Cybercrime and shipping: the facts

Does the industry have the tools to combat this rising scourge? Peter Armstrong, executive director – cyber, for the Willis Group, writes exclusively for Splash.

How serious a threat to shipping is cybercrime? The aviation sector’s exposure to the global cyber threat was laid bare by the recent acts of a ‘white-hat’ hacker, who apparently infiltrated a commercial aircraft’s flight-management systems while it was in flight. So, the question for the maritime sector is: do we honestly believe we are better prepared, or that the security challenge is any less pronounced than with the aviation sector?

Both sectors share extraordinary similarities: they are highly integrated value chains; they contribute massively to global wealth creation; and they rely upon broad-based technological integration with very high-value assets. Moreover, every link of these value chains is dependent upon the third-party resilience of all members to ensure the security of the whole.

If the maritime community believes they are comparatively less attractive targets for cyber attack than other industries, they only need to look at the value of the world trade they carry. From a geopolitical standpoint, they only need to imagine how much disruption would be caused by even a short-term closure of one of the world’s primary shipping lanes.

Shipping is no stranger to risk-management. But cyber risks are different, in that they have the unique potential to magnify the impact of a company’s present portfolio of identified risks. Those additional risk levels need to be immediately quantified by each company and, with industry connectivity growing by the day, any cyber-resilience strategy will need to be a collective effort. To achieve that, the responsibility for erecting corporate cyber-defences will have to transition from the IT rooms to the C-suite. There is simply no room for complacency.

However, according to our recent analysis of 49 maritime transport companies’ 2014 annual reports, just 22% identified cyber-crime as a potential risk. This is despite the World Fuel theft, and the attack on the Port of Antwerp where container-release codes and port-handling capacity were compromised.

And fixed infrastructure is not the only vulnerable area. Our communications infrastructure is changing rapidly, as is the connectivity of the logistics sector as a whole. Stories of emerging ‘smart’ ships and terminals are everywhere. They will modernise our industry, but they also bring new cyber-related risks that won’t be fully understood until all parties – regulators, owners, operators … all participants in global maritime trade — look at their role in the value chain from both ends of the telescope.

What’s ultimately at stake? From a purely capital-related perspective, it’s always proven difficult to establish the commercial value of the Internet. Last year, the International Institute of Strategic Studies (IISS) published a report positing that the wealth the internet creates extends well beyond the value of its transactions.

Through that wider lens, the internet was seen by the IISS to add trillions of dollars to international commerce each year. And, remarkably, the losses attributable to cybercrime were estimated at 15-20% of the value it adds.

If that 15-20% is converted into a global GDP measure, it equates to 0.8%, similar to the provisions that macro-economists make for the annual cost of standard business crimes.

In other words, across industry, cybercrime appears to be doubling the impact on GDP and wealth creation of standard business crimes.

This was calculated before the anticipated explosion of devices connected to the internet was factored in (conservative estimates see those to tripling to 20bn by 2020), potentially implying a runaway train of losses that capital markets, financiers and insurers simply will not tolerate.

Simply put, asset-owners – including shipowners – are on a direct path to segmented pricing for investment capital, assessments that will be linked to the effectiveness of their cyber-defence strategies. Those with weak or no strategies will inevitably pay more.

With almost $54bn spent on new ships in the first nine months of this year, according to Clarkson’s data, stakeholders won’t need reminding of what even a 1% increase in capital costs could mean to their bottom lines.

To lessen the risk of rising capital costs, maritime organisations need to start quantifying their cyber exposure, just like they do for every other category of risk. This will help them to make informed decisions about a capital-usage strategy that will strike the right balance between risk mitigation, retained and funded risk, and risk transfer.

It simply is no longer enough for them to only know the vulnerabilities inside their organisations; in today’s increasingly interconnected world, organisations must understand their exposure in the whole value chain, where some of the vulnerabilities are outside of their control, but still need to be included in any total cyber-risk calculation.

This exercise will not be simple. It will require hard, intellectual yards. But, to date, nowhere near enough maritime organisations have started the journey.