Globally represented law firm HFW, active in the aerospace, commodities, construction, energy, insurance, and shipping sectors, has warned that the shipping industry remains at risk from criminal cyber attacks. Operators have been strengthening their defences in the light of rapid awareness, but the issue remains live.
Two years on from a report commissioned by HFW, there is increased awareness of the risks posed to the marine industry by cyber threats. However, criminals and bad actors have become increasingly sophisticated and leverage new technologies. Increases in regulation are driving improved compliance, which mandates cybersecurity throughout the entire lifecycle of a ship are helping to focus the industry’s attention.
Liability depends on contract
A cyber attack is an unwelcome event in any circumstances, and every legitimate link in the logistics chain tries to avoid such incursions. However, when the criminals do break in, there is inevitable disruption. That leads to liability claims and further heartache. When a vessel or port operation is hit by a cyber attack, shipowners, operators, charterers, or even suppliers can find themselves at the sharp end, and that often leads to an insurance claim.
London-based HFW operates the biggest shipping practice in the world. In the sector, they have over 200 specialist lawyers and ten master mariners advising clients. “Liability will depend on the precise terms of the contractual agreements,” says Henry Clack, one of their senior legal team. “We have seen a number of clauses which seek to push all liability onto ship owners. Generally, ship owners seek to push back, arguing that their responsibility should only be to exercise due diligence, akin to seaworthiness.”
Regulatory pressure required
Crime, of course, can occur anywhere, at any stage of the logistics process, both online and in the physical realm. The EU has taken note, with it’s forthcoming directive (as WCN reported in July). For ship owners, there is also the possibility of issues with their own suppliers. “Most of these contracts include limitation of liability provisions, which means there is little chance of a meaningful recovery from these parties,” says Clack.
International regulators, such as the year-old UK International Maritime Cyber Security Organisation the UN’s International Maritime Organisation, have called for cyber-risk management to be built into Safety Management Systems. Clack says the United States, and to an extent Singapore, has taken the lead in checking whether cyber risk management is being taken seriously and has been built into vessels’ SMSs. Other port states have not been so proactive. “Simply having a checklist headed cyber is insufficient,” he says. “Shipowners should ensure that their crews are regularly practising how to respond, as they do with other risks they face at sea.
Real world costs and legal liabilities
From the legal profession, cyber risks will form part of a shipowner’s wider seaworthiness obligations, says Henry Clack. Losses arising out of a want of exercise of due diligence by a shipowner could result in a judgment or arbitration award being made against that owner. However, the actual level of such activity is hard to accurately quantify. “At present, we have not seen much litigation arising out of cyber incidents involving vessels. Our impression is that most smaller disputes are settled behind closed doors.”
Part of Henry Clack’s duties is an unenviable close contact with criminal elements. Naturally, he’s discreet over the exact nature of his work, for the sake of innocent parties involved. “We have been involved in a significant number of incidents whereby funds have been diverted to fraudsters as a result of ‘man in the middle attacks’. These can be very sophisticated. When this happens, liability to make payment (e.g. for a cargo or under a shipbuilding contract) will continue, so the paying party is left out of pocket unless we are able to freeze or recover the funds.”
Progress but bigger threats on horizon
Emerging cyber threats are evolving all the time. Despite the difficulty in keeping safe, Henry Clack has sage advice on what practical steps operators and port authorities should prioritise to avoid becoming the next high-profile target. “Anecdotally, we have heard that the size of ransoms being demanded is increasing, but that the number of successful ransomware attacks is falling. If these criminal organisations are making less money, it is unclear whether they will change tactics,” he says.
Henry Clack does, however, see a looming danger in the shape of cybercrime spilling over into outright cyber warfare. “Overarching all of this, there is the ever-present threat of cyber warfare in the event of war between world powers. In terms of practical steps, the concerns are too big for a single company to address. The focus should be on the smaller cybersecurity measures and training which can be performed to minimise the chances of falling victim to an attack.”