A Cyber Christmas or a Hacky New Year?
There are two types of company, former Cisco CEO John Chambers said: those that have been hacked and those that don’t yet know they’ve been hacked. If that’s too gnomic for you, how about Warren Buffett’s remark that it takes 20 years to build a reputation and five minutes to ruin it?
Think about cyber risk this way, and you will begin to do things differently. In fact, cyber attacks and hacks are no different from groundings or collisions: a casualty for which companies can prepare and from which they must pick up the pieces.
As Scott Pilkington, partner with law firm HFW, points out, when the finger of blame is pointed at you, the best first defence is to demonstrate that you did everything reasonable to protect yourself, something many shipowners are only just waking up to.
Pilkington says he remembers clearly when this changed. “I was talking to a group of Asian shipowners in May and they were not interested; they all sat there, arms folded. Then Maersk happened, and now they ring me up. It’s suddenly got very real for them.”
He can cite growing examples of hacking, ransomware, phishing and even whaling. Earlier this year he got a call from a client who had realised that the emails asking him to transfer USD1m to a supplier were not, in fact, from the CEO, and the payment was stopped just in time.
Events range from the outrageous – the offshore rig whose stability system was hacked, causing it to list 18 degrees – to the audacious. When global commodity trader Glencore went to pick up a container of high-value minerals, it found that the PIN issued by the carrier had been hacked and the container stolen.
The carrier relied on a defence of contributory negligence, and ultimately the case failed on a lack of evidence, but it was one of the first occasions on which cyber was raised as a legal defence. The law still has some way to go to catch up.
“There is a legacy problem, because standard clauses in charterparties do not mention cyber, and there is a need to define it as a potential reason for off-hire. If you are obliged to pay hire every 30 days, then an owner can withdraw the vessel if you don’t. What you’re going to need is an exception and an alternative means to pay if that is interrupted.”
The same is true for voyage charterparties, where the wording hasn’t caught up with the risk. Most laytime and demurrage disputes stem from issues with the ship, not from business being interrupted because the terminal’s systems are offline.
A key issue is whether being hacked is the equivalent of making a ship unseaworthy. Pilkington thinks it might be, or at least that it leaves the vessel vulnerable, because the shipowner will be judged by the standards of the market. Equally, a hacked port or terminal could be termed unsafe, raising further liability issues.
Insurance, too, is playing catch-up, from a starting point of an approach based on exclusions, which potentially absolves insurers from liability. “There are big coverage gaps. The products are coming out, but you have to be careful what you are buying. In cases such as theft of data you may already be covered,” says Pilkington. “Trying to price risks such as business interruption and loss of goodwill or reputation is not easy for buyer or seller.”
Most P&I cover is deemed sufficiently broad to cover effects on physical navigation or onboard IT systems, but owners are expected to demonstrate that they took all reasonable steps to avoid the problem. At the insurer’s discretion, some types of attack could be deemed war risks if they are considered terrorism.
Pilkington says the solution he advocates is simple: a management-led, top-down approach that goes beyond products and patches to training people not to take avoidable risks. “We need to be paranoid about it,” he adds. “The industry is good at training for man overboard, collision and pollution incidents, but not the shoreside operations and backroom stuff.”
There is plenty of advice around; in fact, he suggests there may be too much at times. But some of the cornerstones, such as the BIMCO guidelines and the NIST framework, can be easily identified.
At the end of a year that has seen cyber hog the headlines, Pilkington says that when renewing contracts, companies should make clear who will be responsible if an attack happens, and remember that however much money they spend, they will only be secure for a period of time.
And by now, nobody should imagine this is another Y2K in the making. HFW is advising other industries, and it is not just shipping that is playing catch-up. Pilkington says every organisation needs a plan that works for its structure, and these will vary not just from sector to sector but from company to company.
“There is a video doing the rounds of an ethical hack on an ECDIS where the attackers fail to get into the operating system, but they do manage to plant a virus in the help file. The officer doing the passage plan then accessed that file and brought up a ransomware message. He rebooted, but it made no difference. The camera then pans round the bridge, and every PC on the network is infected. I understand the scepticism, but this is really happening.”