MARITIME CYBER RISK !

The insurance losses and liabilities arising from cyber risks is an increasing area of focus for both shipowners and their insurers, argues Mr. Adrian Durkin, Director (Claims) and Mr. Colin Gillespie, Deputy

Potentially owners may be exposed to gaps in cover arising from cyber incidents – an unsatisfactory situation in today’s connected world. For example, an owner’s hull and machinery insurance may contain a cyber risk exclusion which mirrors, or is derived from, institute clause 380.

There are also cyber exclusions in war risk policies that relate to computer viruses. The war risks clause is derived from market clause 3039. Many other market insurance policies specifically exclude losses or liabilities arising as a result of cyber risks.

Why is Cyber Excluded?

Cyber risks present a range of issues for insurers. Cyber risks are relatively new – claims data relating to these risks is quite limited. Another difficulty is that cyber security is not yet well established in the maritime industry. The sheer complexity of the information technology, operational technology and internet available across the industry also presents a challenge, as does the potential for cyber problems to spread quickly across the globe. As a result the likelihood, extent and costs associated with claims involving cyber risks are difficult to calculate and potentially significant, hence the reluctance to offer cover.

It is in an owner’s interests to scrutinise their various policies in order to identify potential gaps in their insurance cover. It is possible to close the gaps by working with insurers and brokers. This may require owners to demonstrate that they have robust cyber risk management practices in place both ashore and afloat. An additional premium may be payable. The market is responding to these risks – albeit slowly.

P&I Cover for Cyber Risks

The International Group of P&I Clubs’ poolable cover does not exclude claims arising from cyber risks.

This means that club members benefit from the same level of P&I cover should a claim arise due to a cyber risk, as they would from such a claim arising from a traditional risk. As always cover is subject to the club rules.

While there are currently no internationally agreed regulations in force as to what constitutes a prudent level of cyber risk management or protection, this does not mean that owners, charterers, managers or operators of ships can ignore the need to take proper steps to protect themselves in the belief that their club cover will always respond.

If a claim with a cyber element arises, an owner may need to demonstrate that they took all obvious steps to prevent foreseeable loss or liability. As more and more potential cyber risks are being identified, clubs will expect to see the operation of sensible and properly managed cyber risk policies and systems both ashore and on vessels.

MARITIME CYBER RISK

Don’t delay – act now

Barely a month goes by without news of a major cyber-attack affecting a large or high profile commercial or government entity. Cybercrime is a rapidly growing global threat in all industries and the maritime supply chain is vulnerable as the problems experienced by Maersk in 2017 have demonstrated. In that incident problems ashore had a knock on effect on vessels, highlighting the fact that as marine transport operations become more connected, the more chance there is of problems impacting across the system both ashore and afloat.

The authorities and large charterers are concerned about the risk to operations ashore and afloat and are taking steps to drive change in the industry. Actively managing cyber risks is now both a commercial and compliance priority.

Cyber Risks & ISM Code

The IMO’s Maritime Safety Committee (MSC) has confirmed that cyber risks should be managed under the ISM Code.

Resolution MSC.428(98) affirms that an approved safety management system should take into account cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

TMSA 3

Cyber risk management has been included in TMSA 3 under elements 7 and 13. KPI 7.3.3 includes cyber security as an assigned responsibility for software management in the best practice guidelines. Under element 13 cyber security is specifically identified as a security threat to be managed. It seems clear that the oil industry has recognised the need for action from tanker owners and is encouraging action through commercial pressure via TMSA 3. For tanker operators the time to act is already here.

Rightship Inspections

Cyber risk management now forms part of Rightship inspections and a company’s cyber security maturity may be one aspect dry bulk charterers will take into account.

A Daunting Task?

The prospect of dealing with cyber security will be daunting for many shipping companies. It’s new, involves things that may not be fully understood, and most of us are not likely to have received any formal training in such risks.

What is a definite plus is that shipping companies will be very familiar with the risk management framework suggested by the IMO Guidelines on Cyber Risk Management and industry Guidelines on Cyber Security Onboard Ships. We can also use the experience gained in other sectors of industry that have already put cyber security systems in place.

2021 is not far away, but the potential for cyber risks to result in losses or liabilities is clearly already upon us.

Cyber risks can affect almost every part of a shipping company. There will be lots to do to identify risks and vulnerabilities and to take steps to prepare for, and respond to, cyber threats. It’s time for us all to act.

By Adrian Durkin, Director (Claims) & Colin Gillespie, Deputy Director (Loss Prevention), North P&I Club


Maritime External  Cyber Security Audit

[wp_cart_button name=”MCSM-CYBER SECURITY MANUAL” price=”1500″] [show_wp_shopping_cart]

Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.

SHIP IP LTD via our Network of local engineers can attend your vessels and complete an External  Cyber Security Audit that includes and not limited to :

  •  Policies and Procedures
  • Cyber security risk management
  • Training and awareness
  • Physical security and access control
  • Network security
  • Vulnerability scan of your onboard network

Why you should ask for an External Cyber Security Audit ? 

Answer is straight forward and that because both TMSA and RightShip have already include it as a requirement to their latest revisions which you can read below 

Where are our specialist located ?

Singapore and Greece.

We can cover ASIA and EUROPE via our engineers.

How much it costs ?

That it depends the port and country we visit but for example in Singapore can be as low as USD 1500 all included !

Time Required to complete the Audit ?

Under normal circumstances our Singapore Team will complete the Audit same day . Boarding Team consists of our Captain Thum and our Local IT Engineer .

We have post below relevant Requirements : 

TMSA 3 – ELEMENT 13

STAGE 2

2.4 The company actively promotes cyber security awareness.

Effective means are used to encourage responsible behaviour by shore-based personnel, vessel personnel and third parties.

Such behaviour may include:

• Locking of unattended work stations.
• Safeguarding of passwords.
• No use of unauthorised software.
• Responsible use of social media.
• Control/prevention of misuse of portable storage and memory sticks.

 

STAGE 4

4.2 Independent specialist support is used to mitigate identified security threats.

Any contracts for specialist support both onboard and ashore, are supported by a comprehensive scope of work.

 

4.5 The company is involved in the testing and implementation of innovative security technology and systems.

This may include:

• Physical measures to improve security.
• Software enhancements to IT systems.

RIGHTSHIP

Inspection and Assessment Report For Dry Cargo Ships

4.7 Cybersecurity
4.7.1 Does the vessel and/or company have documented software/firmware and
hardware maintenance procedures ………………………………………………………….?
4.7.1.1 Are service reports available ………………………………………………………..?
4.7.2 Does the vessel and/or company have any cyber security procedures…………..?
4.7.2.1 Has a Risk Assessment for Cyber attack been completed. ……………….?
4.7.2.2 Is a Cyber attack Response Plan available …………………………………….?
4.7.3 Does the vessel and/or company provide any cyber security training ………..

 

| T: ( +30) 211 850 1121
| e: sales@shipip.com
| w: http://localhost/shipip
| Skype : anyawb1

SINCE 2013


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED