In the wake of a number of high-profile cyber incidents in the marine sector, it probably comes as no surprise that the Department for Transport (DfT) has now released a new Code of Practice for Cyber Security for Ships (available here). The Code should be considered by board members, insurers, senior officers and those responsible for the day-to-day operation of vessels.
The DfT emphasise that the Code should be used as part of an overall risk management scheme. It therefore supplements the existing requirements under the International Ship and Port Facility Security (ISPS) Code. In particular, the provisions for a Company Security Officer and a Company Security Assessment are elaborated on, with a view to achieving enhanced cyber security.
At over 70 pages the Code is most comprehensive; to summarise, the predominant points are that ship-owners / companies should:
Assess their current cyber security arrangements and identify risks;
Prepare a written Cyber Security Plan (CSP);
Plan for continuing assessment and monitoring of the Cyber Security Plan;
Implement the Cyber Security Plan and manage Cyber Security by appointing a Cyber Security Officer (CySO) and creating a Security Operations Centre;
Effectively handle the release of information to third parties;
Appropriately monitor and handle any cyber security breaches.
It is also highlighted throughout the Code that, in order for security arrangements to be effective, the responsibility for security policies, processes and procedures should flow down through contracts and supply chains.
What this means for you
Cyber security is receiving much attention in the marine world at present, particularly in the wake of A.P. Moller-Maersk’s approximate $300m loss due to the NotPetya malware incident. Accordingly, the Code provides welcome guidance on how to implement appropriate security measures and keep them up to date.
For ship-owners, a Cyber Security Plan should be drafted and annexed to the Ship Security Plan. Not only will this set out the steps needed to implement effective cyber security, but should any questions be raised about your approach to cyber security, you will have a thorough, considered document to which you can refer.
For insurers and ship-owners alike, consider whether insurance policies have sufficient cyber security protection, and whether existing cyber insurance policies adequately meet the needs of ship-owners and/or are presented in a way that ship-owners will understand.
In terms of a ship-owner’s existing non-cyber insurance, are the Institute Cyber Attack Exclusion clauses incorporated into the policy? If they are, ship-owners should consider whether the time is right to investigate cyber insurance with their insurers. Individual cyber policy wordings should then be carefully assessed to ensure that the policy chosen is the one which most closely fits the requirements and risk profile of the shipping industry and of the individual business buying the insurance.
As insurers, if you are offering coverage for cyber incidents, consider whether the establishment of, and adherence to, a Cyber Security Plan should be a term of coverage, and whether the presence or absence of a CSP might affect premiums.
For those offering passenger services, failure to comply with this Code leaves you exposed to the risk of being held to have acted with fault or neglect, and thus of being liable for death, injury, or damage to luggage suffered as a result of cyber-attacks. If there is no written Cyber Security Plan in place, criticism and/or liability will potentially attach very easily, simply by reason of its absence.