News / 14-02-2018 / Cyber risks facing ship managers

The industry standard BIMCO SHIPMAN contract allows the owners to delegate all or some aspects of managing their fleets to ship management companies These areas include technical, crew and commercial management of operations Each of these areas brings its own challenges and risks as regards the implementation and use of technologynbspCommercial and Technical ManagementUnder these headings, ship managers assume responsibility for ensuring that ships are compliant with all relevant standards and regulations, are sufficiently supplied, and engaged in commercial employmentAs an agent, a ship manager will often act as an intermediary This creates obvious potential for cyber criminals who may seek to embed themselves in a transaction and attempt to have funds payable for genuine supplies diverted to their own bank account For instance, a ship manager orders bunkers for a ship Having penetrated the ship manager's IT systems, a hacker could monitor all email exchanges with the bunker supplier Once the price has been agreed and instructions to deliver issued, the hacker could send a fake invoice and delivery note to the ship manager and request payment for the bunkers into the hacker's own bank accountBy the time the loss is discovered, the transaction would likely have been made and the funds dissipated from the hacker's account Contractually, the owner would probably be obliged to pay the bunker supplier for the bunkers in fact supplied The owner could then turn to the ship manager to recover its loss of the first payment pocketed by the hackerA question would then have to be answered as to whether the ship manager acted in a professional manner and had sound systems in place to prevent the cyber fraud from happening If the ship manager's approach to IT security was reckless, the ship manager could be liable for the full amount to the ownerIn that situation, the ship manager might have three ways to recoup the money, namely1nbspnbspnbsp Against the hacker but in our experience it will be very difficult and expensive, once the money has gone, to recover anything Many countries operate specialist cyber-crime police divisions A consideration should be given to making a prompt notification (this could also be required under any specialist insurance policy andor local law) 2nbspnbspnbsp Against its IT suppliers, depending on the terms of that contract and the nature of the fraud that has resulted in the loss 3nbspnbspnbsp Against its insurers, if a specialist cyber risks policy has been purchased Crew ManagementA ship can only be as resilient as its crew Depending on their objectives, many hackers will either seek to use crew as their gateway to the ship's systems or simply target individual seafarers in an effort to extort money from them, raising an important welfare considerationThere have already been reported instances of seafarers being profiled and targeted on social media (such as online dating portals or interest groups) Seafarers could then be contacted and unknowingly used to carry malicious software on-board a ship (eg on a USB drive) or even, in some cases, be blackmailed into assisting the hackers or asked to pay a ransom Whilst a significant proportion of the exposure may ultimately lie on the employer, ie the owner, ship managers will store a lot of personal data about seafarers and could be targeted by cyber-criminals looking for copies of bank account details, medical records etc to help them profile individualsThe GDPR will come into force in the EU (including the UK) in May 2018nbsp Depending on whether the ship manager is based in the EU or the crew concerned comes from an EU country, a breach resulting in personal data being obtained by hackers will need to be reported to the relevant local authorities If the ship manager is unable to demonstrate compliance with the GDPR and that the data was sufficiently protected, the maximum fine which could be imposed by the authorities could be the higher of EUR 20 million or 4 of global annual turnoverSummaryShip managers contracting on the SHIPMAN form have a general duty to use their best endeavours to provide ship management services to owners (see clause 8(a)) The increased reliance on technology brings increased risk of being targeted by cyber criminals We consider it prudent that ship managers carefully analyse their IT infrastructures and policies, and implement appropriate measures to fully comply with their contractual obligations under the SHIPMAN form Many IT supply contracts will have more robust and up to date force majeure clauses potentially excluding some types of cyber-attacks Under the un-amended SHIPMAN form, a profit-motivated attack would be unlikely to fall within the definition of force majeure (clause 17(a)) creating a potential for liability without any corresponding recourse against IT suppliers It is advisable to consider the potential contractual gaps and take advice on appropriate insurance products