The threat of piracy in the high risk area of the Indian Ocean remains real. Despite no major vessel being hijacked by Somali pirates since May 2012, it is still prudent to take precautions including, without limitation, complying with the latest Best Management Practice (BMP) and, if the risk assessment deems it necessary, deploying armed guards from private maritime security companies. However, whilst there is no room for complacency in this region, at this time there is little need for further discussion of the precautions to be taken as they are generally understood by all concerned.
The security situation in the Gulf of Guinea continues to be grave. Here the perpetrators’ tactics and methods differ greatly from those in east Africa and the approach of the littoral states means that vessels operating in this region must adopt alternative security measures, including only using armed guards from local constabulary or military authorities (as applicable) rather than from private maritime security companies. The continued seriousness of the situation has prompted a recent revision to the Guidelines for Owners, Operators and Masters for Protection against Piracy in the Gulf of Guinea Region. However, whilst piracy in the Gulf of Guinea and the precautions to be taken justify their own article, the region is little visited by cruise ships and this must therefore be addressed in another publication.
Increasing numbers of attacks have been reported in South East Asia. Whilst sometimes violent, these are – with a few exceptions – considered maritime crime rather than acts of piracy and appear more opportunist than organised. Although tankers are commonly targeted, those few cruise ships idling in the region should nevertheless be on their guard.
Like the rest of shipping, the cruise industry faces the intangible but no less serious threat of cyber attack. A number of industries, including the financial services, energy and extractives industries, have been aware of the risk for some time, and state security services and the private security industry are taking it seriously. The UK’s National Strategy for Maritime Security is aligned with the National Cyber Security Strategy and foresees an attack on UK maritime infrastructure or shipping, including a cyber attack, as a security risk. The cyber risk to shipping might manifest itself in any number of ways.
For example, through an act of cyber vandalism caused by the deliberate or accidental infection of a vessel’s essential systems, the safe operation of a vessel might be jeopardised. Alternatively, an attack on a satellite positioning system, such as that which caused the disruption to the Russian Global Navigation Satellite System earlier this year, might hamper a vessel’s safe navigation.
Either of the above might result in an unseaworthiness claim by charterers or claims by third parties for property damage or personal injury, which from a legal point of view would be treated in much the same way as any other such claim. A shipowner’s defence to an unseaworthiness claim by charterers lies in having exercised due diligence to make its ship seaworthy.
An operator’s duty of care to its passengers is likely to be governed by the terms of the ticket, whilst a third party claim will be subject to the usual tortious principles and likely to require the shipowner/operator to have taken at least reasonable care to guard against an attack and deal with the consequences.
Notwithstanding the potential seriousness of the above, the most substantial risk currently posed by cyber attack is to business and reputation. Electronically-driven industrial espionage, whether economically or politically motivated, may result in a loss of business secrets, competitive advantage and the personal data of employees and clients. Whilst most shipowners hold very little personal data, those in the cruise industry, due to the nature of their business and size of their crews, generally hold large amounts (for example, passenger names, ages, contact details, preferences and health requirements). Serious reputational, regulatory and litigation exposures can flow from such an event. We will focus on the subject of data protection in a later Bulletin, but the sanctions for losing personal data can be substantial.
Strategy to deal with potential attack
Currently there is no applicable case law. Nor have any guidelines been published specifically for shipping to guide shipowners in their due diligence. However, non-industry specific information is available, including from the UK’s Department for Business, Innovation and Skills.
Some have suggested that shipping should consider adopting mandatory standards to deal with the threat. Given the level of regulation affecting the industry, this is unlikely to be welcomed and might be an overreaction. However, it is clear that cyber security should be taken seriously and shipping should consider developing pragmatic and effective plans for dealing with it in much the same way as it did when developing BMP.
In the meantime, all shipowners should develop their own comprehensive cyber security plans and incident response policies and take steps to protect their systems and information, including ensuring that all staff, whether on shore or at sea and at all levels of the business, are aware of the risks and the steps to be taken to mitigate them. Any plan should be tested and those required to take action thereunder should be aware of their role. Those businesses with such a plan should be in a much stronger position both to defend themselves from and to deal with the aftermath of any attack and so mitigate their liability.
If comprehensive cyber security plans are in place, then a business will also be in a stronger position to defend itself against any potential claims that might arise from a cyber attack.
Shipowners should consider whether they have suitable insurance cover in place and should not assume that their commercial general liability policies will automatically answer. The insurance market is increasingly understanding of the risk and some now offer cyber insurance tailored to the shipping industry.
If attacked, a business should implement its plan as soon as it becomes aware of the breach and ensure that senior management are informed immediately. Furthermore, it is prudent to engage lawyers early to help manage the press, assess contractual liabilities and establish legal privilege over the results of any investigation.