Maritime cyber-attacks have increased by 400%1 since February 2020, with attacks on operational technology up by 900%2 over the past three years. Ince’s Julian Clark considers the risks
When Maersk fell victim to the NotPetya ransomware cyber-attack in 2017 (resulting in a loss of over £300M3 ), it highlighted that no shipping company is immune to cyber-attack – even IMO has been hacked. Cyber risk has been on the IMO agenda for some time and on 1 January 2021, MSC 428(98) was finally adopted. Tanker operators and managers are not sufficiently protected by being compliant with the new regulation – this is a ‘level-one solution to a level-four threat’ – accordingly, a tick box approach to compliance is far from sufficient.
The lack of adequate protection is particularly prevalent in relation to cyber-attacks on on-shore and on-vessel operations technology (OT) networks and control systems, as just 42% of organisations protect their vessels from OT cyber threats4. Additionally, an alarming 92% of the estimated costs arising from a cyber-attack are uninsured5 and the access and limits of cover are often restricted, which has serious risk-management implications for tanker owners and operators.
The devastating effects of a cyber-attack are not only financial and reputational, but crucially also legal. Tanker owners could face real challenges in order to establish due diligence and protect themselves legally if an incident arose from their vessel being cyber-compromised. They can expect cargo interests and others to raise arguments that there was a failure to make use of available cyber-security protection systems to ensure they were adequately protected.
“A tick-box approach to compliance is far from sufficient”
In relation to the concept of due diligence and the application of the Hague Visby Rule Article IV Rule (ii) defences, shipowners will need to show due diligence in relation to protecting their vessels against a cyber-attack. The duties of due diligence are generally not delegable, so while a contractual provision ensuring that the manufacturer takes responsibility for cyber-integrity creates a potential right of recourse, this does not itself provide a defence to a claim. Additionally, where there are systems available in the market that can provide protection against a cyber-attack, and an owner has failed to implement appropriate measures or is unable to show they have an effective system in place to address cyber-risk, such omissions could amount to recklessness, giving rise to a possibility to break limitation.
We can expect to see claimants raising issues of unseaworthiness where they suffer loss or damage as a result of a vessel being cyber-compromised.
It is critical for tanker owners and operators to take an integrated, comprehensive approach to protecting their organisations against cyber threats. Our recent venture with Mission Secure (leaders in providing military-grade cyber security for OT systems) to launch an industry-first, integrated legal advisory, consultancy and technology cyber-security solution, addresses this market need by providing both advisory and action to fully protect companies beyond the current regulatory guidelines.
Julian Clark is global senior partner at Ince
Notes: 1 Source: Naval Dome; 2 Source: Marine Log; 3 Source: Threat Post; 4 Source: British Chamber of Commerce; 5 Source: ISP Association