Cyber Risk in Shipping: From Technical Threat to Business Reality

Published Mar 30, 2026 2:12 PM by Taher Afridi

 

Cybersecurity in shipping is still too often framed as a technical issue, something for IT teams to manage in the background. From Marcura’s position across financial, operational and compliance workflows, it is increasingly clear that it has become something far more fundamental: a question of business resilience, financial integrity, and trust across an increasingly complex global ecosystem.

Few organizations sit closer to that reality. I see first-hand how cyber risk manifests in day-to-day shipping and where some of the industry’s assumptions still fall short.

The real weakness isn’t technical

For all the investment in firewalls, monitoring systems and infrastructure, many of the most significant vulnerabilities still sit within everyday workflows and human interaction.

Cyber incidents rarely begin with highly sophisticated technical breaches. More often, they exploit gaps in processes, communication, or decision-making under pressure. This is not about individuals being careless, but about how systems are designed, how information flows, and how people are supported to identify and respond to risk.

In maritime operations, this often takes the form of business email compromise. A bad actor may gain access to a trusted email account, such as that of a port agent, and insert fraudulent banking details into an otherwise legitimate disbursement request. The process appears routine, the parties are familiar, and the timing is often urgent, making the manipulation difficult to detect without the right controls in place. The financial consequences, however, can be immediate.

This is something we see play out repeatedly across global port operations. In fact, over recent years, Marcura has prevented more than 100 fraud attempts, protecting over US$10 million in customer funds by implementing controls around disbursement workflows and payment verification. These are not isolated incidents, but part of a consistent pattern across global port disbursement workflows.

The lesson is clear: cyber risk is no longer about whether systems are secure in isolation. It is about whether entire business processes, and the people operating them, can withstand manipulation.
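The payment-verification control described above can be sketched in code. This is an added example, not Marcura's system or anything from the original article; the class and function names, the 14-day cooling-off value and the sample records are assumptions made for illustration. It shows why the check has to compare the requested account against an independently verified record rather than trust the sender.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=14)  # assumed policy value, not from the article

@dataclass(frozen=True)
class VerifiedAccount:
    iban: str
    verified_on: date    # when the details were last confirmed by call-back
    callback_phone: str  # number held on file, never one taken from the email

@dataclass(frozen=True)
class DisbursementRequest:
    agent_id: str
    iban: str
    amount_usd: float
    received: date
    sender_authenticated: bool  # mail passed SPF/DKIM/DMARC

def normalise(iban: str) -> str:
    return "".join(iban.split()).upper()

def review(req: DisbursementRequest, master: dict[str, VerifiedAccount]) -> list[str]:
    """Return the reasons to hold a payment; an empty list means release."""
    # req.sender_authenticated is deliberately ignored: mail sent from a
    # compromised but genuine agent mailbox passes every sender check.
    record = master.get(req.agent_id)
    if record is None:
        return ["no verified bank record for this agent"]
    reasons = []
    if normalise(req.iban) != normalise(record.iban):
        reasons.append("beneficiary account differs from verified record; "
                       f"confirm by phone on {record.callback_phone}")
    if req.received - record.verified_on < COOLING_OFF:
        reasons.append("bank details on file changed within cooling-off period")
    return reasons

# Constructed sample data (documentation-style IBANs, fictional agent).
MASTER = {"AGT-001": VerifiedAccount("GB82 WEST 1234 5698 7654 32",
                                     date(2025, 1, 10), "+00 0000 000000")}
GENUINE = DisbursementRequest("AGT-001", "gb82west12345698765432",
                              48_250.00, date(2026, 3, 2), True)
TAMPERED = DisbursementRequest("AGT-001", "DE89 3704 0044 0532 0130 00",
                               48_250.00, date(2026, 3, 2), True)

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(name, "->", review(req, MASTER) or "release")
```

Both sample requests arrive from an authenticated sender; only the comparison against the verified record separates them.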

An ecosystem problem, not a company problem

Shipping is uniquely exposed because it does not operate as a closed system. Every voyage depends on a network of agents, suppliers, port authorities, financial institutions and service providers, many of whom operate with vastly different levels of cyber maturity.

This creates concentrated points of failure, or clusters of risk at critical operational touchpoints.

Port agents, for example, are often small, local businesses with limited cybersecurity investment. Yet they sit directly within high-value financial workflows. A compromised agent email account can be enough to trigger fraudulent disbursement payments, with legitimate stakeholders unknowingly cut out of the loop.

The probability of breach in maritime is high because of the number of actors involved, and not all of them have invested in security. The industry’s fragmentation and global nature create a structural challenge: even if large organizations strengthen their internal controls, they remain exposed through trusted external relationships.

Cyber defense, in other words, is only as strong as the weakest link in the chain.

Following the money

Another shift shaping the threat landscape is the motivation behind attacks. While early cyber incidents were often driven by curiosity or reputation, today’s attacks are overwhelmingly commercial.

Most breaches today are financially motivated, and the question attackers are asking is simple: where is the money, and what is the easiest path to get to it?

Digitalization has made that path significantly easier. Where physical bank robberies once required coordination and risk, today’s attackers can operate remotely, targeting financial flows through phishing, credential theft and social engineering.

Crucially, these attacks do not require deep technical sophistication. The barrier to entry has lowered dramatically, and is falling further.

AI is accelerating both sides

Artificial intelligence is now reshaping cybersecurity at speed, and not just for defenders.

On one hand, AI is enabling advanced detection capabilities, allowing organizations to process vast volumes of data and identify anomalies that would be impossible for human analysts alone. On the other, it is making attacks more scalable and convincing.

The guidance we used to give, such as looking for bad grammar or spelling in phishing emails, is no longer relevant. AI has removed those signals overnight.

Attackers can now generate highly personalized, context-aware communications at scale. Combined with automation, this creates a 24/7 offensive capability, one that continuously probes for vulnerabilities.

The result is a widening gap: defenders are still reacting, while attackers are increasingly proactive.

Awareness doesn’t mean readiness

There is no doubt that awareness of cyber risk has improved across shipping. Regulatory pressure, customer scrutiny, and insurance requirements are all driving the issue higher up the agenda.

However, awareness does not necessarily translate into readiness.

One of the most persistent challenges remains training and behavior. While most organizations now run cybersecurity awareness programs, measuring their effectiveness is far more difficult.

Marcura, for example, has implemented structured training over more than a decade, alongside phishing simulations and internal reporting processes. Yet even with high completion rates, the question remains: are people truly internalizing the risks, or simply ticking a compliance box?

Cybersecurity is not the responsibility of one person or one team, but of the organization as a whole. Changing behavior at scale is one of the hardest problems.

For shipowners and operators, this means rethinking cyber risk not as a compliance function, but as a control layer embedded across financial and operational workflows.

From cost center to commercial enabler

One of the more significant shifts underway is how cybersecurity is being perceived at a leadership level. Historically viewed as a cost center, it is increasingly becoming a commercial differentiator.

Large customers, including major shipping companies, financial institutions and energy firms, now expect robust cybersecurity credentials as a prerequisite for doing business. Certifications, audit reports and demonstrable controls are no longer optional; they are part of the commercial conversation.

In practice, this has translated into sustained investment, not just for compliance, but as a means of enabling trusted service delivery at scale. Cybersecurity is not simply about risk avoidance; it is about unlocking business opportunities.

Towards collective resilience

Despite these advances, one structural issue remains unresolved: the lack of effective information sharing across the industry.

Cyber threats are not competitive, yet responses often are. Organizations tend to manage incidents in isolation, limiting the sector’s ability to learn collectively.

There’s no central mechanism for sharing lessons in cybersecurity. We often hear about incidents too late, or without enough detail to make a meaningful difference.

For an industry as interconnected as shipping, this limits the sector’s ability to build collective resilience.

Improving resilience will require a shift from isolated defense to shared intelligence, where insights from one part of the ecosystem can strengthen the whole.

A business imperative

Cybersecurity in maritime is no longer a future concern. It is already shaping financial outcomes, operational continuity, and competitive positioning.

Organizations that recognize this, and treat cyber risk as a business issue rather than a technical one, will be better placed to navigate an increasingly complex threat landscape.

In a sector built on global interdependence, resilience is not just about protecting systems; it is about protecting trust across every transaction and interaction.

Taher Afridi is Deputy Chief Compliance Officer and Head of Information Security at Marcura, the sponsor of this message. 

The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.