Member Login

Email address required.
Password required.

Dealing with cyber risks – before it is too late

Posted on: 2 December 2020

Legal firm Hill Dickinson’s Legal Director Colin Lavelle and Associate Michael French say that historically, cyber-attacks have traditionally focused on attempts to obtain personal or financially sensitive data. However, by their very nature, cyber threats are opportunistic, and so present constantly shifting challenges.

While shipping is considered a ‘key’ or ‘essential’ sector in many economies and has remained as busy (if not busier) than ever, notwithstanding the current pandemic-related issues, its unique features present skilled and creative hackers with a plethora of opportunities to take advantage of the wide range of industrial control systems employed throughout this vital area. A limited snapshot of these systems include port and ship-based cargo handling and container tracking systems, waterway access systems, navigation and propulsion systems, and automated processes to name just a few. Many of these systems rely on smooth and efficient operation, meaning that especially now, cyber-attacks can be all the more damaging.

Cyber-attacks can also have criminal motivations (as seen in Antwerp between 2011 and 2013) to highjack, divert, or steal cargo. Events over the last four years suggest that these types of systems are becoming increasingly vulnerable to attack with companies across all business sectors experiencing increasingly sophisticated and complex attacks that attempt to inflict damage to property and operations by taking control of industrial control systems.

Further, and by reference to The Maritime Safety Committee (MSC), Companies operating across all shipping sectors should bear in mind the recommended deadline to incorporate cyber risks within existing safety management systems (SMS) – a task that may easily have been overlooked following the outbreak of COVID-19. The MSC, via resolution MSC.428(98), encourages those in the industry to ensure ‘cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s document of compliance after 1 January 2021’.

To assist companies with this process, the MSC issued a document titled ‘MSC-FAL.1/Circ.3’, which provides guidance on maritime cyber-risk management. These guidelines provide a staged approach and suggest the following whenever possible:

  1. ‘Identify: define personnel roles and responsibilities for cyber-risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operations.
  2. Protect: implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
  3. Detect: develop and implement activities necessary to detect a cyber-event in a timely manner.
  4. Respond: develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
  5. Recover: identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.’

While the implementation of cyber risks within the SMS may seem low in the list of priorities for many in the industry, we nevertheless recommend prompt action – especially in the current circumstances. Research suggests:

In light of these statistics, it is clear that assessing and seeking to manage cyber risks is not simply about complying with ‘red tape’, rather it is guarding against very real and significant risk of material loss.

A thorough risk assessment and compliance with the MSC guidelines will increase the chance of identifying vulnerabilities in systems and procedures, correction of which will help prevent attacks and the losses that can occur from a significant cyber incident.

The cost implications of a cyber incident should not be underestimated and can include:

  • The potentially massive loss itself
  • Financial risks associated with lack of insurance coverage where prudent measures have not been taken
  • Claims by customers for associated loss
  • Reputational damage; and importantly
  • Eye-watering fines for non-compliance

Fines for data breaches under EU legislation alone can be the higher of €20 million or 4% of total worldwide annual turnover. This is before claims for compensation (and the legal costs) by those affected by the data breach. Recent fines include British Airways who were fined £20 million (lowered from the £183 million initially imposed) after it was subject to a cyber-attack in 2018 and Marriot International Inc. who were fined £18.4 million after a cyber-attack in 2014.

In addition, the United States requires all ships calling at its ports to have appropriately addressed cyber-risk management within their SMS in accordance with MSC 428(98). It is reported that failure to be compliant may result in detention of offending vessels in US ports.

Accordingly, the effects of cyber incidents can be far ranging and have catastrophic implications to a business’s reputation and financial standing. Cyber incidents can entice payments to the wrong bank account and lead to hacked systems that could lead to business disruption and lost revenue.

Follow this link to find out more.

What is Maritime London?

Maritime London – the promotional body for UK based companies providing professional services to the international shipping industry

Funded by over 100 companies and organisations from a wide range of disciplines, Maritime London ensures that the UK remains a world beating location to base a maritime related business. Maritime London’s mission is to promote the UK as the world’s premier maritime business centre.

Our core Maritime Services

The UK is home to a world beating array of professional maritime service providers. Maritime sectors include:

© 2024 All Rights reserved. || Privacy/Terms