
Cyber Risks and Cyber Security (No.2)

20 February 2018 No.944


This is the second of three Club circulars issued to inform and update members on cyber risks and cyber security issues.  The first circular was published on 10 November 2017 and provided a general introduction to cyber risks.  This circular will address the international regulations and guidance on cyber security.  In the third circular, we will consider some case study scenarios of a cyber incident.







CYBER RISKS – REGULATIONS AND GUIDANCE






The maritime industry recognises that measures taken in relation to cyber security should be company and ship specific.  For example, ships with limited electronic systems would not need to undertake the same level of risk analysis as a ship with complex inter-connected electronic systems onboard.  






Currently, there is little by way of national or international cyber security legislation, although both the EU and US are developing legislation in this area.  Pending such legislation and regulation, maritime organisations such as BIMCO have prepared cyber security guidance notes and recommendations to help guide members in this complex new area.







BIMCO GUIDELINES






Over the last few years BIMCO has led the discussions on the risks posed by the increasing technology onboard ships.  In 2017 BIMCO published an updated version of their 2016 Guidelines on Cyber Security Onboard Ships (the "Guidelines"). These Guidelines are supported by the International Chamber of Shipping, Intertanko, Intercargo and the Cruise Lines International Association.  






The updated Guidelines can now be considered the most comprehensive guidance for the shipping industry, which builds on the knowledge and experience developed by BIMCO over recent years.






BIMCO represents 60% of the world's merchant fleet.  In order to develop the Guidelines, BIMCO worked with the US Coast Guard and the Liberian flag registry, including giving maritime researchers access to some BIMCO members' vessels to investigate potential attacks.  As with many other studies, the findings have shown significant potential for cyber disruption.






The Guidelines are intended to provide assistance to shipowners and operators on how to risk assess their operations, identify the vulnerabilities in their systems and take steps to protect themselves.  They are not a stand-alone document, but are designed to be complementary to existing regulations under the International Safety Management Code (ISM Code) and the International Ship and Port Facilities Security Code (ISPS Code).






Although BIMCO recognises that measures taken in relation to cyber security will be company and ship-specific, the Guidelines seek to reinforce that the approach to these risks should be guided by appropriate standards.  The Guidelines focus on six critical aspects of cyber security awareness, namely:





  1. Identifying threats and understanding the cyber security threats to the ship;
  2. Identifying vulnerabilities within the ship’s cyber security system;
  3. Assessing risk exposure and the likelihood of being exploited by external threats;
  4. Developing protection and detection measures in order to minimize impact;
  5. Establishing contingency plans to reduce the threat’s impacts; and
  6. Responding appropriately to cyber security incidents.






These are all issues which members need to consider when assessing their cyber security.  The Club is available to help members identify third-party experts to assist in addressing these issues.  This includes taking steps to:

 


  • control and monitor the ship to shore path of internet connections;

  • segregate networks onboard;

  • prevent communication between controlled and uncontrolled networks;

  • use multiple layers of protection to protect critical systems and data; 

  • prepare an effective cyber breach emergency response plan; and


Once members have undertaken an analysis of their risk exposure, they may be able to transfer any exposures by way of allocation of such risks in contracts with counter-parties or by using a stand-alone cyber insurance product.  It is recommended that members contact their insurance broker to discuss the potential options in more detail.







IMO GUIDELINES






Following an IMO Maritime Safety Committee meeting in June 2017, the Committee has issued new guidelines on the implementation of cyber risk management.

 

These guidelines mean that ship owners and operators will now have to take into account cyber risk management in their safety management systems (SMS).  The IMO Committee has also provided a timetable for these changes, stating that a company SMS will need to ensure that cyber risks are appropriately addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021.






If a member's electronic systems are successfully attacked, and they cannot show that they acted with reasonable care in managing cyber risks and protecting their ships, then there is a risk that a vessel may be considered unseaworthy in breach of the contract of carriage.  If a Court or Tribunal reaches this conclusion and the investigations indicate that members have been imprudent and failed to exercise due diligence, this may have implications on any insurances in place.

 

CONCLUSION

 

The risks of a cyber attack are increasing.  Members may face serious financial damage if they suffer a cyber attack.  Although there is currently no national or international legislation on cyber risks, the shipping industry has comprehensive guidance in place to help members take steps to protect themselves from these risks, including the BIMCO Guidelines.  It is important that members consider the industry guidance to assess the risks and to try and address them appropriately, particularly with the recent IMO recommendations on the implementation of cyber risk management.

 

[This Circular has been prepared for Japan P&I Club by Mr. Matthew Montgomery / Ms. Jean Koh of HFW, a leading maritime law firm Holman Fenwick Willan LLP (http://www.hfw.com/Home)]
