Simon Cooper Consultant
The shipping industry: adrift in a sea of cyber risk?
On Tuesday (27 June 2017), only seven weeks after the WannaCry virus affected some of the largest governmental and corporate institutions in over 150 countries, another ransomware attack compromised and disrupted operations of some of the world’s largest firms in industries ranging from pharmaceuticals, through legal, to construction.
This time the list of victims also includes one of the world’s largest shipping groups, with reports of operations at major ports disrupted. A successful attack on a sophisticated and progressive shipping operator raises the following specific issues:
1. how vulnerable is shipping, a naturally lagging sector, as it brings itself into the digital era both on and off shore and how to most effectively address the issues of cyber security from a technical perspective; and
2. how legally to mitigate the risk of constantly evolving nature of cyber threats.
At first, this most recent attack appeared to be another ransomware that used the same server message block (“SMB”) vulnerability in Windows OS to spread itself and infect additional computers. However, now that researchers have had time to study the malware, originally thought to be a variant of the 2016 ransomware “Petya”, the concern is it may be something altogether different – and more dangerous.
The goal of ransomware is to extort money from the victims in return for decrypting the data. Tuesday’s attack appears, instead, to be a “wiper” attack that permanently corrupts the data, and not one designed for making money. There are a number of reasons for this theory:
1) Like “Petya”, this malware attacked the Master Boot Record (“MBR”) and Master File Table (“MFT”), two small files that are crucial to disk operation; a disk will not function if the MBR or MFT are missing or are corrupted. Unlike “Petya”, which encrypts the MBR and MFT but saves the value for later decryption, Tuesday’s attack overwrote the MBR and MFT, making the data irretrievable.
2) Ransomware includes a “personal infection ID”, which is how the attackers can track who was infected and who paid the ransom. The attack on Tuesday included no such identifier, meaning the attackers would have to review payments manually to identify who paid for the decryption key.
3) Victims were instructed to send an email to the attackers confirming payment. The email account, however, was almost immediately blocked by the email provider once the email address became public. As a result, there was no way for victims to notify the attackers of their payment.
The malware does appear to have spread itself using the same SMB vulnerability as the WannaCry code, but there are differences there, as well. Once WannaCry landed on a computer, it scanned the network to find other vulnerable devices and infected them. Tuesday’s attack appears to have attempted to stay inside an organization, moving via network protocols and stealing credentials to infect otherwise protected devices.
The malware appears to have initially targeted Ukraine and was spread via an update to tax/accounting software that is essentially mandatory in Ukraine, M.E. Doc. This could account for the fact approximately 65% of the infected systems are Ukrainian.
Viruses are constantly being updated, revised, and improved. Information security must be considered an ongoing process of continuous improvement to ensure systems are up to date to defeat known threats, as well as agile enough to survive the coming ones.
The legal risks are multi-dimensional and magnified by the global nature of international trade and shipping sector.
On the one hand, there are exposures which can be relatively easily quantified such as expenses incurred in dealing with the attack. On the other hand, there is a multitude of potential less predictable heads of losses such as those arising out of breaches of existing contracts, business disruption resulting in loss of existing and future business, cross-border regulatory consequences, and purely reputational damage which may be virtually impossible to ascertain.
With the hindsight of the most recent attacks, these risks can be contractually mitigated and supported by appropriate insurance arrangements.
The basic concept underpinning the English law of contract is the parties’ freedom of bargain. Thus, if the parties so wish, they can exclude liability for direct and indirect losses resulting from cyber attacks. In the context of shipping and international trade, however, a lot of business is conducted on spot basis using standard forms, the majority of which date back to times when cyber risks were not a concern. It is important that the parties are fully aware of that as leaving the wording unamended may lead to costly arguments and unexpected liabilities.
To demonstrate the types of issues which may arise, a lot of standard trade contracts, such as GAFTA or FOSFA agreements, include so-called “force majeure” clauses designed to deal with unforeseen circumstances beyond either party’s control. For example, GAFTA No. 111 includes events such as: “acts of terrorism”, “hostilities”, “unforeseeable and unavoidable impediments to transportation or navigation” and “any other event comprehended in the term “force majeure””.
In order to bring itself within the force majeure clause, the victim would have to either establish that the motives were hostile or use the other events. So in the case that a port is closed as a result of a profit driven ransomware attack whilst terrorism and hostilities could be reasonably ruled out on the basis that the attack is for profit, a question of whether the attack falls under “unforeseeable and unavoidable impediments to transportation or navigation” or “any other event comprehended in the term “force majeure”” could potentially be argued either way without (in the absence of any case law on the issue) much certainty.
Taking the above example into a charter party context, would the abovementioned attack render a port unsafe? A lot would depend on the way in which the attack manifested itself and the frequency of attacks. If the impact was such that the port had no effective navigational aids then potentially the port would be unsafe. Similarly, if the port was known for being repeatedly hacked due to a lack of sufficient security then an unsafe port case could be arguable.
On bespoke contracts, in the energy sector for example, we are also seeing examples of parties inserting into contracts clauses which will make the counterparty liable for any losses suffered by the first party as a result of a virus being inadvertently introduced into the first party’s system by that counter party. The impact of such clauses can be far reaching and they should be approached with caution.
There are many more examples which could be used to demonstrate the uncertainty of this novel area (most notably in the liner trade where container booking and release systems are to a large extent automated). However, in our view, the common and crucial feature of bringing and defending most claims involving losses arising out of cyber attacks will be the reasonableness of preventative measures.
Unless a very specific exclusion is put in place, an organisation will be extremely unlikely to avoid liability if no evidence of appropriate cyber security processes can be put forward. What is appropriate will depend on the nature and size of the business. Our advice is for all businesses to monitor industry and governmental initiatives and consider external audits.
In view of the increasing prevalence of these incidents it seems almost inevitable that companies will become the victim of a cyber incident at one time or another. It is vital, therefore, that shipping companies take steps to ensure that they have the necessary insurance protection in place. It cannot be assumed that traditional insurances will provide cover for the losses incurred following a cyber event. For example, many polices will exclude cover for malicious acts in one way or another. Many other policies can only be triggered if the insured has suffered physical damage which is often not the case if it is a victim of a cyber event.
As the motives for the latest attacks become clearer, issues may also be raised about the applicability of war and terrorism exclusions and it will be important, therefore, to ensure that any specific war insurances dovetail effectively with the war exclusion in the insured’s standard policies. The nature of cyber events means that you can be the unintended victim of a cyber attack aimed at a target thousands of miles away, that does not mean, however, that these same coverage considerations will not apply to you.
Specific cyber insurances may be an answer but it is important to be aware that, unlike in many marine policies, there is no consistency of either cover or definitions in cyber policies. The buyer will need to be very careful, therefore, to ensure that in buying a cyber policy it is in fact obtaining the cover which suits its requirements.
Read more about how Navigant and Ince can help you with cyber security.
Related news & insights
Events / Maritime Week Gibraltar 2021
18-10-2021 / Maritime
Maritime Week Gibraltar 2021 is a highly informative, multi-format interactive event, designed to showcase the many shipping, port and maritime services offered in Gibraltar to a wider international audience.
Insights / Court considers breach of confidentiality and unlawful conspiracy claims in ship design dispute
18-10-2021 / Maritime
Salt Ship Design AS v. Prysmian Powerlink SRL  EWHC 2633 (Comm)
News / AfCFTA and Energy & Infrastructure
11-10-2021 / Energy & Infrastructure, Maritime
This article is the third in a series of articles looking at the impact of the African Continental Free Trade Area (the “AfCFTA”) on various practice areas and industry sectors that our clients operate in. This article focuses on Energy and Infrastructure and addresses some of the key questions our clients have asked us.
Insights / Witness evidence reforms now apply in the Admiralty Court
07-10-2021 / Maritime
Following much discussion, the witness evidence reforms have now made their way to the Admiralty Court. The provisions now apply to trial witness statements signed on or after 1 October 2021 in Admiralty Court proceedings and constitute a further reminder that a witness statement must be exactly that – a statement in the words of the witness.
News / Mutual benefit: A focus on superyacht crew welfare - Interview with SuperyachtNews
07-10-2021 / Maritime, Yachts & Superyachts
“I am regularly instructed on behalf of yacht owners and their liability underwriters to defend crew mental health claims made against them, a trend which had been increasing for several years now,” starts Rachel Butlin, partner at Ince. “Within the yacht industry, I have been involved in many cases in which there have been not just physical injuries to yacht crew but increasingly psychiatric ones, including anxiety and post-traumatic stress disorders, as well as depression and the emotional consequences of bullying/assault.”
Insights / “Zoned out”: Court confirms applicable time zone for notification of demurrage claims
05-10-2021 / Maritime
The Court has considered which time zone applies to determine the date of completion of discharge for the purposes of deciding whether notification of a demurrage claim was made too late. In their article, Natalie Jensen and Monika Humphreys-Davies review the decision and explain why the Court held that it was the time zone at the place of discharge.