In 2017, the NotPetya malware attack hit Maersk, destroying 49,000 laptops and 1,200 servers and taking down booking systems across 76 port terminals. The estimated cost was $300 million. But the insurance aftermath revealed something even more concerning than the attack itself.
When Mondelez International filed a $100 million claim with Zurich Insurance for its own NotPetya damages, Zurich denied the claim under the policy's war exclusion clause, arguing NotPetya was a state-sponsored attack attributable to the Russian military. The case settled in 2022, but the precedent was set: cyber attacks with state involvement may not be covered under standard insurance policies, even when the insured was not the intended target.
For maritime operators, this matters enormously. Most have not examined whether their existing insurance actually covers the cyber scenarios most likely to affect them.
Lloyd's Market Bulletin Y5381: The Rule Change
In August 2022, Lloyd's of London issued Market Bulletin Y5381, requiring all Lloyd's market participants to include cyber exclusion clauses in standalone cyber policies from March 2023. The bulletin required policies to exclude losses arising from cyber operations that are:
- State-sponsored: Attacks carried out by or on behalf of a state, whether or not formally attributed
- Conducted during armed conflict: Cyber operations that form part of a wider military campaign
- Retaliatory: Cyber attacks conducted in retaliation for state actions, even against commercial targets
To implement these exclusions in the marine market specifically, the Lloyd's Market Association developed clauses LMA5402 and LMA5403. These marine-specific cyber exclusion clauses define exactly what is and is not covered in marine policies when cyber events occur. LMA5402 provides a broad exclusion with limited write-back (re-inclusion) provisions. LMA5403 offers a narrower exclusion with more generous write-back terms, but at a higher premium.
The practical effect is that marine insurance policies written through the Lloyd's market now explicitly exclude most state-related cyber events - which represent some of the highest-impact attack scenarios the maritime industry faces.
What P&I Clubs Typically Exclude
P&I clubs provide core liability coverage for most commercial vessels, but P&I coverage for cyber incidents is limited and inconsistent. Most P&I policies exclude or limit coverage for:
- State-backed cyber attacks: Following the Lloyd's market direction, P&I clubs are incorporating cyber war exclusions that deny coverage for attacks attributable to state actors
- Acts of cyber warfare: Events classified as warfare or hostile acts by a state, even when the vessel is not the primary target
- Failure to maintain reasonable cyber security measures: This is the exclusion that catches most operators off guard. If an operator cannot demonstrate that they took reasonable steps to protect their systems, the club may deny coverage even for incidents that would otherwise be covered
- Consequential losses from system failures: Business interruption, loss of hire, and consequential damages from IT/OT system failures caused by cyber events often fall outside standard P&I coverage
The "reasonable measures" exclusion is particularly important because it is subjective. What constitutes "reasonable" cyber security is determined after an incident, when the club's loss adjusters examine what controls were in place. Without documented evidence of risk assessment, vulnerability management, access controls, and incident response procedures, the operator's position is weak.
The Coverage Gap: Hull, P&I, and Standalone Cyber
Maritime operators typically hold three types of insurance that might apply to a cyber incident, but each has significant limitations. Hull and Machinery (H&M) policies cover physical damage, but many now include the Institute Cyber Attack Exclusion Clause (CL380), which excludes losses caused by cyber attacks entirely. P&I covers third-party liabilities like pollution and cargo damage, but the state-backed exclusions and "reasonable measures" provisions could deny coverage after a cyber-caused grounding or spill. Standalone cyber policies are available but expensive, carry high deductibles, and - following Lloyd's Y5381 - now exclude state-backed attacks.
The result is a coverage gap. The most damaging cyber scenarios - state-sponsored attacks, widespread malware campaigns, attacks on port infrastructure - are the very scenarios most likely to be excluded from all three policy types.
What Insurers Want to See
Whether you are applying for standalone cyber coverage, renewing your P&I entry, or defending a claim after an incident, insurers and loss adjusters increasingly want to see specific documentation:
- Documented risk assessments: A formal evaluation of cyber threats and vulnerabilities specific to your vessel and operations, reviewed and updated regularly
- Incident response procedures: Written procedures for detecting, containing, and recovering from cyber incidents, with defined roles, communication chains, and reporting obligations
- Patch management evidence: Records showing that software and firmware on vessel systems are kept up to date, with a documented process for evaluating and applying security patches
- Training records: Evidence that crew members have received cybersecurity awareness training appropriate to their role, with documented completion dates and training content
- Vulnerability scanning results: Regular assessments of vessel systems for known vulnerabilities, with documented remediation actions and timelines
- Access control documentation: Evidence of role-based access control, individual user accounts (not shared passwords), and audit logs of system access
The common thread is documentation. Insurers do not just want to know that controls exist - they want evidence that those controls are maintained, tested, and updated. A cybersecurity policy document that was written three years ago and never reviewed provides little comfort to an underwriter assessing current risk.
How NCoDE Command Satisfies Underwriter Due Diligence
NCoDE Command is designed to produce exactly the documentation that insurers and loss adjusters require. Every module generates audit-ready evidence that can be exported and presented during underwriting reviews, renewal negotiations, or post-incident investigations.
Risk Register with Severity Scoring
NCoDE Command maintains a living risk register where each identified cyber risk is categorized, scored for likelihood and impact, assigned to a responsible person, and tracked through its mitigation lifecycle. This is not a static document - it updates as new risks are identified and existing risks are addressed. Underwriters can see that risk assessment is an ongoing process, not a one-time exercise.
Document Vault with Version Control
All cybersecurity policies, procedures, and plans are stored in NCoDE Command's document vault with full version control. Every revision is timestamped and attributed, creating an audit trail that demonstrates documents are reviewed and updated regularly. When an underwriter asks to see your incident response plan, you can show not just the current version but the complete revision history.
Vendor Tracker
Third-party vendors and suppliers with access to vessel systems represent a significant cyber risk. NCoDE Command tracks every vendor relationship, including what systems they can access, what security requirements they must meet, and when their access was last reviewed. This vendor risk management documentation is increasingly requested by underwriters as supply chain attacks become more common.
Patch Lifecycle Management
NCoDE Command tracks the patch status of every system in the vessel's inventory, from discovery through evaluation, testing, deployment, and verification - including documented justifications for patches deferred due to operational constraints. This provides the patch management evidence that insurers specifically request.
Exportable Compliance Reports
All documentation can be exported for insurer review. Compliance reports aggregate risk assessments, vulnerability scan results, patch status, access control configurations, training records, and incident response activities into a single document package - making underwriting and renewal faster for both operator and insurer.
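The three pieces of evidence described above (a risk register scored for likelihood and impact, a patch lifecycle with documented deferrals, and an aggregated report) can be sketched in a few dozen lines. The following is an added illustration written for this article, not NCoDE Command's own code or data model: the 1-5 likelihood x impact scoring, the review-age thresholds, the state names and the sample risks, patches and advisory identifiers are all assumptions or constructed placeholders.

```python
"""Added example (not NCoDE Command's code): a minimal evidence model for the
documentation an underwriter asks for. Scoring scheme, thresholds, state names
and all sample data are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import json


# Likelihood and impact on a 1-5 scale; their product is the severity score
# (assumed scheme, not a published standard).
@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int
    impact: int
    owner: str
    status: str = "open"  # open | mitigating | closed
    last_reviewed: date = field(default_factory=date.today)

    def severity(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact


# Patch lifecycle: discovery -> evaluation -> testing -> deployment -> verification.
# Deferral is allowed from evaluation or testing only with a recorded justification,
# and a deferred patch must come back to evaluation; it never terminates there.
PATCH_FLOW = {
    "discovered": {"evaluated"},
    "evaluated": {"testing", "deferred"},
    "testing": {"deployed", "deferred"},
    "deferred": {"evaluated"},
    "deployed": {"verified"},
    "verified": set(),
}


@dataclass
class Patch:
    system: str
    advisory: str
    state: str = "discovered"
    history: list = field(default_factory=list)  # (date, from, to, note)

    def transition(self, new_state: str, when: date, note: str = "") -> None:
        if new_state not in PATCH_FLOW[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not a permitted step")
        if new_state == "deferred" and not note.strip():
            raise ValueError("deferral requires a documented justification")
        self.history.append((when.isoformat(), self.state, new_state, note))
        self.state = new_state


def stale_documents(docs: dict, today: date, max_age_days: int = 365) -> list:
    """Names of policy documents whose last review is older than max_age_days."""
    return sorted(n for n, d in docs.items() if (today - d).days > max_age_days)


def compliance_report(risks, patches, docs, today) -> dict:
    """Aggregate the evidence into one exportable, JSON-serialisable package."""
    open_risks = [r for r in risks if r.status != "closed"]
    return {
        "generated": today.isoformat(),
        "risks": {
            "total": len(risks),
            "open_high_severity": sorted(r.ident for r in open_risks if r.severity() >= 15),
            "overdue_reviews": sorted(r.ident for r in risks if (today - r.last_reviewed).days > 90),
        },
        "patches": {
            "by_state": {s: sum(p.state == s for p in patches) for s in PATCH_FLOW},
            "deferred_with_justification": [
                (p.system, p.advisory, p.history[-1][3]) for p in patches if p.state == "deferred"],
        },
        "stale_policy_documents": stale_documents(docs, today),
    }


def build_sample(today: date = date(2024, 6, 1)) -> dict:
    """Constructed sample data (placeholder systems and advisory ids) to demonstrate the report."""
    risks = [
        Risk("R-01", "Unpatched ECDIS workstation on bridge LAN", 4, 5, "ETO", "open", today - timedelta(days=20)),
        Risk("R-02", "Shared password on crew Wi-Fi controller", 3, 2, "Master", "mitigating", today - timedelta(days=120)),
        Risk("R-03", "Vendor remote access without session logging", 2, 4, "IT Manager", "closed", today - timedelta(days=10)),
    ]
    p1 = Patch("ECDIS-1", "ADV-0001 (placeholder id)")
    p1.transition("evaluated", today - timedelta(days=30))
    p1.transition("deferred", today - timedelta(days=29), "Type-approval testing required before deploying on ECDIS; revisit in port")
    p2 = Patch("OfficePC-3", "ADV-0002 (placeholder id)")
    for s in ("evaluated", "testing", "deployed", "verified"):
        p2.transition(s, today - timedelta(days=5))
    docs = {"Incident Response Plan": today - timedelta(days=400),
            "Access Control Policy": today - timedelta(days=60)}
    return compliance_report(risks, [p1, p2], docs, today)


if __name__ == "__main__":
    print(json.dumps(build_sample(), indent=2))
```

Two design points matter for the "reasonable measures" question discussed earlier: the patch model refuses a deferral that carries no justification, so the record an adjuster later reads always explains why a patch was not applied, and the report flags policy documents and risks whose last review is older than a threshold, which is exactly the "written three years ago and never reviewed" weakness an underwriter looks for.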
The Cost of Being Uninsurable
The maritime cyber insurance market is tightening. Operators who cannot demonstrate robust cyber risk management face higher premiums, coverage denials on claims they assumed were covered, or inability to obtain cyber coverage at all. The investment in proper documentation is minimal compared to a single denied claim that could cost millions in unrecovered losses.