Lloyd's List is part of Maritime Intelligence

This site is operated by a business or businesses owned by Maritime Insights & Intelligence Limited, registered in England and Wales with company number 13831625 and address c/o Hackwood Secretaries Limited, One Silk Street, London EC2Y 8HQ, United Kingdom. Lloyd’s List Intelligence is a trading name of Maritime Insights & Intelligence Limited. Lloyd’s is the registered trademark of the Society Incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.

This copy is for your personal, non-commercial use. For high-quality copies or electronic reprints for distribution to colleagues or customers, please call UK support at +44 (0)20 3377 3996 / APAC support at +65 6508 2430

Printed By

UsernamePublicRestriction

Cyber attacks: Downside of the digital revolution

Digitalisation has created immense openings for our industry. Unfortunately, it has done much the same for criminals, nasty governments and bored teenagers too

Existing IMO guidelines are good. A robust internationally agreed legal cybersecurity framework with mandatory standards would be better, while marine insurance buyers need to know what they are getting for their money

YOU don’t have to read history books or the dystopian fiction of Orwell and Koestler to know that revolutions tend to come with built-in downsides. The digital revolution on which shipping has embarked during the past decade is no exception.

The advances in navigation systems, communication networks and automated cargo management systems have truly been immense. On the white-collar side of the industry, from compliance and fleet optimisation to marine underwriting, digitalisation has been a game changer.

Unfortunately, the new avenues open to sophisticated cyber criminals targeting shipping seem every bit as extensive as the potential for those trying to turn an honest buck.

To make matters worse, governments — including unsavoury regimes with a direct self-interest in making sanctions implementation as difficult as they can — have joined the ranks of the wrong ’uns.

Threats that simply did not exist 10 years ago now pose huge risks to the safety and security of maritime operations. These include ransomware and distributed denial of service attacks, cross-site scripting, malware, data breaches and common or garden phishing.

Among the unpleasant consequences are navigation failures, loss of cargo, collisions, cargo theft, total losses and large fines where in the event of proven laxity. And all of this is before we get to reputational damage.

Things may well get worse before they get better, or not get better at all. It doesn’t require a hyperactive imagination to conjecture a cyber attack on port facilities that would screw up the entire global supply chain.

Victims already range from marquee names such as Maersk, Cosco, CMA CGM, MSC, Clarksons, DNV, the Tokyo MOU and the International Maritime Organization itself down to individual ports and software houses. Given the generalised reluctance to discuss these matters publicly, the list is undoubtedly far longer.

Shipping’s vulnerability on the cyber front remains elevated, according to a recent survey conducted by Lloyd’s List. One shipping company in five told us they had suffered an attack in the previous three years.

It should not take a rerun of the devastating NotPetya attack of 2017 to convince owners of the necessity to raise our game all round. And if not now, when?

The IMO has published comprehensive guidelines, calling on shipping companies to implement cyber security measures as part of their safety management systems. Thank you, Albert Embankment.

But given where we are right now, that probably isn’t enough. The logical next step is for governments and regulatory bodies to devise a robust legal framework for cybersecurity and to ensure universal compliance with international standards.

One obvious line of defence is marine insurance. Cyber attacks are a risk, and where there is a risk, underwriters are in the business of pricing it and covering it.

But nothing in life is simple. Insurers themselves are divided as to whether marine cyber cover is best written in the marine book, the political risks book or a bespoke cyber book.

On top of that, the lack of historical data makes it difficult for them to build the right actuarial models, which has meant a tendency towards overpricing.

Since the end of March, Lloyd’s has stipulated all standalone cyber attack policies must include an exclusion for state-backed attacks, including those mounted by security and intelligence services.

Lloyd’s contends this move will add to clarity; others believe it will have the opposite effect, leaving a situation in which insureds do not and cannot know exactly what they are buying.

First there is the difficulty of attribution; cyber attackers do not leave calling cards, and it is usually impossible definitively to establish whether a perpetrator is a secret service agent, a blackmailer or a bored teenager in a back bedroom in Wolverhampton.

Then there is the grey area of defining which entities deserve to be designated as “states”. As Orwell might have put it, some governments are more recognised than others.

Moreover, exclusion clauses are always open to interpretation, and are often challenged in the courts. Few other than lawyers will relish the prospect of yet more costly claims litigation.

Broker Marsh and insurer Munich Re have suggested an alternative wording, arguing that the attribution of cyber operations to a sovereign state should not automatically trigger exclusion. That looks to us a fair-minded compromise.

No revolution is ever perfect, but the digital revolution has so far proved smoother than most. The prospects for artificial intelligence suggest that we only at the beginning of a process that could yet prove more transformative than 1789 or 1917.

There will always be bad actors who seek to pervert such progress for their own ends. But they cannot be allowed to get in the way.


Related Content

Topics

  • Related Companies
  • UsernamePublicRestriction

    Register

    LL1145051

    Ask The Analyst

    Please Note: You can also Click below Link for Ask the Analyst
    Ask The Analyst

    Your question has been successfully sent to the email address below and we will get back as soon as possible. my@email.address.

    All fields are required.

    Please make sure all fields are completed.

    Please make sure you have filled out all fields

    Please make sure you have filled out all fields

    Please enter a valid e-mail address

    Please enter a valid Phone Number

    Ask your question to our analysts

    Cancel