Cybersecurity In The Maritime Industry
The global shipping industry – much like air, road and rail transportation – is undergoing a technological revolution. From hull cleaning to collision avoidance systems, automation has made incredible advances in recent years. There is more to come, too. Norwegian company Yara has partnered with the engineering group Kongsberg with plans to launch the world’s first automated container ship in 2018. Rolls-Royce is also joining the fray, having revealed plans in September to build autonomous naval vessels.
There are good reasons for embracing these innovations. For starters, unmanned ships are thought to be potentially safer and more fuel efficient. Automation also frees seafarers from the drudgery of paperwork. But these benefits come at a cost. One of the key challenges in the coming years (and one of the focal topics of BLG’s Maritime Law Seminar on December 1, 2017), is how the shipping industry will cope with the growing threat from cyber attacks.
“Ships have an opening to the outside world,” Chris South, a senior underwriter for West of England P&I, told the audience present at the seminar in Montréal. “And wherever there is an opening there is a vulnerability.”
A recent case in point is shipping company Maersk, which suffered $300 million in damages following a hit by the NotPetya ransomware outbreak in June of 2017. The shipping giant picked up an infection that spread into its global network and was forced to halt operations at dozens of port terminals around the world.
“Four factors are at play in the maritime industry”, said South. The first is automation itself, as machinery on vessels is increasingly controlled by software. The second is integration. On any given vessel, there may be multiple systems connected together. The third is the ability of ship-to-shore systems that communicate via remote monitoring. “Ships are now talking to head offices continuously,” says South. The fourth factor is that all these systems are connected through the internet.
Virtually any company that now relies on these systems is exposed to a cyber cascade of sorts, South added, “where one part of the industry ends up infecting another.” So a shipping company’s systems might get infected at headquarters. The infection then spreads to the ship and charterers before moving on to ports and terminals, the logistic companies and ultimately the manufacturing plants receiving the merchandise.
Too big to cover?
The alarming question for insurers in the maritime industry, who view cyber as a growing systemic risk, is “where does the liability stop?” Insurers have voiced concern that the risks are too big for them to cover alone – without government intervention.
Understandably, cyber and data risk insurance is limited when it comes to coverage. “A typical cyber risks policy will cover breach costs, such as forensic investigations, legal advice and those associated with notifying customers and regulators”, said South. It will also cover business interruption; repair and replacement of websites, programs and data caused by hackers; extortion; and the cost to defend and settle claims made for failing to keep customers’ personal data secure. “But it does not substitute or replace the covers lost,” South warned.
New laws on the horizon
One area where governments are stepping in is on the legislative front. Data security breaches are nothing new, but gone are the days when organizations could conveniently sweep them under the rug. “Canada is the latest country about to implement a new breach notification regime”, said Éloïse Gratton, a BLG partner and nationally renowned expert in privacy and data protection.
Following recent amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), private-sector organizations doing business in Canada must report the breach to the Privacy Commissioner and, generally, notify customers if there is a risk of significant harm resulting from a data security breach. Gratton expects regulations prescribing the breach notification process in Canada to be in place as early as during the first quarter of 2018.
“There are record-keeping obligations,” she added. “When you have a security incident you’re supposed to keep the data.” The duration of record keeping is still being decided by the Privacy Commissioner, but could possibly extend to as long as five years. Organizations that suffer a breach must also be mindful of additional provincial breach notification regimes in Québec, Alberta and British Columbia. Additionally, most states in the U.S. also have breach notification laws on the books.
Another game changer, said Gratton, is the coming into force in May 2018 of the European Union’s General Data Protection Regulation (GDPR), which applies to any processing of personal data, namely its collection, use, disclosure or storage. Under the GDPR, organizations that suffer a breach must notify the relevant national data protection regulator as well as anyone who has been affected, and where the breach is likely to result in high risk to their rights and freedoms. Fines for non-compliance are considerable — up to 4 percent of an organization’s annual worldwide turnover or €20m. The GDPR also creates a right of private action against data controllers and data processors.
“Complicating matters further”, Gratton said, “the EU regulation has extra-territorial reach”. It applies to organizations that offer goods and services to European residents or who monitor their behaviour, through the use of persistent cookies for instance. That includes businesses based outside of the EU.
How far liability extends will also depend in part on the contractual terms. Contractors are increasingly required to meet cybersecurity standards, and can be held liable for damages to a company’s systems as a result of a virus or malware introduced by an agent or employee.
Being prepared and mitigating the damage
To safeguard ships from cyber threats, companies should follow International Maritime Organization approved guidelines on cyber risk management, which focus on identifying the systems, data and capabilities that pose a risk to operations, when these are disrupted. To do that, companies must implement risk control processes and have the ability to detect cyber events in a timely manner. They must also be able to back-up and restore systems necessary for shipping operations or services impaired following a cyber event.
To mitigate the damage that can result from a breach, Gratton urges organizations to have a breach incident response plan in place well in advance. “You have to know who your internal core team is, and who your external team is,” she said. That includes legal, forensic, PR, and information security experts.
It is also advisable, when responding to a breach, to ask legal counsel to retain and deal with cyber forensic experts for the purposes of maintaining solicitor-client privilege.