Because of under-reporting, cyber attacks are taking place at a more rapid pace than the public is led to believe. This results in a lack of awareness and preparedness.
As Georgie Furness-Smith, cyber insurance underwriter at Axis, discusses, given that cyber attacks and threats are affecting large and small businesses, anonymous reports of cyber events would help to deal with this problem.
Although it is easy to look away from this problem, it is crucial to approach cyber security as an integral part of overall safety management. In instances in which customer data has been compromised, organisations in many geographies are required by law to report such incidents to local and national authorities and regulators, as well as notify affected customers and individuals.
Sometimes, when organisations face other kinds of attacks, such as ransomware and phishing, they are not required to disclose the attack, or do not even want to, because they are afraid of damaging their reputation.
In an attempt to fight under-reporting, the CSO Alliance, a UK-based maritime-focused membership organisation, has already launched an anonymous reporting system to help maritime companies report cyber incidents while ensuring anonymity and confidentiality.
In the meantime, Smith suggests that if companies are informed of 'big' cyber attacks, such as the ones that hit Maersk or Norsk Hydro, they will believe that attackers only target big companies and, as a result, will end up as susceptible victims. This denial makes companies believe that they will not be targeted because they are too small to be on the radar of a cyber criminal.
While this may or may not be true, a factor that is equally important and often overlooked is the risk of an untargeted attack.
An untargeted attack may be a virus entering the system or the repercussion of something much larger, such as the Maersk incident, whereby the company is merely collateral damage and just one of the victims of a much larger cyber attack.
In addition, in 2017 the IMO launched a set of guidelines on maritime cyber risk management to safeguard shipping from existing and emerging cyber threats and vulnerabilities. In the meantime, it is a fact that the more cyber attacks are discussed as a problem for all, the more businesses will be willing to identify or report these attacks, whether anonymously or not.
Shipowners should be aware that, according to Lloyd's market bulletin from January 1, 2020, all first-party property damage policies must either affirm or exclude cyber cover. In that way, owners will be able to know whether damage to their vessel caused by a cyber attack will be covered or not.