Cyber and Data Security in the Commercial Marine Sector
Computing technology has transformed the business world. Industries have leveraged the power of data and high-speed computing to improve efficiencies. The commercial marine sector is no exception; technology has allowed it to streamline supply chains while managing personnel and vessels around the world. With an increased reliance on computer-based systems, however, the risk of a data breach or other cybercriminal activity has also increased. Securing vital business data is an emerging risk management practice that marine operators must take seriously. Coupled with commercial marine insurance, identifying and mitigating the risks associated with cybercrime can help ensure business continuity.
Cyber Risks in the Commercial Marine Industry
The commercial marine industry uses computer systems for a wide variety of tasks, including cargo tracking, shipboard navigation, port management, and vessel diagnostics. Each of these systems may be compromised by cybercriminals; if criminals were to hack into a ship’s navigation and steering systems, there exists the possibility that the vessel could effectively be “hijacked” – an Information Age version of high-seas piracy.
In the Netherlands, a criminal gang hacked into the port management systems of the Port of Antwerp. Over a two-year period, these criminals gained control over cargo management at two piers, allowing them to steal cargo and to bring in drugs concealed in containers without tipping off authorities. When cargo management systems are compromised, thousands of containers and billions of dollars in shipments are at stake.
Computer security experts suggest that hijacking ships and rerouting cargo are possible but unlikely. In fact, digital information systems used in the maritime industry experience the same types and magnitudes of risk that other business interests have. Some of the most common cyber risks in the commercial marine industry include:
- Ransomware attacks on corporate computer systems.
- Theft of banking data, both from shipping companies and their clients.
- Phishing incidents that compromise sensitive business data.
- Malware introduced into shipboard systems inadvertently by crew members who plug their own devices into ships for charging purposes.
- Use of onboard computers for personal tasks like email, online purchases, and banking, opening the doors for cybercriminals to enter shipboard systems.
Fighting Cyber Criminals at Sea
To address the potential of cybercrime and how it affects the commercial marine industry, shipping companies must adopt new risk management strategies. These strategies supplement the protection of commercial marine insurance. Today, many commercial insurers are adding cyber coverage to their slate of products and services in an effort to protect shipping interests.
Unfortunately, the commercial maritime industry lags behind shore-based businesses in adopting cybersecurity strategies. An informal survey conducted by IHS Fairplay, a weekly magazine for the merchant shipping industry, estimated that 34 percent of respondents had experienced some form of cyber attack. The survey also found that:
- 30 percent of respondents indicated that their company or vessel had no dedicated computer security manager or department;
- 66 percent stated their company had an IT security policy in place;
- 47 percent of survey respondents indicated that staff access to computer systems was the leading risk.
Staff training on the safe and secure use of computer systems needs to be the primary focus of risk management programs. Training staff to utilize secure logins, to avoid personal computer use on shipboard/company systems, and to ensure unused computers go into a secure “sleep” mode are all important parts of the cybersecurity landscape.
Vessels and their parent companies must also adopt cybersecurity practices, such as keeping software updated and patching network vulnerabilities. Establishing an IT security policy is a good practice, as is appointing a cybersecurity team to handle the routine monitoring and assessment of computer activities. The United States Coast Guard issued a Marine Safety Alert in 2019 that stressed these practices. Failure to establish robust cybersecurity policies and to train all stakeholders in secure computer usage can be costly; in 2018, global shipping powerhouse Maersk was one of the targets of a ransomware attack that ultimately cost the industry an estimated $300 million.
Cyber risks are not taken lightly by the maritime industry. The International Maritime Organization (IMO) has adopted cybersecurity requirements as part of the Safety of Life at Sea (SOLAS) Regulations governing the safe operation of ships. The requirements go into effect in January 2021. Regulations adopted by the industry will supplement the cybersecurity coverage of commercial marine insurance policies, helping to prevent costly and business-damaging cybercriminal actions.
About Merrimac Marine Insurance
At Merrimac Marine, we are dedicated to providing insurance for the marine industry to protect your clients’ business and assets. For more information about our products and programs, contact our specialists today at (800) 681-1998.