Charting a safe course: Maritime cybersecurity

In our most recent Shipping News London seminar, Stephenson Harwood had the pleasure of hosting a panel addressing maritime cybersecurity challenges and solutions.

We were delighted to hear from Dan Humphreys, Senior Director at ABS, John Sullivan, Head of Insurance Services at V.Risk, and Rod Johnson, Director of Seamark Marine. The panel was moderated by Partner Ezio Dal Maso, head of Stephenson Harwood’s superyacht practice. Some of the key takeaways are set out below.

CYBERSECURITY IS A NOVEL AND GROWING CONCERN IN SHIPPING

The industry has become more aware of cyber risks, especially in the light of recent high-profile incidents. There is a wide discrepancy between vessels’ cybersecurity infrastructure; cruise lines and superyacht owners are generally in a position to invest in state-of-the-art protections, while budgets may constrain the owners of commercial fleets. Many older ships are now being retrofitted with new cybersecurity tech, which may offer less protection than inbuilt systems.

REGULATION IS CONSTANTLY CATCHING UP

As things stand, there are three levels of mandatory regulation:

International regulations (such as IMO resolutions)
Technical regulations (e.g. classification society requirements)
Regional/flag state rules

However, regulations generally set a minimum standard - “the floor, not the ceiling” as Dan Humphreys commented - leaving much room for improvement. As is the case in many sectors, regulatory bodies are in a race against increasingly sophisticated cyber criminals and their methods. Countries such as the USA are increasing enforcement, including the detention of vessels for non-compliance with cybersecurity standards.

HUMAN FACTOR AS A CAUSE OF CYBER ATTACKS

Rod Johnson emphasised how human error and the tendency to trade thoroughness for ease or efficiency are exploited by cybercriminals. Both crews and shore staff often lack basic cyber hygiene (including password management, USB use, working in public spaces etc.). It is also important to remember that it can take weeks or months for operators and owners to realise that hackers and malware are ‘living’ in their vessels’ IT systems.

PERPETRATORS RANGE FROM INDIVIDUALS TO STATE ACTORS

Cyber criminals’ motivations range from financial gain, for example using ransomware to extract money from victims, to the pursuit of social or political agendas.

State actors are increasingly involved, especially in the compromise of GPS systems on which today’s crews and onshore staff are heavily reliant, which can in turn cause supply chain disruption.

INSURERS AND LENDERS ARE ADJUSTING TO THE NEW REALITY

Standard marine insurance policies now include cyber endorsements but there are exclusions, especially for war and state-backed cyber risks. P&I clubs offer some cyber cover, but limits tend to be low and activity which falls within the definition of ‘war risks’ will generally be excluded from such cover.

In the world of finance, lenders are starting to require minimum cyber cover and new products are emerging, but comprehensive solutions are still lacking.

WHAT COMES NEXT?

Cybersecurity must become part of shipping culture and daily operations, not just a tick-box exercise. There is a need for ongoing crew training, cyber drills, and better system segmentation. Ship design is increasingly driven by cyber risk considerations, but financial constraints and a rapidly changing risk landscape are a challenge for owners, operators and regulators.

Our next Shipping News London seminar, 'Building Tomorrow’s Fleet – Managing Risks in Modern Shipbuilding', will take place on Tuesday 19 May. You can sign up here.

Related Expertise