Cybercrime knocks – How prepared is the shipping sector?

Navigating the impact of the COVID-19 pandemic has forced the shipping sector to reappraise its operations and reassess its resilience.

Today, there is wide recognition that the adoption of tech will ultimately help ship owners, operators and other stakeholders better withstand future challenges. There are clear benefits on efficiency, productivity, costs and emissions reduction, to name a few.

In Southeast Asia, though, there are still significant disparities within the sector on the pace and scope of digital transformation.

During a webinar at the IMO-Singapore Future of Shipping event earlier this year, industry experts attributed some of the slow progress to a “lack of trust”, a mentality that believes sharing data widely would mean losing an industry edge to competitors.

Compounding that mentality is a wide range of challenges and risks facing the shipping sector, including the hefty cost of investment required for digitalisation during a recession, and the potential exposure of vulnerabilities.

Cybersecurity risks

One of the greatest hindrances to technological advancement is the threat of cybercrime. It’s a conundrum – many in the shipping industry believe that the wholesale adoption of new technology might expose their vulnerabilities but, on the other hand, the resistance to adopting new tech could curtail a company’s ability to protect itself from lurking cybercrime.

Singapore’s shipping sector fortunately has not yet suffered a major episode, but the recent attacks on South Korea’s national flagship carrier HMM, French shipping company CMA CGM, and the International Maritime Organisation (IMO) itself have created heightened anxiety.

What to look out for

The shipping industry possesses characteristics that make the sector particularly vulnerable to cyber breaches. The nature of maritime operations involves constant interactions with onshore parties like marine terminals, government bodies and stakeholders in a supply chain, and these interactions often include the sharing of business critical data and commercially sensitive information.

Other traits include the common use of legacy technology that relies on operating systems that are already obsolete. The vast network of participants and stakeholders, serving different levels of responsibilities and roles, often also means that meaningful cyber risk management cultures are difficult to implement.

In such a complex web of operations, cyber breaches can manifest in many different ways, including unintended system failures (for example, through the use of an infected USB drive), system failures due to software crashes, or employee interactions with phishing attempts.

These breaches, innocuous as they may seem, can do significant damage. Companies face substantial risks including the theft of information and cargo, loss of business reputation, destruction of vessel and property, and liability to third parties, just to name a few.

Costs to rectify these breaches can be pegged to loss of customer business, investigations and forensics, audit services, deployment of detection software, damage to brand, and ultimately court settlements.

 

Risk Management

This all necessitates robust approaches to cyber risk management, which should cover several major elements, such as identifying key management and personnel and who should hold responsibility when disruption occurs.

Contracts should also have express clauses that address cyber risk by clearly allocating liability and loss.

In the event of a breach, robust and frequently exercised protocols must be in place for staff members to report it to the board, comply with regulatory obligations and engage the crisis response team. Companies should also consider specific cyber security insurance with providers.

Earlier this year, Singapore’s MPA issued a helpful guidance note that provides information on the requirement to incorporate maritime cyber risk management in the safety management systems of companies operating Singapore-registered ships. The requirements included five functional elements:

  1. Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations;
  2. Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations;
  3. Detect: Develop and implement activities necessary to detect a cyber event in a timely manner;
  4. Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event; and
  5. Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

Shipping companies need to instill a top-down risk culture, develop industry best practices and implement consistent training to stay ahead of the risks they face.

+++

JTJB is a Singapore-based law firm with network offices around the world. Our International Trade, Shipping & Logistics Practice Group is a key area of practice at our firm. With more than 30 years of experience advising on transactional, commercial and contentious shipping matters, our robust list of credentials has awarded us with a stellar reputation as shipping specialists. If we can assist on your digitalisation journey, please reach out to K. Murali Pany (murali@jtjb.com).