Between 2011 and 2013, the Port of Antwerp was the victim of a drug trafficking operation that used cyberspace to its advantage.
Traffickers used hackers to break into the port's IT system and steal data about the location of various containers which had been used to smuggle billions of dollars' worth of drugs. Using this information, traffickers removed the drugs before the containers were collected by their rightful owners.
This is just one example of a growing threat facing the shipping industry: cybercrime.
Cyber security has been a hot topic over the past few years, but underreporting of cyberattacks makes it difficult to determine just how big a problem it is. Shipping companies are vulnerable to the same cyber threats as other industries, but also face a number of unique threats.
Countering the cyber pirate
Cyberattacks can range from relatively minor "nuisance attacks" which, although they cause immediate business disruption, have little long term impact, to serious attacks which threaten the loss of money, cargo, vessel or life. Attacks can be directed against a vessel, a port or any other link along supply chains. This is a major risk for global trade: there are so many players operating throughout the world and one weak link creates risks for all other parties.
Acknowledging the risk is crucial. Wherever there is technology, there is the risk of cyberattacks. In 2015, ESC Global Security estimated that 99% of all cyberattacks are a result of known vulnerabilities. 90% of these had security patches available. This shows that many cyberattacks can be prevented, if companies have the right tools.
Perhaps even more crucially, companies need to provide effective training to staff. Staff are the first line of defence, especially against scam emails. For example, in 2013, emails were sent purporting to be from the Suez Canal Authority, seeking to gain access to vessels, allegedly to carry out blood tests on crews. Staff receiving these types of emails need to be able to distinguish immediately between legitimate and suspect requests.
But vigilance is not enough. Hackers will attack. Companies need strong detection software to enable them to detect attacks, bolster security and minimise loss. Finally, companies need a strategy to respond to successful attacks. This approach needs to comply with any mandatory data breach legislation in the relevant jurisdictions. Australia has recently enacted legislation that requires all organisations with an annual turnover of $3 million or more to respond to data breaches and notify affected individuals of the breach.
Cyber Insurance
Cybersecurity is a relatively new topic, and it falls into a bit of a black hole for most marine insurance policies. Most policies either expressly exclude cyber risks, or don't mention them at all. This means losses arising from cybercrime may fall to be considered under general provisions that were never designed to cover this kind of loss.
Fortunately, cyber insurance is a rapidly growing market. Insurers are adapting to cover cyber risks and an increasing number of insurers now offer specialised coverage. These policies can help mitigate losses, including legal fees, PR management and rectification costs. Shipping companies need to consider whether their existing insurance policies respond to the cyber threat and, if not, what type of policy they need.
All shipping companies should consider their cyber security and coverage sooner rather than later – you never know who is lurking in cyberspace.
