IMO may have set 2021 as the deadline for incorporating cyber risk into ship safety, but there's no time like the present when it comes to security
Speaking at a maritime cyber security workshop in London promoting the Maritime Cyber Emergency Response Team in July, Norton Rose Fulbright partner Philip Roche addressed the legal and industry imperatives for investing in cyber security.
He began by pointing out that while IMO has given shipowners and managers until 2021 to incorporate cyber risk into ship safety, this is not soon enough and that it is in everyone’s interest to start taking action now.
Addressing the concerns of those who feel cyber security is too expensive, Mr Roche pointed out that this need not be the case. There are many resources available from organisations such as BIMCO, class societies and P&I clubs that can help owners with cyber security without the need to bring in external contractors. But the fundamental message, he said, is that risk assessment is key.
There are a lot of points of access on a ship through which attacks can be made, said Mr Roche, giving examples such as somebody boarding a vessel with an infected flash drive in port, or malware or vulnerabilities being included in a software update. “All you need is for one of those parties to have bad cyber hygiene or malicious intent and your ship can be quite vulnerable,” he said.
While current regulation encourages shipowners to take action, Mr Roche sees this as a flawed approach and thinks it is liable to change. Even if IMO doesn’t introduce regulations until 2021, there is nothing stopping port states from taking action sooner, with Mr Roche noting that a port state could opt to detain vessels it deems to be a cyber security risk.
He added that while it may be arguable whether the International Safety Management Code, which mandates standards for safe operation of vessels, currently covers cyber security, this will not be disputable in the next couple of years.
“Even if you’re the most reluctant and recalcitrant shipowner, you’re going to find that if you want to do business with big multinational companies such as an oil major, they are simply going to start leaning on you and saying ‘We’re not going to charter your ship unless you have good cyber security,’” said Mr Roche, noting that Norton Rose Fulbright has already written a clause that large companies are using to try to force contractors to get on board with cyber security.
Addressing the issue of the legal standard for due diligence, Mr Roche said that while a couple of years ago it would have been possible to stand in front of a judge and claim you were unaware of the risks of a cyber attack, “that time is gone and even the most backwards-looking shipowners are aware that there is a risk to safety and security, and it would be very hard to persuade a judge that you were not aware of this.”
He added that the standards used to determine due diligence would involve demonstrating that the company’s board had made a real effort to address cyber risk by having the right software, consultants and support network, and that it had made efforts to train employees.
But an important issue relates to communications of a different sort, said Mr Roche, noting that “The C-suite don’t talk the language of the lawyers and the risk people” and that the problem is even more pronounced with the disconnect between information technology experts and board members. “Successful companies solve that by having an information officer, making them a board member or close to the board,” he said, noting that an approach like that of the ISM code’s “Designated Person Ashore” is necessary for good communication.
Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, at which Mr Roche also spoke, took place in London on 15 June 2018.