Today, ships and the infrastructure that supports them are more vulnerable than ever before. Increasingly complex computerised technologies and systems are being deployed throughout the world’s fleet. In the final part of this series, we will explore how risk is being managed from a financial and legal perspective in the dynamically changing technological environment of the maritime industry.
Ultimately, effective cyber security management in maritime requires effective risk management. Without fully understanding the risk profile of the fleet, it is impossible to know what mitigations will be appropriate. Though cyber attacks from nation-state backed groups are still rare, they can cause enormous damage and even cost lives if they are successful. Similarly, random malware infections are a daily threat, but may only have a small impact on a ship’s operations. Many ship operators are exposing themselves to unnecessary risk through not being properly prepared for ransomware attacks, not understanding the limitations of their insurance, or under investing in cyber security management.
RANSOM
Depending on the hacker’s objective, it is possible that recovering affected systems will require the payment of a ransom. The use of ransomware has been rapidly growing globally, and maritime is by no means immune. Of those maritime organisations that reported being the subject of a cyber attack in the last three years, 3% said the attack resulted in them paying a ransom. The average ransom paid was US$3.1 million.
Depending on the circumstances of an attack, paying a ransom may be the only practical solution to a cyber incident. In 2018, when the SamSam ransomware virus hijacked the city of Atlanta’s smart city infrastructure,
officials elected not to pay the US$51,000 ransom. Several years on, the reported cost of rebuilding the infrastructure is estimated to be between US$11 million to US$17 million.
Depending on the circumstances of an attack, paying a ransom may be the only practical solution to a cyber incident.
Because of the industry’s international nature, the legality of paying ransoms can be challenging to pin down. While paying a ransom under certain circumstances can be perfectly legal, it can be illegal in other cases. For example, a ship may be owned in Germany, flagged in Panama, managed in Cyprus, and crewed by Filipino nationals. In that case, it can be complicated to understand which jurisdiction ransom legalities fall under. The rules can also change if that vessel enters the territorial waters of another state or if the person deciding to pay the ransom is a national of a particular state.
“Of those maritime organisations that reported being the subject of a cyber attack in the last three years, 3% said the attack resulted in them paying a ransom. The average ransom paid was US$3.1 million.”
Though very few countries have expressly banned the paying of ransoms during ransomware attacks, some laws expressly prohibit payments in some circumstances. For example, in many jurisdictions it is a criminal offence to make payments to terrorist organisations. This can be problematic in the context of ransomware as some ransom demands could be politically motivated.
Similarly, ransom payments cannot be made to sanctioned entities or individuals. For example, the United States Office of Foreign Asset Control (OFAC) bans any person under US jurisdiction from transacting with persons, organisations, or nation-states under sanction. In September 2021, OFAC issued an advisory notice with specific information relating to ransomware. The memo states that individuals may be “held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.” It is improbable for the victim of a ransomware attack to know with whom they are transacting, making it almost impossible to know with certainty if they will breach the OFAC rules. Similar laws also exist in England and Wales and across the EU regarding transactions with sanctioned entities and individuals.
INSURANCE
Similar uncertainties exist around the insurance sector and the likelihood of a successful claim. 34% of industry professionals report that their organisation has insurance to cover cyber attacks. Outside of specific cyber insurance, there is little in the way of common understanding of how cyber risks are handled in marine insurance.
Outside of specific cyber insurance, there is little in the way of common understanding of how cyber risks are handled in marine insurance.
Several common exemptions specifically exclude cyber risk from insurance policies. Further, where cyber is included, there can be major exemptions. For example, a cyber risk policy that does not cover war-risk. Many of the most sophisticated cyber attacks come from nation state teams or state-sponsored cyber criminals; whether those attacks are “acts of war” is currently a point of contention. There are currently several cases working their way through courts around the world that seek clarity on what constitutes an act of war, and therefore the question of whether state sponsored cyber attacks are covered or not.
The same issue applies to whether a vessel can be deemed seaworthy in light of the IMO 2021 Maritime Cyber Risk guidance. Those operators who cannot prove that they have taken reasonable steps to manage cyber risk may be operating vessels that are not seaworthy, and therefore not covered by any insurance.
INVESTMENT
Over the last two years, the vast majority of ship operators will have invested in cyber security to some degree to ensure they are compliant with the latest guidance from the IMO. But effectively managing constantly changing cyber risks requires an ongoing investment in systems, management, and training for all staff and crew.
54% of ship operators spend less than US$100,000 per year on cyber security management.
54% of ship operators spend less than US$100,000 per year on cyber security management. This figure may appear reasonable for smaller fleets, particularly when you consider that the mean average annual cost of cyber attacks to ship operators is US$182,000. But these figures don’t take into account the large downside risk that all operators face.
For 1 in 12 ship operators, the average annual cost of cyber attacks is US$1.8million.
For 1 in 12 ship operators, the average annual cost of cyber attacks is US$1.8million. Every ship, whether it is part of a small or large fleet is at risk of being targeted by cyber criminals. For those unfortunate enough to be successfully hit, the costs of recovery can be several million dollars. Ship operators can no longer ignore the need to invest in effective cyber security management. As the threat landscape continues to evolve, it will become critical to move beyond simple compliance.
Download the full report here
CYBER SECURITY MANAGEMENT SERIES
In the last few years, the maritime industry has made great progress in improving its approach to cyber risk management, but significant gaps remain. This report developed in collaboration with CyberOwl and HFW explores the gaps that exist between the industry’s perceptions of cyber security and reality, taking into account the views of more than 200 stakeholders from across the industry, including cyber security experts, seafarers, shoreside managers, industry suppliers, and C-suite leaders.
Over the coming weeks, we will be sharing a series of articles on the state of cyber risk management in the maritime industry, and we will also uncover the great disconnects that exist across the industry where expectations and reality don’t match up, cyber risk management efforts are lacking, or risks that are unique to maritime exist.
Source: Thetius
