Maritime industries are becoming increasingly reliant on technology and the use of data. On the one hand, this represents a shift towards industries that are safer, more efficient and more profitable – prime examples being the increasing use of e-bills of lading and automated systems for the operation of container ports. However, this greater reliance on technology also brings with it a range of increased risks.
This article explores the scope of those risks, the potential exposures and the means by which those risks can be mitigated by maritime industries.
The threat is a real one, as demonstrated by a prominent example of a criminal hacking of a port, which occurred at the Port of Antwerp in 2011. In this case, hackers remotely accessed the Port’s network to identify containers in which they had hidden illegal goods, and removed the goods before they were searched by authorities. This was done by sending Trojans to the port’s staff, resulting in the port’s IT system being infected, as well as key logging devices being installed to capture the passwords of port employees. The criminal enterprise is thought to have continued for two years.
The maritime industries are also vulnerable to more generic types of cyber risk, such as economic cyber-crime. A recent example of this was the interception and redirection (through email infiltration and impersonation) of a multi-million dollar funds transfer from an owner to a shipbuilder. Other incidents involving the theft, misuse, loss or destruction of personal data (such as data belonging to employees or customers) can also lead to significant losses being incurred.
However, there are very few such examples and, to date, the maritime industries have not suffered many high-profile adverse cyber incidents. IBM’s 2015 Cyber Security Intelligence Index suggests that the majority of adverse cyber incidents happen within the finance and insurance, manufacturing, and information and communication industries, rather than in the shipping or logistics sector. This may be partly explained by the fact that maritime industries have been slower to embrace the use of technology and also that the business is rather ‘invisible’ to the general public – insufficient information is known about how the industry works for many hackers or criminals to invest their time. There are simpler and more rewarding targets.
Nevertheless, today’s reality is that the maritime industries now use vast quantities of electronically-stored and transmitted data and criminals will increasingly look to the sector. This leaves the industry vulnerable to a range of cyber risks. An obvious example is the threat posed by potential cyber-attacks on shipping or port infrastructure, such as an attack on an automated navigation or logistics system. This could involve the manipulation or destruction of data which could cause automated systems to malfunction or fail entirely – or expensive and valuable cargoes to be stolen. An attack of this nature can come about in a variety of ways – access to data can be gained by phishing attacks or by the opportunistic use of networks with inadequate security, as well as by more sophisticated hacking techniques.
The consequences of such an attack could be broad-ranging. For example, ship collisions could occur due to hacking of e-navigation and other systems, resulting in physical loss of or damage to ships, bodily injury to crew, loss of cargo, pollution and business interruption. Disruption to the port’s activities could also arise, leading to considerable business interruption losses for the port and those doing business in it.
An adverse cyber incident of this nature could affect all of the organisations that use a port’s infrastructure, including those who are not in a position to influence the port’s cyber-security or have a role in responding to the incident.
The costs and liabilities arising from an adverse cyber incident could be surprisingly broad and the scale of losses might be considerable, particularly if an incident were to cause damage to ships, port infrastructure or other physical assets.
In addition to losses caused by damage to, or destruction of, physical assets, considerable costs may need to be incurred in responding to an adverse cyber incident. For example, if the personal data of employees or customers is compromised, significant legal fees may need to be incurred in notifying the data protection regulator and the data subjects themselves as well as in defending legal proceedings. These costs are likely to increase in Europe due to the forthcoming reform of EU law in the shape of the new General Data Protection Regulation. This regulation is set to implement mandatory reporting of certain adverse cyber incidents to the relevant data privacy regulators. This is a particular issue for the cruise and ferry sectors. For example, claims may be brought by individuals under data privacy legislation or, depending on the jurisdiction, in tort for breach of a duty of care. In the UK, there is an expectation that claims of this nature are set to become more common due to recent legal developments. In the US, class-action lawsuits relating to data privacy are already commonplace. Claims against the boards of companies that suffer adverse cyber incidents, often brought by shareholders, are also on the rise – directors in these cases are often alleged to have breached their fiduciary duties by not preventing the incident in the first place.
The loss of commercially confidential data would involve a breach of typical service provider agreements. IT consultancy services are likely to be necessary to mitigate the effects of a breach, remediate IT systems and restore the confidence of customers and counterparties. Investment in IT infrastructure, cyber security and cyber risk education in the aftermath of an incident could be expensive and time-consuming.
There are a number of ways in which organisations in the maritime industries can prepare for adverse cyber incidents and mitigate the cyber risks that they are facing.
The first step is often to address the lack of understanding of cyber risks. Indeed, most adverse incidents come about because of:
This can be a particular issue in industries where a knowledge of cyber risks has not traditionally been required, which would include many maritime industries. Thorough training of boards and employees can make a considerable difference to the number of adverse cyber incidents that an organisation suffers.
An organisation’s cyber-security should also be thoroughly tested and constantly reviewed to ensure it is appropriate to the evolving nature of cyber risk that an organisation is facing.
Co-dependency of organisations in the maritime industries is a key issue. If an organisation manages its own cyber risks well, it still remains at risk if its counterparties or service providers do not. This type of risk was evident in the recent high-profile data breaches affecting retailers in the US, where the source of the issue was found to be poor cyber-security on the part of third party suppliers, which eventually allowed hackers to infiltrate the retailers’ networks. Detailed cyber due diligence should therefore be carried out on all counterparties and service providers. Port community user groups could also be used as a vehicle to improve all organisations’ commitment to cyber risk management.
Cyber risk is increasing in all sectors and the maritime industries are not immune to this trend. While the risk can be mitigated, the extent of an organisation’s ultimate exposure will very much depend on the readiness and determination of an organisation’s management to deal with this threat. Readiness includes investment in security and precautions, training, comprehensive incident response procedures and insurance.