Over the recent years the Maritime industry has increasingly depended on digitalization and IT technologies in order to improve efficiency and reliability. The same goes for the cargo operations. Years ago, the Industry depended more on human labor and manual methods. Handling of the cargo is rapidly depending on digitalization as well. A serious incident with Maersk back in June 2017 caused a huge disruption to Maersk’s operations and terminals worldwide and the accumulating losses exceeded USD 300,000 million. That demonstrates the increased threat of security risks such as hacking and sabotage.
A common factor though that exists between P&I insurance and Cyber threat is the human element. In the P&I insurance cover is provided for third party liabilities where the majority of the incidents are caused by human error. Therefore, all P&I Clubs have developed robust loss prevention departments, in order to share awareness and knowledge as well as to train all the parties involved of how to best prevent such incidents from happening.
When it comes to the cyber-attack there is an awareness gap and that is one of the main reasons why cyber threats and associated risks have spread around the globe so quickly during the last few years. Over the last decade there has been a rapid increase at an alarming rate. Thankfully during the last couple of years that rate has been more stable. So generally, there is awareness in the shipping market but nevertheless the maritime community has a growing concern about the cyber risks. That is mainly linked to the fact that 50.000 vessels are at port or at sea at any given time and it has been recently reported that they are nearly 17 million attacks worldwide on a weekly basis. That gives a clear picture as to how much important cyber security is.
Another crucial issue crew- members’ awareness. In an survey that was carried out in 2018, it was revealed that close to 47% of the seafarers that were questioned advised that they had sailed on a vessel that been a target of a cyber-attack. Regretfully, only 15% of those seafarers have received any basic form of cyber security training and that training was only provided to them by the manning agents before leaving on their next contract. That means that training was not specific either to the company or to the particular ship that they were going to join. It is ,thus, evident that there is an immediate need to get measures to prevent cyber risks from incurring and that will happen through preventive steps. Obviously, prevention is much better than cure.
We have to adopt a holistic approach in order to ensure that there is sufficient training and education but on a specific basis. It is essential that every party assess the relevant risks and work towards training to that effect. The maritime industry should be well equipped to deal with the future cyber challenges as well, such as the one of the fully autonomous vessels.
From the Club’s perspective, we have a strict policy in line for employees to get sufficient and very specific training to our needs and obtain adequate certification. The fact is that the cyber threats are constantly evolving, hackers seem to be on top of things in relation to new technologies, so the market players need to enhance their defenses by continuously assessing their systems and developing a procedure that will enable them to spot any red flags.
When it comes to P&I insurance and how we can possibly respond to a cyber risk event, once that materializes, we obviously have to deal with each and every case based on its own facts. In order to give you a few examples, we have created a couple of scenarios:
The first one is related to an unauthorized access into an agent’s system; meaning that when shipowners tries to remit funds to his agent’s bank account these funds end up to be redirected to the hackers’ bank account. That account is obviously an act of fraud which causes economic losses to the owners. Unfortunately, these losses fall outside the P&I cover, but we are still able to provide assistance within the context of FD&D cover and take legal action in order to be able to recover those misdirecting facts.
Another possible scenario is where malware is by accident installed to the vessel’s navigation systems by a seafarer, for example with the use of an infected USB stick which could potentially create problem with the navigation system of the vessel, ending up to a major casualty such as a collision or an injury. In this situation, we have a common element which is the human error and therefore the P&I insurance will respond as usual. But this is a case that could have been prevented by using the main principle of loss prevention which is the training and implementation of strict policies.
The last one has to do with a virus, which can be planted by a seafarer’s mistake and cause an engine failure. The delays caused which inevitably be incurred by the shipowner due to the disruption to the vessel’s operation will fall outside the P&I cover.
So due to this extensive development on cyber risks, all the international maritime organizations have very promptly responded by issuing guidance and initiatives to the members and to the industry. We have IMO who issued guidelines on maritime cyber risks management and has also adopted a resolution in June 2017, prompting all the administrations to ensure that the cyber risks are properly addressed within the safety management system, giving a deadline no later than 1ST of January 2021, with the adverse effect that if a vessel has not complied by that date, it runs the risk of detention.
Equally, BIMCO has also responded and issued guidelines on cyber security onboard ships with the assistance and support of other international organizations and the aim there, is to provide the basic guidelines by a diagram in order for the companies to define the personnel’s rules, develop consistency plans in order to assess the assets that are at risk and also be able to detect a cyber event in a timely manner. What is also important is to develop a plan in order to provide resilience and to restore the systems as soon as those have been attacked. At last but not least, is very important to prevent recurrence.
In the American Club we very much support all these guidelines, we have issued alerts and reminders to our members and we are always at their disposal in case we can provide additional clarifications. The last initiative taken by BIMCO is that cyber security clause of 2019, which actually aims to spread awareness to all contractual parties in the charter party, the Owner, the Charterer and the Brokers in order to push them to create systems to eliminate the risks of a cyber event occurring but even in case such an event does occur, to be able to mitigate the adverse effects.
Concluding, it is important to reconsider and assess your risks as well as to focus on any insurance gaps which you need to fill in in consultation with your insurance experts. Keep in mind that, although there is no cyber exclusions within your P&I cover, the P&I insurance won’t be able to cover each and every scenario. The way forward is to establish training and education procedures across all levels of the company in order to ensure a strong and a robust cyber environment for your company.
Above text is an edited version of Ms. Elina Souli’ presentation during the 2020 SMART4SEA Form.
View her presentation herebelow
The views expressed in this article are solely those of the author and do not necessarily represent those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Elina Souli, Regional Business Development Director V.P., American Club
Elina Souli is a lawyer qualified both in Greece and UK with over 20 years of experience in P&I and FD&D matters. She obtained her Law Degree from the Aristoteleio University of Thessaloniki and holds an LLM degree from Southampton University in UK.
She started her career as an Associate lawyer in one of the major shipping firms in Greece before joining an IG P&I Club office in 1999 where she dealt with a wide range of P&I as well as FD&D cases over the years. She received specialized training in crisis management of marine emergencies and she, thereafter, handled major casualties within the scope of her role as Casualty Coordinator of the Greek office. In 2016 she was appointed Head of Defense and she has represented Owners in various Arbitration and Mediation hearings both in UK and USA.
Elina joined SCB (Hellas) Inc., the Piraeus Claims Liaison Office for the Managers of the American P&I Club, (Shipowners Claims Bureau Inc., NY) in November 2018 where she currently holds the position of Regional Business Development Director, V.P – FD&D Manager .
She is regularly invited as a speaker in various International Conferences related to P&I and Marine Insurance topics and she is a visiting lecturer at the LLM course of Athens Law School.