Cyber Risks & Shipping

Cyber risk and Cyber security countermeasures

Cyber risks are not specified in the Japan P&I Club rules. However, a claim regarding cover for a cyber attack or cyber breach would be examined in the usual way with reference to the Rules. Where the cyber attack does not fall under the definition of "war" or "act of terrorism" under rule 35, the member will be covered under their normal P&I insurance. For example, the following case would normally be subject to P&I insurance: The ship's system is infected with a virus over the onboard LAN, via the e-mail PC used for work or a crew member's personal PC. The infection arises because the software on the onboard work PC was updated without permission, or because that crew member changed the onboard LAN cable connection without permission. The electronic aids for navigation and propulsion break down, which causes damage to harbour facilities at the time of departure.

The following examples will not be covered by P&I insurance. In one case, a certain amount of the ship's store was mistakenly transmitted because of a hacked e-mail. In another case, the ship's schedule was delayed because a crew member was investigated by the authorities after an uploaded video found on his personal PC appeared to be associated with terrorism. Further, a threatening e-mail was sent to the ship as a fake demand for money, to the effect that the ship might be arrested. Cases such as these, which do not develop into P&I accidents, have been reported.

Cyber Risks & Shipping

A Definition of Cyber Risks Might Be: 'Cyber risk' means any risk of accidents, incidents, financial loss, business disruption, or damage to the reputation of an organization through failure of its electronic systems or by the persons using those systems. 

In a shipping context, a cyber risk may range from the failure of an onboard GPS receiver due to a fault with the equipment right through to catastrophe scenarios in which vessel systems are attacked and the vessel is disabled, run aground or taken over by malicious third parties. Although the catastrophe scenarios are possible, the likelihood of such an incident for most companies is low.

The risks of electronic equipment failure are generally well recognised in the industry: critical equipment will often be required to have redundancy, spares will be carried, or manual operation will be possible should the electronics fail.

What has been less well recognised until recently is the risk of electronic systems being subject to unauthorised access or malicious attacks. Let's call these 'Cyber Threats'. Recently there has been a focus on this area and on the steps that might be taken to defend shipping companies from unauthorised access or malicious attacks. The measures taken to defend systems are known as 'Cyber Security'.

It is important to recognise at the outset that cyber risks should not be seen solely as the responsibility of the IT department. They have company-wide implications, and any measures put in place to control the risk can affect business practice. As such, cyber risks must be dealt with on a whole-company basis that includes both equipment and personnel, and that takes into account the wider business implications of any security measures.