Cyber risks facing ship managers

News / / Cyber risks facing ship managers

The industry standard BIMCO SHIPMAN contract allows the owners to delegate all or some aspects of managing their fleets to ship management companies These areas include technical, crew and commercial management of operations Each of these areas brings its own challenges and risks as regards the implementation and use of technologynbspCommercial and Technical ManagementUnder these headings, ship managers assume responsibility for ensuring that ships are compliant with all relevant standards and regulations, are sufficiently supplied, and engaged in commercial employmentAs an agent, a ship manager will often act as an intermediary This creates obvious potential for cyber criminals who may seek to embed themselves in a transaction and attempt to have funds payable for genuine supplies diverted to their own bank account For instance, a ship manager orders bunkers for a ship Having penetrated the ship manager's IT systems, a hacker could monitor all email exchanges with the bunker supplier Once the price has been agreed and instructions to deliver issued, the hacker could send a fake invoice and delivery note to the ship manager and request payment for the bunkers into the hacker's own bank accountBy the time the loss is discovered, the transaction would likely have been made and the funds dissipated from the hacker's account Contractually, the owner would probably be obliged to pay the bunker supplier for the bunkers in fact supplied The owner could then turn to the ship manager to recover its loss of the first payment pocketed by the hackerA question would then have to be answered as to whether the ship manager acted in a professional manner and had sound systems in place to prevent the cyber fraud from happening If the ship manager's approach to IT security was reckless, the ship manager could be liable for the full amount to the ownerIn that situation, the ship manager might have three ways to recoup the money, namely1nbspnbspnbsp Against the hacker but in our experience it will be very difficult and expensive, once the money has gone, to recover anything Many countries operate specialist cyber-crime police divisions A consideration should be given to making a prompt notification (this could also be required under any specialist insurance policy andor local law) 2nbspnbspnbsp Against its IT suppliers, depending on the terms of that contract and the nature of the fraud that has resulted in the loss 3nbspnbspnbsp Against its insurers, if a specialist cyber risks policy has been purchased Crew ManagementA ship can only be as resilient as its crew Depending on their objectives, many hackers will either seek to use crew as their gateway to the ship's systems or simply target individual seafarers in an effort to extort money from them, raising an important welfare considerationThere have already been reported instances of seafarers being profiled and targeted on social media (such as online dating portals or interest groups) Seafarers could then be contacted and unknowingly used to carry malicious software on-board a ship (eg on a USB drive) or even, in some cases, be blackmailed into assisting the hackers or asked to pay a ransom Whilst a significant proportion of the exposure may ultimately lie on the employer, ie the owner, ship managers will store a lot of personal data about seafarers and could be targeted by cyber-criminals looking for copies of bank account details, medical records etc to help them profile individualsThe GDPR will come into force in the EU (including the UK) in May 2018nbsp Depending on whether the ship manager is based in the EU or the crew concerned comes from an EU country, a breach resulting in personal data being obtained by hackers will need to be reported to the relevant local authorities If the ship manager is unable to demonstrate compliance with the GDPR and that the data was sufficiently protected, the maximum fine which could be imposed by the authorities could be the higher of EUR 20 million or 4 of global annual turnoverSummaryShip managers contracting on the SHIPMAN form have a general duty to use their best endeavours to provide ship management services to owners (see clause 8(a)) The increased reliance on technology brings increased risk of being targeted by cyber criminals We consider it prudent that ship managers carefully analyse their IT infrastructures and policies, and implement appropriate measures to fully comply with their contractual obligations under the SHIPMAN form Many IT supply contracts will have more robust and up to date force majeure clauses potentially excluding some types of cyber-attacks Under the un-amended SHIPMAN form, a profit-motivated attack would be unlikely to fall within the definition of force majeure (clause 17(a)) creating a potential for liability without any corresponding recourse against IT suppliers It is advisable to consider the potential contractual gaps and take advice on appropriate insurance products

Related sectors:

Related services:

Related news & insights

Events / Maritime Week Gibraltar 2021

18-10-2021 / Maritime

Maritime Week Gibraltar 2021 is a highly informative, multi-format interactive event, designed to showcase the many shipping, port and maritime services offered in Gibraltar to a wider international audience.

Maritime Week Gibraltar 2021

Insights / Court considers breach of confidentiality and unlawful conspiracy claims in ship design dispute

18-10-2021 / Maritime

Salt Ship Design AS v. Prysmian Powerlink SRL [2021] EWHC 2633 (Comm)

Court considers breach of confidentiality and unlawful conspiracy claims in ship design dispute

News / AfCFTA and Energy & Infrastructure

11-10-2021 / Energy & Infrastructure, Maritime

This article is the third in a series of articles looking at the impact of the African Continental Free Trade Area (the “AfCFTA”) on various practice areas and industry sectors that our clients operate in. This article focuses on Energy and Infrastructure and addresses some of the key questions our clients have asked us.

AfCFTA and Energy & Infrastructure

News / Mutual benefit: A focus on superyacht crew welfare - Interview with SuperyachtNews

07-10-2021 / Maritime, Yachts & Superyachts

“I am regularly instructed on behalf of yacht owners and their liability underwriters to defend crew mental health claims made against them, a trend which had been increasing for several years now,” starts Rachel Butlin, partner at Ince. “Within the yacht industry, I have been involved in many cases in which there have been not just physical injuries to yacht crew but increasingly psychiatric ones, including anxiety and post-traumatic stress disorders, as well as depression and the emotional consequences of bullying/assault.”

Mutual benefit: A focus on superyacht crew welfare - Interview with SuperyachtNews

Insights / Witness evidence reforms now apply in the Admiralty Court

07-10-2021 / Maritime

Following much discussion, the witness evidence reforms have now made their way to the Admiralty Court. The provisions now apply to trial witness statements signed on or after 1 October 2021 in Admiralty Court proceedings and constitute a further reminder that a witness statement must be exactly that – a statement in the words of the witness.

Witness evidence reforms now apply in the Admiralty Court

Insights / “Zoned out”: Court confirms applicable time zone for notification of demurrage claims

05-10-2021 / Maritime

The Court has considered which time zone applies to determine the date of completion of discharge for the purposes of deciding whether notification of a demurrage claim was made too late. In their article, Natalie Jensen and Monika Humphreys-Davies review the decision and explain why the Court held that it was the time zone at the place of discharge.

“Zoned out”: Court confirms applicable time zone for notification of demurrage claims

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500