Marine insurers face coverage uncertainty as GPS spoofing incidents rise

The Association of Average Adjusters (AAA) has published a discussion paper highlighting significant concerns about insurance coverage for GPS spoofing related vessel casualties.

The organisation warns that cyber exclusion clauses are creating unexpected coverage gaps for incidents that would traditionally fall under standard marine insurance policies.

What are GPS spoofing incidents?

GPS spoofing incidents have increased across major shipping routes, with vessels experiencing false position data that can lead to groundings and collisions. Unlike simple signal jamming, spoofing involves broadcasting false satellite signals that deceive navigation systems, causing ships to calculate incorrect positions. Recent incidents have occurred in geopolitically sensitive regions including the Black Sea, Persian Gulf and Eastern Mediterranean.

The insurance coverage challenge

The coverage challenge centres on the hybrid nature of these incidents. Whilst the attack method involves electronic interference, the consequences are entirely physical; these include vessel groundings, hull damage, and potential third-party liability. This creates classification difficulties for insurers accustomed to clear distinctions between cyber and traditional marine risks.

The LMA5403 cyber exclusion clause

The AAA has identified particular concerns with the widely-used LMA5403 cyber exclusion clause, which excludes losses “directly or indirectly caused by or contributed to, by or arising from the use or operation, as a means for inflicting harm, of any computer or electronic system.” The organisation notes that this language creates a dual evidential burden; insurers must prove both that electronic systems were used and that there was malicious intent to cause harm.

This requirement presents significant practical challenges. Establishing that GPS spoofing occurred requires sophisticated technical analysis, whilst proving deliberate intent adds another layer of complexity. The AAA emphasises that, in many cases, particularly those involving state-sponsored interference or attacks in politically sensitive areas, demonstrating specific intent to harm individual vessels may prove difficult or impossible.

The organisation warns that insurers cannot simply rely on the occurrence of spoofing to trigger exclusions but must meet higher evidential standards. AAA Chair Chris Kilbee noted that the intent requirement creates substantial hurdles for insurers, as causation, crew conduct and cyber attribution now intersect in ways that create significant ambiguity in claims assessment.

Different sectors of the marine insurance market are experiencing varying impacts. P&I clubs face scenarios where single spoofing incidents could trigger both hull damage and liability claims. Cargo insurers are dealing with supply chain disruption claims, particularly for time-sensitive shipments. Hull and machinery insurers are questioning whether spoofing-related physical damage falls within standard coverage or cyber exclusions.

The AAA has highlighted the potential importance of cyber buy-back clauses, which can restore coverage where exclusions might otherwise apply. These provisions could prove crucial in cases where spoofing is suspected but definitive attribution remains unclear.

What does this mean for insurers?

The AAA's analysis reveals that marine insurers face significantly greater exposure to GPS spoofing claims than initially anticipated, as the high evidential bar for applying cyber exclusions may favour policyholders in coverage disputes. The requirement to prove both electronic interference and malicious intent creates practical challenges that many insurers are ill-equipped to handle, particularly given the sophisticated technical analysis required to establish that spoofing occurred, and the near-impossible task of proving specific intent in cases involving state actors or geopolitically motivated interference. This means that many incidents insurers assumed would be excluded under cyber clauses may actually remain covered under traditional policies, requiring urgent reassessment of risk exposure and policy language. Insurers must develop new technical capabilities for investigating digital interference, potentially through partnerships with cybersecurity specialists and forensic experts, whilst understanding that the legal thresholds for successfully applying exclusions are higher than previously thought. The intersection of traditional marine risks with cyber threats demands enhanced expertise in areas ranging from signal analysis to geopolitical attribution, forcing insurers to consider whether current policy wordings adequately reflect their intended coverage scope. The AAA's emphasis that cyber buy-back clauses could become crucial suggests that insurers may need to review these provisions more carefully, whilst the organisation's warning that GPS manipulation is now an operational reality rather than theoretical risk underscores the urgent need for industry-wide adaptation to emerging hybrid cyber-physical threats that challenge traditional coverage boundaries.