Simon Cooper Consultant
The shipping industry: adrift in a sea of cyber risk?
On Tuesday (27 June 2017), only seven weeks after the WannaCry ransomware worm hit some of the largest governmental and corporate institutions in over 150 countries, another ransomware attack compromised and disrupted the operations of some of the world’s largest firms, in industries ranging from pharmaceuticals, through legal services, to construction.
This time the list of victims also includes one of the world’s largest shipping groups, with reports of operations at major ports disrupted. A successful attack on a sophisticated and progressive shipping operator raises the following specific issues:
1. how vulnerable shipping, a sector that has traditionally lagged in technology adoption, is as it digitises its operations both on board and ashore, and how to address cyber security most effectively from a technical perspective; and
2. how to mitigate, by legal means, the risk posed by constantly evolving cyber threats.
At first, this most recent attack appeared to be another piece of ransomware that used the same Windows Server Message Block (“SMB”) vulnerability as WannaCry to spread itself and infect additional computers. However, now that researchers have had time to study the malware, originally thought to be a variant of the 2016 ransomware “Petya”, the concern is that it may be something altogether different – and more dangerous.
The goal of ransomware is to extort money from the victims in return for decrypting the data. Tuesday’s attack appears, instead, to be a “wiper” attack that permanently corrupts the data, and not one designed for making money. There are a number of reasons for this theory:
1) Like “Petya”, this malware attacked the Master Boot Record (“MBR”) and Master File Table (“MFT”): the MBR is the first sector of the disk, which holds the boot code and partition table, and the MFT is the NTFS structure that records where every file on the volume is stored. A Windows machine cannot boot, and its files cannot be found, if either is missing or corrupted. “Petya” encrypted these structures but kept the information needed to reverse the process once a ransom was paid. Tuesday’s malware overwrote the MBR with its own boot code and left no usable record of the original, so the damage could not be undone.
2) Ransomware normally displays a per-victim identifier, which is how the attackers match a payment to the decryption key for that particular machine. The identifier shown in Tuesday’s ransom note did not encode any such key, meaning that even a victim who paid could not have been matched to a working key.
3) Victims were instructed to send an email to the attackers confirming payment. The email account, however, was blocked by the email provider almost as soon as the address became public. As a result, there was no way for victims to notify the attackers of their payment.
The malware does appear to have spread itself using the same SMB vulnerability as the WannaCry code, but there are differences there, as well. Once WannaCry landed on a computer, it scanned for other vulnerable devices, on the local network and across the internet, and infected them directly. Tuesday’s malware instead stayed inside the organisation it had landed in: besides the SMB exploit, it stole credentials from the memory of the infected machine and used them to log in, over ordinary Windows administration channels, to machines that had been patched against the SMB vulnerability and would otherwise have been protected.
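The credential-reuse spread described above leaves a characteristic trace in the logs: one workstation authenticating to many peers with a single account within seconds, which a human administrator rarely does. The script below, an added example and not code from the original article or from any of the firms it mentions, flags that pattern in a set of constructed Windows logon records. The hosts, account names, timestamps and the simplified CSV layout (timestamp, event ID, source host, target host, user, logon type) are assumptions of this example; Windows event 4624 with logon type 3 is a network logon, but the export format here is not any real tool’s.

```python
"""Flag worm-style lateral movement: one source host fanning out network
logons to many distinct targets with the same account inside a short window.

Added example, not code from the original article. The log lines below are
constructed for illustration (hypothetical hosts, users and times) in a
simplified CSV layout: timestamp,event_id,source_host,target_host,user,logon_type.
Event 4624 with logon type 3 is a Windows network logon; the field layout is an
assumption of this example, not a real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: WS-017 reaches six hosts in four seconds with a service
# account (the pattern to catch); WS-031 is a user touching three shares over
# half an hour (normal); WS-040 is an interactive logon (logon type 2, ignored).
SAMPLE_LOGS = """
2017-06-27T10:00:01,4624,WS-017,FS-01,svc_backup@corp.example,3
2017-06-27T10:00:02,4624,WS-017,WS-022,svc_backup@corp.example,3
2017-06-27T10:00:02,4624,WS-017,WS-023,svc_backup@corp.example,3
2017-06-27T10:00:03,4624,WS-017,WS-024,svc_backup@corp.example,3
2017-06-27T10:00:03,4624,WS-017,WS-025,svc_backup@corp.example,3
2017-06-27T10:00:04,4624,WS-017,DC-01,svc_backup@corp.example,3
2017-06-27T10:05:00,4624,WS-031,FS-01,jsmith@corp.example,3
2017-06-27T10:20:00,4624,WS-031,PRN-02,jsmith@corp.example,3
2017-06-27T10:40:00,4624,WS-031,FS-02,jsmith@corp.example,3
2017-06-27T10:41:00,4624,WS-040,WS-040,mlee@corp.example,2
"""


def parse(lines):
    """Turn CSV lines into event dicts, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, src, dst, user, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "dst": dst,
            "user": user,
            "logon_type": int(logon_type),
        })
    return events


def find_fan_out(events, window=timedelta(minutes=5), min_targets=5):
    """Return {(source_host, user): sorted list of targets} for every
    source/account pair that reached at least `min_targets` distinct hosts
    within any `window`-long span of its network logons."""
    by_key = defaultdict(list)
    for e in events:
        # Only remote network logons count; a host logging on to itself is not movement.
        if e["event_id"] == 4624 and e["logon_type"] == 3 and e["src"] != e["dst"]:
            by_key[(e["src"], e["user"])].append((e["ts"], e["dst"]))

    hits = {}
    for key, logons in by_key.items():
        logons.sort()
        start = 0
        # Sliding window over the time-ordered logons of this source/account pair.
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            targets = {dst for _, dst in logons[start:end + 1]}
            if len(targets) >= min_targets:
                hits[key] = sorted(set(hits.get(key, ())) | targets)
    return hits


def demo():
    """Run the detector over the constructed sample and return its findings."""
    return find_fan_out(parse(SAMPLE_LOGS.splitlines()))


if __name__ == "__main__":
    for (src, user), targets in demo().items():
        print(f"{src} as {user} reached {len(targets)} hosts: {', '.join(targets)}")
```

The thresholds (five distinct targets in five minutes) are a starting point, not a rule: a backup server or a vulnerability scanner will legitimately fan out and should be allow-listed by source host, and the window should be tuned against a baseline of the organisation’s own logs before the alert is wired into an on-call rotation.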
The malware appears to have initially targeted Ukraine and was spread through the update mechanism of M.E.Doc, an accounting package used by most businesses that file tax returns in Ukraine. This would account for the reports that approximately 65% of the infected systems were Ukrainian.
Malware is constantly being updated, revised and improved. Information security must therefore be treated as an ongoing process of continuous improvement, keeping systems up to date against known threats while remaining agile enough to survive the coming ones.
The legal risks are multi-dimensional and magnified by the global nature of international trade and shipping sector.
On the one hand, there are exposures which can be relatively easily quantified, such as the expenses incurred in dealing with the attack. On the other hand, there is a multitude of less predictable heads of loss, such as those arising out of breaches of existing contracts, business disruption resulting in loss of existing and future business, cross-border regulatory consequences, and purely reputational damage which may be virtually impossible to ascertain.
With the hindsight of the most recent attacks, these risks can be contractually mitigated and supported by appropriate insurance arrangements.
The basic concept underpinning the English law of contract is the parties’ freedom of bargain. Thus, if the parties so wish, they can exclude liability for direct and indirect losses resulting from cyber attacks. In the context of shipping and international trade, however, a lot of business is conducted on a spot basis using standard forms, the majority of which date back to a time when cyber risks were not a concern. It is important that the parties are fully aware of this, as leaving the wording unamended may lead to costly arguments and unexpected liabilities.
To demonstrate the types of issue which may arise, many standard trade contracts, such as the GAFTA or FOSFA forms, include so-called “force majeure” clauses designed to deal with unforeseen circumstances beyond either party’s control. For example, GAFTA No. 111 lists events such as “acts of terrorism”, “hostilities”, “unforeseeable and unavoidable impediments to transportation or navigation” and “any other event comprehended in the term “force majeure””.
In order to bring itself within the force majeure clause, the victim would have to establish either that the attackers’ motives were hostile or that one of the other listed events applies. Take a port closed as a result of a profit-driven ransomware attack: terrorism and hostilities could reasonably be ruled out on the basis that the attack was for profit, and whether the attack then falls within “unforeseeable and unavoidable impediments to transportation or navigation” or “any other event comprehended in the term “force majeure”” could be argued either way, without much certainty in the absence of any case law on the issue.
Taking the above example into a charter party context, would the abovementioned attack render a port unsafe? A lot would depend on the way in which the attack manifested itself and the frequency of attacks. If the impact was such that the port had no effective navigational aids then potentially the port would be unsafe. Similarly, if the port was known for being repeatedly hacked due to a lack of sufficient security then an unsafe port case could be arguable.
In bespoke contracts, in the energy sector for example, we are also seeing parties insert clauses which make the counterparty liable for any losses suffered by the first party as a result of a virus inadvertently introduced into the first party’s systems by that counterparty. The impact of such clauses can be far-reaching and they should be approached with caution.
There are many more examples which could be used to demonstrate the uncertainty of this novel area (most notably in the liner trade where container booking and release systems are to a large extent automated). However, in our view, the common and crucial feature of bringing and defending most claims involving losses arising out of cyber attacks will be the reasonableness of preventative measures.
Unless a very specific exclusion is put in place, an organisation will be extremely unlikely to avoid liability if no evidence of appropriate cyber security processes can be put forward. What is appropriate will depend on the nature and size of the business. Our advice is for all businesses to monitor industry and governmental initiatives and consider external audits.
In view of the increasing prevalence of these incidents, it seems almost inevitable that companies will become the victim of a cyber incident at one time or another. It is vital, therefore, that shipping companies take steps to ensure that they have the necessary insurance protection in place. It cannot be assumed that traditional insurances will cover the losses incurred following a cyber event. For example, many policies exclude cover for malicious acts in one way or another. Many other policies can only be triggered if the insured has suffered physical damage, which is often not the case for the victim of a cyber event.
As the motives for the latest attacks become clearer, issues may also be raised about the applicability of war and terrorism exclusions and it will be important, therefore, to ensure that any specific war insurances dovetail effectively with the war exclusion in the insured’s standard policies. The nature of cyber events means that you can be the unintended victim of a cyber attack aimed at a target thousands of miles away, that does not mean, however, that these same coverage considerations will not apply to you.
Specific cyber insurances may be an answer but it is important to be aware that, unlike in many marine policies, there is no consistency of either cover or definitions in cyber policies. The buyer will need to be very careful, therefore, to ensure that in buying a cyber policy it is in fact obtaining the cover which suits its requirements.