Cyber risk in the maritime sector
October 7, 2020 MARITIME CYBER SECURITY
While any rewards are invariably well articulated, many misconceptions continue to pervade cyber risk – and it’s the consequences of these “cyber myths” that could result in significant financial cost.
Here are several cyber risk misconceptions that exist within the maritime sector to watch out for:
01. Cyber risk does not affect the maritime sector
An organization that relies upon technology for any aspect of its operation has cyber risk. The maritime sector is therefore exposed to the same cyber risk as any other industry sector. Note the recent study by Naval Dome which reported a 400% increase in cyber-attacks against the maritime industry between February and June 2020 [1].
02. Nobody is going to target a business in the maritime sector and therefore I have nothing to worry about
Cosco [2], MSC [3] and most recently, Carnival [4], are just three high-profile examples of companies in the maritime sector who were targeted by cyber-criminals. You do not, however, have to be a target in order to suffer the impact of a cyber-attack – just ask Maersk [5] and many others, who were collateral damage in a cyber-attack whose target was Ukraine. It is well documented that Maersk suffered significant financial harm as a result of the attack.
03. We have invested significantly in network security controls and have therefore eradicated the cyber risk
Putting the right controls in place is a crucial element of cyber risk mitigation. Such controls, however, can only ever minimize the vulnerabilities in the network and/or decrease the likelihood of the threat. It is impossible to eradicate the risk altogether. Moreover, insider threats remain an issue. Employees make mistakes and, on occasion, deliberately seek to cause their employers harm.
04. Losses arising from cyber risk are covered under our traditional marine insurance policies
This, of course, could be correct depending on the terms of the insurance contract. Hull and machinery policies, however, typically exclude loss or damage where caused by a cyber-attack. In some cases, policies may be silent on whether loss arising from cyber risk is covered or excluded, which potentially gives rise to uncertainty.
05. My hull and machinery policy includes a cyber-attack exclusion, but a cyber-attack can’t lead to property damage
This is incorrect. For example, in 2008 a pipeline in Turkey exploded after cyber-criminals hacked into the pipeline’s control systems. Similarly, in 2014, hackers accessed the control systems of a steel mill in Germany, causing significant physical damage. Whilst there have been no reported cases of physical damage to vessels caused by a cyber-attack, the increased reliance upon operational technologies such as GPS, AIS and ECDIS on board vessels may increase the threat of physical damage.
06. I’ve looked at cyber insurance solutions in the past and concluded the cover was not relevant to my business
While cyber threats are the same regardless of the sector, the way in which they impact organizations can vary enormously. Traditionally, cyber insurance solutions were drafted on a ‘one size fits all’ basis. Cyber risk poses unique challenges and exposures for the maritime sector, however. This is why Willis Towers Watson has developed CyNav, an insurance policy designed by cyber and marine specialists, specifically to meet the needs of the maritime sector.
Source: willistowerswatson