handling large freight payments, demurrage invoices, and bunker fuel transactions are repeated targets.

Third-party coverage. Claims by others against the insured.

  • Network security and privacy liability. Damages and defense costs arising from a breach affecting customer or counterparty data.
  • Regulatory defense and fines. Coverage for investigations and civil penalties under GDPR, CCPA, the New York DFS cyber regulation, and parallel state laws. Insurability of the fine itself varies by jurisdiction.
  • PCI assessments. For operators that handle card payments — common in passenger ferry operations, charter, and some logistics portals.
  • Media liability. Often included; relevant where the operator publishes tracking or status content.

Limits placed by mid-market shipping and logistics operators typically fall between $5 million and $25 million, with larger carriers placing $50 million to $100 million on a tower basis through multiple carriers. Self-insured retentions have hardened materially since 2021, with six-figure retentions common in the mid-market and seven-figure retentions standard above $25 million in limits.

Underwriting: What Carriers Will Ask

Cyber underwriting has matured into a forensic exercise. Carriers do not rely on the applicant's self-assessment; they verify controls. Operators preparing to approach the market should expect to demonstrate:

  • Multi-factor authentication on email, remote access, and privileged accounts. Absence of MFA is now a near-automatic decline for most carriers above a small-business threshold.
  • Endpoint detection and response (EDR) deployed across the IT estate. Legacy antivirus alone is insufficient.
  • Privileged access management and removal of standing administrative rights.
  • Backups that are tested, segregated, and either offline or immutable. Backup integrity is the single most discussed control in ransomware underwriting because it determines whether the operator must pay to recover.
  • Patch management with a documented cadence for critical vulnerabilities.
  • Email filtering and anti-phishing controls.
  • Incident response plan that has been tabletop-tested within the prior 12 months.
  • Vendor management with cyber requirements imposed on critical third parties.

Shipping-specific questions increasingly appear: separation between IT and OT networks, ECDIS update procedures, AIS validation, GPS redundancy and dead-reckoning capability, port and terminal connectivity controls.

The Under-Insurance Problem

Industry surveys consistently show that a substantial share of mid-market shipping and logistics operators carry no standalone cyber insurance, and that many of those who do carry limits that would not absorb a NotPetya-scale event. The reasons are familiar: cyber is a younger line than marine; the policy is purchased outside the traditional marine broker relationship; and the marine cargo and hull policies the operator already carries appear, on the cover page, to address "all risks." They do not, because CL380 sits in the wording.

For operators trading internationally, the gap is wider still. The IMO cyber resolution and the corresponding flag-state implementations have created a regulatory expectation of cyber-risk management in vessel safety management systems, but compliance does not equal coverage. Port state control inspections increasingly request evidence of cyber risk integration in the SMS; insurance is a parallel obligation, not a substitute.

How Cover Is Placed

Cyber insurance for U.S. shipping and logistics operators is an admitted-carrier product. It is not surplus lines, and it does not require a Lloyd's placement. The major admitted markets — Chubb, AIG, Beazley, Hiscox, Travelers, Coalition, At-Bay, and the specialty units of large composite carriers — write the cover directly through licensed retail producers.

This page is a U.S. retail placement. Coverage is bound directly with admitted carriers under the writer's P&C license. The wholesale broker channel is not required for ordinary cyber placement, although it is sometimes used for the largest fleets to access additional capacity above $25 million.

Request a Cyber Coverage Review

If your operation carries marine cargo or hull insurance but has not separately placed cyber, the gap is structural — not a matter of premium negotiation but of policy form. Closing it requires an admitted cyber policy aligned to your IT and OT exposures and coordinated with your marine program.

We review existing cyber coverage against the operator's IT and OT footprint, the marine program in force, and the carrier's panel-vendor and ransom protocols. The objective is a defensible position before an incident, not a coverage debate afterward.

Specialist quote desk

Request a business / political risk quote

Tell us about the exposure — supply chain, contract receivables, foreign assets, or cyber footprint — and we will route to the right specialty market.

Submitting this form does not bind coverage. We respond within one business day. Inquiries are handled in confidence.

The Monday Brief

Weekly market intelligence — JWC Listed Areas, premium movement, casualties.

The Monday Brief

Subscribe to the weekly brief

JWC Listed Areas changes, hull war premium movement, notable casualties and political risk developments — every Monday morning.

No promotional content. Unsubscribe in one click.

Speak to a specialist

Ready to place coverage?

Talk to a war risk specialist. No call centers, no automated quote engines — a direct conversation with a licensed broker who tracks the JWC Listed Areas and the London market daily.

Request a quoteContact a specialist