Historically, cyber-attacks have traditionally focused on attempts to obtain personal or financially sensitive data. However, by their very nature, cyber threats are opportunistic, and so present constantly shifting challenges.

While shipping is considered a 'key' or 'essential' sector in many economies and has remained as busy (if not busier) than ever, notwithstanding the current pandemic-related issues, its unique features present skilled and creative hackers with a plethora of opportunities to take advantage of the wide range of industrial control systems employed throughout this vital area. A limited snapshot of these systems include port and ship-based cargo handling and container tracking systems, waterway access systems, navigation and propulsion systems, and automated processes to name just a few. Many of these systems rely on smooth and efficient operation, meaning that especially now, cyber-attacks can be all the more damaging.

Cyber-attacks can also have criminal motivations (as seen in Antwerp between 2011 and 2013) to highjack, divert, or steal cargo. Events over the last four years suggest that these types of systems are becoming increasingly vulnerable to attack with companies across all business sectors experiencing increasingly sophisticated and complex attacks that attempt to inflict damage to property and operations by taking control of industrial control systems.

Further, and by reference to The Maritime Safety Committee (MSC), Companies operating across all shipping sectors should bear in mind the recommended deadline to incorporate cyber risks within existing safety management systems (SMS) – a task that may easily have been overlooked following the outbreak of COVID-19. The MSC, via resolution MSC.428(98), encourages those in the industry to ensure;

'cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's document of compliance after 1 January 2021'.

To assist companies with this process, the MSC issued a document titled 'MSC-FAL.1/Circ.3', which provides guidance on maritime cyber-risk management. These guidelines provide a staged approach and suggest the following whenever possible:

  1. 'Identify: define personnel roles and responsibilities for cyber-risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operations.
  2. Protect: implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
  3. Detect: develop and implement activities necessary to detect a cyber-event in a timely manner.
  4. Respond: develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
  5. Recover: identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.'

While the implementation of cyber risks within the SMS may seem low in the list of priorities for many in the industry, we nevertheless recommend prompt action – especially in the current circumstances. Research suggests:

In light of these statistics, it is clear that assessing and seeking to manage cyber risks is not simply about complying with 'red tape', rather it is guarding against very real and significant risk of material loss.

A thorough risk assessment and compliance with the MSC guidelines will increase the chance of identifying vulnerabilities in systems and procedures, correction of which will help prevent attacks and the losses that can occur from a significant cyber incident.

The cost implications of a cyber incident should not be underestimated and can include:

  • The potentially massive loss itself
  • Financial risks associated with lack of insurance coverage where prudent measures have not been taken
  • Claims by customers for associated loss
  • Reputational damage; and importantly
  • Eye-watering fines for non-compliance

Fines for data breaches under EU legislation alone can be the higher of €20 million or 4% of total worldwide annual turnover. This is before claims for compensation (and the legal costs) by those affected by the data breach. Recent fines include British Airways who were fined £20 million (lowered from the £183 million initially imposed) after it was subject to a cyber-attack in 2018 and Marriot International Inc. who were fined £18.4 million after a cyber-attack in 2014.

In addition, the United States requires all ships calling at its ports to have appropriately addressed cyber-risk management within their SMS in accordance with MSC 428(98). It is reported that failure to be compliant may result in detention of offending vessels in US ports.

Accordingly, the effects of cyber incidents can be far ranging and have catastrophic implications to a business's reputation and financial standing. Cyber incidents can entice payments to the wrong bank account and lead to hacked systems that could lead to business disruption and lost revenue.

Maersk know first-hand how devastating a cyber-attack can be, having suffered a well-publicised major incident on 27 June 2017 that affected its global network with a cost of up to $300 million. Fortunately for Maersk, no data breach or data loss to third parties occurred, which would have increased those losses significantly and likely exposed it to potential fines.

Consideration should also be given to malicious attacks involving vessels that could result in control of the vessel being taken away from the captain – consider, for a moment, the implications of such an attack on a cruise vessel.

Where the outcome has less dramatic consequences, a vessel sent on a voyage infected with malware, raises potential questions concerning seaworthiness, which could expose the owner to liability both in terms of their contractual obligations and the Marine Insurance Act.

In summary, cyber-attack risks are not diminishing, rather they are growing and becoming ever more sophisticated. Those in the shipping sector should therefore consider this an apposite and timely opportunity to review their cyber policies – not only to comply with recent guidance, but also to safeguard against potentially huge financial liabilities, business interruption, and significant reputational damage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.