Underreporting is not surprising for a number of reasons – most notably, to broadcast one’s business as a victim of a cyber event could lead to serious repercussions.
As Georgie Furness-Smith, Cyber Insurance underwriter at AXIS, reported, on some occasions reporting is a legal duty, where customer information has been compromised. However, companies are the target of different types of attacks, and in some, such as ransomware attacks, a company may not be required to, or want to, disclose the attack because it fears the consequences of negative publicity for its business.
Concerning the issue of underreporting, when the shipping industry only hears about cyber attacks by reputation, or hears of the occasional cyber event, it is not easy to acknowledge how likely an attack actually is.
This creates a sense of denial or wishful thinking, ‘why would it be me?’.
In the meantime, the CSO Alliance ran an anonymous reporting facility aiming to help maritime companies report cyber incidents with absolute anonymity and confidentiality. In this way, the Alliance helps raise awareness of the scale of the issue.
In addition, the BIMCO guidelines, which address the requirement to incorporate cyber risks into the ship’s safety management system and provide guidance for dealing with supply chain risks, come into effect in January 2020, and the new BIMCO Cyber Security Clause was launched in May 2019.
BIMCO's efforts have raised awareness within the industry, given that no major incident has yet been reported.
In light of the dangers of digitalization, the USCG issued a bulletin warning of cyber adversaries targeting commercial vessels. According to the statement, cyber adversaries are attempting to gain sensitive information, including the content of an official Notice of Arrival (NOA), using email addresses that pose as an official Port State Control (PSC) authority, such as: email@example.com.
Ms. Furness-Smith highlighted that anonymous reporting is vital to give the shipping community the ability to understand clearly, with tangible data, what is happening within the industry, so that thorough and educated risk management strategies can be deployed.
The scenario of cyber criminals being able to take control of a vessel to cause unprecedented harm, both physically and economically, might seem like a doomsday event, but imagine if an event like this had already happened and had not been reported.