4 December 2020
As the COVID-19 pandemic has forced countries into lockdown, and businesses and organisations to update IT infrastructure and software to accommodate working from home, cyber risks have increased exponentially. The uptick in cyberattacks during the last 12 months has been widely reported and there is no data, that we are aware of, to suggest that this trend will end anytime soon.
In Australia, as we fortunately enter a phase where the risk of contracting COVID-19 has diminished quite significantly in recent months, remote working will remain a key feature of our 'COVID-Normal' world and, consequently, the risk of contracting a cyber-related virus will not abate. In fact, cyber risks will most certainly only increase as cybercriminals continue to exploit loopholes in new software and user complacency. Most risk managers have reluctantly accepted that stopping a cyberattack is almost impossible. Therefore, ensuring that there is an effective response to and management of a cyberattack is critical to any risk management plan.
No immunity for the shipping and logistics industry
The shipping and logistics industry is of course not immune to cyberattacks and remains vulnerable. One of the first significant cases was in 2017, when Maersk was hit by a ransomware attack which reportedly cost the company approximately US$300 million. Other victims this year alone include Toll Group, Mediterranean Shipping Company, CMA CGM and the International Maritime Organization (IMO).
For all those businesses involved in shipping, trade and the broader supply chain, cyber risk management should be a top priority in this 'COVID-Normal' era where an even greater reliance will be placed on digitalisation, automation, remote working and network-based systems.
International Regulation and Guidance
IMO's Resolution MSC.428(98) "Maritime Cyber Risk Management in Safety Management Systems" will take effect on 1 January 2021 and as a result shipowners and managers will need to incorporate cyber risk management into their safety management systems (SMS) in order to meet the objectives and functional requirements of the ISM Code.
The IMO has also published its "Guidelines on maritime cyber risk management" (MSC-FAL.1/Circ.3) which provides high level recommendations regarding the elements of an appropriate approach to implementing cyber risk management in order to safeguard against cyber related threats both onshore and offshore.
BIMCO, together with key industry stakeholders, published "The Guidelines on Cyber Security Onboard Ships", which provides practical guidance and recommendations on the minimum measures that organisations should consider addressing in their onboard cyber risk management and to maintain the security of IT systems in the company.
In practice, shipowners and managers simply cannot ignore cyber risks. Compliance with the ISM Code, and therefore having a cyber risk management plan in place, is not optional and from 1 January 2021 this will have a bearing on the seaworthiness of a ship. AMSA, under Marine Order 58, which covers ISM Code compliance, will no doubt police this new requirement.
Effective Cyber Risk Management
As a first step in adopting and implementing a cyber risk management plan, organisations should consider a risk-based approach specific to the organisation and assess its vulnerabilities. That said, any device connected to the network is a potential opening for cybercriminals to exploit an organisation's network.
The cyber risk management plan should be flexible and adaptable to emerging risks. This includes having appropriate safeguards to protect both IT and operational technology (OT) systems, as they often share the same network. A cyberattack on an organisation's OT system may leave vessels' operational systems and networks vulnerable.
Another key factor in effective cyber risk management is to bring a level of cyber risk awareness to the organisation so that all staff at all levels have the tools to identify cyber risks such as malware or phishing links and attachments in emails. Research has shown that the number one vulnerability for any business is human error, so it is essential that organisations take proper steps to manage this risk.
A key part of cyber risk management is the development and maintenance of an incident response plan which is designed to address key risks and vulnerabilities specific to a business's operations and incorporate certain safeguards to manage these risks. An incident response plan should set out procedures that can deal with any operational impacts such as network and system outages and ensure business and operational continuity. The plan should have protocols and strategies that respond to each stage of a cyber incident, including:
Pre-Incident Response
- Conduct periodic cybersecurity health checks of both onboard and onshore systems and run cybersecurity and incident response scenarios to determine if there are any gaps and whether further safeguards are required.
- Update IT software and infrastructure regularly, have antivirus software to detect viruses, and make security policies and secure remote working practices and procedures accessible to all staff. This includes enforcing secure VPN connections to critical digital assets, implementing multi-factor authentication over key applications, and strengthening password requirements.
- Educate staff at all levels on cyber awareness and hold ongoing and regular training sessions, to ensure that staff can identify and report cyber-related risks such as phishing attempts and, if appropriate, manage a cyber risk incident.
Incident Response
- Communicate with affected customers, counterparties, law enforcement, regulatory bodies (including the Office of the Australian Information Commissioner (OAIC), if there is an Eligible Data Breach under the Privacy Act 1988 (Cth)), the media and staff.
- If a malicious attachment has been opened or clicked, isolate the affected machines from the network to prevent the spread of malware within your organisation's systems. Assess the scope of the impact on your network, including what information may be at risk, and consider temporarily shutting down the network to prevent the further spread of the virus.
- If personal information has been provided, consider what steps can be taken to prevent misuse of that information, including protecting against identity theft and preventing unauthorised access to critical applications.
- Contact your insurer to assist with your response capabilities.
Post-Incident Response
- Preserve evidence and recover losses against third parties who have caused or contributed to the incident.
- Assess the impact and cause of the attack and the effectiveness of the incident response plan, and reassess threats and vulnerabilities to determine new vulnerabilities.
Transfer of cyber risks
In some circumstances organisations may be able to transfer some of their cyber risk by expressly incorporating cybersecurity terms into contracts or by way of cyber insurance.
For example, in 2019, BIMCO introduced a Cyber Security Clause which can be incorporated in most shipping and transport contracts, and which requires parties, including any third party performing services, to implement and maintain "appropriate" cybersecurity measures and systems. The clause also incorporates a notification regime requiring a party who is aware of a cybersecurity incident to notify the other party, and if that party is affected by a cybersecurity incident, then it must, within 12 hours, inform the other party and offer assistance to mitigate and prevent the further effects of the incident. The clause also incorporates a default limitation of liability cap of USD100,000, which applies unless the incident was the sole result of gross negligence or wilful misconduct of a party.
Aside from transferring risk through express terms, organisations may also seek to obtain cyber insurance to minimise the impacts of a cyberattack or data breach. Cyber insurance will generally cover against first party loss (i.e. the costs of recovering data, repairing damage to networks and lost income due to business interruptions) and third party loss (i.e. liability for claims by third parties for data breaches or other security threats).
However, insurers will first take into account an organisation's cyber risk management, policies and procedures, and if these are not sufficient, they may decline or limit coverage whilst applying higher premiums or deductibles to future policies.
It is also important that businesses and organisations remember their obligations to protect personal information from unauthorised disclosure in the case of a data breach. Any claims brought by third parties or by the OAIC, for example, for eligible data breaches under the Privacy Act 1988 (Cth) or other loss or damage caused by insufficient cyber risk management could have dire financial implications, cause substantial reputational damage and result in liability for loss and damage caused by the attack.
How can we help?
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team, which is led by leading cyber risk and incident response specialist John Moran, has dealt with over 700 data breach and technology-related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock.
For further information, please contact:
Maurice Thompson, Partner, Clyde & Co
maurice.thompson@clydeco.com