Albert Einstein is reported to have said “It has become appallingly obvious that our technology has exceeded our humanity”. Have we reached such a tipping point in shipping? Technology creates new opportunities but this unavoidably also creates new threats and risks. Cyberattacks, however, are nothing new. Arguably, the first recorded cyberattack occurred in France in 1834 – well before the internet was invented – when two thieves stole financial market information by hacking the French telegraph system.
From this point forward, the number of cyberattacks has grown exponentially with the attacks evolving and threat actors adopting new tactics, techniques, and procedures. Cyberattacks are becoming increasingly prevalent in shipping, and taking them seriously is not just a sensible precaution but a legal requirement.
Building robust cyber security strategies on board ships should be placed on an equal footing with the requirements placed on an owner by, say, the International Convention for the Safety of Life at Sea (SOLAS).
Risks, cyber (sea)worthiness, and contract considerations
A cyber incident resulting in a physical, financial, or data loss could trigger numerous consequences. These could include loss of life in the event of groundings or collisions, damage to the environment as a result of pollution, loss of reputation, and business interruption. They could also cause financial losses from wreck removal costs, regulatory fines for breaching sanctions or making illegal payments, and a breach of seaworthiness obligations.
A crucial point relevant to owners, managers, charterers, and their insurers is that of “cyber worthiness”, which can impact a vessel’s seaworthiness. The provision of a seaworthy vessel is enshrined in common law as well as most charter parties.
By virtue of Resolution MSC.428 (98), Owners’ Safety Management Systems (SMS) should take into account cyber risk management per the objectives and functional requirements of the International Safety Management (ISM) Code. As such, owners are responsible for ensuring the robust technological and technical infrastructure of their vessels, their effectiveness, safety and security.
This is a non-delegable obligation. An owner who fails to patch software, run drills for crew, or carry out sufficient cybersecurity checks may well not only face claims of unseaworthiness from cargo owners, guests, passengers, and/or charterers but also run the risk of being denied cover if they suffer a security attack.
Building cyber awareness and cyber resilience is key; cyber insurance policies and even cyber business interruption cover could prove essential in mitigating damage in the event of a cyber incident. These are not issues just to be aware of but an option to be thoroughly considered. If owners choose to not take out separate cyber risk-based insurance then they should ensure their existing policy wording adequately protects them against cyber risks (to the extent it is possible).
Charterers should also consider whether an owner must have suitable cyber insurance in place or, at least, agree in the charterparty what should happen to the agreement if, for example, hire is unpaid as a result of an attack. Contracts with third-party providers should also be carefully reviewed to confirm adequate safeguards are in place.
Legal and regulatory framework
The legal and regulatory provisions are piecemeal and vary depending upon a number of factors, such as jurisdiction. Staying ahead of changes and developments can be difficult with a host of guidelines and regulations in place, including from the EU, the US SEC, and the UK Government, as well as the IMO.
In addition, classification societies are now also introducing their own guidance; the International Association of Classification Societies (IACS) has introduced two Unified Requirements (URs) regarding the cyber resilience of newbuild vessels, to be applied to all classed vessels and offshore installations contracted to be constructed on or after 1 July 2024.
Briefly, UR E26 concerns the “Cyber Resilience of Ships” and UR E27 deals with the “Cyber Resilience of On-Board Systems and Equipment”. This places an obligation on shipowners, shipyards, designers and suppliers to be responsible for “cyberproofing” vessels to ensure compliance with UR E26 and E27. If a vessel is not “fit” from a cybersecurity perspective, then classification societies may not sign off the vessel.
Ways forward
So, have we reached a tipping point? Yes, in the sense that the shipping industry now needs to galvanise itself to respond to the threat that is posed by new technology. A complete analysis of the current cybersecurity landscape and relevant requirements would stretch to hundreds of pages, but there are some key takeaways for stakeholders to consider.
Stakeholders should install, maintain, and preserve a robust cybersecurity system on board the vessel and ashore, ensuring the crew operating these IT and OT systems have been trained adequately. Not only is enhancing a crew’s technical skills important but enhancing their cyber risk perception is critical too. As attacks become more complex, vessel systems will have to become more sophisticated so proper training will be vital.
It is also important to ensure that the SMS on board has a properly developed response plan, so that a clear strategy can be followed in the event of a cybersecurity breach. The crew’s cyber preparedness can positively contribute in this context, and the crew should be familiar with the plan.
In the event of an attack, insurers should be notified promptly and a line of communication with them engaging the right teams should be established. If coverage for cyber is in place, compliance with the conditions of the policy wording is a matter of priority.
Stakeholders should also take steps to understand the legal and regulatory requirements in which they are working. This may require carrying out certain due diligence and seeking legal advice before making a ransom payment in certain jurisdictions.
Finally, rather than hiding or stigmatising cyberattacks, stakeholders should consider sharing information with other stakeholders in the maritime sector so that they are better equipped and more conscious of the scale and nature of cyber risks. Just as piracy incidents are now openly discussed, there is no (good enough) reason to not adopt the same approach when it comes to cybersecurity.