Maritime cyber risk awareness ‘barrelling forward at full pelt’

Sarah Stephens is a partner and head of cyber at JLT Specialty
Sarah Stephens is a partner and head of cyber at JLT Specialty
Shore and ships systems are now inextricably linked, with robust connectivity between them
Shore and ships systems are now inextricably linked, with robust connectivity between them
Industry Database

According to Sarah Stephens of cyber risk advisers JLT Specialty, 2017 will perhaps be remembered for, among other things, being the year that awareness of cyber incidents in the shipping and maritime industry started barrelling forward at full pelt.

Innovation clearly abounds across the industry in a number of areas, but consciousness of the extent to which such progress and ever increasing connectivity impact the industry’s risk profile has not kept pace. Fast forward to today, where these issues are clearly on the radar for industry players, regulators, policy makers and insurers alike.

A WAKE-UP CALL
Awareness of cyber risk issues lurched to the forefront in June 2017, when industry giant Maersk – which handles around one in seven containers shipped globally – reported that it had been subject to the NotPetya ransomware attack. As a result, its operations across numerous areas of the business came to a screeching halt. Among the affected areas were oil and gas production, drilling services, oil tankers and, notably, its port operations. Operations were impacted for more than a week, and the company reported its total financial impact to be $250-300 million.

This proved to be only the first major incident, as it was followed shortly by a data breach at Clarkson plc, one of the world’s key shipbrokers. Of particular concern was the company’s research arm, focused on the collection and analysis of data related to merchant shipping and offshore markets. The final estimated cost of that incident has not been made public, but its shares plunged six percent on the day the news was announced.

Taken together, these two scenarios made clear that the shipping industry is in no way immune to the risks of cyber incidents. Quite the contrary, given the pace of innovation within the sector. In the last decade alone, the industry has made significant advances in navigation systems and introduced pilot programmes around crewless ships. Despite this, many risk managers still think of it as a ‘low tech’ industry. That’s starting to change, although true understanding of the scale and scope of the risks is still lagging behind.

Shore and ships systems are now inextricably linked, with robust connectivity between them. The exposure goes far beyond merely navigation, with inter-connected systems focused on health and safety or even on-board internet and entertainment for crews adding to the complexity. Long gone are the days when organisations can worry only about one system or another; it is where these systems are inter-connected where some of the greatest risks lie. In many ways, this mirrors the transformation of traditional manufacturing operations worldwide, which now have multi-dimensional, technology-powered industrial control systems at their core.

ACCELERATING RESPONSE
The pace of awareness and change, however, is picking up. The evolving risks in the maritime sector have rightly been identified as part of the UK government’s cyber strategy review. At the end of 2017, it released an initial evidence review which outlined key areas of attack observed to date - enterprise and information assets, GPS and navigation systems, and critical control systems among them – and detailed the fact that threat motivation, technical competence of attackers and complexity of employed attacks are all increasing. Over the next three to five years, advances in communication, improved sensing, and intelligent and autonomous control systems are of particular concern. According to the review, they are likely to make “potential software-dependent weaknesses easier to exploit for malicious gain.”

Further, the industry’s primary global regulatory body, the International Maritime Organization, has issued its cyber security guidelines. At this stage, they aren’t required but ‘encouraged’. However, it’s not hard to envision a day when these guidelines will instead be required and subject to audit and compliance testing. It is likely that, in the not too distant future, proving the implementation of such standards will be table stakes, with direct implications for contract bids and other standard industry practice.

Companies across the sector, both large and small, need to work feverishly themselves to get ahead of these threats, which are likely to outpace development of technology to combat them. Investment in cyber security clearly will have to be escalated and accelerated, and existing insurance policies and protections reviewed and scrutinised.

Maritime firms need to understand that just because an insurance policy has ‘cyber’ in its name does not mean that it will fill all of the gaps in a standard insurance portfolio. Cyber policies generally exclude physical damage to ships and cargo stemming from cyber incidents, so there is a real need to take a closer look at each organisation’s existing insurance policies and work collaboratively across lines of business to meet a company’s needs. Simply purchasing an ‘off the shelf’ cyber policy or negotiating to delete exclusions within non-cyber policies is unlikely to give risk managers the seamless coverage they desire.

In response, the insurance industry itself is evolving to meet these changing needs, with solutions and programmes via P&I Clubs now starting to emerge. As well as innovation in terms of products and solutions, it is essential that a much greater degree of collaboration across different areas of risk management becomes the norm and not the exception. Marine specialists and cyber underwriters must put their heads together to ensure all areas of exposure have been addressed, and that maritime industry players have the best chance possible of avoiding or minimising the impact of costly – and potentially dangerous – cyber-related incidents.

Sarah Stephens is a partner and head of cyber at JLT Specialty

Latest Press Releases

2018 saw Ship Shape IMO exhibit at IMPA London for the first time.

2018 saw Ship Shape IMO exhibit at IMPA London for the first time. After visiting the exhibition for... Read more

De Boer holds naming ceremony for Damen RSD WID Tug 2915 Hybrid Fregate and ASD Tug 2310 SD Papillon

The naming ceremony has been held for two custom tugs built by Damen Shipyards Hardinxveld for De Bo... Read more

Damen signs for another three years as founding partner of the Nederlands Dans Theater

The long-term partnership between the Damen Shipyards Group and the Nederlands Dans Theater (NDT) co... Read more

Damen Schelde Naval Shipbuilding announced as one of the Fan sponsors of SAIL Amsterdam 2020

Damen Schelde Naval Shipbuilding (DSNS) will be a Fan sponsorship partner of SAIL Amsterdam 2020, wh... Read more

Damen’s 3rd Annual Workboat Festival showcases over thirty workboats to customers and industry partners

Last Thursday, Damen Shipyards Gorinchem hosted the Damen group’s third annual Workboat Festival. Th... Read more

Damen appoints Sales Director for its new large RoPax division

Damen Shipyards Group has appointed Chiel de Leeuw to the newly-created position of Sales Director R... Read more

View all