Research conducted by Thetius, in collaboration with CyberOwl and HFW, suggests that the industry remains an easy target and that finding new ways to outsmart cyber criminals is an ongoing task.
Taking into account the opinions and experiences of more than 150 industry professionals from interviews and a survey, the ‘Shifting Tides, Rising Ransoms and Critical Decisions: Progress on maritime cyber risk management maturity’ research found that while the number of attacks has not risen dramatically since the 2022 research, there is an undeniable increase in the financial impact.
Key findings
- Cyber attacks have cost organisations on average more than US $545,000 over the last three years. This is a 200% increase since our 2022 research.
- Ransom payments remain high. The average price paid for ransom is now US $3.2 million.
- But the demand for ransom payments has skyrocketed. It has increased 357% since 2022.
- 23% said that they had been tricked into transferring funds.
- There is significant uncertainty around insurance cover and claims. 42% are unclear about whether their organisation has an insurance policy in place, while 25% believe there is no insurance in place.
- Despite these figures, awareness is increasing and companies are investing more into cyber security. 33% of respondents say their organisations spent less than US $100K on cyber management, whereas in 2022 this figure was 54%.
- The potential severity of attacks is increasing and there are three key roles that are most impacted by the changing cyber risk landscape – risk management, IT management, and fleet safety management. Understanding the level of risk across these key roles needs work.
Recommendations
The report also presents some recommendations on how to mitigate the phenomenon of cyber attacks. The recommendations are as follows:
#1 Understanding how responsibilities are evolving for key roles is critical
These roles are changing as a result of increased connectivity, digitalisation and the consequential cyber risks, and there are increasing pressures and demands on people. Not only do people require the skills to operate advanced and complex technologies, but they also need the right cyber security knowledge to reduce the risk of opening up systems to vulnerabilities. Blending skills across all departments is helpful and this can be done via cross-functional teams.
#2 Make deliberate and holistic decisions on investments in cyber risk management
This requires a coherent security programme, led by an authority that understands the risks. Making decisions on point-based solutions may result in high costs but low effectiveness. There are longer-term consequences to decisions. Developing capabilities in-house versus leveraging the expertise and scale of outsourced providers needs to be considered carefully. So does the choice of bundling versus disaggregating cyber security from other functions.
#3 When assessing the installation of advanced satellite communications systems such as LEO, additional cyber risks must be considered in the budget
43% of respondents said that their organisation is planning to roll out Low Earth Orbit (LEO) within the next 12 months and nearly half agreed that it would increase cyber risks. Greater cyber protection will be required but this will come at an additional financial cost.
#4 Secure the right relationships with OEMs
Ships are being continuously upgraded with digital technologies and OEMs are held to account by technical teams. But it’s complex and it’s important to acknowledge that an effective cyber security strategy comes from both one-off actions and continuous maintenance of security. OEMs also need to develop software to standards which are understood by industry to avoid unnecessary confusion.
#5 Insurance needs to be right
While having insurance in the first place is a start, not having a clear understanding of what protection it actually provides, and how, is a major but all too common issue seen today.
#6 Check your contracts
Assigning risk and responsibility pre-incident in a contract is one of the better ways to mitigate any exposure the parties may have following a cyber security breach. If the contract is silent and no provision is made for cyber security, consider whether it is necessary to incorporate an appropriately drafted cyber security clause.