Cyberattacks bear risk for shipping companies in terms of contractual liability, third party liability, and regulator violations. Such liability may be excluded or limited by complying with IMO 2021 regulations and guidelines regarding Safety Management Systems, and/or incorporating appropriate contractual clauses.
Cybersecurity is fast becoming one of the buzz words within the shipping community. Though the issue is hardly new, it is becoming more prevalent owing to major recent incidents as well as diverse drivers of change in shipping. These incidents include cyberattacks on the four largest container lines, including an April 2020 attack on Mediterranean Shipping Co (MSC), which led to its systems shutting down for a week. The drivers include the recent COVID-19 pandemic crisis and its ensuing overreliance on working through computers via remote (and often vulnerable) access points, the increased digitisation of the industry in an effort to cut down on cost and increase transparency, and future envisaged developments such as autonomous ships.
Cybersecurity threats are therefore both real and increasingly significant. This prompted the International Maritime Organization (IMO) in 2017 to adopt Resolution MSC.428 (98) on ‘Maritime Cyber Risk Management in Safety Management Systems’, whereby shipping companies are to address cyber risks under their Safety Management Systems (SMS) as defined in the International Safety Management (ISM) Code. IMO 2021, as it is widely known, entered into force in January 2021, and encourages administrations to ensure compliance no later than the first annual verification of a company’s Document of Compliance (DOC). Moreover, the IMO published Guidelines on ‘cyber risk management’ which make specific reference to published industry best practices, such as the ‘Guidelines on Cyber Security Onboard Ships’ produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
Legal risk associated with cyberattacks includes contractual liability, third party liability, and potential regulatory violations. One therefore first needs to consider whether and under what circumstances the party that suffered the attack remains liable.
Contractual liability could potentially be excluded under the doctrine of frustration or by invoking force majeure. However, it will be difficult for a shipping company to claim frustration (in terms of lack of foreseeability) or invoke a force majeure clause (should one be present) if, for instance, it failed to apply a software update made available by the manufacturer, leaving a vulnerability that was exploited in the cyberattack, or it failed to apply proper security standards or provide adequate training and an infected USB stick was brought on board. In terms of third party liability, there is also a good chance that such vulnerabilities brought about by poor standards could establish that the vessel was not ‘seaworthy’ when it put to sea, for instance in the case of a systems hijack leading to a collision with possible damage to property and/or loss of life, in which case liability will not be excluded and marine insurance claims may fail.
Model clauses are available and may be incorporated into contracts in an attempt to delineate and limit cyber related liability, such as BIMCO’s ‘Cyber Security Clause 2019’ for use in charterparties. The BIMCO clause creates obligations in terms of (i) implementing and reviewing systems, plans and procedures both pre and post cyber incident, (ii) using reasonable endeavours to ensure third parties providing services comply with these systems, plans and procedures, and (iii) notifying the other party of any incident affecting or likely to affect cyber security. The clause also contains a provision limiting liability (the default limit amounting to $100,000), unless gross negligence or wilful misconduct is proven.
The next question to ask is whether insurers are likely to cover cyber related liability. It is estimated that 92% of the costs that may result from a cyberattack are uninsured, and it is widely acknowledged that available cover is both limited and restricted. With regard to third party liability insurance, P&I Clubs have now principally adopted the LMA 5403 ‘Marine Cyber Endorsement’ model clause, in preference to the formerly widely applied CL 380 Institute ‘Cyber Attack Exclusion’ clause. The latter was criticised over its failure to address ‘silent cyber’, i.e. losses emanating from a cyberattack that are recoverable under traditional insurance policies because those policies contain no express cyber risk inclusion/exclusion wording.
Under LMA 5403, insurance cover is excluded for liability ‘caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus, computer process or any other electronic system’ (our emphasis). Cover is however provided where such use or operation does not constitute a means of inflicting harm, in contrast to the LMA 5402 ‘Marine Cyber Exclusion’ clause. Moreover, where LMA 5403 is endorsed under policies covering war risk, cover includes a cyberattack which results in the firing of a weapon.
Furthermore, insurers may include the JCC ‘Cyber Attack Exclusion Clause and Write-Back’. This model clause also excludes liability deriving from a cyberattack intended to inflict harm, except for ‘an otherwise covered physical loss of or physical damage to the Insured's property caused by a Targeted Cyber Attack’ (the write-back). The burden of proof under the write-back falls on the insured, who must demonstrate inter alia that the motive behind the cyberattack was to inflict harm solely on the Insured or its property.
IMO 2021 & Guidelines
Within this general context, IMO 2021 and its accompanying Guidelines constitute the IMO’s response to the increasing cyber threat by laying out an emerging regulatory framework.
The Guidelines are presented as ‘high level recommendations’ for cyber risk management, and are ‘complementary to the safety and security management practices’ established by the IMO. As such they are an attempt to apply a global standard, and therein lies their value. They take note of industry best practices, and rely on a risk management framework incorporating five elements: identification, protection, detection, response, and recovery.
As for IMO 2021, it serves a dual purpose. Firstly, it affirms that an approved SMS should take into account cyber risk management in accordance with the ISM Code. Secondly, it encourages administrations to ensure cyber risks are addressed in the SMS no later than the first annual verification of a company’s DOC. Viewed together, these two elements create an indirect obligation: they confirm that cyber risks should, and indeed do, form part of an approved SMS under the ISM Code, so any administration reviewing the DOC on the first annual verification would be prudent, though not legally mandated, to ensure compliance. When combined with the Guidelines, the end result of IMO 2021 is that shipping companies must review and update their SMS to address cyber threats in line with IMO recommendations and industry best practices.
Cybersecurity is a very real issue embracing all stakeholders in the maritime industry. Given that insurers provide only limited and restricted cover for the majority of the losses that may arise following a cyberattack, it is crucial that companies review and adopt such systems and measures as will ensure they can detect, minimise and mitigate the risk of cyberattacks, and/or incorporate appropriate clauses into their contracts, in an effort to limit or escape liability. Though presented in terms of recommendations and encouragement, IMO 2021 and its accompanying Guidelines set shipping companies on that path by applying a global standard and ‘retrospectively’ affirming that cybersecurity forms part of existing approved SMS, indirectly obliging companies to review and comply.