Cyber risks facing ship managers

The industry standard BIMCO SHIPMAN contract allows the owners to delegate all or some aspects of managing their fleets to ship management companies. These areas include technical, crew and commercial management of operations. Each of these areas brings its own challenges and risks as regards the implementation and use of technology.

Commercial and Technical Management

Under these headings, ship managers assume responsibility for ensuring that ships are compliant with all relevant standards and regulations, are sufficiently supplied, and engaged in commercial employment.

As an agent, a ship manager will often act as an intermediary. This creates obvious potential for cyber criminals who may seek to embed themselves in a transaction and attempt to have funds payable for genuine supplies diverted to their own bank account. For instance, a ship manager orders bunkers for a ship. Having penetrated the ship manager's IT systems, a hacker could monitor all email exchanges with the bunker supplier. Once the price has been agreed and instructions to deliver issued, the hacker could send a fake invoice and delivery note to the ship manager and request payment for the bunkers into the hacker's own bank account.

By the time the loss is discovered, the transaction would likely have been made and the funds dissipated from the hacker's account. Contractually, the owner would probably be obliged to pay the bunker supplier for the bunkers in fact supplied. The owner could then turn to the ship manager to recover its loss of the first payment pocketed by the hacker.

A question would then have to be answered as to whether the ship manager acted in a professional manner and had sound systems in place to prevent the cyber fraud from happening. If the ship manager's approach to IT security was reckless, the ship manager could be liable for the full amount to the owner.

In that situation, the ship manager might have three ways to recoup the money, namely:

1. Against the hacker, but in our experience it will be very difficult and expensive, once the money has gone, to recover anything. Many countries operate specialist cyber-crime police divisions. Consideration should be given to making a prompt notification (this could also be required under any specialist insurance policy and/or local law).
2. Against its IT suppliers, depending on the terms of that contract and the nature of the fraud that has resulted in the loss.
3. Against its insurers, if a specialist cyber risks policy has been purchased.

Crew Management

A ship can only be as resilient as its crew. Depending on their objectives, many hackers will either seek to use crew as their gateway to the ship's systems or simply target individual seafarers in an effort to extort money from them, raising an important welfare consideration.

There have already been reported instances of seafarers being profiled and targeted on social media (such as online dating portals or interest groups). Seafarers could then be contacted and unknowingly used to carry malicious software on-board a ship (e.g. on a USB drive) or even, in some cases, be blackmailed into assisting the hackers or asked to pay a ransom. Whilst a significant proportion of the exposure may ultimately lie on the employer, i.e. the owner, ship managers will store a lot of personal data about seafarers and could be targeted by cyber-criminals looking for copies of bank account details, medical records etc. to help them profile individuals.

The GDPR will come into force in the EU (including the UK) in May 2018. Depending on whether the ship manager is based in the EU or the crew concerned comes from an EU country, a breach resulting in personal data being obtained by hackers will need to be reported to the relevant local authorities. If the ship manager is unable to demonstrate compliance with the GDPR and that the data was sufficiently protected, the maximum fine which could be imposed by the authorities could be the higher of EUR 20 million or 4% of global annual turnover.

Summary

Ship managers contracting on the SHIPMAN form have a general duty to use their best endeavours to provide ship management services to owners (see clause 8(a)). The increased reliance on technology brings increased risk of being targeted by cyber criminals. We consider it prudent that ship managers carefully analyse their IT infrastructures and policies, and implement appropriate measures to fully comply with their contractual obligations under the SHIPMAN form. Many IT supply contracts will have more robust and up-to-date force majeure clauses potentially excluding some types of cyber-attacks. Under the un-amended SHIPMAN form, a profit-motivated attack would be unlikely to fall within the definition of force majeure (clause 17(a)), creating a potential for liability without any corresponding recourse against IT suppliers. It is advisable to consider the potential contractual gaps and take advice on appropriate insurance products.
