I flew down to Manila late last year in order to speak to around 500 senior shipping and maritime people involved in crewing and training. One of the things I covered was cyber risk and specifically the results of the first major research into the level of cyber incidents that serving crew have experienced on board vessels.
Perhaps most startling is that of the 3000 crew surveyed almost 50 per cent reported that they had sailed on a vessel within the last 12 months which had experienced a cyber breach.
The statistics clearly caused many people in the room a significant degree of unease, particularly considering the response the previous day by a representative of BIMCO to a question about the industry’s preparedness to meet the cyber threat. There hadn’t been any significant cyber attacks in shipping, he assured the audience, and the industry was well ahead of the curve.
That’s wrong of course, on both counts, but it highlights one of the most intractable issues around cyber security, and that’s the widespread failure to really quantify the risk. Because leaving aside the fact that maritime organisations are—understandably—very reluctant to report when they’ve been the victim of a cyber attack, the bigger issue is that most of them probably haven’t even realised yet.
Up to 70 per cent of cyber attacks go undetected, so basing the maritime industries’ vulnerability on the number of attacks reported isn’t just poor judgment, it’s actively dangerous. The bottom line is that if almost half of crew know their vessel was subjected to a cyber attack of some kind, the likelihood is that the other half’s vessels were too—they just don’t know it.
But whilst the security of the ship and its control systems is essential it’s only one part of a far bigger cyber picture. A company’s digital footprint encompasses multiple employees, stakeholders and suppliers and you are only as secure as your weakest link. Smaller, less well-resourced suppliers are often targeted and used as a bridge into larger companies—as the airline flying me to Manila was about to discover.
Etihad reported earlier this month that the details of around 7000 of its loyalty card holders had been stolen, including names, email, physical and IP addresses. What was notable about the breach was that it had come via a small marketing company which Etihad had used to build a promotional website for it in 2013. Etihad was reported to be “considering all its legal options as a matter of priority.” Stop for a minute and think about all the small specialist marketing and PR agencies in the maritime industry and the digital access they have to, or data they’re supplied with by, ship operators and larger maritime suppliers.
Now consider the new EU Data Protection reform, which every member state will begin to formally adopt from the beginning of 2016. It could see companies who lose data subject to a fine of up to EUR20m, or 4 per cent of turnover, and includes mandatory reporting, and joint liability for example with a cloud provider. With this kind of regulation arriving it’s likely that even if shipping and maritime companies aren’t focussed on the risk now, their customers increasingly will be.
The first evidence of that is already emerging. Results of the first ever Maritime Cyberwatch survey (read more about that this issue) indicate that 40 per cent of shipping and maritime companies have been asked by their customers about their IT security credentials in the last 12 months. That’s a concern when you set it against the fact that 90 per cent of the companies surveyed spent less than 20 per cent of their IT budget on cyber security and resilience, 70 per cent spent under 10 per cent of their budget and 10 per cent spent absolutely nothing at all.
Customers asking questions about cyber security credentials may be awkward, but if it forces companies to engage in a real cyber risk assessment it can only be a good thing. Unfortunately, it’s also likely to lead to some nasty surprises, because what very few people seem to realise at the moment is that the insurance cover they have in place is almost certain to be inadequate.
According to data collated from surveys conducted by the UK Government, insurers Zurich and risk advisor and insurance broker Marsh, 52 per cent of CEOs believe that they have cover for cyber events, when in fact less than 10 per cent do. That’s an astonishing state of affairs when one considers that cyber attacks cost businesses more than $400 billion a year, which is a sum broadly equivalent to the GDP of Austria or Thailand.
What lies at the heart of this is a range of cyber risk exclusion clauses present in commercial insurance policies which specifically exclude all losses—including bodily injury, property damage and business interruption—arising from a cyber hacking attack. Between them the Cyber Attack Exclusion Clause (CL380), the Terrorism Form T3 LMA3030 Exclusion 9, and the Electronic Data Exclusion NMA2914 leave companies wide open to what the World Economic Forum has identified as one of the top ten global threats.
Which means the maritime and shipping industry is in a potentially nightmarish scenario: for a start we don’t understand the risks we’re probably exposed to, and even if we do, there’s no way to insure against them.
Thankfully for us there is at least one company that’s got the industry’s back. Marsh is a global insurance broking and risk management firm, in fact my research shows it’s the largest insurance broker in the world, and it’s been closely involved in finding a solution to this problem. Marsh characterises this black hole in coverage as a ‘Cyber Gap’ and has managed to produce a policy that shipping and maritime companies could potentially use to bridge it.
Despite the fact that the exclusions in commercial policies potentially leave catastrophic events un-indemnifiable, all attempts to remove them have been unsuccessful. That’s because the removal of these clauses, which are features of most treaty contracts, could leave insurers exposed to substantial “net” losses.
To overcome this Marsh has developed ‘Cyber Gap Insurance’ which essentially negates the inclusion of the offending clauses and eradicates the cyber gap. It uses a simple questionnaire tailored to deliver the information required by insurers to assess a company’s security practices and, if they’re adequate, cover is provided. Originally designed for the Energy sector, which faced the same exclusions, Marsh believe that this could be easily adapted for shipping.
It’s good to know that there is at least one solution out there, but the bigger question is how many in the industry are even aware they probably need it? To what extent are shipping and maritime companies cognisant of the new cyber risks that digital operation inevitably brings?
“I think that there is a growing awareness that the shipping industry is not immune from the cyber threat, though without a serious and well publicised incident, it is all too easy to ignore,” believes Stephen Wares, EMEA Leader of Marsh’s Cyber Risk Practice. “The risk is therefore under-investigated and the consequences under-explored rather than being a complete unknown.” As someone whose cyber risk expertise isn’t restricted to maritime, does Wares think it’s fair to characterise the industry as lagging others?
“Perhaps, but it’s not too far behind other industrial sectors,” says Wares. “It is understandable that highly regulated industries such as financial institutions and highly targeted industries such as retail would have a higher awareness and level of preparedness against cyber attacks. In industrial sectors the drive for cyber awareness and security has been less pronounced with critical national infrastructure leading the way mainly due to pressure and regulation from government.”
For insurers looking to cover risk from cyber attacks the challenges keep multiplying. “The key challenge is the diversity of technology across all industry segments and the diversity of loss outcome,” confirms Wares. “So many business functions and physical operations are controlled by IT or OT (operating technology) now that the range of possible outcomes can be as broad as the death of a hospital patient through hacking a medical device, to the theft of funds from a bank account by means of a phishing scam. The potential for the acquisition of the control over certain functions within a ship is one more to add to the growing list.”
The list is inevitably going to get longer too. We’re talking about SmartShips this issue and the new relationships, responsibilities and digital ecosystems they’re going to create. Nowhere is their impact likely to be greater than in cyber risk and resilience. As ships become smarter and more of the vessel’s systems are operated by software, or reliant upon third-party platforms or connectivity, or even operated and maintained directly by a manufacturer, what are the implications for insurers of these fragmented responsibilities and relationships when it comes to assessing and providing cover for risk?
Should ship operators and equipment suppliers be considering these scenarios too? “Insurers are well used to this fragmentation of responsibilities through insuring other industry segments,” Wares points out. “For most organisations, many IT functions and systems will be outsourced to third parties to host, maintain and monitor. For insurers underwriting this type of organisation the key is to understand how the organisation selects, contracts with, manages and audits these suppliers to ensure that the suppliers are held to a rigorously enforced standard.”
But it’s the concentration of dependence that insurers are concerned about. “The critical implication for the insurer is the aggregation of risk where many insured organisations are dependent on the same supplier or technology and so could therefore be vulnerable to multiple claims from the same event,” Wares explains. “This has the potential to limit the availability of cover where the aggregate exposure is too large for the insurer to bear.”
It’s that kind of insight that the maritime industry really needs to be listening to, and fully grasping. It is dependence that leads to risk, and concentration of dependence means more risk.
With the cyber security industry now exploring de-centralised measures, like the distributed ledgers of the blockchain, or even digital embassies like those being set up by the government of Latvia to protect itself in the event of a physical invasion, the aggregated risk posed by common technologies and platforms is indeed something maritime must be aware of as it develops its SmartShips.
In that context the comments made by BIMCO President, Philippe Louis-Dreyfus late last year seem unhelpful at best. “It would be very unlikely to see a widespread cyber attack on shipping because ships across the world use so many different IT systems,” said Dreyfus. “Also, because all parties involved – such as shipowners, classifications societies, equipment-makers, and so on – will do their ‘homework’.”
Perhaps someone needs to point out to BIMCO that every single SOLAS registered vessel must carry a working Inmarsat connection in order to be compliant with regulations. Take that down and the entire SOLAS fleet is vulnerable, and at the very least unseaworthy in the eyes of maritime law. Or perhaps that the vast majority of PCs on board every vessel will be running Windows software. That ship’s engines are overwhelmingly supplied by one of two or three big companies. That every single smartphone carried aboard by a seafarer will be running either iOS or Android, in excess of 80-90 per cent of the apps for which are estimated to be infected with malware. And that even a comparatively small maritime communications supplier could be providing email services including direct remote support to 2,000 vessels.
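The aggregation point Wares makes earlier, and the shared dependencies listed in the paragraph above (a mandated satcom link on every vessel, one desktop operating system, a handful of engine makers, a single email provider supporting thousands of ships), can be turned into a concrete check that an operator, a lender or an underwriter can run over a fleet inventory. The Python below is an added example, not code from the article, from Marsh or from any company named in it. The vessel names, supplier names and dependency categories are constructed sample data; "GMDSS-SatCo" stands in for a regulation-mandated link that every vessel in the sample carries, and the 50 per cent threshold is an arbitrary choice for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample fleet inventory (hypothetical vessels and suppliers, not
# data from the article). Each vessel lists the supplier or technology it
# depends on for a few dependency categories. "GMDSS-SatCo" is deliberately
# shared by every vessel to model a regulation-mandated common dependency.
FLEET: Dict[str, Dict[str, str]] = {
    "MV Alpha":   {"gmdss": "GMDSS-SatCo", "satcom": "SatCo-A", "email": "MailCo-X", "os": "Windows", "engine": "EngineCo-1"},
    "MV Bravo":   {"gmdss": "GMDSS-SatCo", "satcom": "SatCo-A", "email": "MailCo-X", "os": "Windows", "engine": "EngineCo-2"},
    "MV Charlie": {"gmdss": "GMDSS-SatCo", "satcom": "SatCo-A", "email": "MailCo-Y", "os": "Windows", "engine": "EngineCo-1"},
    "MV Delta":   {"gmdss": "GMDSS-SatCo", "satcom": "SatCo-B", "email": "MailCo-X", "os": "Linux",   "engine": "EngineCo-1"},
    "MV Echo":    {"gmdss": "GMDSS-SatCo", "satcom": "SatCo-A", "email": "MailCo-X", "os": "Windows", "engine": "EngineCo-3"},
}


def blast_radius(fleet: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each supplier/technology to the set of vessels that depend on it.

    A vessel is counted once per supplier even if that supplier serves it in
    several categories, because one compromise at the supplier hits the ship once.
    """
    exposure: Dict[str, Set[str]] = defaultdict(set)
    for vessel, deps in fleet.items():
        for supplier in deps.values():
            exposure[supplier].add(vessel)
    return dict(exposure)


def aggregation_hotspots(fleet: Dict[str, Dict[str, str]],
                         threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Suppliers whose compromise would affect at least `threshold` of the fleet.

    Returns (supplier, share-of-fleet) pairs, largest share first; ties are
    broken alphabetically so the output is deterministic.
    """
    n = len(fleet)
    hot = [(supplier, round(len(vessels) / n, 2))
           for supplier, vessels in blast_radius(fleet).items()
           if len(vessels) / n >= threshold]
    return sorted(hot, key=lambda item: (-item[1], item[0]))


def concentration_index(fleet: Dict[str, Dict[str, str]], category: str) -> float:
    """Herfindahl-Hirschman index of supplier shares within one dependency category.

    1.0 means every vessel uses the same supplier (a single point of failure);
    values near 1/k mean k suppliers share the category roughly evenly.
    Categories no vessel reports return 0.0.
    """
    counts: Dict[str, int] = defaultdict(int)
    for deps in fleet.values():
        if category in deps:
            counts[deps[category]] += 1
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return round(sum((c / total) ** 2 for c in counts.values()), 4)


def vessels_surviving(fleet: Dict[str, Dict[str, str]],
                      compromised: Set[str]) -> Set[str]:
    """Vessels with no dependency on any supplier in `compromised`.

    Useful for asking the underwriter's question in reverse: if these suppliers
    fail together, how much of the fleet is still unaffected?
    """
    return {vessel for vessel, deps in fleet.items()
            if not compromised.intersection(deps.values())}


if __name__ == "__main__":
    print("Suppliers affecting at least half the fleet:")
    for supplier, share in aggregation_hotspots(FLEET):
        print(f"  {supplier:<12} {share:.0%}")
    for cat in ("gmdss", "satcom", "email", "os", "engine"):
        print(f"HHI {cat:<7} {concentration_index(FLEET, cat)}")
    print("Unaffected if SatCo-A and MailCo-X fail together:",
          sorted(vessels_surviving(FLEET, {"SatCo-A", "MailCo-X"})))
```

The useful output is the ranked list rather than any single number: a supplier at 100 per cent of the fleet is not something diversification can fix when it is mandated, so it is where resilience and contractual controls have to carry the risk, while a supplier at 60 to 80 per cent is a concentration an operator chose and can reduce.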
There is homework to be done alright, because making statements like the one above could be considered in some hacking quarters as the equivalent of laying down a challenge. With other sectors tightening up their cyber practices there are already concerns that attention is now turning to maritime as a far softer target, and as any cyber expert will tell you, there are people out there who will be happy to bring our industry to a standstill for no other reason than to show that they can.
“I don’t want to tell you how much insurance I carry with the Prudential,” American comedian Jack Benny once said, “but all I can say is: when I go, they go too.” There has long been discussion of what consequences the catastrophic loss of something the size of a Triple-E would have; whether the insurance would actually be able to cover the loss. Please God it doesn’t happen, but if it did and the cause was anything related to a cyber attack then the answer’s pretty straightforward. And it’s a no.
Which of course has implications for another massively important set of stakeholders, the people who are currently financing the global fleet. How many of them are fully aware of the risk they’re taking? I know of at least a couple who had no idea the assets they’d invested in had no coverage in the event of a cyber attack. For my money that could well be the next ticking time-bomb for an already desperately struggling industry.
Let’s hope what one security expert described to me as ‘shipping’s 9/11’ doesn’t happen. Or if that’s a hopelessly naive sentiment, let’s hope that we’ve at least had a chance to build our industry’s resilience, and the insurance it will need to recover, before it does.
Awareness of cyber has been low up until now. But when it comes to regulations, contracts and clauses, ignorance is not a defence.
Images courtesy © Marsh/Getty Images
This article appeared in the January 2016 issue of Futurenautics.