Trends in cyber-attacks in the shipping industry

Video | May 2018 | 4:51

Steven Hadwin: We have been advising clients on a broad range of sophisticated cyber incidents recently, including in the shipping industry, and a lot of our clients are asking us, firstly, how the shipping industry is gearing up to face the cyber risk and also what are the forthcoming legal and regulatory changes around cyber that will affect the industry. Phil, what is your experience of how the shipping industry is gearing up to meet these challenges?
Philip Roche: It’s slow. There is a degree of scepticism. There are areas of the shipping industry which are very network-dependent on I.T. such as containers, but generally people believe that industrial shipping isn’t too affected by this. But that said, we are seeing increasing amounts of ransomware and that type of hacking, which is causing issues for shipping: delay, disruption, off-hire type things, and shipping really needs to start thinking very hard about how it’s going to deal with this. There’s plenty of industry guidance. There has been now for a few years from people like BIMCO, International Chamber of Shipping with very good sensible advice, how to risk-manage this issue, and shipping just needs to get on and start implementing that sort of thing now.
Steven Hadwin: Another aspect to it is the legal and regulatory changes that are coming down the line. I mean, the significance of them shouldn’t really be underestimated, particularly from the European perspective, where we have the General Data Protection Regulation which will come into force next month and that will apply to pretty much everyone in the shipping industry and it will impose enhanced obligations in terms of Data Protection. There’s also the Network Information Security Directive. I mean that doesn’t apply to everyone but it will apply to some ship owners and operators as providers of essential services and that imposes a range of obligations around network security and cyber security being a key part of that and the headline in both of those pieces of legislation is effectively that both of them provide for very stringent penalties regime for non-compliance. GDPR in particular, we can be talking about a fine of up to four per cent of an organisation’s global turnover in the worst case. So certainly things should be considered, you know, in detail now before their implementation in the next few months. But I guess coupled with that we also have the requirements which are being imposed by the IMO as well, which are also going to be significant.
Philip Roche: Quite and so on top of all that this resolution about maritime data security by about 2021, this will be a requirement, a part of SOLAS, which means if you don’t have the right certificates, which means you don’t have the right training and procedures in place to improve cyber security and deal with cyber incidents, then the ship may well be detained by Port State Control and that’s all coming down the road but the key thing is that the threat is now. If you suffer an accident as a result of a cyber incident then there will be questions, if you took no precautions at all, whether actually the ship is sea-worthy at the commencement of the voyage, which will of course have issues in relation to your charterparty agreements, insurance and other issues which will lead to liability. So there are these regulations coming and shipping may say well we don’t process a lot of data, we don’t need to worry about these things now and the IMO resolution is coming later but actually the problem is now, there is enough guidance out there, enough warning of the issues, that shipping needs to take proper precautions to improve cyber security, risk manage it, to maintain the sea-worthiness of their ships.
Steven Hadwin: Yes, I mean that is fundamental to their business, right? That goes way beyond a compliance point, what is there in terms of the law and regulations. It’s fundamental to the operations of what companies are doing. We are seeing a lot of clients who are coming to us for guidance on that sort of thing and we’re advising on compliance under things like GDPR and NIS but more broadly it’s about how you can deal with the cyber risks that the organisation is facing. How you can manage them effectively and as and when things do go wrong, how you can respond quickly and proficiently to limit the damage and the potential liabilities that can arise out of things. So it is a big challenge but it is great to see a lot of our clients facing up to those challenges now and tackling them for the future.
Philip Roche: Precisely. It is just a matter of risk assessment and risk management. Shipping is great at doing that. They just need to turn their minds to doing it in relation to cyber risk.