Digitalisation of shipping and the associated cyber risk vulnerabilities are hotly debated and discussed topics in the shipping industry, both at state and corporate levels. Whilst the focus appears to be largely on shipowners and the use of autonomous ships, there are also a number of pressing areas of concern that ought to be considered and addressed in the context of ship management.
The industry standard BIMCO SHIPMAN contract allows the owners to delegate all or some aspects of managing their fleets to ship management companies. These areas include: technical, crew and commercial management of operations. Each of these areas brings its own challenges and risks as regards the implementation and use of technology.
Commercial and Technical Management
Under these headings, ship managers assume responsibility for ensuring that ships are compliant with all relevant standards and regulations, are sufficiently supplied, and engaged in commercial employment.
As an agent, a ship manager will often act as an intermediary. This creates obvious potential for cyber criminals who may seek to embed themselves in a transaction and attempt to have funds payable for genuine supplies diverted to their own bank account.
For instance, a ship manager orders bunkers for a ship. Having penetrated the ship manager’s IT systems, a hacker could monitor all email exchanges with the bunker supplier. Once the price has been agreed and instructions to deliver issued, the hacker could send a fake invoice and delivery note to the ship manager and request payment for the bunkers into the hacker’s own bank account.
By the time the loss is discovered, the transaction would likely have been made and the funds dissipated from the hacker’s account. Contractually, the owner would probably be obliged to pay the bunker supplier for the bunkers in fact supplied. The owner could then turn to the ship manager to recover its loss of the first payment pocketed by the hacker.
A question would then have to be answered as to whether the ship manager acted in a professional manner and had sound systems in place to prevent the cyber fraud from happening. If the ship manager’s approach to IT security was reckless, the ship manager could be liable for the full amount to the owner.
In that situation, the ship manager might have three ways to recoup the money, namely:
1. Against the hacker – but in our experience it will be very difficult and expensive, once the money has gone, to recover anything. Many countries operate specialist cyber-crime police divisions. A consideration should be given to making a prompt notification (this could also be required under any specialist insurance policy and/or local law).
2. Against its IT suppliers, depending on the terms of that contract and the nature of the fraud that has resulted in the loss.
3. Against its insurers, if a specialist cyber risks policy has been purchased.
A ship can only be as resilient as its crew. Depending on their objectives, many hackers will either seek to use crew as their gateway to the ship’s systems or simply target individual seafarers in an effort to extort money from them, raising an important welfare consideration.
There have already been reported instances of seafarers being profiled and targeted on social media (such as online dating portals or interest groups). Seafarers could then be contacted and unknowingly used to carry malicious software on-board a ship (e.g. on a USB drive) or even, in some cases, be blackmailed into assisting the hackers or asked to pay a ransom.
Whilst a significant proportion of the exposure may ultimately lie on the employer, i.e. the owner, ship managers will store a lot of personal data about seafarers and could be targeted by cyber-criminals looking for copies of bank account details, medical records etc. to help them profile individuals.
The GDPR will come into force in the EU (including the UK) in May 2018. Depending on whether the ship manager is based in the EU or the crew concerned comes from an EU country, a breach resulting in personal data being obtained by hackers will need to be reported to the relevant local authorities. If the ship manager is unable to demonstrate compliance with the GDPR and that the data was sufficiently protected, the maximum fine which could be imposed by the authorities could be the higher of EUR 20 million or 4% of global annual turnover.
Ship managers contracting on the SHIPMAN form have a general duty to “use their best endeavours” to provide ship management services to owners (see clause 8(a)). The increased reliance on technology brings increased risk of being targeted by cyber criminals. We consider it prudent that ship managers carefully analyse their IT infrastructures and policies, and implement appropriate measures to fully comply with their contractual obligations under the SHIPMAN form.
Many IT supply contracts will have more robust and up to date force majeure clauses potentially excluding some types of cyber-attacks. Under the un-amended SHIPMAN form, a profit-motivated attack would be unlikely to fall within the definition of force majeure (clause 17(a)) creating a potential for liability without any corresponding recourse against IT suppliers. It is advisable to consider the potential contractual gaps and take advice on appropriate insurance products.