Cyber Risk Management

Cyber security is an increasingly important issue for shipowners from a security, safety, and insurance perspective. Ship operations now routinely involve the use of operational technology to manage safety-critical functions on board; an obvious example being Electronic Chart Display and Information Systems (ECDIS). Equally, the management of ships, both on board and ashore, relies on information technology for functions such as email, pre-arrival reporting and cargo management. 

In May 2016, the IMO Maritime Safety Committee finalised Interim Guidelines on Maritime Cyber Risk Management. These recommendatory guidelines provide an indication of the direction which should be taken by the shipping industry to protect vessels operating at sea. While shipping companies are part of the audience for these guidelines, ICS believes their application is wider and reflects the fact that shipping companies alone cannot secure maritime transport from the potential risks posed by increasing reliance on operational and information technology. The interim IMO guidelines also recognise the role of the Guidelines for Cyber Security Onboard Ships, produced by BIMCO, ICS and other industry organisations in 2015, as the principal means by which shipping companies should address the IMO recommendations. 

While the extent of any current threats posed to international shipping is unclear, it is probably only a matter of time before the general trend in increasing cyber risk exposure has a noticeable impact on the industry. In this regard, companies looking to take their first steps into cyber risk management, or looking to consolidate existing activity, are advised to focus on training and awareness of all personnel. Other important issues to be addressed include the complexity and quality of software, the persistent vulnerability that this may create for companies, and thus the industry’s need for support from equipment manufacturers and classification societies.

Since November 2016, ICS has participated in the International Association of Classification Societies (IACS) Cyber Systems Joint Working Group. The purpose is to develop recommendations for IACS classification societies relating to the implementation of cyber systems on board ships. Appropriately, this work is not limited to security, but encompasses wider issues relating to the resilience of operational technology installed on board. This work is essential to the future of addressing cyber risks in the shipping industry and will include an industry level risk assessment. 

Work on updating elements of the industry’s Guidelines for Cyber Security Onboard Ships has also commenced, with a view to submitting a further edition to IMO during 2017. This update will include additional sections on ship/shore interfaces, third party service providers, cyber safety and insurance considerations. There will also be revised guidance on network design and segmentation of critical systems. 

ICS will continue to participate in industry level work on cyber risk management and cyber systems, with a view to ensuring that shipping companies are provided with sufficient support from manufacturers and classification societies so as to be able to manage cyber risks effectively. 

Meanwhile, an important aspect of any risk management strategy is risk transfer. The application of exclusions to some commercial marine hull and machinery (H&M) and war insurance policies, such as the London market Institute Cyber Attack Exclusion Clause, has led to uncertainty about the scope of cyber risk cover. ICS discussions with London market underwriters have clarified that such exclusions would only apply to malicious cyber-attacks intended to inflict harm and not to accidental computer malfunction or breakdown that resulted in a loss that would fall within the H&M policy. 

Apparently, the exclusion in the H&M policies was intended to shift the risk to the war policies, affording underwriters the opportunity to cancel the policy and reinstate it on more appropriate terms when necessary. This explanation, along with the London market’s confirmation that the risk of a cyber-attack on a ship which could lead to systemic loss was considered remote, has led ICS to renew its advice to shipowners to continue to press for the removal of cyber risk exclusions from their commercial marine insurance policies.

  • International Chamber of Shipping
  • 38 St Mary Axe, London
  • EC3A 8BH