Driven by the search for more efficient ways of working, the maritime industry is in the midst of a technological transformation. Yet the benefits of technology come with risks, as clearly demonstrated by recent cyber attacks.
The NotPetya ransomware attack in June showed just how connected the marine and logistics supply chain has become and just how reliant the industry is on critical onshore systems and data. This dependence is now giving rise to a growing focus on cyber risk management and security by regulators and the shipping industry alike.
Newer ships, ports and cargo handling facilities are increasingly automated and inter-connected. But, as has been seen with recent events, this exposes the industry to the risk of significant business disruption, financial loss and reputational damage.
The ransomware attack in June this year showed how costly a cyber attack or IT outage can be – shipping firm Maersk was prevented from taking new orders for several days whilst its IT systems were disabled, and said it expects business interruption and costs associated with the attack to reach $300 million. But shipping companies and ports are exposed to a wide range of cyber risks that can result in physical damage, theft, business interruption and third party liabilities.
Criminals and pirates, for example, have been using cyber vulnerabilities to trick, extort or steal from shipping companies. Maritime cyber security firm CyberKeel recently revealed that cyber criminals planted malware in a shipping firm’s IT system, diverting funds intended to pay for bunker fuel.
There is also growing concern that a cyber attack against a large vessel in a busy shipping lane could result in a major casualty. Ships' systems are known to be vulnerable to attack, while fears have been growing over so-called ‘spoofing’ - the hacking of GPS systems to jam or ‘spoof’ ship navigation systems.
Given recent attacks it is no surprise that governments and regulators are turning their attention to cyber security. Looking to protect critical infrastructure, the US government already has port and shipping cyber security in its sights.
The US Coastguard has also moved to more clearly define cyber security and risk management requirements for vessels and facilities in US waters. In July the Coastguard issued a draft circular, "Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act Regulated Facilities", which will bring about potential fines for a lack of cyber preparedness.
At an international level, the International Maritime Organisation (IMO) took a significant step forward in June when it introduced maritime cyber risk management guidelines and adopted Maritime Cyber Risk Management into the ISM Code. Essentially, the move will require shipping companies to address cyber risk via safety management systems by 2021.
The past two years have also seen a flurry of maritime cyber risk management guidelines and standards emerge from across the industry.
In September 2017 the UK’s Department for Transport published a new code of practice for maritime cyber security while a group of international shipping and insurance organisations, led by BIMCO, updated their cyber security guidelines in July.
Classification societies are also incorporating cyber security into class rules. The International Association of Classification Societies (IACS) has established a joint cyber risk management working group in tandem with its expansion into the classification of cyber security systems.
Like other sectors, concerns for cyber related liabilities and business disruption in the supply chain are likely to drive changes in contractual requirements between charterers and ship owners.
We are already seeing some charterers require ship owners and other service providers to meet certain cyber security standards and insurance requirements. Such contractual requirements are likely to become more commonplace in the maritime sector as awareness of the potential risks increases.
As awareness of cyber risk has increased, marine insurance buyers are starting to review existing property damage and liability cover, and in some instances explore solutions to more challenging aspects of cyber risk.
Some traditional policies neither explicitly include nor exclude cyber losses, and therefore may provide some cover. In recent years insurers have introduced cyber exclusions in some marine policies, although it may be possible to have these exclusions removed or to ‘buy back’ cover.
Most traditional policies, however, will not pick up the costs of dealing with a cyber attack, nor are they intended to cover non-damage cyber business interruption of the kind caused by the NotPetya disruption to Maersk. Cover for these types of losses can be obtained from the specialist cyber insurance market.
Here to help
If you would like to discuss the evolving cyber threats facing the shipping industry or for further information on related cover, please contact Miller’s Marine insurance specialist Jake Fisher.