‘GPS spoofing and groundings: Are shipowners still covered?’ asks the AAA

A significant issue exists regarding the interplay between traditional marine perils, such as a vessel grounding, and emerging threats stemming from GPS spoofing. This is particularly relevant in the context of modern cyber exclusion clauses found in standard Hull & Machinery policies. This is the subject of a discussion paper released by the Advisory and Dispute Resolution facility offered by the Association of Average Adjusters (AAA) recently.

Chris Kilbee (pictured), Chair of the AAA explains: “GPS spoofing is where false positioning signals mislead a vessel’s navigation systems giving misreported positions which have the potential to cause a grounding. A vessel grounding caused, or contributed to, by GPS spoofing would normally be covered under a traditional Hull & Machinery insurance policy but the increasing inclusion of cyber-exclusion clauses has now muddied the waters.” 

Under standard conditions, such an event would typically fall within the scope of coverage as a peril of the sea, even if navigational negligence was a factor. However, insurers are increasingly relying on cyber exclusion clauses, particularly LMA5403, to limit recoverability in cases where electronic systems are used “as a means for inflicting harm.”

The LMA5403 clause excludes losses “directly or indirectly caused by or contributed to, by or arising from the use or operation, as a means for inflicting harm, of any computer or electronic system.”  This requires an examination of:

- whether GPS spoofing constitutes the use of an "electronic system";    

- the degree to which such spoofing must causally contribute to the loss;

- the burden on insurers to prove that the spoofing was used as a “means of   inflicting harm”.

A key issue lies in interpreting the intention behind the spoofing. While spoofing may inherently cause disruption, the clause requires insurers to demonstrate that such actions were executed with the intent to cause harm. Contextual factors—such as whether the vessel was operating in politically sensitive or high-risk regions—may influence how courts assess intent, potentially triggering or invalidating cyber exclusions depending on the facts.

Building on this, Kilbee said: “The additional difficulty in determining whether spoofing was intended to cause harm potentially means that insurers face a much higher bar in evidencing that harm was intended by the spoofing actor. This introduces a significant grey area in claims assessment, where causation, crew conduct, and cyber attribution intersect.”

Whilst it may be possible to draw certain inferences depending on the circumstances of a case, the AAA believes that reliance on the cyber exclusions will be difficult based solely on the basis that spoofing occurred; intent and causality remain critical. Nonetheless, the legal ambiguity and evidentiary burden present commercial risks for both insurers and shipowners.

The paper also highlights the increasing relevance of cyber buy-back clauses, which for an additional premium, can reinstate cover in cases where cyber-related exclusions might otherwise apply. These endorsements can be critical in grounding scenarios where spoofing may be suspected but not clearly attributable.

In summary, Kilbee said: “GPS manipulation is no longer a theoretical risk and it's not always clear who is behind it or why. This creates a tension between traditional coverage expectations and the application of broadly drafted cyber exclusions. In this context, stakeholders across the shipping and insurance sectors are encouraged to closely review policy wordings and understand the legal thresholds required to engage or avoid exclusions in the event of a digitally influenced casualty.”