Australia: Cyber risks and maritime industries: risk identification, mitigation and response

First published in Maritime Risk International

Maritime industries are becoming increasingly reliant on technology and the use of data. On the one hand, this represents a shift towards industries that are safer, more efficient and more profitable – prime examples being the increasing use of e-bills of lading and automated systems for the operation of container ports. However, this greater reliance on technology also brings with it a range of increased risks.

This article explores the scope of those risks, the potential exposures and the means by which those risks can be mitigated by maritime industries.

The scope of cyber risks

The threat is a real one, as demonstrated by a prominent example of the criminal hacking of a port, which occurred at the Port of Antwerp in 2011. In this case, hackers remotely accessed the port's network to identify the containers in which they had hidden illegal goods, and removed the goods before they were searched by the authorities. This was done by sending Trojans to the port's staff, which infected the port's IT system, and by installing key-logging devices to capture the passwords of port employees. The criminal enterprise is thought to have continued for two years.

The maritime industries are also vulnerable to more generic types of cyber risk, such as economic cyber-crime. A recent example of this was the interception and redirection (through email infiltration and impersonation) of a multi-million dollar funds transfer from an owner to a shipbuilder. Other incidents involving the theft, misuse, loss or destruction of personal data (such as data belonging to employees or customers) can also lead to significant losses being incurred.

However, there are very few such examples and, to date, the maritime industries have not suffered many high-profile adverse cyber incidents. IBM's 2015 Cyber Security Intelligence Index suggests that the majority of adverse cyber incidents happen within the finance and insurance, manufacturing, and information and communication industries, rather than in the shipping or logistics sector. This may be partly explained by the fact that maritime industries have been slower to embrace the use of technology, and also that the business is rather 'invisible' to the general public – too little is publicly known about how the industry works for many hackers or criminals to invest their time in it. There are simpler and more rewarding targets.

Nevertheless, today's reality is that the maritime industries now use vast quantities of electronically stored and transmitted data, and criminals will increasingly look to the sector. This leaves the industry vulnerable to a range of cyber risks. An obvious example is the threat posed by potential cyber-attacks on shipping or port infrastructure, such as an attack on an automated navigation or logistics system. This could involve the manipulation or destruction of data, which could cause automated systems to malfunction or fail entirely – or expensive and valuable cargoes to be stolen. An attack of this nature can come about in a variety of ways – access to data can be gained by phishing attacks or by the opportunistic use of networks with inadequate security, as well as by more sophisticated hacking techniques.

The consequences of such an attack could be broad-ranging. For example, ship collisions could occur due to hacking of e-navigation and other systems, resulting in physical loss of or damage to ships, bodily injury to crew, loss of cargo, pollution and business interruption. Disruption to the port's activities could also arise, leading to considerable business interruption losses for the port and those doing business in it.

An adverse cyber incident of this nature could affect all of the organisations that use a port's infrastructure, including those who are not in a position to influence the port's cyber-security or have a role in responding to the incident.

The many and varied costs of an adverse cyber incident

The costs and liabilities arising from an adverse cyber incident could be surprisingly broad and the scale of losses might be considerable, particularly if an incident were to cause damage to ships, port infrastructure or other physical assets.

In addition to losses caused by damage to, or destruction of, physical assets, considerable costs may need to be incurred in responding to an adverse cyber incident. For example, if the personal data of employees or customers is compromised, significant legal fees may need to be incurred in notifying the data protection regulator and the data subjects themselves, as well as in defending legal proceedings. These costs are likely to increase in Europe due to the forthcoming reform of EU law in the shape of the new General Data Protection Regulation, which is set to make the reporting of certain adverse cyber incidents to the relevant data privacy regulators mandatory. This is a particular issue for the cruise and ferry sectors.

Claims may also be brought by individuals under data privacy legislation or, depending on the jurisdiction, in tort for breach of a duty of care. In the UK, there is an expectation that claims of this nature are set to become more common due to recent legal developments. In the US, class-action lawsuits relating to data privacy are already commonplace. Claims against the boards of companies that suffer adverse cyber incidents, often brought by shareholders, are also on the rise – directors in these cases are often alleged to have breached their fiduciary duties by not preventing the incident in the first place.

The loss of commercially confidential data would also involve a breach of typical service provider agreements. IT consultancy services are likely to be necessary to mitigate the effects of a breach, remediate IT systems and restore the confidence of customers and counterparties. Investment in IT infrastructure, cyber security and cyber risk education in the aftermath of an incident could be expensive and time-consuming.

Preparation for and mitigation of cyber risk

There are a number of ways in which organisations in the maritime industries can prepare for adverse cyber incidents and mitigate the cyber risks that they are facing.

The first step is often to address the lack of understanding of cyber risks. Indeed, most adverse incidents come about because of:

  • human error (e.g. an accidental loss of data),
  • poor cyber-hygiene (e.g. a lack of encryption of devices), or
  • poor risk awareness (e.g. an inability to spot a phishing scam).

This can be a particular issue in industries where a knowledge of cyber risks has not traditionally been required, which would include many maritime industries. Thorough training of boards and employees can make a considerable difference to the number of adverse cyber incidents that an organisation suffers.

An organisation's cyber-security should also be thoroughly tested and constantly reviewed to ensure that it remains appropriate to the evolving nature of the cyber risks the organisation faces.

Co-dependency of organisations in the maritime industries is a key issue. Even if an organisation manages its own cyber risks well, it remains at risk if its counterparties or service providers do not. This type of risk was evident in the recent high-profile data breaches affecting retailers in the US, where the source of the issue was found to be poor cyber-security on the part of third-party suppliers, which eventually allowed hackers to infiltrate the retailers' networks. Detailed cyber due diligence should therefore be carried out on all counterparties and service providers. Port community user groups could also be used as a vehicle to improve all organisations' commitment to cyber risk management.

Cyber incident response plan

Organisations should also prepare and implement a detailed cyber incident response plan, in order to ensure that an adverse cyber incident can be dealt with swiftly and effectively. This can significantly mitigate the impact of an incident. An effective plan should be comprehensive, covering every aspect of the incident: from detection and containment, through evaluating the implications and notifying the relevant parties to the extent necessary, to finally taking remedial steps to ensure that further incidents do not occur in future.

Cyber insurance

Cyber risk management can also be aided by the effective use of cyber insurance. Traditional insurance products taken out by organisations that are active in the maritime industries may cover some losses arising out of cyber risks – for example, some cover may be provided under general liability policies for bodily injury, and property damage policies may cover damage to physical property – but these products are unlikely to cover all of the cyber risks that an organisation is facing. In addition, other traditional insurance products are likely to specifically exclude cover for loss arising out of cyber risk – marine hull insurance policies are a good example of this. Cyber insurance can, therefore, be used to "plug the gaps" in cover which traditional insurance products leave behind, providing cover for a range of first-party and third-party losses that might arise as a result of an adverse cyber incident. These policies usually also provide the insured with a suite of services to mitigate the impact of adverse cyber incidents, including cover for the costs of legal advice, PR, crisis management, forensics and security specialists, as well as asset rectification costs, cyber business interruption costs and cyber extortion cover. The cyber insurance market is growing in a number of regions, not least in Europe.

Conclusion

Cyber risk is increasing in all sectors and the maritime industries are not immune to this trend. While the risk can be mitigated, the extent of an organisation's ultimate exposure will very much depend on the readiness and determination of an organisation's management to deal with this threat. Readiness includes investment in security and precautions, training, comprehensive incident response procedures and insurance.
