Given the strategic importance of the sector and its dependence on technology, the coming years will witness an increase in transport related cyber-attacks. There will be cases where the carrier will be unable to avoid liability.
The 27th June 2017 will go down in history as the date on which the transport sector became aware of the truly dramatic consequences of a cyber-attack. On that day, the operations of the Danish shipping company A.P. Moller - Maersk were totally paralysed as a result of a Petya ransomware attack that took down the systems of its headquarters and many of its facilities worldwide.
This is not an isolated event, but a first glimpse at a trend that can only increase in the coming years given transport’s dependence on technology and the strategic importance of the sector. In this sense, the latest study on cybercrime in Spain, prepared by the Ministry of the Interior, places transport as the third strategic sector where infrastructures had the most cybersecurity incidents during 2017 (preceded only by the financial and energy sectors with more attacks).
It goes without saying that a cyber-attack suffered by a carrier can also affect the goods being carried. This situation gives rise to the legal dilemma of whether the carrier is liable for any damage sustained to the cargo, given the carrier’s obligation to deliver the goods at destination in the same state and condition as received on loading at origin.
Bearing in mind that at this time there are no specific transport regulations that exclude liability for cyber-attacks, the debate is open as to whether this type of incident can be considered an act of force majeure or fortuitous so as to exclude the liability of the carrier.
To resolve this dilemma, it is necessary to start from the premise that cyber-attacks take advantage of any gaps or breaches in the security of the software being used by the carrier. Within the range of software vulnerabilities, the so-called "zero-day" (or "zero-day exploits") are distinguished from the rest. The particularity of the "zero-day" vulnerabilities is that, according to the state-of-the-art of the relevant technology, the existence of this vulnerability is completely unknown until the cyber event occurs. Thus, the manufacturer of the corresponding software, at the time of its creation, could neither know nor foresee the existence of such vulnerability to cyber-attack.
So, it follows that only in those cases in which there is a "zero-day" cyber-attack, is there likely to be a good argument for force majeure or to categorise the attack as a fortuitous event. In all other cases, the cyber-attack could have been avoided by the victim simply having their systems updated and duly protected.
The fact is that software service providers from time to time supply users with updates or improvements for programs that aim to safeguard their proper maintenance and operation, including protection against new cyber risks that arise. Therefore, once these updates are available, it is up to the users to implement them, since failing to do so will be interpreted as a lack of action and a contributing factor to the success of the cyber-attack and therefore, the users will be held accountable for the consequences.
Finally, it should be noted that the transport regulations put the burden of proof on the carrier, such that it is the carrier who must prove the facts when claiming an act of force majeure or fortuitous event if attempting to avoid liability for any damage to the cargo. In the case of a cyber-attack, it will be up to the carrier not only to demonstrate that the corresponding security measures had been duly implemented, but also that it was also a "zero-day" vulnerability.
In summary, carriers must be aware of the cyber risks posed by their sector, adopting appropriate measures to protect against such risks. Otherwise, they will be considered liable for any damages caused to the goods as a consequence of a cyber-attack.