The IMO global sulphur cap, effective from 1 January 2020, followed by the COVID-19 pandemic, has made the start of 2020 particularly challenging for the maritime industry. Despite this, shipowners need to keep in mind that, from the beginning of 2021, issues of cyber security will need to be addressed in the Planned Maintenance System (PMS) and Safety Management System (SMS). These developments are now being referred to as ‘IMO 2021’.
Maritime cyber security has been under discussion now for at least ten years. This is unsurprising as, over that period, vessels have become increasingly automated, integrated and connected to digital networks. The developments in electronic connections and interfaces, and the increased dependence on electronic systems, make cyber security incidents both more likely and potentially more damaging to onboard operations.
A cyber attack can be described as any occurrence that targets onboard systems, networks or computers with the aim of compromising, destroying or accessing those systems. It may not necessarily be malicious. For example, it could be due to an inadvertent action or inaction by a crew member on board.
There are numerous published reports on the high-profile cyber attacks that have taken place over recent years. What we have learned from recent cyber attacks is that:
- No industry or sector is immune.
- Even the largest blue-chip companies, with sophisticated IT infrastructures, have been attacked and suffered losses as a result.
- Cyber attacks are becoming increasingly sophisticated.
We need only go back to 2011 to find the first set of guidelines on cyber security published by the European Network and Information Security Agency (ENISA). Since then, the US Coast Guard (USCG) has issued a comprehensive report and BIMCO has also released its own set of guidelines on the subject.
Under the BIMCO guidelines, the starting point is to identify where threats may exist and the potential vulnerabilities within a company’s electronic systems. The next step, depending on risk exposures, is to develop protection and detection measures in order to prevent an attack from succeeding.
The BIMCO guidelines also advise establishing an emergency response plan, with external advisors — such as IT experts, lawyers and others — in place to assist if required. Such a plan is essential to ensure that roles are designated, and decisions are made in a logical and effective manner.
Despite the previous guidelines, there is no escaping the fact that IMO 2021 is going to be a ‘game-changer’ with regard to ship cyber security, in the same way that its older brother, IMO 2020, has been for fuels.
Up to now, there has only been general guidance and recommendations regarding what measures to take. However, IMO Resolution 428(98) states that, from 2021, a vessel’s SMS will need to take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
The guidelines are very general but, in effect, member governments are required to ensure that cyber risks are appropriately addressed in SMS systems. Member governments are ‘encouraged’ to ensure that safety management systems address cyber risks no later than the first annual verification of the Document of Compliance after 1 January 2021.
It goes without saying that the smaller owners and operators will find the process more challenging than those with dedicated IT teams. However, there are still some months until IMO 2021 takes effect so, if action has not been taken yet, there is still time.
The evidence is that steps are now being taken in the lead-up to IMO 2021. TradeWinds has reported that engineering group ABB and classification society DNV GL have made maritime history by awarding a large cruise ship — under construction at a European shipyard — cyber security verification. The Korean Register has also recently awarded full cyber-security compliance to the 2009-built Songa Hawk.
The legal impact
With regard to charterparties, BIMCO has introduced a cyber security clause which requires each party to:
- Implement appropriate cyber security measures.
- Have plans and procedures in place to effectively respond to an incident.
- Regularly review cyber security arrangements to make sure that they are fit for purpose.
We can expect to see clauses like this more often in future charterparties, particularly after IMO 2021 has come into force. If an incident does occur, the party that has suffered the attack will need to take all necessary steps to mitigate the loss and notify their counter-party of the incident within 12 hours. It will also have to prove that the attack occurred despite it having put in place effective cyber security measures. If it is unable to prove compliance with the clause, then a claim for damages can be expected.
If a cyber attack causes losses to be suffered by cargo interests, then owners will also need to show that the vessel was seaworthy at the commencement of the voyage. The question that the English Courts (or a Tribunal) would ask is ‘would a prudent owner have required that the defect be made good before sending the vessel to sea, had he/she known of it?’ The English Courts have said that seaworthiness must be judged by the standards and practices of the industry at the relevant time. After the introduction of IMO 2021, the expectations of the prudent owner on matters of cyber security will be higher than ever. There is clearly a real risk that a vessel could be deemed unseaworthy as a result of failures and vulnerabilities in electronic cyber security systems.
Owners would still potentially be able to defend claims if they could show that, despite the unseaworthiness, due diligence had been exercised. This would require a close review of the owners’ SMS and PMS to see whether they met the IMO guidelines, were fit for purpose and had been understood and put into effect by the crew or any others to whom the duties had been delegated.
The COVID-19 pandemic has made electronic connectivity and remote-working more important than ever. IMO 2021 is only going to increase the pressure on owners and operators to prove that their electronic systems are secure and that the risks have been carefully mapped out and addressed. The good news is that with careful forethought and proper risk assessment, prudent owners can identify and address risks in their SMS and PMS.
This article was written with a contribution by Matthew Montgomery, Partner at MFB. Matthew Montgomery has a broad practice advising primarily on contentious matters across wet and dry shipping. Over recent years, he has also developed a detailed knowledge of cyber security issues in the marine market, publishing a number of articles on the subject.
We’re all in this together - The fight against cyber crime
“In shipping, probably 70% or more of attacks are phishing or spear-phishing – people receive an email with an attachment, they open the attachment and it locks the system.”