Part 3: A very modern form of piracy: Cybercrime against the shipping industry – Data Protection
Written by Daniel Jones, Rosehana Amin, Rory Duncan and Sarah Yeow.
This is the concluding article in a four-part series that has considered some of the key issues concerning the very serious threat that cybercrime poses to the shipping industry. The preceding three articles have considered the rapidly developing risks facing the industry as well as focussing on ransomware incidents and data protection issues. This final article draws upon Clyde & Co’s extensive expertise in both the cyber and marine practice areas to highlight some of the steps that can be taken to anticipate and mitigate risks, the relevance of insurance and how to respond most effectively when faced with a cyber incident. This important conversation around the impact of cybercrime on the shipping industry will also be continued in a webinar featuring experts from Clyde & Co, further details of which can be found at the end of this article.
We discussed in our first article the developing nature and extent of cybercrime in the marine industry. Understanding these potential cyber security threats is important to help identify vulnerabilities as well as assisting in seeking to manage risk exposure. Crucially, it is important to understand the potential impact of cybercrime on any particular business and the most appropriate safeguards that should be put in place. Armed with such an understanding, the issue of insurance can then be properly addressed in order to help minimise the impact of a cyber attack on a business and minimise any gaps in protection that may exist. In our experience, appropriately tailored insurance can be a very significant benefit in dealing with cyber incidents. In the shipping industry, however, there are areas where traditional marine insurance products will not cover all the risks and new insurance products are appearing in the market. It is still very much a developing area.
An important starting point is to recognise the limitations of existing ‘traditional’ marine insurance in the context of cyber incidents. For example, current UK Hull insurance policies are now likely to include one of the Lloyd’s Market Association model clauses for exclusion of cyber risks. For instance, clause “LMA5402 – Marine Cyber Exclusion” provides a general exclusion of all loss or damage arising from the use or operation of a computer system whereas clause “LMA5403 – Marine Cyber Endorsement” only provides cover for losses that have arisen where a computer programme or system has not been used to inflict harm, thereby effectively excluding losses arising from a cyber attack. Similarly, German insurance policies may include German Insurance Association (“GDV”) model clauses such as the recently-introduced Marine Cyber and Blackout Exclusion and Optional Cyber Write Back Clause which excludes physical damage, financial loss, liability, costs, expenses or indirect loss/damage arising from a cyber attack.
P&I insurance typically does not incorporate specific exclusions for cyber risks (at least where cover is provided through an International Group P&I Club) but can still have significant limitations. For example, P&I cover will be subject to the war risks exclusion which excludes “any hostile act by or against a belligerent power or any act of terrorism” which could encompass cyber attacks attributed to or with links to a state actor, or on critical national infrastructures. In addition, P&I insurance will typically be prejudiced by the failure of a member to take reasonable steps to prevent foreseeable loss or liability. As we considered in the first article in this series, the rapidly developing nature of cyber risks – and with that the increasing nature of obligations on shipowners to mitigate those risks – make compliance with such requirements increasingly difficult. As one leading International Group P&I Club has put it: “as more and more potential cyber risks are being identified all Clubs will expect to see operation of sensible and properly managed cyber risk policies and systems both ashore and on vessels if a cyber risk leads to a claim.”
A further important point to consider is that there are significant heads of marine-related loss that may be suffered following a cyber attack that would be beyond the scope of cover of traditional marine insurance policies. Such losses may include the loss of hire or other income where a vessel or fleet becomes unable to trade as a result of a cyber event or the costs of dealing with a cyber incident, payment of ransom, data loss/disclosure or the reinstatement of computer systems. It is therefore important to consider whether specialist cyber risk insurance is required and, if so, the scope of cover needed. There are increasing numbers of specialist insurance products available in the market and these can vary according to the levels of cover provided. In a shipping context, important questions to consider may relate to exclusions from cover (for example, for liabilities arising under contracts with third parties), the breadth of cover (for example, whether insurance extends to shore-based computer systems or just those located on board vessels) and whether the financial limits of the policy are suitable to meet the needs of the insured.
In addition to any relevant insurance cover, it is important for a business to proactively consider how it will effectively detect, respond to and resolve cyber incidents. A cyber response plan, for instance, will enable an organisation to identify gaps in its capabilities beforehand, and to ensure that there is a robust incident management plan in place to provide clarity over the lifecycle of the incident.
To gain the best possible understanding of the nature and extent of the impact a cyber incident could have, a shipping company will need to bear in mind the different risk profiles of onshore risks (including any involvement in port operations, container terminals, shipyards and other shore-based assets or control centres) and offshore risks (vessel / installation-based). The different risks should be fully identified and understood so appropriate measures can be implemented.
Clyde & Co has significant experience in advising on and assisting in such scoping exercises, for example by providing pre-incident preparedness packages, full cyber security health checks, data mapping, third party contract reviews, horizon scanning and assistance in reviewing data privacy regulations. Such preparation can help not only in identifying further steps that can assist in responding to any attack (such as the development of contingency plans or an assessment of insurance needs), but also – through exposing and correcting vulnerabilities – in helping to ensure that a cyber-attack becomes less likely as well as ensuring that contractual obligations to be ‘cyber-ready’ can be met.
In the unfortunate scenario that an attack does happen, Clyde & Co’s experience, gained through assisting clients in over 3,000 cyber incidents globally, can be a very valuable asset. We understand that rapid response is key. We also understand that in a crisis situation different businesses will have different priorities, so our experts can help identify and explain the different parties that are able to assist as well as the various response options available following an attack. Clyde & Co’s extensive international presence means we understand and can assist with multi-jurisdictional issues in the shipping industry and our assistance is aimed at helping to shift the burden from the business and to improve and facilitate recovery.
Having the right team in place with skills appropriate to the particular threat can make a huge difference in ensuring the effectiveness of any response. Working with experienced IT forensic specialists to establish the cause of an attack, mitigate risks and address vulnerabilities will be vital in the time-critical initial stages of response. Expert knowledge of ransomware incidents will also be especially helpful in negotiating with a threat actor who makes a demand on an organisation. It will be important to understand the risks of re-extortion, ensuring that due diligence checks are taken to test a decryption key, validating the proof of life and conducting the appropriate threat intelligence to understand the ransomware strain and source of attack. PR expertise may also be required where business interruption or data leaks pose a reputational threat and to manage client communications especially where commercially sensitive information, cargo or other sensitive issues may be involved. This panel of experts can help ensure that any response is rapid and effective but knowledge of the type of assistance available and its suitability to any given situation is essential, particularly in an emergency. Clyde & Co is fully versed in the coordination of the incident response process and management of specialist third party vendors as well as in managing the regulatory and legal compliance or the risk of any third party liability.
Following the response, various factors need to be considered when restoring business operations. As highlighted previously, different parties will be able to assist with their specific expertise. Weighing up different options and alternative routes will need to be assessed depending on the priorities of the particular business.
Ransomware attacks can pose particular challenges even where a decryption key has been obtained and forensic experts will need to validate and test the key to ensure it will restore the affected IT systems whilst in parallel considering whether systems should be restored via back-ups (where available). Additionally, the possibility of re-extortion must always be considered. This includes where a threat actor attacks the systems a second time, before they are fully secure, to demand a further payment or where, after a ransom payment is made, an additional demand is made and required to be paid before the decryption keys are provided by the threat actor or to ensure that the threat to disclose data does not materialise. Forensic experts can ensure that the threat is contained and systems are secure to prevent a further recurrence and to manage threat actor engagement and negotiation. Further, when considering possible payment of a ransom it will be important to assess the level of risk regarding whether the threat actor will provide the decryption key and/or return the data it has purportedly exfiltrated or if it may disclose the data publicly in any event.
In addition to technical issues, there will be a range of recovery steps that will require legal input and our experience is that this is often a task that requires coordination across a number of jurisdictions. Such issues will include management of regulatory investigations to minimise the likelihood of enforcement action or penalties being imposed. In addition to the regulatory scrutiny a business may face, there is also the prospect of third party claims and litigation. This is an area of law that is developing rapidly and the growth of litigation funding and collective action mechanisms has only served to increase the already existing potential for overlapping litigation in multiple jurisdictions. Preservation of relevant evidence will also be essential in this context as well as assisting in the investigation of potential routes of recovery of losses from third parties.
Finally, it is our experience that the final stages of recovery can be facilitated by a post-response audit and review focusing on lessons learnt from the incident as well as identifying future steps that may be taken for the protection of the affected business.
This series of articles has been designed to provide an overview of the particular challenges posed to the shipping industry by cyber attacks. As well as identifying the increasing nature of the threats to the industry, the series has also sought to highlight the range of measures available to mitigate these risks and to help businesses make an informed decision on the best way forward. If there is one key message it would be that preparation is essential and, in our experience, this requires drawing upon a range of expertise, both internal and external, to assess and minimise risk exposure. In the unfortunate case of an event having occurred then the key factors will be speed of response and effective coordination of expertise that is tailored to the particular cyber threat. Although the threats are very significant, our extensive experience of anticipating and responding to cyber attacks has shown that there is much that can be done to manage the impact of cybercrime on the shipping industry. For further information please contact any of the authors of this article or your usual Clyde & Co contact.
We are currently planning a Cyber Marine webinar.