The shipping industry: adrift in a sea of cyber risk?


On Tuesday (27 June 2017), only seven weeks after the WannaCry virus affected some of the largest governmental and corporate institutions in over 150 countries, another ransomware attack compromised and disrupted operations of some of the world’s largest firms in industries ranging from pharmaceuticals, through legal, to construction.

This time the list of victims also includes one of the world’s largest shipping groups, with reports of operations at major ports disrupted. A successful attack on a sophisticated and progressive shipping operator raises the following specific issues:

1.  how vulnerable is shipping, a naturally lagging sector, as it brings itself into the digital era both on and off shore, and how can the issues of cyber security be most effectively addressed from a technical perspective; and

2.  how to mitigate, from a legal perspective, the risk arising from the constantly evolving nature of cyber threats.

Technical perspective

At first, this most recent attack appeared to be another ransomware that used the same server message block (“SMB”) vulnerability in Windows OS to spread itself and infect additional computers. However, now that researchers have had time to study the malware, originally thought to be a variant of the 2016 ransomware “Petya”, the concern is that it may be something altogether different – and more dangerous.

The goal of ransomware is to extort money from the victims in return for decrypting their data. Tuesday’s attack appears, instead, to be a “wiper” attack that permanently corrupts the data, and not one designed for making money. There are a number of reasons for this theory:

1)  Like “Petya”, this malware attacked the Master Boot Record (“MBR”) and Master File Table (“MFT”), two small files that are crucial to disk operation; a disk will not function if the MBR or MFT are missing or corrupted. Unlike “Petya”, which encrypts the MBR and MFT but retains the key so that they can later be decrypted, Tuesday’s attack overwrote the MBR and MFT, making the data irretrievable.

2)  Ransomware typically includes a “personal infection ID”, which is how the attackers track who was infected and who paid the ransom. Tuesday’s attack included no such identifier, meaning the attackers would have to review payments manually to identify who had paid for the decryption key.

3)  Victims were instructed to send an email to the attackers confirming payment. The email account, however, was blocked by the email provider almost immediately once the email address became public. As a result, there was no way for victims to notify the attackers of their payment.
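To make the MBR point in item 1 concrete from a defender’s side, the following added example (not from the original article or its authors) parses a boot sector using the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports the signs that the sector has been overwritten rather than left intact. The sample sector is constructed inline, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Construct a minimal, well-formed MBR (constructed sample, not a real disk)."""
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (446 - 4)  # placeholder boot code
    # One active entry: status 0x80, type 0x07 (NTFS), LBA start 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


def check_mbr(sector: bytes) -> dict:
    """Sanity-check an MBR sector; a non-empty findings list signals overwrite/corruption."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "partitions": 0, "findings": ["sector is not 512 bytes"]}
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector[:446] == b"\x00" * 446:
        findings.append("boot code is all zeros")
    # Partition table: four 16-byte entries starting at offset 446
    partitions = 0
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        n_sectors = struct.unpack_from("<I", e, 12)[0]
        if ptype == 0:  # unused slot
            continue
        partitions += 1
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if n_sectors == 0:
            findings.append(f"entry {i}: zero-length partition")
    if partitions == 0:
        findings.append("no partition entries")
    return {"ok": not findings, "partitions": partitions, "findings": findings}
```

Run against the first 512 bytes of a disk image taken during an investigation, the same check distinguishes an intact sector from one that has been zeroed or filled with junk.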

The malware does appear to have spread itself using the same SMB vulnerability as the WannaCry code, but there are differences there as well. Once WannaCry landed on a computer, it scanned the network to find other vulnerable devices and infected them. Tuesday’s attack appears to have attempted to stay inside an organisation, moving via network protocols and stealing credentials to infect otherwise protected devices.

The malware appears to have initially targeted Ukraine and was spread via an update to M.E. Doc, tax/accounting software that is essentially mandatory in Ukraine. This could account for the fact that approximately 65% of the infected systems are Ukrainian.

Viruses are constantly being updated, revised, and improved. Information security must therefore be treated as an ongoing process of continuous improvement, ensuring that systems are up to date against known threats and agile enough to survive the ones still to come.

Legal perspective

The legal risks are multi-dimensional and magnified by the global nature of the international trade and shipping sector.

On the one hand, there are exposures which can be relatively easily quantified, such as expenses incurred in dealing with the attack. On the other hand, there is a multitude of potentially less predictable heads of loss, such as those arising out of breaches of existing contracts, business disruption resulting in loss of existing and future business, cross-border regulatory consequences, and purely reputational damage which may be virtually impossible to ascertain.

With the hindsight of the most recent attacks, these risks can be contractually mitigated and supported by appropriate insurance arrangements.


The basic concept underpinning the English law of contract is the parties’ freedom of bargain. Thus, if the parties so wish, they can exclude liability for direct and indirect losses resulting from cyber attacks. In the context of shipping and international trade, however, a lot of business is conducted on a spot basis using standard forms, the majority of which date back to times when cyber risks were not a concern. It is important that the parties are fully aware of this, as leaving the wording unamended may lead to costly arguments and unexpected liabilities.

To demonstrate the types of issues which may arise, a lot of standard trade contracts, such as GAFTA or FOSFA agreements, include so-called “force majeure” clauses designed to deal with unforeseen circumstances beyond either party’s control. For example, GAFTA No. 111 includes events such as “acts of terrorism”, “hostilities”, “unforeseeable and unavoidable impediments to transportation or navigation” and “any other event comprehended in the term ‘force majeure’”.

In order to bring itself within the force majeure clause, the victim would have to either establish that the motives were hostile or rely on one of the other listed events. So where a port is closed as a result of a profit-driven ransomware attack, terrorism and hostilities could reasonably be ruled out on the basis that the attack is for profit, and the question of whether the attack falls under “unforeseeable and unavoidable impediments to transportation or navigation” or “any other event comprehended in the term ‘force majeure’” could potentially be argued either way without (in the absence of any case law on the issue) much certainty.

Taking the above example into a charterparty context, would the abovementioned attack render a port unsafe? A lot would depend on the way in which the attack manifested itself and the frequency of attacks. If the impact was such that the port had no effective navigational aids, then potentially the port would be unsafe. Similarly, if the port was known for being repeatedly hacked due to a lack of sufficient security, then an unsafe port case could be arguable.

On bespoke contracts, in the energy sector for example, we are also seeing parties insert clauses which make the counterparty liable for any losses suffered by the first party as a result of a virus being inadvertently introduced into the first party’s systems by that counterparty. The impact of such clauses can be far reaching and they should be approached with caution.

There are many more examples which could be used to demonstrate the uncertainty of this novel area (most notably in the liner trade where container booking and release systems are to a large extent automated). However, in our view, the common and crucial feature of bringing and defending most claims involving losses arising out of cyber attacks will be the reasonableness of preventative measures.

Unless a very specific exclusion is put in place, an organisation will be extremely unlikely to avoid liability if no evidence of appropriate cyber security processes can be put forward. What is appropriate will depend on the nature and size of the business. Our advice is for all businesses to monitor industry and governmental initiatives and consider external audits.

Insurance issues

In view of the increasing prevalence of these incidents, it seems almost inevitable that companies will become the victim of a cyber incident at one time or another. It is vital, therefore, that shipping companies take steps to ensure that they have the necessary insurance protection in place. It cannot be assumed that traditional insurances will provide cover for the losses incurred following a cyber event. For example, many policies will exclude cover for malicious acts in one way or another. Many other policies can only be triggered if the insured has suffered physical damage, which is often not the case if it is the victim of a cyber event.

As the motives for the latest attacks become clearer, issues may also be raised about the applicability of war and terrorism exclusions, and it will be important, therefore, to ensure that any specific war insurances dovetail effectively with the war exclusion in the insured’s standard policies. The nature of cyber events means that you can be the unintended victim of a cyber attack aimed at a target thousands of miles away; that does not mean, however, that these same coverage considerations will not apply to you.

Specific cyber insurances may be an answer, but it is important to be aware that, unlike in many marine policies, there is no consistency of either cover or definitions in cyber policies. The buyer will need to be very careful, therefore, to ensure that in buying a cyber policy it is in fact obtaining the cover which suits its requirements.


The article has been co-authored by John Boles and Benjamin Donnachie at Navigant.

Simon Cooper, Consultant
