Cyber-attacks targeting the marine sector, and critical infrastructure more broadly, are growing rapidly across the world and in Asia. As the ransomware crisis of 2020 surges on, hackers are narrowing their focus on organizations in the maritime sector as tempting targets due to perceived lagging investment in cybersecurity and potential for significant operational disruption.
The marine industry being an attractive target for hackers is not new. Since Maersk suffered a devastating US$300 million ransomware attack in 2017, the maritime industry has earned the unfortunate distinction of being the only sector to have all four of the world’s largest shipping companies being hit by cyber-attacks in the last four years, namely – Maersk, Mediterranean Shipping Company, CMA CGM and COSCO.
With Asia being the world’s busiest transshipment hub and a key node in the global supply chain, it is imperative that the maritime sector here needs to be well-prepared against the threat of cyber-attacks which are increasingly more sophisticated.
From 1 January 2021, shipowners and operators globally – including this in Asia – have been obliged to comply with the International Maritime Organization (IMO)’s resolutions pertaining to cyber risk management and guidelines. Every Safety Management System must be documented has having factored in cyber risk management and processes for cyber risk assessment, in line with the International Safety Management Code.
Aside from compliance motivations, 2021’s volatile cyber risk landscape with ongoing spates of ransomware attacks have thrown cyber risk into greater focus for shipowners and operators. There is growing anxiety over the financial impact and operational ramifications should such an attack occur. The Asia-Pacific region has not been spared: it is reportedly the most targeted region in the world by ransomware and state-sponsored advanced persistent threat groups, experiencing a 168% increase in cyberattacks between May 2020 to May 2021. Further, cybersecurity specialist Naval Dome found there has been a 400 percent increase in attempted hacks on the marine industry globally since the pandemic began. The recent cyber breaches of Singapore-based marine services provider Swire Pacific Offshore in November 2021 and South Korean shopping company HMM in June 2021 highlight this threat.
The loss scenario run by CyRiM in 2019 modelled losses arising from a hypothetical ‘Shen’ cyber-attack on major ports across the Asia-Pacific, estimating that losses of up to $110 billion would occur in an extreme scenario in which a computer virus infects 15 ports. The insured losses included Business Interruption, Contingent Business Interruption, Incident Responses Cost and Data and Software Loss.
Despite the data proving coverable losses and the real possibility of claims, there are still major misconceptions around cyber risk and insurance which are preventing an in-depth study into this risk transfer solution:
01
Putting the right controls in place is a crucial element of cyber risk mitigation. Such controls, however, can only ever minimise the vulnerabilities in the network and/or decrease the likelihood of the threat. It is impossible to eradicate the risk altogether. No security can be 100%. Moreover, insider threats remain an issue. Employees make mistakes and, on occasions, seek to deliberately cause their employers harm.
02
This, of course, could be correct depending on the terms of the insurance contract. Hull & Machinery policies, however, typically exclude loss or damage where caused by a cyber-attack. In some cases, policies may be silent on whether loss arising from cyber risk is covered or excluded, which potentially gives rise to uncertainty.
03
This is incorrect. For example, in 2008 a pipeline in Turkey exploded after cyber-criminals hacked into the pipeline’s control systems. Similarly, in 2014, hackers accessed the control systems of a steel mill in Germany causing significant physical damage. Whilst there have been no reported cases of physical damage to vessels caused by a cyber-attack (which is not to say there haven’t been any cases), the increased reliance upon operational technologies such as GPS, AIS and ECDIS on board vessels, undoubtedly increases the threat of physical damage.
As ship operations become more interconnected with shore side computer systems, partly driven by the digitalization wave following the COVID-19 pandemic, the potential for a cyber event leading to physical damage is heightened. The reputational implications if such an attack took place on such a critical industry would be severe.
Brian Worning of Marine Cybersecurity specialist OceanShield observed: “With onshore facilities becoming harder targets for intruders, many relatively vulnerable maritime assets become increasingly 'juicy' targets. Also, and as we have seen, maritime operators often become 'collateral damage' of attacks never even intended for them, meaning lack of protection itself is a risk even if you're not the principal target.”
Cyber insurance with a physical damage extension such as WTW CyNav product would provide protection for financial losses, however before seeking insurance companies will have to demonstrate robust controls and cyber response capabilities.
While digitalization of the industry brings exciting possibilities, care must be taken to ensure cyber threats are managed.
OceanShield note that “The limitations in cyber response capabilities are highlighted by the lack of visibility around onboard digital asset inventories and network infrastructure/topology… While the IT assets are much better mapped, this is certainly not the case for Operational Technology (OT)”
Cyber security remains of critical importance for maritime operators yet perhaps not receiving the funding, focus and risk management approach it deserves and needs. With cyberattacks on ship owners and operators being reported with ever-increasing frequency across Asia, the time for open collaboration, risk discussions and knowledge sharing is now.
WTW is an insurance broker and gives its views on the meaning or interpretation of insurance policy wordings as brokers experienced in the insurance market. Insurers may take a different view on the meaning of policy wordings. Any interpretation or thoughts given are not legal advice, and they should not be interpreted or relied upon as such. Should a legal interpretation of an insurance contract be required, please seek your own advice from a suitably qualified lawyer in the relevant jurisdiction. While all reasonable skill and care has been taken in preparation of this document it should not be construed or relied upon as a substitute for specific advice on your insurance needs. No warranty or liability is accepted by WTW, their shareholders, directors, employees, other affiliated entities for any statement, error or omission.
For more information, please contact local entities of the WTW Group:
Willis Insurance Brokers Co. Ltd. | Willis Hong Kong Limited | Willis Towers Watson India Insurance Brokers Pvt. Ltd | PT Willis Towers Watson Insurance Broker Indonesia | Willis Japan Services K.K. | Willis (Malaysia) Sdn Bhd | Willis Towers Watson Insurance Brokers Philippines, Inc. | Willis Towers Watson Brokers (Singapore) Pte. Ltd. | Willis Towers Watson Insurance Korea Limited | Willis Towers Watson Taiwan Limited | Willis Towers Watson Vietnam Insurance Broker
