Kate B. Belmont and Jared Zola
The summer of 2017 has been noteworthy for developments in maritime cybersecurity and cyber risk management. Major global cyber attacks from the WannaCry attack to the NotPetya attack, including mass GPS spoofing attacks in the Black Sea, have significantly affected the maritime industry, leaving no doubt of the importance of cybersecurity and cyber risk management. While the maritime industry remains largely unregulated in this area, the United States Coast Guard (“USCG”), the International Maritime Organization (“IMO”), and various industry working groups continue to provide guidance to the industry on cyber risk management, creating a new standard of care and practice in the maritime industry.
Significant Regulatory Initiatives
One of the most significant developments in maritime cyber risk management has been the IMO’s approval of Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems. After careful consideration, on June 16, 2017, at the 98th session of the Maritime Safety Committee, the IMO approved the resolution on Maritime Cyber Risk Management in Safety Management Systems, which affirms that approved safety management systems should take cyber risk management into account in accordance with the objectives and requirements of the International Safety Management Code. Although not a regulatory requirement, through the resolution IMO member states are encouraged to appropriately address cyber risks in safety management systems no later than the first annual verification of the company’s Document of Compliance after January 1, 2021.
The USCG has also been actively monitoring and addressing the need for cyber risk management through its cyber security initiative. On July 12, 2017, the USCG issued a draft Navigation and Vessel Inspection Circular (“NVIC”) addressing cyber risks (NVIC 05-17; Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities). The USCG draft NVIC is helpful as it will serve as policy guidance once finalized, but it is not binding on the industry. That said, it could be a precursor to a regulatory initiative in the future. The comment period on the draft NVIC has been extended until October 11, 2017. Accordingly, as it could have a long-lasting and significant impact, industry representatives are encouraged to comment on the draft.
Industry Working Group Guidelines
Shortly after the approval of the IMO Resolution, the industry working group, comprised of the Baltic and International Maritime Council (“BIMCO”), Cruise Lines International Association (“CLIA”), International Chamber of Shipping (“ICS”), International Association of Dry Cargo Shipowners (“INTERCARGO”), International Association of Independent Tanker Owners (“INTERTANKO”), International Union of Maritime Insurance (“IUMI”), and Oil Companies International Marine Forum (“OCIMF”), released the second edition of The Guidelines on Cyber Security Onboard Ships (“the Guidelines”). Building on the first edition that was released in January 2016, the second version is more comprehensive, includes information on insurance issues, and is aligned with the recommendations given in the IMO’s guidelines.
In addressing cyber risk management, the Guidelines provide the following framework:
- identify the roles and responsibilities of users, key personnel, and management, both ashore and onboard;
- identify the systems, assets, data, and capabilities, which, if disrupted, could pose risks to the ship’s operations and safety;
- implement technical measures to protect against a cyber incident and ensure continuity of operations—this may include configuration of networks, access control to networks and systems, communication and boundary defense, and the use of protection and detection software; and
- implement activities to prepare for and respond to cyber incidents.
(See The Guidelines on Cyber Security Onboard Ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and IUMI at 3.)
The Guidelines accurately note that approaches to cyber security and cyber risk management will be company and ship-specific, but all players in the maritime industry should be guided by appropriate standards and requirements of relevant national regulations. Effective cyber risk management requires a holistic, flexible approach that addresses each company’s specific needs, requirements, and capabilities.
OVERVIEW OF LIABILITY
Additionally, and most notably, the Guidelines address insurance issues relating to losses suffered from a cyber incident. The inclusion of this chapter is significant. For several years, the question of whether losses from a cyber incident would be covered by insurance has been discussed and debated. In the second version of The Guidelines for Cyber Security Onboard Ships, in addressing loss from a cyber incident, it is made clear that all companies should be able to demonstrate that they have acted with reasonable care in their approach to managing cyber risk. Although cybersecurity in the maritime industry is currently unregulated, companies must be proactive in addressing cyber risk as suggested by the IMO, USCG, and various industry working groups. Maritime companies can no longer claim ignorance in addressing cyber risk management.
Regarding liability for a cyber incident, the second version of the Guidelines introduces a general overview of potential cover for liability. The following guidance is offered:
- It is recommended to contact the P&I Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.
- An incident caused, for example, by the malfunction of a ship’s navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in and of itself give rise to any exclusion of normal P&I cover.
- It should be noted that many losses, which could arise from a cyber incident, are not in the nature of third-party liabilities arising from the operation of the ship. For example, financial loss caused by ransomware, or costs of rebuilding scrambled data, would not be identified in the coverage.
- Normal cover, in respect of liabilities, is subject to a war risk exclusion, and cyber incidents in the context of a war or terror risk will not normally be covered.
(See The Guidelines on Cyber Security Onboard Ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and IUMI at 36.)
In addressing cyber risk management, companies are encouraged to speak with their insurers and brokers in advance of a cyber attack or breach to discuss what cyber incidents their policies cover. It should also be determined whether additional, non-marine insurance cover is available for certain losses that may arise from a cyber attack or data breach, such as fines resulting from a data loss or compromised personally identifiable information (“PII”), or penalties that might result from equipment failure.
CYBER INSURANCE MARKET
Purchasing cyber coverage is not like purchasing other types of insurance. The cyber market does not feature standard industry forms that are universally adopted by insurers. Instead, insurance companies in the cyber insurance market have developed their own idiosyncratic cyber products, which vary widely both in their terms and the coverage being offered. Purchasers should carefully analyze the terms, conditions, and exclusions of a cyber policy, rather than assume that the use of similar labels suggests an equivalence across different insurance policies. Cyber policies that appear to offer the same types of coverage can vary greatly when analyzing the fine print.
The lack of uniformity presents leverage when purchasing cyber insurance, and the maritime industry should take note. The competitiveness of the cyber insurance market, along with insurers having the desire to increase their respective market share in this rapidly growing area, means that many insurers are more receptive to negotiation and customization than with regard to other types of insurance. Shipowners, operators, and all players in the maritime industry should utilize the unique nature of the cyber insurance market at this time. Working with attorneys and insurers that specialize in cyber security and cyber insurance can help develop a product that provides appropriate coverage, specific to each company’s needs.
Shipowners and operators who choose to disregard industry guidance should proceed with caution. To protect itself from even greater losses, a company must show it has acted with reasonable care in managing cyber risk and mitigating such damages, which includes having the proper cyber insurance. Additionally, shipowners and operators might face issues of unseaworthiness if their vessels are unprotected, riddled with viruses, and vulnerable to cyber attacks. In dealing with several public cyber attacks and significant financial losses, the summer of 2017 has been a transformative one for the maritime industry. Cyber attacks are real, and the maritime industry is vulnerable. Ports, shipping companies, and any players in the maritime industry that wish to stay competitive must address cyber risk management as outlined by the IMO, USCG, and various industry working groups.