Cyber Security Isn’t Expensive - It’s Priceless

Widespread digitalization has brought many benefits to shipping. Seafarers can call home more easily and frequently. Port management systems are now much smarter, and digital navigation tools are improving voyage times and reducing emissions.

However, shipping’s increased reliance on digital systems has also created new vulnerabilities. Some of these are relatively easy to fix. Paper charts and working knowledge of a sextant have guided mariners for centuries, and can fully overcome any ECDIS failure. Others are both harder to detect and less easily fixed.

As The Maritime Executive has reported, criminals are using GPS jamming to help them to plunder cargoes. Similarly, the technology needed to spoof – or deceive a vessel as to its actual location – is inexpensive and easy to find online. Should a hacker be able to access a ship’s digital core, it could prevent any internet-enabled activity. A ship without the ability to communicate could quickly be deemed ‘off hire’ by a charterer.

The unfortunate reality is that digital threats to shipping companies are increasing rapidly. One survey by Naval Dome, an Israeli defence company, estimated that there had been a 400% growth in attempted attacks on maritime targets between February and June 2020.

In the last month numerous container majors and even the IMO have been victims, and Covid-19’s social restrictions have seen the increased use of connectivity by OEMs, technicians, and others to service ships. This is likely to have increased the possible attack surfaces and number of incidents further still.

New practices under the revised ISM Code

Back in 2017, the IMO adopted Resolution MSC.428(98) and MSC-FAL.1.Circ.3 which recognise that digital threats are no longer a technical issue but an integral part of the ISM Code and safety management systems from 1 January 2021.

The guidelines are designed to create a system of continuous improvement for cyber-risk management. Shipowners and operators must now ensure that they are regularly working to improve their risk management and adapting their procedures and processes as the complexity and danger from digital attacks evolves.

The first step to take when updating your cyber risk management is to specify who will be responsible for administering and supervising, and identifying which systems are vulnerable to attack. Once that is complete, risk control processes must be regularly tested, and the lessons learned embedded within ongoing resilience and contingency planning. Cyber-insurer Astaara has created this comprehensive explanation of the new rules, which explains the new processes and obligations in more detail. 

The implications of non-compliance

The consequences of this are potentially huge. If an owner of a vessel cannot show that it has performed appropriate due diligence in managing its cyber risks in line with the new guidelines, the vessel may be found to be unseaworthy. Should this happen, it’s likely to jeopardise contracts of carriage and could compromise a shipowner’s ability to rely on the Hague or Hague Visby Rules, and their defences and limitations.

Similarly, many financing agreements require compliance with all elements of the ISM Code. It is therefore possible that a breach of the Code could put a borrower in default on his loan contracts.

Currently there is no cyber exclusion in mutual P&I Club cover for traditional P&I risks. In practice, this means that a digital failure or hack that creates a P&I claim will be covered – as long as the Member has prudently and diligently ensured that her vessels are appropriately managing their cyber risks and in compliance with Flag State and Class requirements.

However, there will remain numerous risks that are not covered. An attack by a nation state or a terrorist would be a war risk and therefore not covered by a typical P&I policy, and owners would have to look for cover to the War Risk underwriters many of whom may have cyber exclusions in their policies. Additionally, owners and charterers with fixed premium rather than mutual insurance are typically finding that their policies now contain cyber risk exclusions.

At present there is a limited cyber insurance market for marine risks. But in light of the growing number of cyber-attacks and the very visible consequences to some of shipping’s biggest companies, we’re expecting the demand for cover to grow rapidly and the question is whether the insurance market has the desire or capacity to respond.

The updated ISM Code provides welcome standardization and updates to enhance the safety of ships and the seafarers that crew them. However, failing to address its requirements could have an enormously detrimental impact on a company’s ability to trade.

Capt. Simon Hodgkinson is the Global Head of Loss Prevention and Chris South is a Senior Underwriter at West P&I.